www.1337.or.id
Search: qdpm
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
Ganesha
21 November 2022
21.585 Views
A remote code execution RCE vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users photo preview delete photo feature, allowing bypass of .htaccess protecti...
Reflected XSS on sgsg.samsung.com
Ganesha
27 November 2022
21.187 Views
Like I did before, I use Google Dorks, to find some interesting URLs. Google Dork site sgsg.samsung.com I found a very interesting URL, The HTTP response shows every value from the campu...
Microsoft says hackers attacking energy grids using decades-old software
Ganesha
25 November 2022
20.334 Views
Microsoft said this week that technology discontinued in 2005 is still being used widely and poses threats and vulnerabilities to power grids and the petroleum industry. Malicious hackers, according to the tech giant, are gaining access into secure networks and devices through common Internet of ...
Ganesha
26 November 2022
19.546 Views
I signed up on Chess24 and a play couple of games. Then I was thinking about security on the Chess24 website. I enter the user profile page, then I put the payload below as my website address. Request Response a href targe...
Paraminer: Finds hidden parameters.
Ganesha
29 November 2022
23.327 Views
Paraminer is a tool used to search for hidden parameters in a website Main Features GET Request POST Request Usage php paraminer.php u URL w WORDLIST .. images post 6941dbb5d020 64484851 74288d80 d242 11e9 89e5 cf937dd61541.png Link ...
Ganesha
27 November 2022
19.973 Views
DomaiNesia is a company that serves domain name registration, Web Hosting, VPS, and others. I just found Reflected XSS Vulnerability at DomaiNesia s subdomain We required to upload an official document if buy a special domain, like ac. or. sch. etc. On the...
Reflected XSS on Xiaomi with KNOXSS
Ganesha
28 November 2022
19.733 Views
Xiaomi Bug Bounty Programs When we look at Xiaomi Bug Bounty Program, they accept every subdomains from mi.com and xiaomi.com .. images post d6b1f2098768 xiaomi 20writeup1.jpg And I start looking for a subdomain of mi.com with sublist3r .. images...
Dynamic Content for Elementor < 1.9.6 - Authenticated RCE
Airlangga
10 February 2023
13.579 Views
The PHP Raw Widget dynamic.ooo widget php raw of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks. Proof of Concept POST wp admin admin ajax.php HTTP 1.1 Host exam...
CVE-2022-3360 - Unauthenticated PHP Object Injection via REST API
Ganesha
21 November 2022
22.395 Views
The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution RCE . To successfully exploit this vulnerability attackers m...
Ganesha
28 November 2022
22.048 Views
DomaiNesia is a company that serves domain name registration, Web Hosting, VPS, and others, the vulnerability I found was POST based XSS. It takes me a few minutes to go through each page, check each URL and parameter, try to enter some code character in the form, etc. Finally on the page ...
Russian Cybercrime Groups Stole Over 50 Million Passwords with Stealer Malware
Ganesha
24 November 2022
17.672 Views
Security researchers have warned of a password theft epidemic after revealing that Russian groups are using off the shelf info stealing malware to devastating effect. Group IB said its analysis revealed 34 Telegram groups used by threat actors to organize their efforts, and that they d infected o...