CVE-2023-41508 PoC — Super Store Finder Trust Management Issue Vulnerability

Source
Associated Vulnerability
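Title: Super Store Finder Trust Management Issue Vulnerability (CVE-2023-41508)
Description: Super Store Finder is an easy-to-use Google Maps API store locator from the company Super Store Finder. Super Store Finder v3.6 contains a security vulnerability that stems from the use of a hard-coded password.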
Description
CVE-2023-41508 - A hard-coded password in Super Store Finder v3.6 allows attackers to access the administration panel.
Readme
# CVE-2023-41508
CVE-2023-41508 - A hard-coded password in Super Store Finder v3.6 allows attackers to access the administration panel.

## Vulnerability Type
Incorrect Access Control

## Vendor of Product
[Super Store Finder](https://superstorefinder.net/)

## Affected Product Code Base
Super Store Finder - Affected: version 3.6 or below. Fixed in version 3.7.

## CVSS v3.1 Vector (Base Score)
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

## Affected Component
Affected Web admin console

## Attack Type
Remote

## Impact Denial of Service
true

## Impact Escalation of Privileges
true

## Impact Code execution
true

## Attack Vectors
The default admin credentials (admin/password) are hardcoded, which defeats the purpose of authentication.
In addition, the default admin username and password cannot be changed.

**Screenshot of the hardcoded password (admin/password)**
![Screenshot of the hardcoded password (admin/password)](/assets/images/admin01.png)

**Screenshot of the Proof-of-Concept to inject stored cross-site scripting (XSS) due to the absence of input validation for the admin panel**
![Screenshot of the Proof-of-Concept to inject stored cross-site scripting (XSS) in the admin panel](/assets/images/admin03.png)

**Screenshot of the Proof-of-Concept to trigger stored cross-site scripting (XSS)**
![Screenshot of the Proof-of-Concept to trigger stored cross-site scripting (XSS)](/assets/images/admin02.png)

## Patch Notes
[https://superstorefinder.net/support/forums/topic/super-store-finder-patch-notes/](https://superstorefinder.net/support/forums/topic/super-store-finder-patch-notes/)
File Snapshot

[4.0K] /data/pocs/a6b02f66c6417d26efa9aadc452d40e674005252
├── [4.0K] assets
│   └── [4.0K] images
│       ├── [123K] admin01.png
│       ├── [ 61K] admin02.png
│       ├── [ 16K] admin03.png
│       └── [ 14] note.md
├── [ 11K] LICENSE
└── [1.5K] README.md

2 directories, 6 files