
@LioTree
LioTree / CVE-2024-28421.md
Last active March 21, 2024 22:19
SQLi vulnerability in Razor

A SQL injection vulnerability in Razor v0.8.0.

In https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/autoupdate.php#L187, $description is controlled by users and has few restrictions on its format.

// Validation rules for the update-log form: 'description' is only trimmed, required and passed through xss_clean,
// which does nothing to restrict characters that matter for SQL (quotes, comment sequences).
$this->form_validation->set_rules('description', lang('v_man_au_updateLog'), 'trim|required|xss_clean');
$this->form_validation->set_rules('versionid', lang('v_man_au_versionID'), 'trim|required|xss_clean|callback_versionid_check');
//......
// The user-controlled value is read here and later reaches the SQL statement unchanged.
$description = $this->input->post('description');

A SSRF vulnerability in gleezcms 1.20.

If `://` is present in the URL path, GleezCMS uses the cURL library to send a request to a destination specified by the attacker.

POC:

https://gleezcms.org/http%3A%2F%2Fwww.google.com
https://gleezcms.org/gopher%3A%2F%2F127%2E0%2E0%2E1%3A9000%2F%5Ftest
@LioTree
LioTree / CVE-2024-33444.md
Last active April 28, 2024 09:09
SQLi vulnerability in onethink
@LioTree
LioTree / CVE-2024-33445.md
Last active April 28, 2024 09:10
Code injection vulnerability in hisiphp
@LioTree
LioTree / CVE-2024-31822.md
Last active April 28, 2024 12:45
CVE-2024-31822

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

version: before commit d22b54e ("Vulnerability fixes from Lion Tree") in kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

A code injection (CWE-94) vulnerability is in application/modules/admin/controllers/advanced_settings/Languages.php. In the saveLanguageFiles method, each element of $_POST['php_keys'] is escaped with htmlentities and enclosed in single quotes to form a key of $lang. However, htmlentities does not escape the single quote (') by default, which allows the attacker to break out of the quoted string and inject PHP code, leading to authenticated remote code execution.

private function saveLanguageFiles()
@LioTree
LioTree / CVE-2024-31823.md
Created April 28, 2024 12:35
CVE-2024-31823
@LioTree
LioTree / CVE-2024-31821.md
Last active April 28, 2024 12:44
CVE-2024-31821

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

version: before commit d22b54e ("Vulnerability fixes from Lion Tree") in kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

A second-order SQL injection vulnerability is in the manageQuantitiesAndProcurement method of application/modules/admin/models/Orders_model.php. The values $product['product_quantity'] and $product['product_info']['id'] are inserted into SQL statements without any sanitization. Both values come from a previous query result, and users can control them through the setOrder method of application/models/Public_model.php, which leads to a SQL injection.

@LioTree
LioTree / CVE-2024-31820.md
Created April 28, 2024 12:43
CVE-2024-31820

vendor: kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

version: before commit d22b54e ("Vulnerability fixes from Lion Tree") in kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

A file inclusion vulnerability is in the getLangFolderForEdit method of application/modules/admin/controllers/advanced_settings/Languages.php. By controlling $_GET['editLang'], the attacker can make the server include .php files under a specific directory. The attacker can use CVE-2024-31821 to write malicious PHP code into log-xxxx.php and then use this vulnerability to include PHP files under application/logs/ (at this point BASEPATH has already been set, which bypasses the check at the beginning of the log file), which leads to remote code execution.

@LioTree
LioTree / PicUploader_sqli1.md
Last active May 2, 2024 22:36
PicUploader HistoryController::getList SQL injection