Grey D victomteng1997
victomteng1997 / SeoPanel_SQL_Injection.md
Last active Jun 7, 2021
Seo Panel 4.9.0 and below SQL Injection

Seo Panel SQL Injection Vulnerability

SeoPanel Official Website: https://www.seopanel.org/

Github: https://github.com/seopanel/Seo-Panel

Latest version 4.9.0: https://www.seopanel.org/spdownload/, https://github.com/seopanel/Seo-Panel/tree/7c107c789be74bdb284f857cd6a51877f0e0c11b, or the file attached to this gist below.

Vulnerability description:

In api/user.api.php, the function getUserName calls the function __checkUserName in controllers/user.ctrl.php directly, without filtering its arguments. An attacker can pass an arbitrary string to the username variable through $info, which allows injection into the __checkUsername function directly:

victomteng1997 / GilaCMS_XSS.md
Last active Jun 3, 2021
GilaCMS XSS (latest version below 2.1.0)
victomteng1997 / GilaCMSFileDeletion.md
Last active Jun 2, 2021
Gila CMS v2.0.1 Unrestricted File Deletion

Gila CMS (https://github.com/GilaCMS, https://gilacms.com/) v2.0.1 and below is vulnerable to an arbitrary file deletion attack, where an attacker can delete arbitrary files from the remote server by sending a maliciously crafted GET request. In this version, a previous unrestricted file upload vulnerability (https://gist.github.com/victomteng1997/73cf75b97829a153b5100fddde9b1290) is patched, but the web app is still vulnerable.

Take Gila CMS v2.0.1 (https://github.com/GilaCMS/gila/tree/2c9baf5bf4a1aa308482655b0df2a7dbc21180fa) as an example. The vulnerable component is at src/core/classes/Session.php:

if (isset($_COOKIE['GSESSIONID'])) {
    if (!file_exists(LOG_PATH.'/sessions/'.$_COOKIE['GSESSIONID'])) {
        User::metaDelete(self::userId(), 'GSESSIONID', $_COOKIE['GSESSIONID']);
        self::destroy();
victomteng1997 / GilaCMSFileUpload.md
Last active Jun 1, 2021
Gila CMS Unrestricted File Upload (<2.0.1)

Gila CMS (https://github.com/GilaCMS/gila) is an open-source CMS web app. A vulnerability in the Gila CMS Session component allows arbitrary file upload in versions before 2.0.1, which may lead to more serious consequences.

Here we take Gila version 1.5.3 as an example: https://github.com/GilaCMS/gila/tree/85e7052a90523127bb1759969fb180131e7de90d. Versions up to and including 2.0.0 were tested.

The problem is in Session.php: https://github.com/GilaCMS/gila/blob/85e7052a90523127bb1759969fb180131e7de90d/src/core/classes/Session.php, where the path is not properly filtered when saving session files. A user can then pass data through the User-Agent and Cookie request headers.

  public static function createFile($gsession)
  {
    $data = [
victomteng1997 / Rukovoditel_CVE_submission.md
Last active Apr 5, 2021
Two CSRF vulnerabilities identified at Rukovoditel Project Management App

The official GitHub repository of the project is https://github.com/Rukovoditel/Rukovoditel, but it hasn't been updated for a long time. The source code of the software can be downloaded at: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_2.8.3.zip/download

Description of the vulnerabilities

  1. An attacker may exploit the CSRF vulnerability to add a user with admin privileges. Process: (1) The admin logs in to their own account with correct credentials. (2) The adversary crafts the following web page with the username "admin2" and password "admin2", and hosts it online.
<html>