Skip to content

Instantly share code, notes, and snippets.

View victomteng1997's full-sized avatar

Grey D victomteng1997

13 followers · 11 following
View GitHub Profile
@victomteng1997
victomteng1997 / Rukovoditel_CVE_submission.md
Last active April 5, 2021 06:01
Two CSRF vulnerabilities identified at Rukovoditel Project Management App

The official github of the project is: https://github.com/Rukovoditel/Rukovoditel, but hasn't been updated for a long time. The source code of the software can be downloaded at: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_2.8.3.zip/download

Vulnerabilities description

  1. Attacker may exploit the CSRF vulenrability to add user with admin privilege. Process: (1) Admin login to his own account with correct credential. (2) The advesary crafts the following web page with an username "admin2" and password "admin2", and hosts it online.
<html>
@victomteng1997
victomteng1997 / GilaCMSFileUpload.md
Last active June 1, 2021 16:02
Gila CMS Unrestricted File Upload (<2.0.1)

Gila CMS (https://github.com/GilaCMS/gila) is an opensource CMS webapp. A vulnerability is found to upload arbitrary file by Gila CMS Session component for versions before 2.0.1, which may result in more serious issue.

Here we take Gila version 1.5.3 as example: https://github.com/GilaCMS/gila/tree/85e7052a90523127bb1759969fb180131e7de90d. Versions below 2.0.0 (including) are tested.

The problem is at Session.php: https://github.com/GilaCMS/gila/blob/85e7052a90523127bb1759969fb180131e7de90d/src/core/classes/Session.php, where the path is not properly filtered when saving session files. User can then pass data through User-Agent parameter and Cookie parameter.

  public static function createFile($gsession)
  {
    $data = [
@victomteng1997
victomteng1997 / GilaCMSFileDeletion.md
Last active June 2, 2021 14:45
Gila CMS v2.0.1 Unrestricted File Deletion

Gila CMS (https://github.com/GilaCMS, https://gilacms.com/) v2.0.1 below is vulenrable to an arbitrary file deletion attack, where attacker can delete arbitrary files from the remote server by sending a malicious crafted GET request. In this version, a previous unrestricted file upload vulnerability (https://gist.github.com/victomteng1997/73cf75b97829a153b5100fddde9b1290) is patched, but the webapp is still vulnerable.

Take Gila CMS v2.0.1 (https://github.com/GilaCMS/gila/tree/2c9baf5bf4a1aa308482655b0df2a7dbc21180fa) as example: The vulenrable component is at src/core/classes/Session.php:

if (isset($_COOKIE['GSESSIONID'])) {
        if (!file_exists(LOG_PATH.'/sessions/'.$_COOKIE['GSESSIONID'])) {
          User::metaDelete(self::userId(), 'GSESSIONID', $_COOKIE['GSESSIONID']);
          self::destroy();
@victomteng1997
victomteng1997 / GilaCMS_XSS.md
Last active June 3, 2021 13:23
GilaCMS XSS (latest version below 2.1.0)
@victomteng1997
victomteng1997 / SeoPanel_SQL_Injection.md
Last active June 7, 2021 10:04
Seo Panel 4.9.0 and below SQL Injection

Seo Panel SQL Injection Vulnerability

SeoPanel Official Website: https://www.seopanel.org/

Github: https://github.com/seopanel/Seo-Panel

Latest version 4.9.0: https://www.seopanel.org/spdownload/, https://github.com/seopanel/Seo-Panel/tree/7c107c789be74bdb284f857cd6a51877f0e0c11b, or the file attached to this gist below.

vulnerability description:

In api/user.api.php, the function getUserName directly calls function __checkUserName in controllers/user.ctrl.php file without filtering on variables. Attacker can pass arbitrary string to username variable through $info. This allows injection to the __checkUsername function directly:

@victomteng1997
victomteng1997 / 1_block_sql_injection_sql_result.png
Last active July 22, 2021 05:41
NavigateCMS CVE
1_block_sql_injection_sql_result.png