CVE-2018-6410
Published 2018-05-26
CVE-2018-6410: An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
Priority P263, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.97% (91.1th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | |
| machform | machform | — | — |
Detection & IOCs (extracted from sources)
url: download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
command: el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT 0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) ;&id=1&hash=1&form_id=1
- Detect path traversal attempts in download.php responses by looking for sequences of '../' in the decoded 'q' parameter's 'el' field value.
- Use Google dorks to identify exposed MachForm instances: search for 'machform' inurl:"view.php" or 'machform' inurl:"embed.php".
- Monitor for PHP webshell uploads in the MachForm data/form_*/files/ directory path, which is the known upload destination for bypassed file uploads.
- The vulnerable SQL statement directly interpolates $field_name and $form_id into the query string, meaning stacked queries and error-based techniques are viable in addition to time-based blind injection — detection should cover all three classes.
- File upload bypass only applies when the form's upload filter is configured as a whitelist ('allow' mode); blacklist-configured forms are not directly vulnerable to the upload bypass without first exploiting the SQLi to change the filter setting.
CVSS provenance
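| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |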
GHSA
GHSA-ph64-vv6r-8php: An issue was discovered in Appnitro MachForm before 4
ghsa_unreviewed·2022-05-13
CVE-2018-6410 [CRITICAL] CWE-89 GHSA-ph64-vv6r-8php: An issue was discovered in Appnitro MachForm before 4
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
Chrome
Stable Channel Update for Desktop: CVE-2020-6409
vendor_chrome·2020-02-04·CVSS 8.8
CVE-2020-6409 [LOW] Stable Channel Update for Desktop: CVE-2020-6409
Stable Channel Update for Desktop
CVE-2020-6409: Inappropriate implementation in Omnibox. Reported by Divagar S and Bharathi V from Karya Technologies on 2019-12-26
[$500][ 881675 ] Low CVE-2020-6410: Insufficient policy enforcement in navigation
Reported by evi1m0 of Bilibili Security Team on 2018-09-07
Severity: low
No detection rules found.
No writeups or analysis indexed.
- https://metalamin.github.io/MachForm-not-0-day-EN/
- https://www.exploit-db.com/exploits/44804/
- https://www.machform.com/blog-machform-423-security-release/