CVE-2022-36637 The Garage Management System v1.0 had a XSS vulnerability via the brand_name parameter.

An attacker can inject malicious code into the database to steal database credentials, reveal sensitive information, or deploy a malicious plugin to the website. In the example below, an out of bounds (OOB) read vulnerability has been identified in the database where an administrator's password value is stored. Exploitation of this issue may allow remote attackers to gain access to the database and take control of the website. a onclick="alert(\"XSS\")">XSS/a> img src='database_conn.php?brand_name=&username=&password=&host=127.0.0.1&port=3306&db=&mode=view&table=user&where=1'> An attacker can also inject an arbitrary command into the website via the brand_name parameter at /brand.php. In the example below, a command has been injected into the website that will execute a bash script and download and install a malicious plugin from an attacker-controlled server. a onclick="alert(\"XSS\")">XSS/a> img src='database_conn.php?brand_name=&username=&password=&host=127.0.0.1&port=3306&db=&mode=view&table=user&where=1&cmd=bash -s /pentestlab/malicious_script.sh'>

How do I know if my website is vulnerable?

If you are using database to store your website's data, you may be vulnerable to this issue.

Injection Tokens

An injection token is a string of characters used to indicate that this particular injection should be blocked. For example, if you wanted to use JavaScript code to load an image on the website and want it to be blocked by your security measures, you would need to add the following line of code:

SQL Injection

One of the most common types of vulnerabilities is SQL injection. This vulnerability occurs when an attacker uses a crafted SQL query to access data that should not be available for public retrieval. In the example below, a user is querying for their username, which should only be accessible if they have privileges to view it. When this query is executed, the attacker will receive the results and can now view sensitive information such as usernames and passwords in plain text.
a onclick="alert(\"XSS\")">XSS/a> img src='database_conn.php?brand_name=&username=&password=&host=127.0.0.1&port=3306&db=&mode=view&table=user&where=1'>

Timeline

Published on: 09/02/2022 05:15:00 UTC
Last modified on: 09/02/2022 21:50:00 UTC

References

• https://senzee.net/index.php/2022/07/21/vulnerability-of-garage-management-system-1-0/
• https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.htm
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36637