Explore Vulnerabilities

Explore all Exploits:

Aperto Blog 0.1.1 Local File Inclusion and SQL Injection Vulnerabilities

Aperto Blog version 0.1.1 is vulnerable to Local File Inclusion and SQL Injection. The vulnerable files are admin.php, index.php and categories.php. An attacker can exploit these vulnerabilities by sending malicious requests to the vulnerable files. For example, an attacker can send a malicious request to admin.php?action=[LFI] to exploit the Local File Inclusion vulnerability. Similarly, an attacker can send a malicious request to categories.php?id=[SQL] to exploit the SQL Injection vulnerability.

WorkSimple 1.2.1 Remote File Inclusion / Sensitive Data Disclosure

The vulnerable file is /[path]/calendar.php. The $lang variable is not declared, so it can be set directly from GET. Exploit: /[path]/calendar.php?lang=[remote_txt_shell]. Sensitive Data Disclosure: when a user registers, this CMS writes information such as the username and password to a .txt file, so requesting that file discloses sensitive data such as usernames and passwords. Exploit: /[path]/data/usr.txt

Remote Sql Injection CadeNix [index.php]

A SQL injection vulnerability exists in CadeNix Online Games Play Online. An attacker can exploit this vulnerability to gain access to sensitive information such as usernames and passwords. The vulnerability is due to insufficient sanitization of user-supplied input to the 'cid' parameter in the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. Successful exploitation of this vulnerability can result in unauthorized access to sensitive information.

XOOPS Module: Amevents

Amevents is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to manipulate SQL queries by injecting arbitrary SQL code. This may allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Mediatheka <= 4.2 Remote Blind SQL Injection Exploit

This exploit is used to gain access to the Mediatheka application by exploiting a blind SQL injection vulnerability. The exploit sends a request to the connection.php page with a crafted user parameter. If the response time is greater than 6 seconds, the exploit assumes that the crafted parameter was valid and prints the password character corresponding to that ASCII code. This process is repeated for each character in the password.

BabbleBoard v1.1.6 Cookie Grabber Exploit/CSRF

This exploit allows an attacker to steal the cookie of any visitor to the BabbleBoard v1.1.6 website. The attacker registers as a user with a malicious script in their username, which redirects visitors to a cookie grabber page. The cookie grabber page then stores the cookie in a log file. Additionally, the attacker can use Cross Site Request Forgery (CSRF) to execute malicious actions such as deleting categories, deleting groups, banning users, and deleting users.

Free Links Directory Script (id) SQL Injection Vulnerability

The vulnerability exists in the lpro.php file, which is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable file with the parameter 'id' set to '-1 UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11 from users'. This will allow the attacker to view the usernames and passwords of all users in the database.

eZ Publish privilege escalation and weak activation token for new user exploit

eZ Publish is vulnerable to privilege escalation and uses a weak activation token for new users. The vulnerability is present in versions >= 3.5.6 and is resolved in 3.9.5, 3.10.1, 4.0.1. The vulnerable code in version 3.9.2 is $hash = md5( mktime( ) . $user->attribute( 'contentobject_id' ) ) and in version 4.0.1 is $hash = md5( time() . $user->attribute( 'contentobject_id' ) ). The exploit is run as the script eZPublish_create_admin_exploit.php with the required parameters -u, -p, -s and optional parameters -e and -t.

CARateMySite 1.0 – Directory Traversal Vulnerability

CARateMySite version 1.0 suffers from a directory traversal vulnerability. This allows an attacker to read arbitrary files from the web server. The vulnerability is due to a lack of proper sanitization of user-supplied input to the '_private/CARateMySite.mdb' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal characters.

Recent Exploits: