SQL Injection: An attacker can inject malicious SQL queries into the vulnerable parameter AgentID in the URL http://localhost/script/email.php?AgentID=[SQL]. Authentication Bypass: An attacker can bypass authentication by using username: [real_admin_or_user_name] ' or ' 1=1-- and password: ZoRLu. Remote File Upload: An attacker can upload a malicious file by logging into the application and editing their profile. XSS: An attacker can inject malicious JavaScript code into the vulnerable parameter ListingID in the URL http://localhost/script/email.php?AgentID=&ListingID="><script>alert()</script>
Admin authentication bypass: the admin panel is at http://localhost/[path]/admin/ and the cookie is set with javascript:document.cookie = "adm=1". User authentication bypass: javascript:document.cookie = "logged=[username]". A backup of the database can be downloaded from http://localhost/[path]/admin/backup/db. Login values: username [a_valid_username], password ' OR ' 1=1--. Demo: http://www.hyperstop.com/demo/webhost/; username: testtest; password: ' OR ' 1=1--; javascript:document.cookie = "logged=testtest".
A vulnerability in BandSite CMS 1.1.4 allows an attacker to set a cookie with the name 'login_auth' and value 'true' to gain access to the application.
A vulnerability exists in ScriptsFeed (SF) Recipes Listing Portal which allows an attacker to upload arbitrary files to the server. An attacker can exploit this vulnerability by registering on the website, logging in, clicking on 'Add a Recipe' and adding a recipe. After clicking on 'View your Recipes', the attacker can right-click on the photo and select Properties to copy the photo link. The attacker can then paste the link in the explorer and add the path of the shell to the end of the link. This will allow the attacker to upload the shell to the server and gain access to the server.
A vulnerability in ScriptsFeed (SF) Auto Classifieds Software allows an attacker to upload a malicious file to the server. An attacker can exploit this vulnerability by registering an account on the application, logging in, and then uploading a malicious file to the server. The malicious file can then be accessed via the URL http://localhost/script/cars_images/[id]_logo_your_shell.php
A vulnerability in ScriptsFeed (SF) Real Estate Classifieds Software allows an attacker to upload a malicious file to the server. An attacker can register on the site, log in, and then edit their profile. When they upload a logo, they can right-click on the logo and select Properties to copy the link. The attacker can then paste the link into their browser and upload a malicious file. The malicious file can then be accessed via the URL http://localhost/script/re_images/[id]_logo_your_shell.php
Pi3Web is vulnerable to a denial of service (DoS) whenever an invalid ISAPI module is requested from the server. Requesting the following URL from Pi3Web crashes the server: http://WEB_SITE/isapi/users.txt. The crash is due to insufficient checks on incoming requests. Whenever a file in the ISAPI directory that is not a valid DLL is requested, the server tries to load it into memory as a DLL library and a crash happens.
The Turnkeyforms Web Hosting Directory is vulnerable to an authentication bypass and XSS vulnerability. An attacker can bypass the authentication of the admin panel by setting the 'adm' cookie to '1' and can inject malicious JavaScript code into the 'id' parameter of the 'edit_host', 'edit_cat', and 'edit_news' actions.
Turnkeyforms Local Classifieds is vulnerable to an authentication bypass vulnerability. An attacker can access the admin panel without authentication by accessing the admin.php page. This vulnerability affects all versions of the software.
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable server. The attacker can inject malicious SQL code in the 'id' parameter of the 'code.php' script. This can allow the attacker to gain access to the database and execute arbitrary SQL commands.