Explore Vulnerabilities

Explore all Exploits:

Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability

This module exploits a vulnerability found in Cisco Firepower Management Console. The management system contains a configuration flaw that allows the www user to execute the useradd binary, which can be abused to create backdoor accounts. Authentication is required to exploit this vulnerability.

Zeroshell – Net Services Unauthenticated Remote Code Execution | RCE

Zeroshell is a small Linux distribution for servers and embedded devices that aims to provide network services. It is available as a live CD or CompactFlash image and can be configured using a web browser. The main features of Zeroshell include: load balancing and failover of multiple Internet connections, UMTS/HSDPA connections by using 3G modems, a RADIUS server for providing secure authentication and automatic management of encryption keys to wireless networks, a captive portal to support web login, and many others. Three RCE vulnerabilities were discovered in Zeroshell, which allow an attacker to execute arbitrary code on the vulnerable system without authentication. The first vulnerability is triggered by a GET/POST request to the ‘/cgi-bin/kerbynet’ page with the ‘User’ parameter set to a malicious payload. The second is triggered by a GET request to the ‘/cgi-bin/kerbynet’ page with the ‘x509type’ parameter set to a malicious payload. The third is triggered by a GET request to the ‘/cgi-bin/kerbynet’ page with the ‘Object’ parameter set to a malicious payload.

D-Link DIR-615 Multiple Vulnerabilities

The 'apply.cgi' file was vulnerable to Open Redirection and XSS. Many other CGI files on the router also use this functionality in 'apply.cgi', for example the 'ping_response.cgi' file. The exploit code for Open Redirection and XSS is provided in the text.

iTechscripts Freelancer Script v5.11 (sk) SQL Injection Vulnerability

A SQL injection vulnerability exists in iTechscripts Freelancer Script v5.11 (sk) which allows an attacker to gain access to the admin panel of the application. The vulnerability is due to the lack of proper input validation in the 'sk' parameter of the 'category.php' page. An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable parameter.

Recent Exploits: