The Point of Sales 1.0 application is vulnerable to SQL Injection in the 'username' parameter. An attacker can inject malicious SQL code in the 'username' parameter and execute it in the backend database. This can be exploited to gain unauthorized access to the application and the underlying database.
An attacker can exploit a SQL injection vulnerability in Gym Management System 1.0 by sending a maliciously crafted HTTP request to the vulnerable parameter 'id'. The attacker can use the UNION operator to append a maliciously crafted SQL query to the existing query and extract sensitive information from the database, such as the database name and version.
Ankita Pal discovered a stored cross-site scripting vulnerability in lot reservation management system 1.0. By sending a malicious request with a payload of <script>alert("XSS")</script> in the Name and Discription fields, an attacker can execute arbitrary JavaScript code in the context of the victim's browser.
An authentication bypass vulnerability exists in lot reservation management system 1.0. By using the payload ' or 1=1 limit 1 -- -+ for both username and password, an attacker can bypass authentication and gain access to the application as an admin.
The User Registration & Login and User Management System 2.1 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to the admin panel by sending a malicious HTTP request to the update-profile.php page. The attacker can then use the GROUP_CONCAT() function to extract the admin credentials from the database.
Stock Management System 1.0 is vulnerable to SQL Injection. This vulnerability can be exploited by sending malicious SQL queries to the application. An attacker can use this vulnerability to gain access to sensitive information such as user credentials, emails, etc. from the database.
This exploit is used to exploit a Remote Code Execution vulnerability in a web application. It takes the URL, username, password, listener IP and listener port as arguments and sends a payload to the web application which is then executed on the server. The payload contains a command to open a reverse shell to the specified IP and port.
This exploit is for Tiki Wiki CMS Groupware 21.1. It is a PoC for CVE-2020-15906. It uses a request to the tiki-login_scr.php page with the admin username and password to log in as admin. It then sends a request to the tiki-admin.php page to get the admin token. Finally, it sends a request to the tiki-login.php page with the admin username, password, and token to bypass authentication.
A persistent cross-site scripting vulnerability exists within the 'Brand Name' parameter in the edit brand function. This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Brand Name value expected.
A persistent cross-site scripting vulnerability exists within the 'Product Name' parameter in the Edit Product function. This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Product Name value expected.
Services By CQR