The vulnerable script /html/ajax_search.php reads a search parameter with $search = mres($_REQUEST['search']);, which accepts user input via $_REQUEST. The mres() function is located in /includes/common.php and calls mysqli_real_escape_string(), which can be bypassed with '%'. The PoC involves logging into LibreNMS and requesting /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules, which results in an SQL syntax error.
An attacker can bypass the login page and access the dashboard page by sending a POST request with the username and password parameters set to '=''or'.
The Victor CMS v1.0 application is vulnerable to SQL injection via the 'post' parameter on the post.php page. The back-end DBMS is MySQL, and the web application technology is PHP, Apache 2.4.39, PHP 7.2.18. An attacker can exploit this vulnerability by sending a malicious payload to the 'post' parameter. The payload can use boolean-based blind, error-based, time-based blind, or UNION query injection.
WordPress plugin Simple File List version 4.2.2 is vulnerable to Remote Code Execution. An attacker can exploit this vulnerability by uploading a malicious file and then moving it to a web-accessible directory. The attacker can then execute arbitrary code on the vulnerable system.
A persistent input validation web vulnerability has been discovered in the official Sentrifugo v3.2 CMS web application series. The vulnerability allows remote attackers to inject their own malicious script code, with a persistent attack vector, to compromise browser-to-web-application requests from the application side. The persistent vulnerability is located in the `expense_name` parameter of the `/expenses/expenses/edit` module in the `index.php` file. Remote attackers with low privileges are able to inject their own malicious persistent script code as an expense entry. The injected code can be used to attack the frontend or backend of the web application. The request method to inject is POST, and the attack vector is located on the application side. Expense entries can also be reviewed in the backend by higher-privileged accounts. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of affected application modules.
This exploit allows an attacker to execute arbitrary code on the vulnerable Pi-hole server. The exploit requires the attacker to have an authenticated session token, the target's URL, the attacker's IP address, and the port on which to listen for the reverse shell. The exploit uses a Python3 reverse-shell one-liner to execute the code.
The Online AgroCulture Farm Management System v1.0 application is vulnerable to SQL injection via the 'pid' parameter on the review.php page. The application is vulnerable to boolean-based blind, error-based, time-based blind, and UNION query injection attacks. The back-end DBMS is MySQL, and the web application technology is PHP, Apache 2.4.39, PHP 7.2.18.
Pisay Online E-Learning System v1.0 is vulnerable to SQL Injection and Remote Code Execution (RCE). An attacker can bypass authentication by providing crafted user_email and user_pass parameters to the login.php page. This can be exploited to execute arbitrary code on the server by sending a crafted request to the webshell.php page.
Open Products.php and select any product. Fill in the details. Create a PHP shell with the script <?php echo shell_exec($_GET['e'].' 2>&1'); ?>. Click on "Upload Image". Select the PHP file. Click "Submit". Access the URL http://localhost/online%20Clothing%20Store/Products/shell.php?e=dir. System commands passed in the e parameter are executed.
An attacker can inject malicious SQL code into the 'username' parameter of the School File Management System 1.0 application. By sending a specially crafted request, an attacker can retrieve the database name and MariaDB version.