Any I line CRM permissions, bypass, upload, XSS, SQL injection variety of simple test-vulnerability warning-the black bar safety net

ID MYHACK58:62201441891
Type myhack58
Reporter 佚名
Modified 2014-01-19T00:00:00


Any I line CRM system permissions, bypass, upload, XSS, aSQL injectiona variety of simple test

A company's internal network using this system, The first see you to, see the WEB application could not help but hand base~~

1, upload Personal platform inside the write internal messages when uploading attachments, the many types without filtering, such as asa, cdx, of course, no filter xx. asp;x. jpg this format:

! 1

Find the address:

! 1

Get a shell:

! 1

2, theXSS Occurs in many places, the screenshots for the truncated e-mail message header here:

! 1

3, permissions, bypass

There may be friends do not have employee accounts to the system these are no way to use Ah! Not enough! This app has permission to bypass the~~direct access to: into the write message interface, you can upload, canXSS, and of course a permission to bypass the soon it happens here, a lot of pages have the right to limit bypass:

! 1

[1] [2] next