Lucene search
K

67 matches found

myhack58
myhack58
added 2013/07/24 12:0 a.m.19 views

SDCMS background to bypass directly into the,A not common design mistakes case study-vulnerability warning-the black bar safety net

Brief description: SDCMS background to bypass directly into the: test version 2. 0 beta2 other versions not tested Detailed description: Islogin //determine login method sub islogin if sdcms. strlenadminid=0 or sdcms. strlenadminname=0 then dim t0,t1,t2 t0=sdcms. getintsdcms. loadcookie"adminid",...

0.4AI score
Exploits0
seebug.org
seebug.org
added 2013/07/22 12:0 a.m.201 views

SDCMS某处设计缺陷导致遍历任意文件内容

简要描述: SDCMS某处设计缺陷导致遍历任意文件内容 详细说明: 1、首先看看缺陷文件: 文件/sdcms/admin/sdtheme.asp ...... 第138行: case "edit" dim filename:filename=sdcms.fget"filename",0 if notsdcms.checkstrfilename,"filename" then sdcms.echo "filename is wrong" sdcms.die end if if notsdcms.isfile"../theme/"&filename then sdcms.echo...

7AI score
Exploits0
seebug.org
seebug.org
added 2013/07/22 12:0 a.m.16 views

SDCMS某功能限制不严导致可CSRF劫持账户

简要描述: SDCMS邮件绑定csrf可劫持账户 详细说明: 1、在SDCMS的邮件绑定处,未作任何防御,导致csrf None 2、我们在本地打开poc: 3、然后看看邮箱,成功修改: 4、由于通过csrf可以绑定任意用户任意邮箱,所以可以通过找回密码,发送密码到我们绑定的邮箱中,从而劫持会员账户。 漏洞证明: 见详细说明...

7.1AI score
Exploits0
seebug.org
seebug.org
added 2013/04/24 12:0 a.m.37 views

SDCMS后台绕过直接进入,一种不常见的设计失误案例

简要描述: SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试 详细说明: Islogin //判断登录的方法 sub islogin if sdcms.strlenadminid=0 or sdcms.strlenadminname=0 then dim t0,t1,t2 t0=sdcms.getintsdcms.loadcookie"adminid",0 loadcookie t1=sdcms.loadcookie"islogin" t2=sdcms.loadcookie"loginkey" if sdcms.strlent0=0 or...

7.1AI score
Exploits0
myhack58
myhack58
added 2012/11/08 12:0 a.m.17 views

SDCMS through the kill exploit tool and provide the right to take SHELL-vulnerability warning-the black bar safety net

Author: T00LS Ghost brother Vulnerability file: background catalog/index. asp Sub Check Dim username,password,code,getcode,Rs IF Checkpost Then Echo "1 is prohibited from an external submit data!": Exit Sub username=FilterTextTrimRequest. Form"username",1 password=FilterTextTrimRequest...

7.4AI score
Exploits0
seebug.org
seebug.org
added 2012/06/12 12:0 a.m.22 views

sdcms过滤不严

简要描述: 最新的SDCMS可以通过程序后台自动创建目录,从而拿到网站权限 详细说明: 以Sdcms1.3.1为例子 在后台,出现模版功能,可创建文件夹及文件. 看图. 现在创建1个文件夹 OK了,但是过滤掉了部分. 文件夹无办法了,那么试下文件呢. 1.asp;1.htm 直接提示 失败 找到系统设置功能,点上传类型,增加asp类型asp,aaspsp,asasa,aasasa,全部失败 继续修改上传目录为1.asp 然后直接在文章页面上传jpg程序, 利用IIS 解析漏洞,成功执行. 可以直接用菜刀就可以了。...

7.1AI score
Exploits0
myhack58
myhack58
added 2010/12/21 12:0 a.m.23 views

Sdcms v1. 3 exploits-exploits warning-the black bar safety net

First, at the following address using the livehttpheader capture to get the COOKIE value: COOKIE: 1Rq4Qz6We6Dbsdcms%5Finfolever=; 1Rq4Qz6We6Dbsdcms%5Falllever=; 1Rq4Qz6We6Dbsdcms%5Fadmin=; 1Rq4Qz6We6Dbsdcms%5Fpwd=; 1Rq4Qz6We6Dbsdcms%5Fname=; 1Rq4Qz6We6Dbsdcms%5Fid=;...

7.1AI score
Exploits0
Rows per page
Query Builder