cmseasy 存储xss+csrfgetshell

简要描述： 存储xss可打管理员，因为一个有趣的pregreplace函数特性造成getshell。 详细说明： 用官方的demo测试了一遍 官网shell地址：http://test.cmseasy.cn/celive/include/config.inc.php 流程： （1）在bbs发帖。 （2）管理员审核帖子时触发 （3）getshell？（可以用一个csrf getshell，但是此csrf需要登陆过celive，最好的方法就是打到cookie或者修改管理员的密码，然后自己登陆后台getshell） 存储xss位置： 在文件bbs/add-archive.php下...

magento1. 9. 0. 1 PHP object injection analysis-vulnerability warning-the black bar safety net

Original: https://websec.wordpress.com/2014/12/08/magento-1-9-0-1-poi/ The use of unserializefunction to cause code execution vulnerability not new things, but in this article are a few of the more interesting use of points or that technique, although not a common technique, but the idea was good...

CVE-2014-8998

lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the pregreplace function with the eval switch...

Code injection

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted 1 description field or 2 issuelink attribute in an XML file, which is not properly handled when executing the pregreplace function with the e modifier...

MantisBT XmlImportExport Plugin PHP Code Injection

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability', 'Description' = %q This module exploits a post-auth vulnerability...

MantisBT XmlImportExport Plugin PHP Code Injection Exploit

This Metasploit module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed. The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink"...

X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution

No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include...

X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'X7 Chat 2.0.5 lib/message.php pregreplace PHP Code Execution', 'Description' = %q This module exploits a post-auth vulnerability fou...

activeCollab Chat Module Arbitrary PHP Code Execution (CVE-2012-6554)

A code execution vulnerability exists in Chat module for activeCollab.The vulnerability is due to a flaw that is triggered by the pregreplace function.A remote attacker may exploit this vulnerability by evaluating a string with complex curly syntax, allowing for the execution of arbitrary code...

X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'X7 Chat 2.0.5 lib/message.php pregreplace PHP Code Execution', 'Description' = %q This module exploits a post-auth vulnerability fou...

phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities

No description provided by source. waraxe-2013-SA103 - Multiple Vulnerabilities in phpMyAdmin =============================================================================== Author: Janek Vind waraxe Date: 25. April 2013 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-103.html...

phpBB viewtopic.php Arbitrary Code Execution

No description provided by source. $Id: phpbbhighlight.rb 9671 2010-07-03 06:21:31Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of...

vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection Exploit

No description provided by source. require 'msf/core' class Metasploit3 Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initializeinfo = superupdateinfoinfo, 'Name' = 'vBSEO = 3.6.0 procdeutf Remote PHP Code Injection', 'Description' = %q This module exploits a vulnerability in...

DataLife Engine preview.php PHP Code Injection

No description provided by source. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3...

Supernews <= 2.6.1 (noticias.php cat) SQL Injection

No description provided by source. Supernews = 2.6.1 noticias.php cat Remote SQL Injection Google Dork: intext:2003 - 2004 : SuperNews : Todos os direitos reservados Bug discovered by Pr0T3cT10n, [email protected] Date: 31/05/2012 Version: 2.6.1 Software Link:...

Active Collab "chat module" <= 2.3.8 - Remote PHP Code Injection Exploit

No description provided by source. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3...

PHPizabi 0.848b - C1 HFP1 Remote Privilege Escalation Vulnerability

No description provided by source. -------------------------------------------------------------------------------- PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation php.ini independent by Nine:Situations:Group::bookoo...

CVE-2013-5352

Sharetronix 3.1.1.3, 3.1.1, and earlier allows remote attackers to execute arbitrary PHP code via the 1 activitiestext parameter to services/activities/set or 2 commentstext parameter to services/comments/set, which is not properly handled when executing the pregreplace function with the e modifi...

Sharetronix <= 3.1.1 Two PHP Code Injection Vulnerabilities

Sharetronix 3.1.1.3, 3.1.1, and earlier allows remote attackers to execute arbitrary PHP code via the 1 activitiestext parameter to services/activities/set or 2 commentstext parameter to services/comments/set, which is not properly handled when executing the pregreplace function with the e...

CVE-2013-1412

DataLife Engine DLE 9.7 allows remote attackers to execute arbitrary PHP code via the catlist parameter to engine/preview.php, which is used in a pregreplace function call with an e modifier...