6 matches found
SQL Injection Vulnerability in Material Management System of Sunshine Printing Website
Sunshine Printing is an enterprise non-core affairs procurement platform, providing one-stop procurement services for customized products required in office, marketing, packaging and logistics, business gifts and other scenarios for enterprise users. SQL injection exists in the material managemen...
Bravo Tejari Web Portal - Cross-Site Request Forgery Vulnerability
Exploit for multiple platforms in category web applications. Exploit Title: Bravo Tejari Web Portal-CSRF CVE-ID: CVE-2018-7216 Vulnerability Type: Cross Site Request Forgery CSRF Vendor of Product: Tejari Affected Product Code Base: Bravo Solution Affected Component: Web Interface Management. Attac...
Bravo Tejari Web Portal Cross Site Scripting
Exploit Title: Bravo Tejari Web Portal-CSRF CVE-ID: CVE-2018-7216 Vulnerability Type: Cross Site Request Forgery CSRF Vendor of Product: Tejari Affected Product Code Base: Bravo Solution Affected Component: Web Interface Management. Attack Type: Local - Authenticated Impact: Unauthorised Access...
Arbitrary File Inclusion Vulnerability in e-Procurement Platform of Beijing Yizaitong Information Technology Co.
The e-procurement platform of Beijing Yizaitong Information Technology Co., Ltd. is a system for online procurement transactions. A file inclusion vulnerability exists in the e-procurement platform of Beijing Yizaitong Information Technology Co., Ltd., which attackers can exploit to download...
A generic e-procurement platform allows enumeration of user and administrator account passwords
Brief description: as the title says. Details: vulnerabilities found earlier by others: WooYun: SQL injection in a generic e-procurement platform (affecting many enterprises); WooYun: arbitrary file upload vulnerability in a generic e-procurement platform, GETSHELL; WooYun: generic e-procurement platform, from a directory traversal to arbitrary file upload GetShell. I am joining in as well. It is an old problem: access control. Proof of vulnerability: the demonstration target is a listed company, http://cg.jishimedia.com. First register an account; after logging in, open the password change page. Viewing the page source at this point reveals the current user's password. Capture the request with Burp Suite, send it to Intruder and iterate UserID over 0000-9999 to obtain the names, usernames and passwords of all personnel, including administrators. Admin backend...
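The report above describes two defects that combine into a mass credential leak: the password change page loads the profile named by a client-supplied UserID rather than the session, and it pre-fills the stored password into the form so it appears in the HTML source. The following is an added example, not code from the report or from the platform: a minimal model of that handler next to a hardened one, plus the enumeration loop the report performs with Intruder. The user store, IDs, passwords and form field names are constructed sample data.

```python
"""Added example: model of the UserID access-control flaw and its fix.
All users, IDs, passwords and field names below are constructed."""
import html
import re

# Constructed sample store: UserID -> (username, full name, password).
# Plaintext storage is kept only to model the flaw the report describes.
USERS = {
    "0001": ("admin", "Administrator", "Adm1n!2015"),
    "0002": ("zhangsan", "Zhang San", "zs123456"),
    "0003": ("lisi", "Li Si", "lisi2015"),
}


def vulnerable_password_page(session_user_id: str, query: dict) -> str:
    """Vulnerable pattern: trusts the UserID request parameter over the
    session and pre-fills the stored password, so it lands in the source."""
    user_id = query.get("UserID", session_user_id)  # attacker-controlled
    if user_id not in USERS:
        return "<html><body>user not found</body></html>"
    username, name, password = USERS[user_id]
    return (
        "<html><body><form method=post action='ChangePwd.aspx'>"
        f"<input type=hidden name=UserID value='{html.escape(user_id)}'>"
        f"<input name=UserName value='{html.escape(username)}' readonly>"
        f"<input name=RealName value='{html.escape(name)}' readonly>"
        f"<input type=password name=OldPwd value='{html.escape(password)}'>"
        "<input type=password name=NewPwd>"
        "</form></body></html>"
    )


def hardened_password_page(session_user_id: str, query: dict) -> str:
    """Fixed pattern: identity comes only from the authenticated session,
    any UserID parameter is ignored, and the stored password is never
    emitted; the user must type the old password."""
    if session_user_id not in USERS:
        return "<html><body>not authenticated</body></html>"
    username, name, _password = USERS[session_user_id]
    return (
        "<html><body><form method=post action='ChangePwd.aspx'>"
        f"<input name=UserName value='{html.escape(username)}' readonly>"
        f"<input name=RealName value='{html.escape(name)}' readonly>"
        "<input type=password name=OldPwd value=''>"
        "<input type=password name=NewPwd>"
        "</form></body></html>"
    )


PWD_RE = re.compile(r"name=OldPwd value='([^']*)'")
USER_RE = re.compile(r"name=UserName value='([^']*)'")


def enumerate_credentials(page_fn, session_user_id: str, id_range: range) -> dict:
    """Model of the Intruder run: iterate UserID over a numeric range and
    scrape username/password pairs from each response. Against the
    vulnerable handler this recovers every account; against the hardened
    one it recovers nothing."""
    found = {}
    for n in id_range:
        user_id = f"{n:04d}"
        body = page_fn(session_user_id, {"UserID": user_id})
        pwd = PWD_RE.search(body)
        user = USER_RE.search(body)
        if pwd and user and pwd.group(1):
            found[user_id] = (html.unescape(user.group(1)),
                              html.unescape(pwd.group(1)))
    return found


if __name__ == "__main__":
    # A low-privilege session (user 0002) sweeping a small ID range.
    print("vulnerable:", enumerate_credentials(vulnerable_password_page, "0002", range(0, 10)))
    print("hardened:  ", enumerate_credentials(hardened_password_page, "0002", range(0, 10)))
```

The fix is two independent controls: bind the record to the session (so the UserID parameter is not an authorization input at all), and never return a secret the browser does not need to render the page. Either one alone would have prevented the mass dump; the report shows both missing.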
A generic e-procurement platform has an arbitrary file upload vulnerability, GETSHELL
Brief description: Details: 1. Look at the vulnerability submitted earlier: WooYun: SQL injection in a generic e-procurement platform (affecting many enterprises) describes an injection flaw; on closer study I found that an editor component allows arbitrary file upload, which can lead to mass Getshell with very high impact. Vendor: http://www.ng.com/ Beijing Wangda Xinlian Technology Development Co., Ltd. Keywords (not very well constructed): 2. Getshell vulnerability. /ftb.imy.aspx allows asp files to be uploaded directly. Proof of vulnerability: [Notice: the following cases are provided only for CNCERT and CNVD to reproduce and test; others may not use them for malicious damage, and bear the consequences otherwise!] 3. Case tests:...
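The report above says the editor's upload endpoint accepts .asp files as-is, which on an ASP.NET host means the uploaded file is executable. The following is an added example, not the platform's code or the reporter's: the server-side validation an editor upload handler of this kind should apply, written as a deny-by-default allowlist keyed on both the final extension and the file signature, with the stored filename chosen by the server. It assumes the editor only needs to accept images; the sample filenames and byte strings are constructed.

```python
"""Added example: upload validation of the kind the editor endpoint lacks.
Assumes the editor only needs images; samples are constructed."""
import os
import secrets

# Allowlist: extension -> required leading bytes (file signature).
# Server-side script extensions are never present; anything not listed is
# rejected, so there is no blocklist to bypass with a new extension.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Only the final extension and the file
    signature are inputs; the client-sent Content-Type is deliberately
    ignored because the attacker controls it."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or NUL in filename"
    base = os.path.basename(filename)
    _stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if not content.startswith(ALLOWED[ext]):
        return False, "file signature does not match extension"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name: random stem plus the (already validated)
    lowercased extension, so the client never picks what lands on disk."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples: one legitimate PNG, several attempts to smuggle
    # an ASP script past the check, and a path traversal attempt.
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "shell.asp": b'<%eval request("c")%>',
        "shell.asp;.jpg": b'<%eval request("c")%>',
        "shell.jpg": b'<%eval request("c")%>',
        "../web.config": b"<configuration/>",
    }
    for name, data in samples.items():
        ok, reason = validate_upload(name, data)
        print(f"{name!r:20} -> {ok} ({reason})")
        if ok:
            print("   stored as", stored_name(name))
```

Checking the extension alone is not enough: a renamed script such as shell.jpg passes an extension test, so the signature check and a server-chosen filename are what keep the upload directory free of anything the web server would execute. Serving the upload directory with script execution disabled is a separate, complementary control that this example does not cover.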