67 matches found
CVE-2018-19520
CVE-2018-19520 targets SDCMS 1.6 on PHP 5.x. The admin path app/admin/controller/themecontroller.php uses a check_bad function intended to block certain PHP functions (e.g., eval) but does not block preg_replace with the /e/ modifier, enabling an attacker with admin template access to execute arb...
CVE-2018-19520
An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a checkbad function in an attempt to block certain PHP functions such as eval, but does not prevent use of pregreplace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin...
Cross site request forgery (csrf)
An issue was discovered in SDcms v1.5. Cross-site request forgery CSRF vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add...
CVE-2018-11004
An issue was discovered in SDcms v1.5. Cross-site request forgery CSRF vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add...
CVE-2018-11004
An issue was discovered in SDcms v1.5. Cross-site request forgery CSRF vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add...
CVE-2018-11004
SDcms v1.5 is affected by a Cross-Site Request Forgery (CSRF) in /WWW//app/admin/controller/admincontroller.php that allows a remote attacker to add administrator accounts via m=admin&c=admin&a=add. The issue is identified as CVE-2018-11004. Impact, per the provided data, includes potential unaut...
CVE-2018-11004
An issue was discovered in SDcms v1.5. Cross-site request forgery CSRF vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add...
SQL Injection Vulnerability in SDCMS v1.1 Frontend Message Boards
SDCMS is a PHP 3-in-1 website management system independently developed by Fireworks Network. SDCMS v1.1 version of the foreground message board there are SQL injection vulnerabilities, attackers can use the vulnerability to obtain sensitive database information...
Code Execution Vulnerability in SDCMS Version 1.1
SDCMS is a PHP 3-in-1 website management system independently developed by Fireworks Network. There is a code execution vulnerability in SDCMS V1.1, which can be exploited by attackers to execute code and gain administrative privileges...
Code Execution Vulnerability in SDCMS Frontend
SDCMS is a PHP 3-in-1 website management system independently developed by Fireworks Network. A code execution vulnerability exists in the frontend of SDCMS. An attacker can exploit this vulnerability to elevate user privileges...
SDCMS Search Box SQL Injection Vulnerability
SDCMS is a PHP 3-in-1 website management system independently developed by Fireworks Network. An SQL injection vulnerability exists in the SDCMS search box. The vulnerability stems from failure to filter user input. An attacker can exploit this vulnerability to obtain sensitive information from t...
SDCMS arbitrary file read vulnerability
No description provided by source...
SDCMS front Desk arbitrary file deletion vulnerability
No description provided by source...
SDCMS attachment management plugin arbitrary file deletion vulnerability
No description provided by source...
SDCMS大量网站存在弱口令#Getshell方法
简要描述: RT 详细说明: SDCMS大量网站存在弱口令 默认后台 admin/login.asp 弱口令 admin admin、admin admin888、sdcms sdcms、admin 123456 随便找了个政府站 http://www.qhxjcy.gov.cn/admin/ sdcms sdcms 进后台选择--界面 接着 模板管理----管理模板 选择 sdcmsindex.asp 并插入asp一句话 访问http://www.qhxjcy.gov.cn/index.asp img...
SDCMS论坛存在高危漏洞可getshell,影响其大量系统
简要描述: shell 详细说明: 论坛存在解析漏洞,可利用该漏洞getshell 漏洞证明: 该论坛为aspx类型的论坛,但还可以做php容器可以执行php文件,且存在php解析漏洞。。然后就没有然后了。。。 找到论坛需要注册码:http://bbs.sdcms.cn/,十块钱一个。。。。 屌丝买不起,找到一个手机号昵称的用户:15837309973,手机号当用户名和密码居然登进去了。。 在头像上传处直接上传一张图片马,找到路径:http://bbs.sdcms.cn/max-temp/avatar/28a1ddde7e6a4ecbaf56e54ad06a3406.jpg...
SDCMS 最新门户版 V3.0 储存型xss一枚 可盲打后台
简要描述: 严谨的说 是编辑器xss储存型漏洞 详细说明: 虚拟主机搭建测试: 需要条件: 开启会员注册默认开启 开启投稿功能(默认开启) 下载地址: http://www.sdcms.cn/product/portal.html 默认 开启会员注册 无需审核 原本想在demo上测试的 但是他开启审核了 ---------------------------------------- 注册个会员 找到在线投稿 选择文章模型 远程上传地址处 插入: " 提交 img...
SDCMS somewhere stored xss can hijack administrator-vulnerability warning-the black bar safety net
SDCMS somewhere storage typexss, you can cross into the background directly hijack the administrator The problem or in the short message. Before SDCMS short message exists atxsscan be directly hijack any given user, the Modify bug, but not fix completely, this time to a more ruthless, directly...
SDCMS多处csrf+xss等于管理员
简要描述: SDCMS整个应用都没有防御csrf,结合xss等于管理员了,最新版的也一样 详细说明: 这里主要讲csrf,因为整个应用都没有防御csrf,所以我就挑基础危害较大的吧。 1、添加管理员处: 然后来添加管理员: 抓包,看看添加管理员的请求内容: 然后我们构造好这个添加管理员的表单请求: None 然后把这个csrf.html放到另外一个服务器上x.x.20.199上,利用xss: WooYun: SDCMS某处存储型xss可劫持管理员 然后我们来访问这个短消息,并抓个包看看: https://images.seebug.org/...
SDCMS某处存储型xss可劫持管理员
简要描述: SDCMS某处存储型xss,可跨进后台直接劫持管理员 详细说明: 问题还是在短消息处。 之前SDCMS短消息处存在xss可以直接劫持任意指定用户,这个bug修改了,但是没有修复完全,这次来个更狠的,直接劫持管理员账户。 首先,我们发送短消息给任意存在的用户,这里我们用222222给111111账户发消息: 然后再后台看看: 打开我们刚才发给111111用户的消息,在短消息的内容处,触发xss: 同样可以劫持到完整cookie: 所以,只要我们给消息起一个引人注目的标题,管理员登陆后只要打开此消息查看,就会被劫持,利用起来也很顺利的吧 漏洞证明: 见详细说明...