OzzzyWeb CMS Multiple Vulnerabilities

2019.11.03
z3r0fy (TR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

/***********************************************************************************
** Exploit Title: OzzzyWeb CMS Multiple Vulnerabilities
** Exploit Author: z3r0fy
** Vendor Homepage : http://wwww.ozzzyweb.com/
** Download (Warez) : http://agrovipkimya.com/alfa.zip
** Google Dork : Copyright 2015 @ Ozzzy Akıllı Web Panelleri
** Tested on: ParrotOS
** Demo : http://agrovipkimya.com/
************************************************************************************

WLB 1 : SQL Injection :
http://vulnerabletarget.com/urundetay.php?=[SQL Payload]
Vulnerable Code : Line 367, 365
----------------

WLB 2 : Cross Site Scripting :
http://vulnerabletarget.com/admin/sayfalar/dosya.php?urun_id=[XSS Payload]
Vulnerable Code : Line 95, 19
-------------------------------

WLB 3 : Admin Authentication Bypass
http://vulnerabletarget.com/admin/anasayfa.html

PoC :
Step 1 : Open Burp Suite
Step 2 : Add a Match and Replace rule
Step 3 : Add this match:
  Type : Request Header
  Match : 30[12] FOUND
  Replace : 200 OK
  Comment : Bypass
Step 4 : Reload the /admin/anasayfa.html page.

***********************************************************************************
Twitter.com/z3r0fy
T.me/z3r0fy
***********************************************************************************
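The WLB 3 PoC (rewriting the 301/302 status line to 200 OK and reloading) only works when the server issues a redirect for an unauthenticated visitor but keeps executing and sends the protected page body anyway. The following PHP, added here as an illustration and not OzzzyWeb's own code, shows that pattern next to its fix; the session key name and login path are assumptions.

```php
<?php
// Added illustration, not OzzzyWeb's code. The session key 'admin_id' and the
// login path '/admin/login.php' are assumptions; the CMS's real names are unknown.

session_start();

// Vulnerable pattern: the Location header is sent, but the script never stops.
// The full admin HTML is still appended to the response, so anything that
// rewrites the status line from 30x to 200 (as in the Burp rule above)
// makes the browser render the protected page.
function require_admin_vulnerable(): void
{
    if (empty($_SESSION['admin_id'])) {          // assumed session key
        header('Location: /admin/login.php');    // assumed login path
        // missing exit: execution falls through into the admin page below
    }
}

// Hardened pattern: terminate immediately after the redirect and send an
// empty body, so no sensitive markup ever reaches the client regardless of
// how the status line is tampered with downstream.
function require_admin(): void
{
    if (empty($_SESSION['admin_id'])) {
        header('Location: /admin/login.php', true, 302);
        header('Content-Length: 0');
        exit;                                    // nothing after this line is sent
    }
}

// Every admin script should call the guard before emitting any output;
// with the hardened version, the page below is reached only with a valid session.
require_admin();
echo '<h1>Admin panel</h1>';
```

A quick check from the defender's side: request an admin URL without a session cookie and confirm the 302 response carries an empty body (for example with curl -i), not the admin markup.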


Copyright 2019, cxsecurity.com