Search for hundreds of thousands of exploits

"Zoph 0.9.1 - Multiple Vulnerabilities"

Author

Exploit author

"Manuel García Cárdenas"

Platform

Exploit platform

php

Release date

Exploit published date

2014-11-17

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
=============================================
MGC ALERT 2014-005
- Original release date: March 5, 2014
- Last revised:  November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Zoph <= 0.9.1

II. BACKGROUND
-------------------------
Zoph (Zoph Organizes Photos) is a web based digital image presentation and
management system. In other words, a photo album. It is built with PHP,
MySQL and Perl.

III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variables "id" and "action" on the
pages group, photos and user. This bug was found using the portal with
authentication. To exploit the vulnerability only is needed use the version
1.0 of the HTTP protocol to interact with the application.
Has been detected a reflected XSS vulnerability in Zoph, that allows the
execution of arbitrary HTML/script code to be executed in the context of
the victim user's browser.

IV. PROOF OF CONCEPT
-------------------------
SQL Injection:

/zoph/php/group.php?_action=1'%22&_clear_crumbs=1
/zoph/php/photos.php?location_id=1'%22
/zoph/php/user.php?user_id=&_action=1'%22

Cross-Site Scripting GET:

/zoph/php/edit_photos.php?photographer_id=3"><script>alert(1)</script>
/zoph/php/edit_photos.php?album_id=2&_crumb=3"><script>alert(1)</script>

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Zoph <= 0.9.1

VII. SOLUTION
-------------------------
No news releases

VIII. REFERENCES
-------------------------
http://www.zoph.org/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Send to vendor
June 17, 2014 3: Second mail to the verdor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
Release DateTitleTypePlatformAuthor
2020-05-21"Composr CMS 10.0.30 - Persistent Cross-Site Scripting"webappsphp"Manuel García Cárdenas"
2019-09-13"phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery"webappsphp"Manuel García Cárdenas"
2019-03-13"WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion"webappsphp"Manuel García Cárdenas"
2018-09-19"WordPress Plugin Localize My Post 1.0 - Local File Inclusion"webappsphp"Manuel García Cárdenas"
2018-09-19"WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion"webappsphp"Manuel García Cárdenas"
2018-06-11"WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection"webappsphp"Manuel García Cárdenas"
2018-04-18"Kodi 17.6 - Persistent Cross-Site Scripting"webappsmultiple"Manuel García Cárdenas"
2018-03-12"TextPattern 4.6.2 - 'qty' SQL Injection"webappsphp"Manuel García Cárdenas"
2018-01-12"PyroBatchFTP < 3.19 - Buffer Overflow"doswindows"Manuel García Cárdenas"
2017-12-15"Sync Breeze 10.2.12 - Denial of Service"doswindows"Manuel García Cárdenas"
2017-04-11"WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection"webappsphp"Manuel García Cárdenas"
2016-09-22"Exponent CMS 2.3.9 - Blind SQL Injection"webappsphp"Manuel García Cárdenas"
2016-04-26"ImpressCMS 1.3.9 - SQL Injection"webappsphp"Manuel García Cárdenas"
2016-02-04"UliCMS v9.8.1 - SQL Injection"webappsphp"Manuel García Cárdenas"
2015-10-06"PHP-Fusion 7.02.07 - Blind SQL Injection"webappsphp"Manuel García Cárdenas"
2014-11-17"WebsiteBaker 2.8.3 - Multiple Vulnerabilities"webappsphp"Manuel García Cárdenas"
2014-11-17"Zoph 0.9.1 - Multiple Vulnerabilities"webappsphp"Manuel García Cárdenas"
2014-11-13"Piwigo 2.6.0 - 'picture.php?rate' SQL Injection"webappsphp"Manuel García Cárdenas"
2013-09-30"XAMPP 1.8.1 - 'lang.php?WriteIntoLocalDisk method' Local Write Access"webappsphp"Manuel García Cárdenas"
2013-06-04"Telaen 2.7.x - Open Redirection"webappsphp"Manuel García Cárdenas"
2013-06-04"Telaen 2.7.x - Cross-Site Scripting"webappsphp"Manuel García Cárdenas"
2013-06-03"Telaen - Information Disclosure"webappsphp"Manuel García Cárdenas"
2013-03-10"Asteriskguru Queue Statistics - 'warning' Cross-Site Scripting"webappsphp"Manuel García Cárdenas"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/35278/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.