what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 2 of 2

Files from jsass

SePortal 2.5 SQL Injection / Remote Code Execution

Posted Mar 28, 2014

Authored by xistence, jsass | Site metasploit.com

This Metasploit module exploits a vulnerability found in SePortal version 2.5. When logging in as any non-admin user, it's possible to retrieve the admin session from the database through SQL injection. The SQL injection vulnerability exists in the "staticpages.php" page. This hash can be used to take over the admin user session. After logging in, the "/admin/downloads.php" page will be used to upload arbitrary code.

tags | exploit, arbitrary, php, sql injection

advisories | CVE-2008-5191, OSVDB-46567

SHA-256 | 523ae89437abd95ee2b8adbfe4b6eb79e71f45e8218d4bcec51f35af6aab99d6

Download | Favorite | View

SePortal 2.5 SQL Injection

Posted Mar 19, 2014

Authored by jsass

SePortal version 2.5 suffers from a remote SQL injection vulnerability in the sp_id variable of staticpages.php. This version has already had known SQL injection vulnerabilities noted in 2011.

tags | exploit, remote, php, vulnerability, sql injection

SHA-256 | 8f4257a80f761be925bfdf6c5c86b1aa0a890871ff237d0be07eb7a35351f1e2

Download | Favorite | View