Yang Chenglong - Security Researcher - Exploit Intelligence Platform

CVE-2019-9182 EXPLOITDB HIGH text WORKING POC

Zzzcms Zzzphp - CSRF

There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter.

CVSS 8.8

View Code

CVE-2019-9082 EXPLOITDB HIGH text WORKING POC

Thinkphp < 3.2.4 - Missing Authentication

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

CVSS 8.8

View Code

CVE-2019-9041 EXPLOITDB HIGH text WRITEUP

ZZZCMS zzzphp <V1.6.1 - RCE

An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.

CVSS 7.2

View Code