hadihadi

36 exploits Active since Dec 2007
CVE-2008-3564 EXPLOITDB text WORKING POC
Dayfox Blog 4 - Remote File Inclusion via Path Traversal in p, cat, and archive Parameters
Multiple directory traversal vulnerabilities in index.php in Dayfox Blog 4 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) p, (2) cat, and (3) archive parameters. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
CVE-2008-6438 EXPLOITDB perl WORKING POC
MacGuru BLOG Engine Plugin 2.1.4-2.2 - SQL Injection via uid Parameter
SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected.
CVE-2008-6438 EXPLOITDB perl WORKING POC
MacGuru BLOG Engine Plugin 2.1.4-2.2 - SQL Injection via uid Parameter
SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected.
CVE-2008-6438 EXPLOITDB text WRITEUP
MacGuru BLOG Engine Plugin 2.1.4-2.2 - SQL Injection via uid Parameter
SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected.
EIP-2026-105904 EXPLOITDB text WORKING POC
Clever Copy 3.0 - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities
CVE-2008-6473 EXPLOITDB text WORKING POC
Blogator-script 0.95 - Unauthenticated Arbitrary Password Change via Wildcard Parameter Injection
_blogadata/include/init_pass2.php in Blogator-script 0.95 allows remote attackers to change the password for arbitrary users via a modified "a" parameter with a "%" wildcard symbol in the b parameter.
CVE-2008-0422 EXPLOITDB text WORKING POC
boastmachine < 3.1 - SQL Injection via mail.php id Parameter
SQL injection vulnerability in mail.php in boastMachine (aka bMachine) 3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-1763 EXPLOITDB text WRITEUP
Blogator-script 0.95 - SQL Injection
SQL injection vulnerability in _blogadata/include/sond_result.php in Blogator-script 0.95 allows remote attackers to execute arbitrary SQL commands via the id_art parameter.
CVE-2008-2117 EXPLOITDB text WRITEUP
Project Alumni 1.0.9 - Cross-Site Scripting via News Page Year Parameter
Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Project Alumni 1.0.9 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a news action to index.php, a different vector than CVE-2007-6126.
CVE-2008-2118 EXPLOITDB text WORKING POC
Project Alumni 1.0.9 - SQL Injection via id Parameter
SQL injection vulnerability in info.php in Project Alumni 1.0.9 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6667 EXPLOITDB text WORKING POC
A+ PHP Scripts News Management System - Unauthenticated Authentication Bypass via Cookie Manipulation
A+ PHP Scripts News Management System (NMS) allows remote attackers to bypass authentication and gain administrator privileges by setting the mobsuser and mobspass cookies to 1.