Hello friends, today's 0day is a NavigateCMS RCE. The file upload protection is insufficient, which allows us to upload a shell and then execute OS commands.

There is an upload extension section on the admin panel.

We can upload extensions for NavigateCMS (Votes is the default one). But the uploaded file must be a zip file. If it isn't, the file won't be uploaded.


Hello friends, this is my first blog post. Apologies for my mistakes and my possible grammar mistakes :)

This is a SQL injection vulnerability that I found in GilaCMS version 1.14.0 (it may affect previous versions), but it is now patched in version 1.15.0. GilaCMS is written in PHP. So let's start.

/src/core/classes/Package.php

/src/core/classes/Package.php, lines 249–251

As you can see, there is clearly an SQLi vulnerability. The user input ['option'] goes into a foreach loop, since the user input is an array (multipart/form-data), and each value goes directly into the query (without any protection). That's why an attacker is able to modify the SQL query.
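
The pattern described above, as an added example that is not GilaCMS code or the author's: a constructed option array is saved once by string concatenation and once with bound parameters and a key allow-list. The table `pkg_option`, both function names, the package name and the sample input are assumptions, and PDO's SQLite driver is assumed to be available.

```php
<?php
// Added illustration; every table, function and package name here is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pkg_option (package TEXT, name TEXT, value TEXT,
           PRIMARY KEY (package, name))');

// Constructed input standing in for $_POST['option'] (an array sent as multipart/form-data).
$options = ['title' => "Bob's poll", 'max_votes' => '5'];

// Pattern the post describes: each array value is pasted into the SQL text.
function saveOptionsConcatenated(PDO $db, string $package, array $options): void
{
    foreach ($options as $name => $value) {
        $db->exec("INSERT OR REPLACE INTO pkg_option (package, name, value)
                   VALUES ('$package', '$name', '$value')");
    }
}

// Hardened form: allow-list the keys and bind every value as a parameter.
function saveOptionsBound(PDO $db, string $package, array $options, array $allowed): int
{
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO pkg_option (package, name, value) VALUES (?, ?, ?)'
    );
    $saved = 0;
    foreach ($options as $name => $value) {
        if (!in_array($name, $allowed, true) || !is_string($value)) {
            continue; // unknown key or nested array: skip it rather than guess
        }
        $stmt->execute([$package, $name, $value]);
        $saved++;
    }
    return $saved;
}

try {
    saveOptionsConcatenated($db, 'demo_package', $options);
} catch (PDOException $e) {
    // The apostrophe in the title closed the string literal early,
    // so the input changed the structure of the statement.
    echo 'concatenated: ', $e->getMessage(), "\n";
}

$saved = saveOptionsBound($db, 'demo_package', $options, ['title', 'max_votes']);
$title = $db->query("SELECT value FROM pkg_option WHERE name = 'title'")->fetchColumn();
echo "bound: saved $saved rows, title stored as: $title\n";
```

With bound parameters the value is stored exactly as submitted and never parsed as SQL, which is the property the concatenated loop lacks.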

But…

Selim Enes Karaduman

Hacker, Security Researcher, Exploit Developer
