User input passed through the "data[extension]" and "data[filedata]" parameters to the "ajax/api/user/updateAvatar" endpoint is not properly validated before being used to update users' avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the "Save Avatars as Files" option to be enabled (disabled by default).
This is a command injection exploit for RaidenHTTPD 2.0.19. It allows an unauthenticated attacker to execute arbitrary commands on the target system.
This exploit takes advantage of a local stack overflow vulnerability in ASX to MP3 converter version 3.1.3.7. By exploiting this vulnerability, an attacker can execute arbitrary code with the privileges of the user running the vulnerable software.
By default, AnchorCMS will log errors to the "/anchor/errors.log" file in the webroot of the web application. This allows malicious users to access the error log and view potentially sensitive information. Sometimes the AnchorCMS error log contains occurrences of the MySQL error "Can't connect to MySQL server on 'xxx.xxx.xxx.xxx' (111)". When this error occurs the variables of the MySQL connector class are serialized into a JSON object and logged to the error log.
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the 'Neutralize implant' target allows you to disable the implant.
The vulnerability exists in the 'ciftokic.c' file at line 84, where the program uses the 'strcpy' function to copy the input argument into the 'CIFFile' variable without proper bounds checking. If the input argument is 80 characters or less, the program functions normally. However, if the input argument is 81 characters or more, a buffer overflow occurs, causing the program to crash.
This script exploits a path traversal vulnerability in the WordPress Arforms plugin version 3.7.1. The vulnerability allows an attacker to delete files on the server by providing a path that includes directory traversal sequences. The script sends HTTP requests to the target server and checks for the existence of specific files in the arforms/userfiles directory. If the files exist, the script sends a deletion request to remove them.
A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in GoAhead web server version 2.5.0 (other versions may be affected too). The value of the 'Host' header is implicitly treated as trusted when this should be forbidden, leading to a potential host header injection attack; affected hosts can also be used for domain fronting. This means attackers can use affected hosts to hide behind during various other attacks. PS: Most embedded web servers on hardware such as switches, routers, IoT devices and IP cameras are affected.
Create a new agent account, log in and press the blue «Plus» button under the main menu («Add Your Property» text will pop up on hover); you will be redirected to the https://zoner.demo-website.com/?add-property=XXXX page. Use your payload inside the «Address» input field («Local information» block), press the «Create Property» button and check your payload on the https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties page. Your new property must be approved by an admin, so this is a good point to steal some cookies :)
Payload Sample: "><img src=x onerror=alert('Greetings from m0ze')>
PoC: log in as agentm0ze:WhgZbOUH (login/password) and go to the https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties page.
IDOR: Create a new agent account, log in and create a new property. Then go to the https://zoner.fruitfulcode.com/author/aaaagent/?profile-page=my_properties page and pay attention to the trash icon under your property info. Open the developer console and check out this code: <a title="Delete Property" href="#" data-toggle="modal" class="delete-property" data-propertyid="XXX"><i class="delete fa fa-trash-o"></i></a>. Edit the data-propertyid="XXX" attribute by typing, instead of XXX, the ID of the post or page you want to delete (you can get the post/page ID from the <body> tag class, e.g. postid-494, so the attribute for the post with ID 494 will be data-propertyid="494"). After you edit the ID, click on the trash icon and confirm the deletion (POST https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=delete_property_act&property_id=494&
This exploit allows an attacker to grab the admin username and password from FreeWebshop version 2.2.7 or below. The attacker needs to provide the target URL and path as command line arguments. The exploit uses LWP::UserAgent and HTTP::Cookies modules to inject a cookie and retrieve the admin credentials.