The WebPagetest application is vulnerable to local file disclosure. An attacker can exploit this vulnerability by sending a request to the 'gettext.php' script with a specially crafted 'file' parameter, allowing them to read arbitrary files on the server. The vulnerability exists because of improper input validation in the 'gettext.php' script, where user-supplied input is not properly sanitized. It can be exploited by an unauthenticated attacker with network access to the affected system.
FTP Explorer stores profiles of visited FTP sites, including the user's name and weakly encrypted passwords. The encryption algorithm increments each character in the password by 9, then increments it further based on its position in the password. The encryption mechanism is weak and can easily be broken.
The help files for the Windows Help system (*.cnt, *.hlp) can be edited so that they run an arbitrary executable when selected by a user. The executable will run at the privilege level of the user. The *.cnt files are like tables of contents that tell the help system what to open when each topic is selected. These entries can be edited to cause system and DLL calls and programs to be executed when a topic is chosen. The help files themselves, *.hlp, can be edited in a similar manner.
This module can be used to execute a payload on Umbraco CMS 4.7.0.378. The payload is uploaded as an ASPX script by sending a specially crafted SOAP request to codeEditorSave.asmx, which permits unauthorised file upload via the SaveDLRScript operation. SaveDLRScript is also subject to a path traversal vulnerability, allowing code to be placed into the web-accessible /umbraco/ directory. The module writes, executes and then overwrites an ASPX script; note that though the script content is removed, the file remains on the target. Automatic cleanup of the file is intended if a meterpreter payload is used. This module has been tested successfully on Umbraco CMS 4.7.0.378 on Windows 7 32-bit SP1. In this scenario, the "IIS APPPOOL\ASP.NET v4.0" user must have write permissions on the Windows Temp folder.
The sflog! CMS/Blog system is affected by multiple vulnerabilities, including Local File Inclusion (LFI). An attacker can exploit the LFI vulnerability by providing a crafted URL to access sensitive files on the server.
The spooler service (spoolss.exe) allows local users to add their own DLL files and have the spooler run them at SYSTEM level. This could lead to privilege escalation all the way up to Administrator level. The problem is in the function AddPrintProvider(). This exploit will crash the spooler service and copy a custom DLL into c:\winnt\system32. When the spooler service is restarted, the custom DLL is loaded and run at SYSTEM level. The 'whoami' binary is run and the results are logged in a text file for verification. If the target machine's NT directory is not the default c:\winnt, the program will have to be modified.
The UCCASS survey script (version <= 1.8.1) is vulnerable to blind SQL injection. An attacker can exploit this vulnerability by manipulating the 'sid' parameter in the 'filter.php' file. By injecting a specially crafted SQL query, the attacker can bypass authentication or retrieve sensitive information from the database.
The LimeSurvey version 1.92+ build 120620 is vulnerable to Remote File Inclusion (RFI) and Directory Traversal attacks. In the RFI vulnerability, an attacker can include arbitrary remote files by setting the 'rootdir' parameter to a malicious URL. In the Directory Traversal vulnerability, an attacker can access sensitive files by manipulating the 'sFullFilepath' parameter.
A vulnerability in Floosietek's FTGate allows remote malicious users to steal local files. The web server fails to check whether requested files fall outside its document tree (requested by using '..' in the URL). Thus attackers can retrieve files on the same drive as the one on which the software resides if they know or can guess the filename.
This exploit targets the Mrxsmb.sys driver in Windows XP and Windows 2000 to gain ring0 privileges. It disables ReadOnly Memory protection by modifying a specific file offset call. The exploit has been tested on XP SP2 and 2K SP4. This exploit is for educational purposes only.