Sysax Scheduler Service runs as Local System. By default, the application allows low-privilege users to create and run backup jobs as users other than themselves. If the option to run the job as the current user or as another user is removed, the task runs as SYSTEM. A low-privilege user could abuse this to escalate their privileges to Local System.
This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz): https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US. Shoutouts to phyr3wall for providing a hint as to where the obfuscated code lies.
This exploit allows an attacker to gain remote code execution on a vulnerable iRZ Mobile Router. The exploit requires the attacker to have access to the router's web page, either through authentication or through a CSRF attack. Once the attacker has access, they can send a specially crafted JSON payload to the router, which will spawn a reverse shell connecting back to the attacker's machine.
iQ Block Country is a WordPress plugin that allows you to limit access to your website content. It can allow or disallow visitors from defined countries access to (parts of) the content of the website. The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the upload, the files in the uploaded zip file are extracted one by one. During the extraction process, the existence of each file is checked. If the file exists, it is deleted without any security control, considering only the name of the extracted file. This behavior leads to a "Zip Slip" vulnerability. Zip Slip can cause damage by overwriting configuration files or other sensitive resources. In this finding, an attacker can exploit this vulnerability and the behavior of the extraction process to delete an arbitrary file on the server. To do this, it is enough to upload a zip file containing a file whose name is the path of the file to be deleted.
A vulnerability in Apache APISIX versions 1.3 - 2.12.1 allows an attacker to execute arbitrary code on the target system. This is due to the lack of proper input validation when handling user-supplied data. An attacker can exploit this vulnerability by sending a maliciously crafted request to the target system.
Tiny File Manager 2.4.6 is vulnerable to Remote Code Execution (RCE) due to a lack of authentication. An attacker can exploit this vulnerability by sending a malicious POST request to the vulnerable application. This will allow the attacker to execute arbitrary code on the server.
A theme upload functionality in Pluck CMS before 4.7.16 allows an admin-privileged user to gain access to the host through the "themes files", which may result in remote code execution.
Moodle 2.7dev (Build: 20131129) to 3.11.5+ 2nd Order SQLi Exploit by muffin (@mufinnnnnnn). Exploit allows an authenticated user to inject malicious SQL code into the application. The exploit requires the user to define variables at the top of the tamper() function, create a file called req.txt, and run the tamper script with the command 'python sqlmap.py -u "http://127.0.0.1/moodle/badges/criteria_settings.php?badgeid=badge-id-replace-me&add=1&type=6" --tamper=moodle_2nd_order_sqli.py --data=@req.txt --level=5 --risk=3 --dbms=mysql --threads=10 --batch'
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
This exploit is related to the Baixar GLPI Project 9.4.6. It is a SQL injection vulnerability that allows an attacker to execute malicious SQL queries on the vulnerable system. The exploit is triggered by sending a specially crafted request to the plugins/ramo/ramoapirest.php/getOutdated?idu=-1 endpoint. The attacker can then use the sqlmap tool to enumerate the databases on the vulnerable system.