header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

Apache 2.4.x – Buffer Overflow

A buffer overflow vulnerability exists in Apache 2.4.x versions less than 2.4.51. An attacker can send a specially crafted HTTP request with a malicious payload to the vulnerable server, which can lead to a denial of service or arbitrary code execution. The payload is sent as a multipart/form-data with a boundary value of 4, which can be changed to any other value. The form data returns a response of 'memory allocation error: block too big', but if the payload is changed to name="name"4, the lua module overflows 3 more bytes during memset.

TP-Link TL-WR902AC firmware 210730 (V3) – Remote Code Execution (RCE) (Authenticated)

A vulnerability in TP-Link TL-WR902AC firmware 210730 (V3) allows an authenticated attacker to execute arbitrary code by importing a malicious firmware file. This vulnerability is due to insufficient validation of user-supplied input. An attacker can exploit this vulnerability by sending a malicious firmware file to the targeted device. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.

Hughes Satellite Router HX200 v8.3.1.14 – Remote File Inclusion

The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. This vulnerability may allow an unauthenticated malicious user to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application.

Reprise Software RLM v14.2BL4 – Cross-Site Scripting (XSS)

Reprise Software RLM v14.2BL4 is vulnerable to Cross-Site Scripting (XSS). An attacker can inject malicious JavaScript code into the username and password fields of the login page. This code will be executed when the page is loaded by the victim, allowing the attacker to perform malicious actions such as stealing cookies, session tokens, etc.

SugarCRM 12.2.0 – Remote Code Execution (RCE)

A vulnerability in SugarCRM versions up to 12.2.0 allows an attacker to execute arbitrary code on the server. This is due to the application not properly validating user-supplied input. An attacker can exploit this vulnerability by sending a malicious request to the server. This can allow the attacker to execute arbitrary code on the server.

perfSONAR v4.4.5 – Partial Blind CSRF

A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.

XCMS v1.83 – Remote Command Execution (RCE)

The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms. Taking "home.php" for example, the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel. So with a simple html form, an attacker can change the footer and insert malicious code. Trick: We can change the admin panel password by inserting this code in the footer. Fix: The fix is very simple, just add an exit() after the header() in the cpie.php.

AD Manager Plus 7122 – Remote Code Execution (RCE)

In the summer of 2022, I have been doing security engagement on Synack Red Team in the collaboration with my good friend (Thura Moe Myint). At that time, Log4j was already widespread on the internet. Manage Engine had already patched the Ad Manager Plus to prevent it from being affected by the Log4j vulnerability. They had mentioned that Log4j was not affected by Ad Manager Plus. However, we determined that the Ad Manager Plus was running on our target and managed to exploit the Log4j vulnerability. First, Let’s make a login request using proxy. Inject the following payload in the ```methodToCall``` parameter in the ```ADSearch.cc``` request. Then you will get the dns callback with username in your burp collabrator. When we initially reported this vulnerability to Synack, we only managed to get a DNS callback and our report was marked as LDAP injection. However, we attempted to gain full RCE on the host but were not successful. Later, we discovered that Ad Manager Plus was running on another target, so we tried to get full RCE on that target. We realized that there was a firewall and an anti-virus running on the machine, so most of our payloads wouldn't work. After spending a considerable amount of time , we eventually managed to bypass the firewall and anti-virus, and achieve full RCE.

Recent Exploits: