The WordPress History Collection plugin contains a file called download.php that does not filter the GET input; it then uses this GET input value to force the download of a file. Proof of concept is provided in the text.
Based on user input, the content of a file is printed out (unfortunately not included), so any HTML file can be loaded, and an attacker may be able to read any local file that is not executed on the server.
The affected file is f.php, and the GET parameter 'l' is vulnerable to local file inclusion. The injection only needs to be base64-encoded, for example 'php://filter/resource=./../../../wp-config.php' or 'file:///etc/passwd', and then used in a URL such as 'http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk' to view the content of the passwd file.
A website was created that exploits the vulnerability by using an out-of-band (OOB) technique. The website contains a hidden input field with a payload that contains an XML External Entity. The entity references a file on the attacker's host, which specifies which file should be retrieved from the remote host and where the content of that file should be sent. Another website was created that steals hashes of the Administrator user; for this, the attacker needs to start a tool on the server that captures hashes. The exploit is triggered while profiling or scanning the created application using vulnerable versions of HP WebInspect.
Adding two NULL bytes to the end of a VCF file allows a user to manipulate the free() calls that occur during its lexer's memory clean-up procedure. This could lead to exploitable conditions, such as crafting a specific memory chunk to allow arbitrary code execution.
Milw0rm Clone Script v1.0 is vulnerable to a time-based SQL injection vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL code to the vulnerable application. This can allow the attacker to gain access to sensitive information from the database.
Unauthenticated SQL Injection via 'detail.php?id=' parameter. The vulnerable file is '/home/DOMAIN/domains/DOMAIN.go.th/public_html/detail.php'. The POC is 'http://127.0.0.1/detail.php?id=[SQL]'. The SQLMap command is 'python sqlmap.py --url "http://127.0.0.1/detail.php?id=[SQL]" --dbs'. The vulnerable parameter is 'id' with GET request method.
The affected file is div_img.php, which allows anybody to upload JPG files. It also suffers from FPD, and entries can also be deleted with http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=. Proof of concept is provided.
This vulnerability allows an unauthenticated attacker to remotely change the DNS settings of the D-Link DSL-526B ADSL2+ AU_2.01 router. By sending a specially crafted HTTP GET request to the dnscfg.cgi script, an attacker can change the DNS settings of the router. This can be used to redirect users to malicious websites or to intercept traffic.
This security hole allows an attacker to bypass authentication and change the DNS settings. When the administrator is logged in to the web management interface, an attacker may be able to completely bypass the authentication phase and connect to the web management interface with the administrator's credentials. This attack can also be performed by an external attacker who connects to the router's public IP address, if remote management is enabled. To change the DNS settings without logging in to the web management interface, use the following URL: http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=WAN-1