PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. The root cause is the tty winsize ioctl(), which allows arbitrary memory to be read and written. This exploit patches the setuid system call to remove the root uid check, allowing any process to obtain root privileges.
The WordPress LeagueManager plugin is vulnerable to unauthenticated SQL injection. The vulnerable code is located in the lib/core.php file, where the getMatch() and getLeague() functions pass the unsanitized $match_id and $league_id parameters directly into the SQL query. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This can be done using a tool such as SQLMap, which can be used to send a payload to the vulnerable server and extract data from the database.
The analysis discovered a stored cross-site scripting vulnerability (OWASP OTG-INPVAL-002) in the ClearPass Policy Manager. A malicious unauthenticated user is able to inject arbitrary script through the login form that may be rendered and triggered later when a privileged authenticated user reviews the access audit record. An attacker can use the aforementioned vulnerability to effectively steal the session cookies of privileged logged-on users.
Different D-Link routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR.
PonyOS is vulnerable to privilege escalation in the ELF loader. The vulnerability is caused by a lack of validation of the ELF header, which allows an attacker to craft a malicious ELF file that can be used to gain root privileges. The vulnerability can be exploited by an attacker who has access to the system, either locally or remotely. The attacker can then upload the malicious ELF file to the system and execute it, which results in the attacker gaining root privileges.
This exploit abuses the lack of file permission checking in MyLittleUnix <= 3.0 to replace the root user's password with the attacker's own and escalate their privileges. This exploit is now 20% cooler and has been tested on the latest 3.0 mlp OS.
A vulnerability in the WordPress dzs-zoomsounds plugin allows an attacker to upload a malicious file to the server. The vulnerable file is upload.php, which is located in the admin folder of the plugin. An attacker can upload a malicious file such as dz.phtml to the server through upload.php. The malicious file can then be accessed via the URL http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload/$Evil
WebDrive connects to many types of web servers, as well as servers in the cloud. Copy the AAAA... string from WebDrive.txt to the clipboard, create a connection, paste it into the URL/Address field and attempt to connect.
This exploit is based on MS14-064 (CVE-2014-6332) and allows attackers to execute arbitrary code on the vulnerable system. It uses a Python script to start a sample HTTP server on the attacker machine, which serves the exploit code and a Metasploit windows/shell_bind_tcp executable payload.
JSPMyAdmin 1.1 is a Java web-based MySQL database management system. It is vulnerable to SQL injection, CSRF and XSS attacks. The deletedata.jsp page is vulnerable to SQL injection, as it builds SQL statements by concatenating user input even though parameterized queries are used elsewhere. No CSRF token is used, allowing attackers to drop any database by sending malicious links. There are also no checks on user input, allowing remote attackers to execute arbitrary scripts in the context of an authenticated user's browser session.