The dashboardXml parameter is vulnerable to XML external entity (XXE) injection. The tag <!DOCTYPE foo [<!ENTITY xxe8295c SYSTEM "file:///etc/passwd"> ]> was injected into the XML of the client's POST request. This tag defines an external entity, xxe8295c, which references a file on the XML parser's filesystem. This entity was then used within a data field in the XML document. The server's response contains the contents of the specified file, indicating that the parser processed the injected external entity. By manipulating the POST request to "/pentaho/content/dashboards" it is possible to inject arbitrary XML declarations and tags. This request is triggered while a user is creating a customized dashboard.
Multiple CSRF and Cross-Site Scripting (XSS) vulnerabilities have been identified in CrushFTP 7.2.0 (Web Interface) in its default configuration. These vulnerabilities allow an attacker to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.
When an authenticated user navigates to 'Photos/Batch Manager', they are able to apply different filters. When all filters are activated and the 'Refresh photo set' button is clicked, the following POST request is sent to the server, which is prone to blind SQL (bSQL) injection.
jui_filter_rules is a jQuery plugin which allows users to generate a ruleset that can be used to filter datasets inside a web application. The plugin also provides a PHP library to turn the user-submitted ruleset into SQL WHERE clauses for server-side filtering. This PHP library contains a feature which allows the submitted filter values to be converted with server-side functions. These functions can be specified within the ruleset itself, which leads to arbitrary PHP code execution.
Every registered user can create and download backup files. The exploit involves sending a request to the admin-ajax.php page with the action parameter set to duplicator_package_scan, duplicator_package_build, duplicator_package_delete, or duplicator_package_report. This will allow the user to create and download backup files.
Different D-Link routers are vulnerable to unauthenticated DNS setting changes. The vulnerability exists in the web interface, which is accessible without authentication. Tested firmware version: EU_2.03. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with vulnerable systems or devices who try to access certain sites are instead redirected to possibly malicious sites. Modifying a system's DNS settings allows cybercriminals to perform malicious activities such as steering unknowing users to bad sites, replacing ads on legitimate sites, controlling and redirecting network traffic, and pushing additional malware.
This module takes advantage of an insecure Java JMX interface configuration which allows loading classes from any remote (HTTP) URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while interfaces with authentication enabled will be vulnerable only if a weak configuration is deployed (allowing the use of javax.management.loading.MLet, having a security manager that allows loading a ClassLoader MBean, etc.).
Stable with Firefox 34.0.5. Other browsers may be unstable or may not work. When an authenticated admin is exposed to the code below, it will do a couple of things. 'CSRF 1' allows a registered user to escalate their privileges to Collaborator Admin with access to the 'files' plugin. This will allow the attacker to upload a PHP shell to compromise the server. Once executed, the attacker would log into the website as normal, then proceed to site.com/admin, where it greets them with 'AttackerName, enter your password :', and log in with the same password they registered with. Hover over 'General Management' and then click 'Files', where you can upload a shell of your choosing. 'CSRF 2': As stated earlier, a registered user can upload a PHP shell to the server. This code will allow an unregistered user to upload a PHP shell to the server.
This exploit will automatically log you in and change the email of any registered user except for the admin that is installed with the web application. Click on 'Become a member' on the target website to insert the appropriate cookies for this to work. Once the exploit has taken place, proceed to click 'Modify' and change the password. To see if the user has some sort of admin privileges, go to site.com/admin/ while still logged in. If they do, it will say 'Vic_username, enter your password:'; log in with the password you just changed it to.
The URL http://192.168.1.25:18080/cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=-1&count=10&et_cw=850&et_ch=600 is vulnerable to a time-based SQL injection in the catId parameter. Exploitation with sqlmap can be done using the command './sqlmap.py -u "http://192.168.1.25:18080/cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=-1&count=10&et_cw=850&et_ch=600" --dbms=mysql -p catId --level=5 --risk=3 -o --technique=t --time-sec=10 --dbs' (the URL is quoted so the shell does not interpret the ampersands).