In 'tinfo.php' script there are function named uploadAttachment() through which we are able to upload files. It does not checks what the file is uploaded. First of all it uploads small shell, then, due to unknown shell name, it bruteforces it. (Uploaded shell name is concatenation of original filename, unix timestamp and substracted microseconds from time.) Then it uploads new shell through small shell. (Script saves to DB what has been uploaded, but if magic_quotes_gpc=off exploit will disable this logging via SQl-inj.)
FreeLyrics is vulnerable to a remote source code disclosure vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. This request contains a parameter (p) which specifies the file to be disclosed. An attacker can use this vulnerability to view the source code of any file on the server.
If the username that we typed in the register form is invalid, it will directly appear in the html code. So we just have to put a js code, like an alert, and we will get a XSS. The cms uses a flat database, a .txt file where it stores usernames,passwords and emails of the registered users.
This exploit allows an attacker to include a file on the server through the web application. The vulnerability is present when a web application allows the user to submit input into files or upload files to the server. The malicious user can then insert a file path that will allow the execution of a file on the web server. This can lead to the disclosure of sensitive information, manipulation of data, or even server compromise.
The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'filename' parameter to the 'download.php' script. This can be exploited to include arbitrary files from local resources via directory traversal attacks.
ReVou Twitter Clone is a commercial script written in PHP and MySQL. It is vulnerable to an admin password changing exploit. An attacker can reset the admin password and then login as admin. The attacker can then use the path http://site.tld/revou/adminlogin/index.php?id=dbimport to upload a php shell script. The uploaded file can be accessed at http://site.tld/revou/db_backup/shell.php.
This exploit tries to read an arbitrary file by exploiting a SQL Injection vulnerability in MyPBS.
Directory traversal, also known as path traversal, is an HTTP attack which allows attackers to access restricted directories and execute commands outside of the web server's root directory. This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”. It is used by attackers to gain access to files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations, or by using absolute file paths, attackers can access arbitrary files and directories stored on file system including application source code or configuration and critical system files. Directory traversal attacks can also be used to access restricted directories and execute commands outside of the web server's root directory.
A crafted mDNS packet with source port 0 can cause avahi-daemon to abort() due to failed assertion assert(port > 0); in originates_from_local_legacy_unicast_socket() function in avahi-core/server.c.
MyPHPSite is vulnerable to Local File Inclusion (LFI) vulnerability. An attacker can exploit this vulnerability by sending a crafted HTTP request containing a maliciously crafted URL with a maliciously crafted parameter value. The maliciously crafted parameter value contains a maliciously crafted path to a file on the server. The maliciously crafted path can be used to access sensitive files on the server, such as the /etc/passwd file. The PoC for this vulnerability is http://[target]/[path]/index.php?mod=../../../../../../etc/passwd%00
Services By CQR