Eserv/3.x is a Mail, News, Web and Proxy Servers which includes Mail Server (SMTP, IMAP4 and POP3), News Server (NNTP), Web Server (HTTP), FTP Server, Proxy Servers (HTTP, FTP, Socks, etc), Finger Server and Built-in scheduler and dialer. This PoC exploits a stack overflow vulnerability in the FTP server component of Eserv/3.x. The vulnerability is triggered when a maliciously crafted ABOR command is sent to the FTP server. This can lead to remote code execution.
SezHoo 0.1 is vulnerable to a Remote File Inclusion vulnerability due to improper validation of user-supplied input. An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable application. This can allow the attacker to execute arbitrary code on the vulnerable system.
The exploit is based on a backdoor that allows to enable telnet, ftp, tftp and web-admin from internal lan.
Nuked-klaN suffers from a vulnerability due to HTTP_REFERER, which is not correctly filtered before being inserted in nuked_stats_visitor table. If HTTP headers are not addslashes()'d by PHP, it could lead to a INSERT SQL injection. In function view_referer() (visits.php), referers are extracted from the database to perform an other SQL query, without being secured in between. This leads to a blind SQL injection. Theses injections are only possible if Nuked-klaN (NK) considers us as a new user, because else it won't touch the nuked_stats_visitor table. For this, we can use X-Forwarded-For HTTP header to specify NK a new IP, to be considered as a new user, and therefore access the database. NK automaticaly tries to resolve our host (using gethostbyaddr()), and it could be very long if the IP is not corresponding to a real one, because the default timeout is ~3 seconds, and that's very unconvenient for blind SQL injection. In order to solve this, we can try to generate IPs that might be valid, using, for example, a known BASE (the first two numbers), and randomizing the two other numbers. Stats can be disabled, or not accessible for users or visitors. In the last case we can't get query results, so the unique way to inject is BENCHMARK method, but this implies that the headers are not addslashed by PHP, but this method is not implemented in this exploit. If we got an admin session or login, we can spawn a remote shell/uploader using the NK 'MySQL administration', but PHP safe_mode must be disabled. This exploit uses all these vulnerabilities to spawn a shell/uploader or to simply obtain adimin credentials.
A SQL injection vulnerability exists in XOOPS Module: xhresim All Version. An attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in application's database. This can be exploited to disclose sensitive information from the database, modify data, or exploit further vulnerabilities in the underlying system.
WP Comment Remix 1.4.3 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to extract information from the database, including user credentials, database information, and other sensitive information. This vulnerability can be exploited by sending a specially crafted HTTP request to the vulnerable application.
IndexScript v 3.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to sensitive information such as login credentials, version, database, and user information. The attacker can also use this vulnerability to modify the content of the database.
An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. The malicious request contains a specially crafted SQL query that can be used to extract sensitive information from the database. The malicious query is sent as a parameter in the URL, which is then processed by the vulnerable application. The vulnerable application then executes the malicious query, which can be used to extract sensitive information from the database.
This exploit allows an attacker to include a local file on the server, such as the /etc/passwd file, by manipulating the 'language' parameter in the 'admin.php' file. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'language' parameter. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious 'language' parameter.
LokiCMS is still vulnerable to Remote Command Execution. The exploit changed becouse the vars changed but the bugged function is the same: writeconfig(). LokiCMS does not check the access to admin.php via POST.