This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).
The Edimax Technology EW-7438RPn-v3 Mini firmware version 1.23 and 1.27 allows remote attackers to execute arbitrary commands via a crafted HTTP request in setup and unsetup modes.
The exploit allows an attacker to trigger a local buffer overflow vulnerability in DiskBoss version 7.7.14. By providing a specially crafted input directory, an attacker can execute arbitrary code on the target system. The vulnerability has been tested on Windows 7 Ultimate Service Pack 1 (32 bit - English).
This module exploits a Preauth Server-Side Template Injection leads remote code execution vulnerability in PlaySMS Before Version 1.4.3. The TPL template language is vulnerable to PHP code injection.
The W-Agora version 4.2.1 is vulnerable to SQL Injection. By exploiting this vulnerability, an attacker can execute arbitrary SQL queries on the database.
An authenticated CSRF exists in web client and web administration of Wing FTP v6.2.6, a crafted HTML page could delete admin user from the application where as administration needs to re-install the program and add admin user again. Issue was patched in v6.2.7.
The vulnerability allows remote attackers to include arbitrary files via a URL in the config[root_ordner] parameter in thumbnail.php.
This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.
This module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGIN_FILE. The module will attempt to retrieve the original PLUGIN_FILE contents and restore them after payload execution. If VerifyContents is set, which is the default setting, the module will check to see if the restored contents match the original. Note that a valid administrator username is required for this module. WordPress >= 4.9 is currently not supported due to a breaking WordPress API change. Tested against 4.8.3.
This exploit allows an attacker to inject SQL code in certain modules of RUNCMS 1.6, including 'brokenfile.php' and 'visit.php'. By injecting the code, the attacker can retrieve the admin cookie, which can then be used to login to the admin session and change the admin's password.