header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution

This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).

DiskBoss 7.7.14 – ‘Input Directory’ Local Buffer Overflow (PoC)

The exploit allows an attacker to trigger a local buffer overflow vulnerability in DiskBoss version 7.7.14. By providing a specially crafted input directory, an attacker can execute arbitrary code on the target system. The vulnerability has been tested on Windows 7 Ultimate Service Pack 1 (32 bit - English).

PlaySMS 1.4.3 Pre Auth Template Injection Remote Code Execution

This module exploits a Preauth Server-Side Template Injection leads remote code execution vulnerability in PlaySMS Before Version 1.4.3. The TPL template language is vulnerable to PHP code injection.

Wing FTP Server 6.2.3 – Privilege Escalation

An authenticated CSRF exists in web client and web administration of Wing FTP v6.2.6, a crafted HTML page could delete admin user from the application where as administration needs to re-install the program and add admin user again. Issue was patched in v6.2.7.

Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write

This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.

WordPress InfiniteWP Client Authentication Bypass

This module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGIN_FILE. The module will attempt to retrieve the original PLUGIN_FILE contents and restore them after payload execution. If VerifyContents is set, which is the default setting, the module will check to see if the restored contents match the original. Note that a valid administrator username is required for this module. WordPress >= 4.9 is currently not supported due to a breaking WordPress API change. Tested against 4.8.3.

RUNCMS 1.6 BLIND SQL Injection Exploit get Admin Cookie

This exploit allows an attacker to inject SQL code in certain modules of RUNCMS 1.6, including 'brokenfile.php' and 'visit.php'. By injecting the code, the attacker can retrieve the admin cookie, which can then be used to login to the admin session and change the admin's password.

Recent Exploits: