
Explore Vulnerabilities


Explore all Exploits:

Feng Office 3.7.0.5 – (Unauthenticated) Remote Command Execution

This module exploits an arbitrary file upload vulnerability in Feng Office 3.7.0.5. The application allows unauthenticated users to upload arbitrary files, with no session check of any kind. All files are sent to the "/tmp" directory. The ".htaccess" file under the "/tmp" directory blocks files with the "php,php2,php3.." extensions. The exploit creates a PHP payload and moves it to the main directory via "shtml". After moving the PHP payload to the main directory, the exploit executes the payload and receives a shell.

Phpkit 1.6.4pl1 Non Public Exploit

Vulnerability in file pkinc/public/article.php allows SQL Injection. The variable $contentid is not properly sanitized before being used in a SQL statement, which allows an attacker to manipulate the SQL query and potentially execute arbitrary SQL commands. The exploit takes advantage of this vulnerability to bypass the security restrictions and retrieve sensitive information from the database.

Path traversal vulnerability in Netflow Analyzer Professional v7.0.0.2 Administration zone

An Absolute Path Traversal vulnerability in the Administration zone allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name.

devolo dLAN 550 duo+ Starter Kit Cross-Site Request Forgery

The web application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. The devolo web application uses predictable URL/form actions in a repeatable way. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Webmin 1.900 – Remote Command Execution

This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Java file manager" and "Upload and Download" fields can execute arbitrary commands with root privileges. In addition, the "Running Processes" field must be authorized to discover the directory to be uploaded. A vulnerable file can be printed on the original files of the Webmin application. The vulnerable file being uploaded should be integrated with the application. Therefore, a ".cgi" file with the vulnerability belonging to the Webmin application should be used. The module has been tested successfully with Webmin 1900 over Debian 4.9.18.

Across DR-810 ROM-0 Backup – File Disclosure (Sensitive Information)

A vulnerability exists in the DR-810 modem where the rom-0 file, which contains sensitive information including the router password, can be downloaded without authentication. By sending a simple GET request to the target address with /rom-0 appended, the file can be downloaded. The file can then be decompressed to obtain the password.

Synergiser <= 1.2 RC1 Local File Inclusion & Full path disclosure

Synergiser CMS allows including a file via the GET variable "page". We can't include a remote file, coz there is a filter, but we can include, by a directory traversal, some important files. For example: http://[target]/[synergiser_path]/index.php?page=../../../etc/passwd So, we have to know the script path if we wanna browse the server. We can get it by generating a full path disclosure, like this: http://[target]/[synergiser_path]/index.php?page=../index.php We know that a function cannot be declared two times. So, let's read the "index.php" code, and we will find: include('application_top.php'); This row includes "application_top.php". In that page, a PHP function is declared: assign_rand_value(); So, including index.php in index.php, we will reinclude application_top.php, and we will redeclare the same function. We can't do it! So the server will answer: Fatal error: Cannot redeclare assign_rand_value() (previ

Xorg X11 Server SUID privilege escalation

This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users who can start the server to elevate privileges and run arbitrary code under root privileges. This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). A CentOS default install will require console auth for the user's session. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if already running. On exploitation, a crontab.old backup file will be created by Xorg. This module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation, artifacts will be created consistent with starting Xorg and running a cron job.

Recent Exploits: