header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

Joomla Component Expose <= RC35 Remote Permission Bypass/Arbitrary File Upload Vulnerability

The Joomla component Expose <= RC35 has a vulnerability that allows for remote permission bypass and arbitrary file upload. The vulnerable file is /com_expose/uploadimg.php. The target_path variable is set to ../../../components/com_expose/expose/img/. If the uploaded file does not have a .jpg extension, an alert is displayed. An attacker can upload a PHP shell using the link http://site.com/administrator/components/com_expose/uploadimg.php. The shell file can be found at http://site.com/components/com_expose/expose/img/

eSyndiCat: Multiple SQL Injection’s

The eSyndiCat software is vulnerable to multiple SQL injection attacks. The first attack can be performed by modifying the 'id' parameter in the 'news.php' file, allowing an attacker to retrieve sensitive information from the 'dir_admins' table. The second attack can be performed by modifying the 'name' parameter in the 'page.php' file, allowing an attacker to bypass authentication and access unauthorized information.

PsNews 1.1 (show.php newspath) Local File Inclusion

The vulnerability allows an attacker to include local files on the server by manipulating the 'newspath' parameter in the 'show.php' script. By injecting a file path, an attacker can potentially read sensitive files, such as the '/etc/passwd' file. The vulnerability affects PsNews version 1.1.

Buffer overflow in WebDAV service in IIS 6.0

The buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request.

Java Web Start Buffer Overflow POC Exploit

This is a proof-of-concept exploit for a buffer overflow vulnerability in Java Web Start. The exploit takes advantage of a vulnerability in the javaws.exe file, specifically in the sub_406208 subroutine. It pushes various values onto the stack and calls the sub_40544D function multiple times. The exploit is designed to execute a shellcode, but a dummy shellcode is provided in the code and needs to be replaced with a real one.

Aigaion <= 1.3.3 SQL Injection Exploit

The Aigaion web application version 1.3.3 and below is vulnerable to SQL Injection. An attacker can exploit this vulnerability to obtain the admin username and MD5 hash. The exploit involves injecting malicious SQL code into the 'topic_id' parameter of the 'index.php?page=topic' URL. By manipulating the SQL query, the attacker can retrieve the admin login and password information.

Centreon SQL and Command Injection

This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands as long as there is a valid session registered in the centreon.session table. In order to have a valid session, all it takes is a successful login from anybody. The exploit itself does not require any authentication. This module has been tested successfully on Centreon Enterprise Server 2.2.

Multiple vulnerabilities discovered in dnaLIMS DNA sequencing web-application

1) Improperly protected web shell: dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is a web shell included with the software running as the web user. However, sending a POST request to that page bypasses authentication checks, including the UID parameter within the POST request. 2) Unauthenticated Directory Traversal: The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated directory traversal attack. This allows an unauthenticated attacker to retrieve files on the operating system accessible by the permissions of the web server. This page also does not require authentication, allowing any person on the Internet to exploit this vulnerability. 3) Insecure Password Storage: An option, which is most likely the default, allows the password file (/home/dna/spool/.pfile) to store clear text passwords. When combined with the unauthenticated directory traversal vulnerability, it is possible to gain the username and password for all users of the software and gain complete control of the software. 4) Session Hijacking: Each user of the dnaLIMS software is assigned a unique four-digit user identification number(UID) upon account creation. These numbers appear to be assigned sequentially. Multiple pages of the dnaLIMS application require that this UID be passed as a URL parameter in order to view the content of the page.

ViRC 2.0 ‘JOIN Response’ 0day Remote SEH Overwrite PoC Exploit

This is a proof-of-concept exploit for the ViRC 2.0 'JOIN Response' vulnerability. The exploit takes advantage of a buffer overflow in the JOIN response message to overwrite the Structured Exception Handler (SEH) record and gain control of the program flow. The exploit includes a shellcode that executes the Windows command 'calc.exe'. The exploit works by sending a specially crafted JOIN response message to the ViRC client, which then passes the message to the IRC server. The exploit_tunnel is used to intercept and modify the message before it reaches the IRC server. The exploit has been tested on Visual IRC 2.0 with Windows 2000 SP4 Polish.

Cimetrics BACnet Explorer 4.0 XXE Vulnerability

Cimetrics BACnet Explorer 4.0 is vulnerable to an XML External Entity (XXE) vulnerability using the DTD parameter entities technique. This vulnerability allows for the disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability occurs when input passed to the XML parser is not properly sanitized while parsing the XML project file.

Recent Exploits: