Ganib 2.0 preauth SQLi PoC allows an attacker to inject malicious code into the vulnerable application. This exploit was discovered by drone (@dronesec) and was tested on Ubuntu 12.04 (apparmor disabled) / WinXP SP3.
The vulnerability exists due to insufficient validation of the 'track' HTTP GET parameter passed to the '/wp-content/plugins/adrotate/library/clicktracker.php' script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. The following PoC code contains a base64-encoded string '-1 UNION SELECT version(),1,1,1', which will be injected into the SQL query and will output the MySQL server version.
First, with an admin user logged in, an attacker can exploit a persistent XSS vulnerability by sending a POST request with a malicious payload. An attacker can also upload a webshell into the ILIAS directories and access it directly to gain a webshell.
This vulnerability allows remote attackers to write arbitrary files on vulnerable installations of SolidWorks Workgroup PDM.
This exploit is a slightly more weaponised version of the Mini HTTPD buffer overflow written by Sumit. It allocates memory in a safe area, copies the payload to it, creates a new thread which runs the payload and then suspends the current thread. The suspending of the thread forces the parent to kill it off rather than let it crash and potentially bring the process down.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site and/or execute arbitrary HTML and script code in a user's browser session.
A remote attacker can exploit this vulnerability by sending a specially crafted packet to the vulnerable application. The packet contains a malicious payload that will overwrite the stack buffer and execute arbitrary code. The attacker can then gain full control of the vulnerable system.
The persistent input validation web vulnerability is located in the `name` value of the `/cgi-mod/index.cgi` module. Remote attackers are able to inject their own malicious script code into the vulnerable `name` value of the `/cgi-mod/index.cgi` module. The malicious script code executes in the main page of the web application after a successful login. The attack vector is persistent and the request method used to inject is POST.
This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4. An attacker must send the file to the victim and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser when the PLS extension is registered to Audiotran. This alternate vector has not been tested and cannot be exercised directly with this module.