Some D-Link routers are vulnerable to OS command injection in the web interface. On DIR-645 versions prior to 1.03 authentication isn't needed to exploit it. On version 1.03 authentication is needed in order to trigger the vulnerability, which has been fixed definitively in version 1.04. Other D-Link products, like DIR-300 rev B and DIR-600, are also affected by this vulnerability. Not every device includes wget, which we need for deploying our payload. On such devices you could use the cmd generic payload and try to start telnetd or execute other commands. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This module has been tested successfully on DIR-645 prior to 1.03, where authentication isn't needed in order to exploit the vulnerability.
Simple HRM system is vulnerable to SQL injection attacks in its login page. An attacker can perform blind SQL injection through the login form and obtain information such as password hashes. Additionally, if an attacker were to get hold of a user's password hash, the attacker can easily spoof a cookie and impersonate anyone to access the system. Together with the blind SQL injection stated above, an attacker can simply extract the password hash, user ID and username via blind injection and recreate a cookie. This vulnerability effectively defeats one of the primary purposes of password hashing.
A vulnerability in Free Monthly Websites 2.0 allows an attacker to remotely change the administrator password. The vulnerability exists due to insufficient validation of user-supplied input in the 'admin/file_io.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious values for the 'admin_password' and 'admin_password_confirm' parameters. This will allow the attacker to change the administrator password.
AT-TFTP 2.0 is vulnerable to a stack-based buffer overflow. The vulnerability is triggered when a maliciously crafted packet is sent to the server. This can lead to a denial of service (DoS) condition. The vulnerability was discovered in 2006 by liuqx@nipc.org.cn and is still present in version 2.0. The exploit can be triggered remotely and has been tested on Windows XP SP3.
This exploit is a quick and dirty h4x by kingcope for ircd-hybrid-8.0.5 centos6. It uses Socket to connect to the server and sends a malicious MODE command with a negative number as a parameter to crash the server.
KNet Web Server is vulnerable to a stack-based buffer overflow due to improper bounds checking of user-supplied data. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing an overly long string in the URI. This can allow the attacker to execute arbitrary code in the context of the application.
This exploit uses the nativeHelper.apply feature in the SpiderMonkey JavaScript engine embedded in MongoDB to execute arbitrary code. The exploit uses a combination of shellcode and a ROP chain to execute the code.
Some Linksys routers are vulnerable to an authenticated OS command injection in the web interface. Default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. The user must be prudent when using this module, since it modifies the router configuration during exploitation, even though it tries to restore the previous values afterwards.
ZAPms is a free open source web content management system, adapted to the needs of businesses on the Internet. An attacker can exploit a SQL injection vulnerability in the 'products' page of the ZAPms application by sending a specially crafted HTTP request containing malicious SQL code. This can allow the attacker to gain access to sensitive information stored in the database, such as usernames and passwords.
This module exploits a code execution flaw in Novell ZENworks Configuration Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control Center application, allowing an unauthenticated attacker to upload a malicious file outside of the TEMP directory and then make a second request that allows for arbitrary code execution. This module has been tested successfully on Novell ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE Linux Enterprise Server 10 SP3.