This module exploits a buffer overflow vulnerability in the UploadControl ActiveX control. The vulnerability exists in the handling of the 'Attachment_Times' property, due to the insecure usage of the _swscanf function. The affected ActiveX control is provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer. This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3.
The 'essid' parameter of http://<IP>/test.cgi is not sanitized, which allows execution of operating system commands. For example, the parameter input field can be set to 'LINKTEST & /bin/touch /tmp/test.txt #' to create the file /tmp/test.txt. Authentication to the web site is necessary to exploit this vulnerability.
This module exploits a stack-based buffer overflow in RealPlayer <=15.0.6.14. The vulnerability exists in the handling of Real Media files, due to the insecure usage of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click. It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109.
Guru Auction 2.0 contains multiple SQL injection vulnerabilities. An attacker can exploit these vulnerabilities to gain access to sensitive information such as usernames and passwords. The vulnerabilities can be exploited by sending a specially crafted SQL query to the vulnerable application, which can be used to extract data from the database, modify data, or execute system commands. They can also be exploited using a blind SQL injection technique, where the attacker sends a specially crafted SQL query and checks the application's response to determine whether the query was successful.
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress plugin. By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.
This module exploits a command injection vulnerability in the URL handler for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with a specially crafted notes:// URL to execute arbitrary commands with arbitrary arguments. This module has been tested successfully on Windows XP SP3 with IE8, Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
The AwayList MyBB plugin is vulnerable to SQL injection because the variable '$mybb->input['id']' is used unsanitized. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the server, such as http://server/index.php?action=editAwlItem&id=[SQLi].
HM My Country Flags has a SQL injection vulnerability. If we go to a thread, we'll see a country flag next to the user's post. We'll start HTTP Live Headers and click this link to get the URL (otherwise it is shown in a popup box and we will not see the URL). Here we can perform a basic UNION-based SQL injection. The column count is often very large, usually around 150-180 depending on the countries available.
City Directory Review and Rating Script is vulnerable to SQL Injection. The vulnerability exists in the 'search.php' page, where user-supplied input is not properly sanitized before being used in a SQL query. An attacker can exploit this vulnerability to gain access to the database and execute arbitrary SQL commands.