Unauthenticated users can review the contents of any file on the host machine using a browser. The 'id' parameter in ajax/event.php is vulnerable to a time-based SQL injection. Complete enumeration of the MySQL 'nvr' database is possible.
The vulnerability is in the help documents located in /admin/helpfiles/. AdminHelp.php (around lines 42-44) includes a $_GET parameter that is not properly sanitized, allowing an attacker to read arbitrary files on the server.
The division-by-zero vulnerability in Microsoft Windows Media Player consists of dividing the value of a register by zero. In this case the ECX register holds zero when the instruction DIV ECX executes. This causes an integer division by zero, which raises an exception that cannot be handled, and the application crashes.
This module exploits a vulnerability found in Project Pier. The application's uploading tool does not require any authentication, which allows a malicious user to upload an arbitrary file onto the web server, and then cause remote code execution by simply requesting it. This module is known to work against Apache servers due to the way it handles an extension name, but the vulnerability may not be exploitable on others.
Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings, creates pcap files in /tmp with predictable file names. This is exploited by hard-linking these filenames to /etc/passwd, then sending a packet with a privileged user entry contained within. This packet, and all the other packets, are appended to /etc/passwd. Successful exploitation results in the creation of a new superuser account.
The FileBound On-Site document management application is vulnerable to a privilege escalation attack by sending a modified password request to the FileBound web service. By modifying the UserID value, an attacker can reset the password of any local user in the application without requiring administrative privileges.
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the vOlk-Botnet framework application v4.0 private edition. The SQL injection vulnerabilities allow remote attackers to inject and execute their own SQL commands/statements on the DBMS of the affected vOlk botnet application control panel. The vulnerabilities are located in the Messenger, Filezilla and Estadisticas files, with the vulnerable ?pag listing parameter. They can be exploited by remote attackers without any user interaction. Successful exploitation results in compromise of the botnet control panel via remote SQL injection. The persistent vulnerabilities allow remote attackers to inject malicious persistent script code on the application side. They can be exploited by remote attackers with low user interaction. Successful exploitation results in session hijacking, persistent phishing attacks, persistent external redirects and persistent manipulation of the affected or connected module context.
The Vulnerability Laboratory Research Team discovered multiple critical web vulnerabilities in Omnistardrives Omnistar Document Manager v8.0. Multiple SQL injection vulnerabilities were detected in the Omnistardrives Omnistar Document Manager v8.0 web application. The SQL injection vulnerabilities allow a remote attacker to inject their own SQL commands/statements on the affected application's DBMS. The vulnerabilities were detected in the user portal and the admin section of the application, and can be exploited by remote attackers without a privileged application user or admin account. The SQL bugs are located in the index.php file, in the vulnerable report_id, delete_id, add_id, return_to, interface, page and sort_order request parameters. Successful exploitation of the vulnerabilities results in compromise and manipulation of the application DBMS via SQL injection.
This module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several products of GE, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42. When the control is installed with these products, the function "LaunchTriPane" will use ShellExecute to launch "hh.exe" with user-controlled data as parameters. Because of this, the "-decompile" option can be abused to write arbitrary files on the remote system. Code execution can be achieved by first uploading the payload to the remote machine, and then uploading another MOF file, which causes the Windows Management Instrumentation service to execute it. Please note that this module currently only works for Windows versions before Vista. In addition, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3.
This exploit is a local exploit for PHP 5.3.4 Win Com Module Com_sink. It is a 0-day exploit tested on Microsoft XP Pro 2002 SP2. It uses a buffer overflow to execute a shellcode which displays an alert box. The exploit is written by Rahul Sasi and more details can be found at http://www.garage4hackers.com/blogs/8/web-app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-394/.