Explore Vulnerabilities
Explore all Exploits:

YVS Image Gallery SQL Injection Vulnerability

This vulnerability allows a remote attacker to obtain the user name and admin password of the YVS Image Gallery application. It exists because user-supplied input in the 'album_id' parameter of the 'view_album.php' script is not sufficiently sanitized. An attacker can exploit it by sending a specially crafted HTTP request carrying an SQL injection payload in the 'album_id' parameter, which discloses the application's user name and admin password.

webgrind 1.0 (file param) Local File Inclusion Vulnerability

webgrind suffers from a local file inclusion (LFI) vulnerability: input passed through the 'file' parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources using directory traversal and URL-encoded NULL bytes.

cPassMan v1.82 Remote Command Execution Exploit

This exploit allows an attacker to execute arbitrary commands on a vulnerable system running cPassMan v1.82. The exploit requires PHP 5.3.3 or lower due to the use of a poison null byte in the LFI. The exploit consists of two stages: an unauthenticated arbitrary file upload and an unauthenticated command execution. The uploaded file is stored in the document root of the web server as a file with the MD5 hash of the original filename.

HP Data Protector 6.1 EXEC_CMD Remote Code Execution

This exploit abuses a vulnerability in the HP Data Protector service. The flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD command and traverse back to /bin/sh, which allows arbitrary remote code execution in the context of root.

Sun Java Web Start Plugin Command Line Argument Injection (2012)

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser-known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

The Uploader 2.0.4 (Eng/Ita) Remote File Upload

This module exploits various flaws in The Uploader to upload a PHP payload to the target system. When run with defaults it will search possible URIs for the application and exploit it automatically. It works against both the English and Italian language versions. Notably, it disables pre-emptive email warnings before uploading the payload, though it leaves log cleanup as a post-exploitation task.

Sense of Security – Security Advisory – SOS-12-001

The privilege escalation is possible because the form used to log in as the admin user is the same form used for resetting the admin password, and the user is not required to enter their old password when changing their password. This form is also vulnerable to Cross-Site Request Forgery (CSRF).

This issue is exploitable on the following pages:

Version 7, 8: http://x.x.x.x/advanced_network.htm
Version 6 and below: http://x.x.x.x/advanced.htm

An attacker can reset the Administrator password by removing all password attempt variables and adding the following POST data:

admin_mode=on
admin_mode_password=newpass
admin_mode_password_confirm=newpass
Settings=Save
hidden_tag=(leave as the current post variable if CSRF protection is enabled in firmware versions 7.1.33 and above)
