This exploit is related to the suid-root restorer binaries in Arq for Mac. After reversing the inter-app protocol, it was discovered that the path to the restorer binary is specified as part of the data packet sent by the UI. On receiving this packet, the restorer binary sets the setuid bit (+s) and root ownership on that path, allowing an attacker to specify an arbitrary path that will receive +s and root ownership.
SQL injection in the GET parameter 'token'. The payload types used are boolean-based blind, AND/OR time-based blind, and UNION query.
A local file disclosure vulnerability exists in WinduCMS because it ships a vulnerable PHPMailer version 5.2.1. Exploitation requires a contact form to be present on the website. An example of the vulnerable template code is {{W name=contactForm inputs="name" email="root@localhost"}}
SQL injection in the GET parameter 'id'. The payload types used are boolean-based blind, AND/OR time-based blind, and UNION query.
The vulnerability allows an attacker to inject SQL commands into the 'id' parameter of the 'single.php' page. An attacker can exploit this vulnerability to gain access to sensitive information such as user credentials, database details, etc.
The CIS application permits tampering with users' permission values, which are loaded by the following methods inside Perspective.data.dll just after the initial authentication phase and before the graphical user interface is loaded: accessLevels(), userEntityPrivs(), userFieldPrivs(). Due to insufficient validation and missing server-side cross-checks, unprivileged authenticated users can modify their access-level permissions by tampering with these values, thus gaining access to privileged users' actions.
It is possible to corrupt heap memory in the Abyss Web Server by sending specially crafted HTML in repeated HTTP POST requests.
Artica offers a web-based command line emulator, 'system.terminal.php' (shell), that allows authenticated users to execute OS commands as root. However, Artica fails to sanitize the HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'. Therefore, when an authenticated user clicks an attacker-supplied link or visits a malicious web page, attacker-supplied JavaScript code is executed in the user's session, which is then used to execute unauthorized operating system commands (RCE) on the affected Artica Web Proxy Server by abusing the system.terminal.php functionality. The result is attacker takeover of the Artica server.
Unauthenticated remote attackers can inject persistent XSS payloads by making failed HTTP authentication requests. Attacker-supplied payloads are stored in the server logs as failed-authentication alerts. MistServer echoes the unsanitized payloads back in its web interface automatically, because the UI refreshes every few seconds, thereby executing arbitrary attacker-supplied code.
SQL injection in the 'keyword' parameter. Proof of Concept (PoC):
SQLi: https://localhost/[path]/onlinejobsearch/job
    Parameter: keyword (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: keyword=xxxx') AND (SELECT 6727 FROM(SELECT COUNT(*),CONCAT(0x7176707a71,(SELECT (ELT(6727=6727,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zImA'='zImA&location_name[]=