
Explore Vulnerabilities


Explore all Exploits:

Sync Breeze v9.7.26 – Local Buffer Overflow

Sync Breeze v9.7.26 has a local buffer overflow vulnerability. An attacker can exploit it by clicking 'Add', entering any command name, scrolling down to 'Exclude', clicking 'Add Exclude Directory' and pasting a malicious payload into the 'Directory' field.

EFS Web Server 7.2 Authentication Bypass

Easy File Sharing Web Server is file sharing software that lets visitors upload and download files easily through a web browser. An attacker can bypass the login screen by changing the URL and browsing the drives. The attacker can then view drives and folders and download files from different drives or folders.

Unauthenticated remote root code execution on logpoint < 5.6.4

An unauthenticated remote root code execution vulnerability exists in Logpoint versions < 5.6.4. An attacker can send a malicious payload to the Logpoint server via a zmq socket on port 5504. This payload will be executed as root on the Logpoint server. The payload will download a second stage of the exploit from the attacker's web server and execute it as root.

eCom Cart 1.3 Exploit

eCom Cart 1.3 is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a request to the charge.php page with a crafted order_id parameter. This can be exploited using the sqlmap tool to enumerate the database and extract sensitive information.

Uniview NVR remote passwords disclosure

The Uniview NVR web application does not enforce authorization on the main.cgi file when JSON data is requested. That is, you can do anything without authentication, although you must know the request structure. In addition, the users' passwords are both hashed and stored in a reversible form. The POC below remotely downloads the device's configuration file, extracts the credentials and decodes the reversible password strings using a crafted map. It is worth mentioning that when you log in, the JavaScript hashes the password with MD5 and passes the request. If the script retrieves the hash and not the password, you can intercept the request and replace the generated MD5 with the one disclosed using this script.
