Kinsey's Infor-Lawson application (formerly ESBUS) is vulnerable to SQL injection in at least two parameters:

1) TABLE parameter, PoC below:
GET /esbus/servlet/GetSQLData?SCHEMA=ESBUS_INTERNAL&TABLE=SCHEDULEDTASKS UNION ALL SELECT <<ATTACKER INPUT>>&FIELD=LASTRUN&NOHEADER=1&SELECT=CLASS=com.esbus.appliance.SOD_PolicyCheck_SystemRun_TimerTask&OUT=XML HTTP/1.1

2) QUERY POST parameter, PoC below:
POST /KK_LS9ReportingPortal/GetData?SERVERID=%27;LSF_PROD& HTTP/1.1
QUERY=1 AND SLEEP(5) AND ('foo'='foo')) &OUT=TAB

A JSP webshell can then be written to the /esbus/ directory.
Multiple cross-site request forgeries exist in the web interface side of FTP Voyager Scheduler running on port 52986, allowing remote attackers to make HTTP requests on behalf of an authenticated user if that user visits a malicious web page or clicks an attacker-supplied link. FTP Voyager has a scheduler feature that lets users create tasks/commands to execute on some other action, such as when directories are created, files are uploaded/downloaded, the scheduler starts or stops, and so forth. Remote attackers who successfully pull off CSRF exploitation can do things like change the admin password or cause a persistent denial of service by setting a task to terminate 'FTP Voyager Scheduler' itself upon startup, among other nefarious things.
networkmap is responsible for generating a map of computers connected to the router. It continuously monitors the LAN to detect ARP requests submitted by unknown computers. When a new MAC address appears, it probes the related IP address for running services such as printer sharing, HTTP servers and iTunes servers. This is implemented by sending out multicast SSDP discoveries:

M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST:upnp:rootdevice
MAN:"ssdp:discover"
MX:3

A device can then respond with messages which indicate the location of the iTunes service. The function process_device_repsonse is responsible for parsing the SSDP answer.
httpd uses the function search_token_in_list to validate if a user is logged into the admin interface by checking his asus_token value. There seems to be a branch which could be a failed attempt to build in a logout functionality. If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated as signed-in if any other administrator session is active. It’s possible to execute arbitrary commands on the router if any admin session is currently active.
Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.
An unauthenticated attacker can inject arbitrary SQL commands into the 'aid' parameter of the 'wp-admin/admin-ajax.php' script. This can be exploited to read, modify or delete data from the database.
httpd checks in the function handle_request whether the requested file name is longer than 50 characters. It then responds with a redirection, which allows an attacker to inject arbitrary JavaScript code into the router's web interface context.
An attacker can download arbitrary files from the vulnerable WordPress Plugin Apptha Slider Gallery v1.0 by manipulating the 'imgname' parameter in the 'asgallDownload.php' script.
An attacker can exploit a SQL injection vulnerability in WordPress Plugin Apptha Slider Gallery v1.0 to gain access to the database. By sending a specially crafted HTTP request, an attacker can inject arbitrary SQL commands into the application which can be used to bypass authentication and gain access to the database.
An attacker can download arbitrary files from the vulnerable WordPress Plugin Mac Photo Gallery v3.0 by manipulating the 'albid' parameter in the 'macdownload.php' script.