PHPShell does not regenerate the session ID upon authentication. This can potentially allow remote attackers to access parts of the application using only a valid PHPSESSID if the php.ini setting session.use_only_cookies=0 is in effect. An existing XSS vulnerability in PHPShell increases the risk if an authenticated user clicks an attacker-supplied link and the attacker finds a way to access or set the victim's cookie. In 'phpshell.php' at line 153 we see a call to the PHP function session_start(); after user authentication no call to 'session_regenerate_id()' is made, leaving the authenticated session ID the same as the pre-auth session ID. However, 'session.use_only_cookies=1' has been the default since PHP 4.3.0, so exploitation would require that php.ini is set to 'session.use_only_cookies=0' on the victim's system.
Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an attacker who gains access to the hashed user account passwords can log in to the Sawmill interface using the raw MD5 hash values, allowing attackers to bypass the work of cracking account password hashes offline. This issue is usually known to affect Windows systems, e.g. (NT Pass the Hash/Securityfocus, 1997). However, this vulnerability can also present itself in a vulnerable web application. Sawmill account password hashes are stored under the LogAnalysisInfo/ directory in "users.cfg". Moreover, since the 'users.cfg' file is world readable, a regular non-admin Windows user who logs into the system running Sawmill can grab a password hash and easily log in to the vulnerable application without needing the password itself.
NetgearPwn is an exploit that provides access to the default user account. Privileges can be easily elevated by using a kernel exploit (e.g. memodipper was tested and it worked), by executing /bin/bd (a suid backdoor present on SOME but not all versions), or by manipulating the httpd config files to trick the root user into executing your code.
A SQL injection vulnerability exists in Joomla! Component Most Wanted Real Estate v1.1.0. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable application. This can allow the attacker to bypass authentication, access, modify and delete data within the database.
Attackers are able to execute JavaScript and PHP code on a web application using RSS News - AutoPilot Script, which allows an attacker to create a post when an authenticated user/admin browses a specially crafted web page. The whole process was also possible without any authenticated user/admin; for more information, watch the PoC video below.
A SQL injection vulnerability exists in Joomla! Component Google Map Store Locator v4.4. The vulnerability is due to insufficient sanitization of user-supplied input in the 'filter_to', 'filter_day', and 'filter_time' parameters of the 'index.php' script. An attacker can exploit it by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable application in order to gain access to unauthorized information or to manipulate data.
A SQL injection vulnerability exists in Joomla! Component Bazaar Platform v3.0. An attacker can send malicious SQL queries to the application, which can be used to extract sensitive information from the database, modify data, or execute arbitrary system commands.
A SQL injection vulnerability exists in Joomla! Component Room Management v1.0. An attacker can send malicious SQL queries to the application to gain access to sensitive information stored in the database. The vulnerable parameters are 'tmpl', 'id', 'date', 'task', 'status' and 'id'. An attacker can exploit this vulnerability by sending a specially crafted SQL query to any of the vulnerable parameters.
A SQL injection vulnerability exists in Joomla! Component OS Services Booking v2.5.1. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can potentially result in the manipulation or disclosure of application data.
A SQL injection vulnerability exists in Joomla! Component EShop v2.5.1, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in an 'index.php?option=com_eshop&view=category' request.