This exploit allows an unauthenticated attacker to execute arbitrary commands on a vulnerable Oracle WebLogic Server 12.2.1.0 instance. The exploit is achieved by sending a specially crafted POST request to the /console/images/%252E%252E%252Fconsole.portal endpoint, which contains a malicious payload that is executed by the server. This vulnerability is tracked as CVE-2020-14882.
The source of the "/admin_pages/admission.php" file defines the following lines of code, which allow an authenticated administrator to modify the source code of the page. Every change is then reflected back, and because the user input is not properly sanitized, this leads to cross-site scripting. An attacker may first gain access to the admin panel through the SQL injection authentication bypass.
The source of the "/admin_pages/login.php" file defines the following lines of code: $name=$_POST['name']; $password=$_POST['password']; $result=mysqli_query($conn,"SELECT * FROM users WHERE name='$name' AND Password='$password'"); These are executed when logging into the administrative panel at "/admin_pages/login.php" itself. The user input is not properly sanitized, and this leads to an authentication bypass through the classic "<username>' or '1' = '1 -- -" payload, where <username> has to be a valid username. For example, the default username is "florian".
This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1. The 'user' parameter is passed to the shell_exec() function without input validation.
Library System 1.0 is vulnerable to SQL injection through the 'category' parameter, which is used in a database query without proper sanitization. For example, the request http://localhost:8080/libsystem/libsystem/index.php?category=3 can be passed to sqlmap to confirm and exploit the vulnerability.
A stored XSS vulnerability exists in the CASAP Automated Enrollment System 1.0, which allows an attacker to inject malicious JavaScript code into the 'route' field of the student's profile. After logging in with the username 'admin' and the password "' or 1=1#" (an SQL injection authentication bypass), an attacker can exploit this vulnerability by entering a malicious script into the 'route' field and saving it. When the page is reloaded, the malicious script is executed.
A stored XSS vulnerability exists in the CASAP Automated Enrollment System 1.0, which allows an attacker to inject malicious JavaScript code into the 'First Name' parameter. The code is stored and executed every time the page is loaded, allowing the attacker to steal the session cookie of an authenticated user.
A persistent cross-site scripting vulnerability exists in Collabtive 3.1. An attacker can exploit it by submitting a malicious payload in the 'address' field of the profile edit page. The payload is executed whenever a user visits the profile edit page, and can be used to steal user data or perform other malicious actions in the victim's session.
MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles and a CSRF that allows a user's timeline banner/image to be changed.
Proof of Concept:
XSS via Thread/Post: Make a new thread or reply to an existing thread and input a payload in either the thread title or the main post itself.
XSS via Location/Bio: Go to User CP -> Edit Profile and input a payload in the Location/Bio field.
CSRF: A form with an input field for the image URL and a hidden input field for the action.
Exploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/), a server-side template injection in the Widget Connector macro of Atlassian Confluence Server. While the Metasploit module works fine, it has a limitation: to gain RCE, an outbound FTP request is made from the target Confluence server to the attacker's server, where the Velocity template containing the payload is hosted. If this is not possible, for example because the network where the target Confluence server is located filters all outbound traffic, an alternative approach is needed. This exploit, in addition to the original technique, implements that alternative approach by first uploading the template to the server and then loading it through the original vulnerability from the local file system. The limitation is that uploading a file requires a valid session for a non-privileged user; any user can upload a file to the server by attaching it to their "personal space". The exploit has two modes: exploiting the path traversal for file disclosure and directory listings, and RCE by uploading a template file with the payload to the server.