Improper input sanitization of the 'community' parameter on the page snmp-x.php would allow a remote attacker to inject command directives into the file snmpd.conf. This would allow executing commands on the target server by injecting an 'extend' or 'exec' SNMPD directive and querying the server's SNMP daemon for the correct OID.
A persistent cross-site scripting vulnerability exists in Photo Share Website 1.0. An attacker can send a malicious payload in the post_id parameter of the ajax.php page, which will be stored in the database and executed when the page is loaded.
A vulnerability exists in MedDream PACS Server 6.8.3.751 that allows an authenticated user to execute arbitrary code on the server. An attacker can exploit this vulnerability by creating a one-line PHP shell to call commands, running the script on the attacking machine, and entering parameters such as IP, filename, username, password, and command. The core vulnerability resides in another product, which has been remediated as well.
CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and place a persistent XSS payload in the affected text fields. The user can then obtain cookies from every authenticated user who visits the website.
WebsiteBaker 2.12.2 allows SQL injection via the 'display_name' parameter in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The application is vulnerable to unauthenticated database download and information disclosure. This can enable an attacker to obtain sensitive information, resulting in authentication bypass, session hijacking and full system control.
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player, affecting the Diagnostic Web Server (DWS). The application parses user-supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker, for example, to bypass firewalls and initiate service and network enumeration on the internal network through the affected application.
The vulnerability is caused by a boundary error in the processing of received FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited to cause a stack-based buffer overflow when a user issues a POST request to connect to a malicious FTP server. Successful exploitation could allow execution of arbitrary code on the affected device or cause a denial-of-service condition.
This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the Administrators group. A requirement for successful exploitation is that the CloudMe.exe process must be running as administrator, such as when run with 'Run as Administrator', as this permission is required to create new users on the system. This exploit has been tested against multiple Windows 10 systems including x86, x64, Pro, Education, Home; although there is no guarantee it will work in your CTF.
This exploit allows an attacker to execute arbitrary code on the vulnerable WebsiteBaker 2.12.2 system. The attacker must first authenticate to the system using valid credentials, then use the template_edit tool to inject malicious code into a template file. The malicious code is then executed when the template is loaded. The attacker can then use a reverse shell to gain access to the system.