POC for proving the ability to execute malicious Java code in a JAR file uploaded as an Oracle WebLogic library used to connect to WebLogic servers. Exploits the newInstance() and loadClass() methods used by the 'WeblogicReference' when attempting a Credential Test for a new Monitor. When the Credential Test is invoked, a call is made to look up a possibly existing 'weblogic.jar' JAR file using the 'weblogic.jndi.Environment' class and method.
grocy household management solution v2.7.1 allows stored XSS and HTML Injection via the Create Shopping List module; the payload is rendered upon deleting that Shopping List. To exploit this vulnerability, a user must log in to the application, go to the 'Shopping List' module, click 'New Shopping List', enter the payload <marquee onstart=alert(document.cookie)> in the 'Name' input field, click Save, and then click 'Delete Shopping List'.
A successful attempt to exploit this vulnerability could allow an attacker to execute code during startup or reboot with elevated privileges.
SiteMagic CMS 4.4.2 contains an authenticated arbitrary file upload vulnerability. An attacker can upload a malicious file to the server and execute arbitrary code. The vulnerability is exploited by sending a specially crafted POST request to the vulnerable application: the malicious file is uploaded by setting the filename parameter in the request body, and can then be accessed by sending a GET request to the uploaded file.
A vulnerability in Daily Tracker System 1.0 allows an attacker to bypass authentication by sending a malicious POST request to the application. This vulnerability is due to the application not properly validating user input. An attacker can exploit this vulnerability to gain unauthorized access to the application.
BloodX CMS 1.0 is vulnerable to authentication bypass. An attacker can bypass the login page and access the dashboard page by sending a POST request with the payload '=''or' to the vulnerable file login.php.
This vulnerability allows an attacker to inject an XSS payload in the User Registration section; each time the admin visits the Manage User section from the admin panel, the XSS triggers and the attacker can steal the cookie according to the crafted payload.
This exploit has two modes of execution: using the session fixation vulnerability (CVE-2020-15946) or using the access credentials of any account under any profile. With the --type L option, this script will create a malicious link; if the link is accessed in a browser by the victim, an arbitrary session identifier will be set, which is used to steal their session after uploading an image with PHP content as their profile photo, and then a local file include (CVE-2020-11819) is used to get a nice reverse shell. Or, with the options --type C -u <username> -p <password>, you can provide credentials, upload the image with PHP content and use the local file inclusion (CVE-2020-11819) to achieve code execution. Protip: remember to check if the registration module is enabled ;)
MaraCMS 7.5 is vulnerable to authenticated Remote Code Execution. In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS as 'admin' or 'manager'. The file uploader fails to check the extensions of files uploaded by the user, so it is possible to upload a webshell and get RCE.
FUEL CMS 1.4.8 allows SQL Injection via the parameter 'fuel_replace_id' in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.