
Explore Vulnerabilities

Explore all Exploits:

10-Strike Bandwidth Monitor 3.9 – Buffer Overflow (SEH,DEP,ASLR)

Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a stack-pivot return address located in the [BandMonitor.exe] memory space, as that module was not compiled with SafeSEH protection. The stack pivot lands in a RET sled, because the process's offset on the stack differs every time. Bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) using Return-Oriented Programming (ROP), choosing gadgets from [ssleay32.dll], [BandMonitor.exe] and [LIBEAY32.dll], as they are not compiled with rebasing or ASLR support. A pointer to the LoadLibraryA symbol exists in the import table of the [LIBEAY32.dll] module; use gadgets to call LoadLibraryA and find the memory address of the [kernel32.dll] module, which is protected by ASLR and loads at a different address every time the process runs. A pointer to the GetProcAddress symbol also exists in the import table of the [LIBEAY32.dll] module; use gadgets to call GetProcAddress to find the memory address of the WinExec symbol within [kernel32.dll], then use gadgets to call the WinExec function and open calc.

Bludit 3.9.12 – Directory Traversal

This exploit targets Bludit version 3.9.12 and higher. It allows an attacker to execute arbitrary code on the vulnerable system. It is based on a directory traversal vulnerability in the Bludit CMS that lets an attacker upload a malicious PHP file to the server and execute it. The exploit is written in Python and uses the requests library to send the malicious payload to the vulnerable server.

Virtual Airlines Manager 2.6.2 – ‘airport’ SQL Injection

Virtual Airlines Manager 2.6.2 is vulnerable to multiple SQL Injection vulnerabilities. The vulnerable GET parameters are notam_id, airport, registry_id and plane_location. An attacker can exploit these vulnerabilities to gain access to sensitive information from the database.

Virtual Airlines Manager 2.6.2 – ‘notam’ SQL Injection

The 'notam_id' parameter in Virtual Airlines Manager 2.6.2 is vulnerable to SQL injection. The parameter's value is passed directly into the SQL query, allowing an attacker to inject malicious code. A proof of concept can be found at https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27

Kyocera Printer d-COPIA253MF – Directory Traversal (PoC)

An attacker can exploit a directory traversal vulnerability in Kyocera Printer d-COPIA253MF by sending a specially crafted HTTP request containing a directory traversal payload followed by a null byte (%00). This allows the attacker to access files outside of the web root directory.

Cayin Digital Signage System xPost 2.5 – Remote Command Injection

CAYIN xPost suffers from an unauthenticated SQL injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and to execute SYSTEM commands.

Cayin Signage Media Player 3.0 – Remote Command Injection (root)

CAYIN Technology provides Digital Signage solutions, including media players, servers, and software. The SMP-8000QD, SMP-8000, SMP-6000, SMP-4000, SMP-2310, SMP-2300, SMP-2210, SMP-2200, SMP-2100, SMP-2000, SMP-1000, SMP-PROPLUS, SMP-WEBPLUS, SMP-WEB4, SMP-PRO4, SMP-NEO2, SMP-NEO, and SMP-300 media players are vulnerable to remote command injection as root.

Secure Computing SnapGear Management Console SG560 3.1.5 – Arbitrary File Read

The application allows the currently logged-in user to edit configuration files on the system using the CGI executable 'edit_config_files' in /cgi-bin/cgix/. The files that may be modified (read/write/delete) are located in the /etc/config/ directory. An attacker can manipulate the POST request parameters to escape the restricted environment by using an absolute path, and then read, write and delete arbitrary files on the system.
