A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Proof of Concept remote exploit against Fedora 31 netkit-telnet-0.17 telnetd. This exploit is for demonstration purposes only and has not been engineered to be reliable.
UniSharp Laravel File Manager versions 2.0.0-alpha8 and 2.0.0 contain an arbitrary file read vulnerability. An attacker can craft a malicious URL to read any file on the server. The URL is crafted by appending the file path to the working_dir parameter in the download request. For example, http://localhost/laravel-filemanager/download?working_dir=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2F&type=&file=passwd can be used to read the /etc/passwd file.
A vulnerability in the RICOH Aficio SP 5210SF Printer allows an attacker to inject malicious HTML code via the 'entryNameIn' parameter in the 'adrsSetUser.cgi' script. An attacker can send a specially crafted HTTP POST request to the vulnerable script, which will execute the injected HTML code.
GUnet OpenEclass 1.7.3 E-learning platform is vulnerable to an unauthenticated information disclosure vulnerability and an authenticated error-based SQL injection vulnerability. The unauthenticated information disclosure vulnerability can be exploited by accessing the system info page at 127.0.0.1/modules/admin/sysinfo, the web-app version info page at 127.0.0.1/README.txt, 127.0.0.1/info/about.php, and 127.0.0.1/upgrade/CHANGES.txt. The authenticated error-based SQL injection vulnerability can be exploited by sending a specially crafted request to the myagenda.php page at 127.0.0.1/modules/agenda/myagenda.php?month=2&year=2020.
Each file has a set of properties that can be edited by any authenticated user who has write access on the project or the file. The URL property of the file provided by the user is injected into the href attribute of the HTML link without proper escaping. On the document explorer, the value is injected into a span tag, but on the detailed view of the file it is inserted into the href attribute of an a tag. http:// is prefixed to the payload provided by the user, but this can be bypassed. The generated vulnerable link will look like this: <a target="_blank" href="http://" onmouseover="alert(document.cookie)" rel="noopener">http://" onmouseover="alert(document.cookie)">. Storing it requires write privileges, but any user with read access can see it. There is no file type restriction on photo uploads in the user profile page, so the profile picture can be opened in the browser. The payload is injected into the src attribute of an img tag. Storing it requires write privileges, but any user with read access can see it. The document preview feature is vulnerable to XSS. The payload is injected into the src attribute of an iframe tag. http:// is prefixed to the payload provided by the user, but this can be bypassed. The generated vulnerable link will look like this: <iframe src="http://" onmouseover="alert(document.cookie)" "=" ">. Storing it requires write privileges, but any user with read access can see it.
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.
This exploit allows an attacker to execute arbitrary code on the vulnerable TP-Link TL-WR849N router. The vulnerability exists in the TRACEROUTE_DIAG CGI script, which allows an attacker to inject arbitrary commands into the host parameter. The attacker can then use the diagnosticsState parameter to execute the command. The vulnerability is due to insufficient input validation.
If $_WINGFTPDIR is the directory where Wing FTP was installed, $_WINGFTPDIR/wftpserver/session/* corresponds to user sessions, which are world readable/writeable (possibly exploitable). $_WINGFTPDIR/wftpserver/session_admin/* corresponds to admin sessions, which are world readable/writeable. An attacker can wait for an admin to log in, steal their session, then launch a curl command which executes Lua.
This exploit is a native implementation without requirements, written in Python 2. It works equally well on Windows and Linux (and probably macOS ;-). It uses reverse engineered serialization code from https://github.com/pwntester/ysoserial.net to generate a payload and send it to the target server.