The exploitation works by implanting a backdoor into the /configuration.php file in the root directory, using an eval so that it is usable across environments; this approach is also more intrusive. If you prefer another approach, you can replace get_backdoor_pay() with get_pay('php_function', 'parameter'), for example get_pay('system','rm -rf /').
There is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c. As described in the upstream commit, binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.
This exploit should work on all PHP 7.0-7.3 versions released as of 04/10/2019, specifically PHP 7.0 up to 7.0.33, PHP 7.1 up to 7.1.31, PHP 7.2 up to 7.2.23, and PHP 7.3 up to 7.3.10. It uses a function called 'pwn' to bypass disable_functions, built from a combination of helper functions such as str2ptr, ptr2str, write, leak, parse_elf, find_sym, and call.
LabCollector Lab Services Manager (LSM) is a network-based application that helps laboratories, core facilities, and biotechs providing services to clients or partners to keep track of samples arriving for processing, track their status, and generate reports. Billing management is also possible. LSM is a simple and complete lab services LIMS software, fully configurable by the user and adaptable to any situation. A SQL injection vulnerability in LSM allows an unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Valid admin or user credentials are not required. Deeper analysis shows that other pages are also affected by the vulnerability through other inputs.
This exploit targets an object injection vulnerability in mintinstall (aka Software Manager). It allows an attacker to inject malicious code into the .cache/mintinstall/reviews.cache file, which is then executed when the mintinstall application is started. The malicious code is written to the file using the shellCode() function, which takes a payload as an argument. The payload is a Python string containing a command that opens a reverse shell to the attacker's machine.
This exploit allows an attacker to gain access to the Detrix EDMS system by exploiting a SQL injection vulnerability and decrypting the user password. The exploit sends a malicious SQL query to the target host, which is then used to extract the encrypted user password from the database. The encrypted password is then decrypted using a key from the Detrix EDMS system and the clear-text password is revealed.
Counter-Strike: Global Offensive (vphysics.dll) before 1.37.1.1 is vulnerable to memory corruption that can be exploited by creating a game server and inviting a victim to it. An attacker can craft a malicious map that triggers the memory corruption by modifying the class name value in the PoC; the offset to modify in the PoC is 0x115703. After copying the malicious map to the game directory, the attacker can start the game with the malicious map and exploit the vulnerability to achieve code execution or denial of service.
When a cached page is being restored and the page being navigated away from is not cacheable, there is a time frame during which two documents are attached to the same frame. If an attacker finds a way to run JS during this time frame, she will be able to use one of the documents to execute JavaScript in the context of the other one. The attack has a restriction that significantly limits its applicability: the victim page must load a (potentially sandboxed) <iframe> with attacker-controlled content, so that the attacker's JS has a chance to run inside Document::prepareForDestruction.
When the currently focused element is an <input>, `selection.rootEditableElement()` in [1] might point to a node inside the <input>'s user-agent shadow DOM tree. Then `insertFragmentForTestRendering` is called, which might have side effects, e.g., if the inserted fragment contains an <iframe> element its "onload" handler will be called synchronously, and it's possible to reach the user-agent shadow root object by following the ancestor chain from the <iframe>. When an attacker has access to the shadow root, she can use it to leak other elements that are only intended to be accessible from the user-agent shadow tree, e.g., the <input> element in [3].
This vulnerability allows an attacker to execute the 'InsertHTML' command and run JavaScript in the context of the victim page. This is possible because the method checks that the 'document' argument is the document currently displayed on the page, but it does so before the 'updateStyleIfNeeded' call.