A user with the teacher role is able to execute arbitrary code by exploiting a vulnerability in Moodle v3.4.1. The exploit is based on information provided by Robin Peraglie and requires a netcat listener to be running on the specified port before executing the script.
The Laundry CMS is vulnerable to SQL injection via the cloth_code and cloth_name parameters. An attacker can exploit this vulnerability by sending a crafted payload using the %2527 attack pattern in a POST request to http://localhost/laundry/index.php/admin/cloth_crud/create.
The front page of the server web interface leaks the private IP address in the hidden form field 'ipaddress' around line 80. The server web interface contains multiple reflected XSS vulnerabilities that do not require authentication. The server web interface also contains a self-XSS in the search function.
ICE HRM is vulnerable to a time-based blind SQL injection in the 'ob' parameter. An attacker can exploit this by sending a specially crafted payload in the 'ob' parameter via either the POST or GET method. The payload is 1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f. It causes the application to sleep for 25 seconds, and the resulting delay in the response indicates successful exploitation.
NetData is prone to multiple HTML-injection vulnerabilities. Successful exploitation allows attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. The original advisory provides an example of malicious HTML that asks the user to enter their credentials into a form whose contents are sent to the attacker's IP address.
This code is a small proof of concept of unauthenticated remote code execution using the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). It has been tested against LibreOffice version 6.1.1.2 on Ubuntu MATE 18.04 with kernel 4.15.0-34-generic. For this PoC to work, the target machine needs to run the ServiceManager bound to an external interface. The following command was used to test this PoC on Ubuntu, from a terminal: soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'. This command starts the LibreOffice ServiceManager; it can also be run with the --invisible flag to prevent the dialog box from popping up on the target. I also made a scanner available that can be used to check for the presence of a StarOffice manager running on a machine: https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-staroffice-managers/
This is a PoC for remote command execution in Apache Tika-server. It exploits a vulnerability in Tika-server versions prior to 1.18 that allows attackers to execute arbitrary commands on the server. The exploit sends a specially crafted HTTP PUT request carrying a JScript payload to the Tika-server; the payload contains the command that is then executed on the server.
This bug was found in the file /gracemedia-media-player/templates/files/ajax_controller.php. The "cfg" parameter is not sanitized, allowing local file inclusion. Exploiting the vulnerability only requires interacting with the application using version 1.0 of the HTTP protocol.
The Microsoft Windows MSHTML Engine is prone to a vulnerability that allows attackers to execute arbitrary code on vulnerable systems because of improper validation of specially crafted web documents (HTML, XHTML, etc.). The issue is triggered when a user 'Edits' a specially crafted document containing a 'meta' HTML tag whose name is set to 'ProgId' and whose content is set to a 'ProgId' of choice, e.g. 'HTAFILE', usually through the MS IE browser or an MS Office component (the Edit HTML app 'msohtmed.exe'). Some Office versions add an 'Edit' menu option to HTML and XHTML files, making it possible to exploit the vulnerability locally or remotely (usually through network shares).
CoreFTP Server FTP / SFTP Server v2 - Build 674 is vulnerable to a directory traversal attack when a SIZE command is sent with a specially crafted path. An attacker can use this vulnerability to read files outside of the web root directory.