Explore Vulnerabilities

Explore all Exploits:

WordPress Booking Calendar v8.4.3 – Authenticated SQL Injection Vulnerability

An authenticated SQL injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. An attacker can perform a time-based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter. A shell can be obtained with sqlmap using the --sql-shell, --os-shell, and --os-cmd options.

DomainMOD 4.11.01 – Cross-Site Scripting

A stored cross-site scripting (XSS) vulnerability was discovered in the DomainMod application, versions v4.09.03 to v4.11.01. After logging into the DomainMod application panel, browse to the /assets/add/dns.php page and inject a JavaScript XSS payload in the Profile Name and Notes fields: "><img src=x onerror=alert("XSSed-By-Abdul-Kareem")>

Core FTP/SFTP Server 1.2 – Build 589.42 – Denial of Service (PoC)

Core FTP/SFTP Server 1.2 - Build 589.42 is vulnerable to a denial of service attack when a maliciously crafted domain name is provided. An attacker can exploit this vulnerability by running a Python script to generate a maliciously crafted domain name, copying the content to the clipboard, opening Core FTP Server, selecting 'Setup' > 'New', selecting 'Domain Name' and entering 'Test', selecting 'Domain IP/Address' and entering '1.1.1.1', selecting 'Base directory' and choosing a directory path, enabling 'WinNT users', selecting 'User domain' and pasting the clipboard content, clicking 'Ok' and then clicking 'Ok' in the next window, which causes the application to crash.

Docker RunC Exploit

This exploit is destructive and will overwrite the /usr/bin/docker-runc binary on the host with the payload. It will also overwrite the /bin/sh inside the container. It has been tested only on Debian 9 and no attempts were made to make it stable or reliable. It is only tested to work when a docker exec <id> /bin/sh is issued on the host.

Unauthenticated Stack Overflow in Multiple Gpon Devices

An issue was discovered on Shenzhen Skyworth DT741 Converged Intelligent Terminal (G/EPON+IPTV) SDOTBGN1, DT721-cb SDOTBGN1, and DT741-cb SDOTBGN1 devices. A long password to the Web_passwd function allows remote attackers to cause a denial of service (segmentation fault) or achieve unauthenticated remote code execution because of control of registers S0 through S7.

Two Different Issues in Binder Kernel Code

This bug report describes two different issues in different branches of the binder kernel code. The first issue is in the upstream Linux kernel, commit 7f3dc0088b98 (“binder: fix proc->files use-after-free”); the second issue is in the wahoo kernel (and maybe elsewhere? but at least the android common kernel for 4.4 doesn’t seem to contain this code...), commit 1b652c7c29b7 (“FROMLIST: binder: fix proc->files use-after-free”). In the Linux kernel, normally, when a struct file * is read from the file descriptor table, the reference counter of the struct file is bumped to account for the extra reference; this happens in fget(). Later, if the extra reference is not needed anymore, the refcount is dropped via fput(). A negative effect of this is that, if the struct file is frequently accessed, the cacheline containing the reference count is constantly dirty; and if the struct file is used by multiple tasks in parallel, cache line bouncing occurs. Linux provides the helpers fdget() and fdput() to avoid this overhead. fdget() checks whether the reference count of the file descriptor table is 1, implying that the current task has sole ownership of the file descriptor table and no concurrent modifications of the file descriptor table can occur. If this check succeeds, fdget() then omits the reference count increment on the struct file. fdget() sets a flag in its return value that signals to fdput() whether a reference count has been taken. If so, fdput() uses the normal fput() logic; if not, fdput() does nothing.

LayerBB 1.1.2 – Cross-Site Scripting

LayerBB is a free open-source forum software. The two XSS issues found allow users to input a payload into Custom Profile Fields and into the poll question and answer inputs of a new thread. Proof of Concept: PoC - Polls QnA: Start a new thread and use a payload in the poll QnA input boxes: <script>alert('XSS')</script>. PoC - Custom Profile Fields: Create a Custom Profile Field in the ACP, then use an account from any usergroup, edit the profile, and input a payload in the bottom 'Additional Profile Fields' textbox: <script>alert('XSS')</script>.

BlogEngine.NET <= 3.3.6 Directory Traversal RCE

Path traversal vulnerability leading to remote code execution. This vulnerability affects BlogEngine.NET versions 3.3.6 and below. It is caused by an unchecked "theme" parameter that is used to override the default theme for rendering blog pages. Attackers can set the TcpClient address and port within the method to their attack host, which has a reverse TCP listener waiting for a connection. The vulnerable code can be seen in the file /Custom/Controls/PostList.ascx.cs. The file must be uploaded as PostView.ascx, and the vulnerability is triggered by accessing the base URL of the blog with a theme override specified like so: http://10.10.10.10/?theme=../../App_Data/files
