The PHPXref application fails to properly sanitize user-supplied input, leading to a cross-site scripting vulnerability. An attacker can exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting user, within the context of the affected site, and potentially steal cookie-based authentication credentials.
The router suffers from an authenticated local file inclusion (LFI) vulnerability: input passed through the 'getpage' parameter to the 'webproc' script is not properly verified before being used to include files. This can be exploited, via directory traversal, to include files from local resources.
The application Study planner (Studiewijzer) version <= 0.15 is vulnerable to remote file inclusion. The include function at inc/service.alert.inc.php does not properly sanitize the $SPL_CFG['dirroot'] variable, allowing an attacker to include and execute arbitrary files from a remote location.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. The exploit code given above demonstrates a possible way to exploit this vulnerability by hijacking the DwmSetWindowAttribute function and executing malicious code.
The exploit spawns a shell on TCP port 4444 and connects to it. At the time of the overflow we control EAX, which is used in a call as follows: 00420C64: call dword ptr [eax + 4]. ECX points into our buffer at the time of the overflow. So if we can craft a DWORD that points to an address that translates to call dword ptr [ecx + xx], and have a pointer into our shellcode at that location, then our shellcode executes. This exploit uses hardcoded addresses which worked fine on Windows 2000 Server SP4 machines. Credit for discovery and PoC goes to Evgeny Legerov.
The Monster Top List <= 1.4.2 is vulnerable to remote command execution. An attacker can exploit this vulnerability by sending a malicious request to the functions.php file, including the path to an evil script. This allows the attacker to execute arbitrary commands on the target system.
Running this will create a file 'j.job'. When explorer.exe or any file-open dialog box accesses the directory containing this file, notepad.exe will be spawned.
This exploit takes advantage of a vulnerability in the hash_update_file() function in PHP. By repeatedly calling the function and freeing the resource, an attacker can cause resource exhaustion and potentially crash the server.
A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects _might_ work in Mono on *nix.
The PHPFox admin control panel (AdminCP) is vulnerable to a cross-site scripting (XSS) attack. The vulnerability allows an attacker to inject malicious scripts into the user_agent field of the phpfox_log_session table, which is displayed in the AdminCP's Online Guests/Boots page. An attacker with administrative access can exploit this vulnerability to execute arbitrary scripts in the administrative area of the PHPFox website.