The win32k!NtGdiGetDIBitsInternal system call in Windows contains a double-fetch vulnerability. This can potentially lead to kernel pool memory disclosure or denial of service. The vulnerability occurs because the BITMAPINFOHEADER structure, specifically its .biSize field, is read from user memory multiple times. By manipulating the user-controlled 'bmi' buffer between these reads, an attacker can exploit this to corrupt memory or cause a denial of service. However, the exploit is mostly harmless due to various checks in place that prevent major consequences.
The vulnerability allows an attacker to extract admin email/passwords by exploiting a SQL Injection vulnerability in the 'referralUrl.php' script. By using a UNION-based SQL injection, an attacker can retrieve the email and password of the admin from the 'StatAdmin' table.
The provided PoC triggers a heap buffer overflow vulnerability in Safari 10.0.3 (12602.4.8). By repeatedly refreshing the page, the exploit crashes the browser.
The PoC code creates an iframe and appends it to the body. It then attempts to adopt the iframe using `adoptNode` from another iframe's content document. This triggers a use-after-free vulnerability, leading to a heap-use-after-free error. The vulnerability can potentially be used to achieve UXSS (Universal Cross-Site Scripting) in WebKit.
This exploit triggers a heap-use-after-free vulnerability in the JavaScriptCore (JSC) engine. By executing specially crafted JavaScript code, an attacker can cause a crash and potentially execute arbitrary code.
This PoC gains arbitrary command execution by overwriting /etc/crontab. In case of successful exploitation, /etc/crontab will contain the following line: `* * * * * root touch /tmp/pwned`
The vulnerability exists in the includes/search.php file of the PHP Arena website. The code shown is susceptible to SQL injection, as it directly concatenates user input ($_POST['categories']) into the SQL query without proper sanitization. An attacker can exploit this vulnerability to execute arbitrary SQL commands and retrieve sensitive information from the database.
SQL injection in the cat_id parameter of directory.php, among others. It is possible to retrieve the emails/passwords of users who posted URLs in the directory.
Pulls the admin password from the database.
The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks 'dataconfigurations' directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69. This allows remote attackers to overwrite files within the Spiceworks configurations directory, if the targeted file name is known or guessed. Remote attackers who can reach UDP port 69 can also write/upload arbitrary files to the 'dataconfigurations' directory. This can potentially become a Remote Code Execution vulnerability if, for example, an executable file (e.g. EXE, BAT) is dropped and later accessed and run by an unknowing Spiceworks user.