Explore all Exploits:

ATutor < 2.2.4 'file_manager' Remote Code Execution

This module allows the user to run commands on the server with teacher user privileges. The 'Upload files' section of the 'File Manager' contains an arbitrary file upload vulnerability. The '$IllegalExtensions' check is weak and incomplete. The illegal extensions are listed in 'constants.inc.php' (exe|asp|php|php3|php5|cgi|bat...), but the check does not account for letter case, so it can be bypassed with filenames ending in '.phP' or '.Php'. Dangerous extensions such as 'shtml' and 'phtml' can also be used. The directory path for the 'content' folder is set in 'config.inc.php'. For the exploit to work, the content folder defined by 'define ('AT_CONTENT_DIR', 'address')' must be located in the web home directory, or its address must be known. This exploit creates a course as the teacher user and uploads the malicious PHP file to the server.

FTP Shell Server 6.83 ‘Account name to ban’ Buffer Overflow

The FTP Shell Server 6.83 'Account name to ban' feature is vulnerable to a buffer overflow attack. By providing a specially crafted account name, an attacker can trigger the overflow and execute arbitrary code. This exploit was created to demonstrate the vulnerability during intern training in 2019.

Dell KACE Systems Management Appliance (K1000) <= 6.4.120756 Unauthenticated RCE

This exploit allows an attacker to execute arbitrary commands on the target system without authentication. It takes advantage of a vulnerability in Dell KACE Systems Management Appliance (K1000) version 6.4.120756 and earlier.

wpQuiz 2.7 Remote SQL Injection Vulnerability

The wpQuiz 2.7 script is vulnerable to a remote SQL injection attack. The vulnerability can be exploited through the viewimage.php file by using a specially crafted SQL query. By injecting SQL code, an attacker can bypass authentication and retrieve sensitive information from the database, such as usernames and passwords.

River Past Cam Do 3.7.6 Local Buffer Overflow in Activation Code

This exploit takes advantage of a buffer overflow vulnerability in the activation code of River Past Cam Do 3.7.6. By generating a malicious activation code and pasting it into the application, an attacker can execute arbitrary code, such as launching the calculator (calc.exe) in this example.

PHP-Nuke NSN Script Depository module <= 1.0.0 Remote Source Disclosure

This exploit allows an attacker to remotely disclose the source code of a PHP-Nuke NSN Script Depository module version 1.0.0 or below. By providing the target URL and the file path, the exploit generates a form that triggers the disclosure of the specified file.

Reflected HTML Injection

This vulnerability allows an attacker to inject HTML code into a website, which can lead to various attacks such as cross-site scripting (XSS). The vulnerability can be exploited by manipulating the 'log', 'name', or 'data' parameters in the affected URLs. An example payload for this exploit is '<h1>HTML Injection</h1>'.

Recent Exploits: