Explore all Exploits:

Microsoft Windows 7-10 & Server 2008-2012 – Local Privilege Escalation (x32/x64) (MS16-032) (C#)

This exploit allows local privilege escalation on Microsoft Windows 7 through 10 and Server 2008 through 2012 (MS16-032). It does not rely on powershell.exe and can run in security-restricted environments enforced by GPO, SRP or AppLocker.

Vulnerabilities in Trend Micro Antivirus CoreServiceShell.exe

The HTTP daemon bundled with Trend Micro Antivirus CoreServiceShell.exe has multiple vulnerabilities: path traversal in the /loadhelp/ and /wtp/ endpoints, header injection bugs, and an XSS vulnerability in loader.html. Chained together, they allow an attacker to remotely access files as SYSTEM on a machine running Trend Micro.
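The traversal class of bug above comes from serving files under an endpoint without confining the resolved path to that endpoint's document root. The following is an added example (not Trend Micro code) of the check such a daemon needs: it decodes the request path, treats backslashes as separators (the daemon runs on Windows), normalises away `..`, and refuses anything that escapes the root. The endpoint-to-root mapping and the root directories are assumptions for illustration only.

```python
"""Confine a requested file path to a fixed document root.

Added example for the traversal described in the Trend Micro
CoreServiceShell advisory; it is not the vendor's code.  The endpoint
roots below are hypothetical.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical mapping of served URL prefixes to on-disk roots.
ENDPOINT_ROOTS = {
    "/loadhelp/": "/srv/coreservice/help",
    "/wtp/": "/srv/coreservice/wtp",
}


def resolve_under_root(root, requested):
    """Return the normalised path of `requested` inside `root`, or None
    if the request would escape the root (or contains a NUL byte)."""
    # Decode twice so a double-encoded "..%252f" does not slip through
    # a single-decode check and get decoded again by the filesystem layer.
    p = unquote(unquote(requested))
    if "\x00" in p:
        return None
    # The daemon runs on Windows, where "\" is also a separator.
    p = p.replace("\\", "/")
    # Strip leading slashes so the join cannot become an absolute path.
    p = p.lstrip("/")
    full = posixpath.normpath(posixpath.join(root, p))
    root_n = posixpath.normpath(root)
    if full == root_n or full.startswith(root_n + "/"):
        return full
    return None


def serve_path(url_path):
    """Map a request URL onto a file path, or None if it must be refused."""
    for prefix, root in ENDPOINT_ROOTS.items():
        if url_path.startswith(prefix):
            return resolve_under_root(root, url_path[len(prefix):])
    return None


if __name__ == "__main__":
    # Constructed request paths: one legitimate, the rest traversal attempts.
    for req in [
        "/loadhelp/en/index.html",
        "/loadhelp/../../../windows/win.ini",
        "/wtp/..%2f..%2f..%2fetc/passwd",
        "/loadhelp/..\\..\\..\\windows\\win.ini",
        "/wtp/%252e%252e/%252e%252e/secret",
    ]:
        print(req, "->", serve_path(req))
```

Note the decoding happens before normalisation, not after; normalising an encoded `%2e%2e` leaves it intact and the check passes while the later file open traverses.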

Microsoft Windows Media Center .MCL File Processing Remote Code Execution Vulnerability (MS16-059)

Microsoft Windows Media Center (all versions prior to the May 11th, 2016 update) contains a remote code execution vulnerability triggered when processing specially crafted .MCL files. The vulnerability exists because Windows Media Center does not correctly process paths in the "Run" parameter of the "Application" tag, which bypasses the usual security warning displayed when running programs residing on remote (WebDAV/SMB) shares. To bypass the Windows Media Center security warning an attacker only needs to prepend the prefix "file://" to the actual remote location, for example: file://\\192.168.10.10\share\app.exe.

However, Windows will still display an "Open File" security warning for files in remote locations (the Internet Security Zone of IE). That warning can also be bypassed using a special "Control Panel Shortcut" that points to a remote DLL/CPL file. By pointing to such a shortcut on a remote share it is possible to run arbitrary code in the context of the currently logged-on user. Note: on 64-bit Windows a 64-bit DLL should be provided, although 32-bit DLL files should work as well.

A PoC MCL file is provided which points to a default Windows share to retrieve a special "Control Panel Shortcut" that runs a CPL file from the same location (\\127.0.0.1\c$\programdata\cpl.lnk). Notice that although the address points to localhost, Windows treats it the same way as any other IP-based location, placing it in the IE "Internet Security Zone" (the default for non-local places). The PoC CPL file only runs "cmd.exe /c calc" for demonstration purposes. Another important note is that after this Micr
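The bypass above is identifiable from the MCL file alone: an Application entry whose Run target is a UNC location wrapped in a "file://" prefix. The following is an added example (not part of the advisory or its PoC) of a scanner that flags such entries, for example in a mail gateway or on a file share. It assumes MCL files are XML with Application elements carrying a Run attribute (tag and attribute names matched case-insensitively); the sample files are constructed.

```python
"""Flag .MCL files whose Application/Run target is a remote UNC path
reached through a file:// prefix (the MS16-059 warning bypass).

Added example; not Microsoft code and not the advisory's PoC.
Assumes MCL is XML with <application run="..."> entries.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample MCL contents for demonstration.
BENIGN_MCL = '<application name="Local" run="C:\\Program Files\\App\\app.exe" />'
LOCAL_FILE_URI = '<application name="Local" run="file:///C:/Windows/notepad.exe" />'
REMOTE_MCL = ('<root><application name="Loader" '
              'run="file://\\\\127.0.0.1\\c$\\programdata\\cpl.lnk" /></root>')
REMOTE_FWD_MCL = '<application name="Loader" run="file:////192.168.10.10/share/app.exe" />'

_UNC = re.compile(r"^\\{2,}([^\\]+)\\")
_DRIVE = re.compile(r"^[A-Za-z]:$")


def classify_run_target(run_value):
    """Return (is_remote, host, has_file_prefix) for one Run value."""
    v = run_value.strip()
    has_prefix = v.lower().startswith("file:")
    if has_prefix:
        v = v[len("file:"):]
    # Normalise forward slashes so file:////host/share and \\host\share agree.
    v = v.replace("/", "\\")
    m = _UNC.match(v)
    if not m:
        return False, None, has_prefix
    host = m.group(1)
    # file:///C:/... normalises to \\\C:\..., which is a local drive, not UNC.
    if _DRIVE.match(host):
        return False, None, has_prefix
    return True, host, has_prefix


def scan_mcl(mcl_text):
    """Return a list of findings for Application entries pointing at a
    remote host through a file:// prefix."""
    root = ET.fromstring(mcl_text)
    findings = []
    for el in root.iter():
        if el.tag.lower() != "application":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        run = attrs.get("run")
        if run is None:
            continue
        remote, host, prefixed = classify_run_target(run)
        if remote and prefixed:
            findings.append({
                "name": attrs.get("name", ""),
                "run": run,
                "host": host,
                # 127.0.0.1 still counts: the page notes localhost UNC paths
                # land in the Internet zone like any other IP address.
                "loopback": host in ("127.0.0.1", "localhost"),
            })
    return findings


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_MCL), ("local file uri", LOCAL_FILE_URI),
                          ("remote", REMOTE_MCL), ("remote fwd", REMOTE_FWD_MCL)]:
        print(label, "->", scan_mcl(sample))
```

A plain UNC path without the prefix is not flagged, because on the page's account that form still triggers the Media Center warning; the file:// wrapping is what defeats it.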

ImageMagick Delegate Arbitrary Command Execution

This module exploits a shell command injection in the way "delegates" (external commands used to convert files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Because ImageMagick uses file magic rather than the extension to detect the file format, you can create a .png (for example) that is actually a crafted SVG (for example) that triggers the command injection. Tested on Linux, BSD, and OS X. Choose your payload carefully due to portability concerns; use cmd/unix/generic if need be.
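Because the format is chosen by content rather than by name, an upload handler that trusts the extension will pass a text-based SVG or MVG file to ImageMagick as if it were a PNG. The following is an added example (not ImageMagick or Metasploit code) of the two checks a handler in front of ImageMagick should make: that the magic bytes agree with the claimed extension, and that text-based vector input does not carry delegate-style shell metacharacters inside a url() reference. The magic table and the metacharacter heuristic are the author's assumptions; all sample bytes are constructed.

```python
"""Reject image uploads whose content does not match the claimed
extension, and flag SVG/MVG text that carries shell metacharacters
inside url() references (the ImageMagick delegate-injection shape).

Added example; not part of ImageMagick or the Metasploit module.
Magic signatures and the heuristic are assumptions for illustration.
"""
import re

# Constructed sample payloads.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">\n'
              b'<rect fill="red" width="1" height="1"/></svg>\n')
# SVG whose fill references a URL carrying a shell pipe, the delegate-injection shape.
SVG_INJECT = (b'<svg xmlns="http://www.w3.org/2000/svg">\n'
              b'<rect fill="url(https://example.com/x.jpg\\"|id \\")"/></svg>\n')
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 1 1\npop graphic-context\n"

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
}
ALIASES = {"jpeg": "jpg"}
_URL_REF = re.compile(rb"url\s*\(([^)]*)\)", re.IGNORECASE)
_SHELL_META = re.compile(rb"[|`;&]|\$\(")


def sniff(data):
    """Guess the real format from content: binary signatures first, then
    text-based vector formats ImageMagick would also accept."""
    for sig, fmt in MAGIC.items():
        if data.startswith(sig):
            return fmt
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "svg"
    if head.startswith(b"push graphic-context") or head.startswith(b"viewbox"):
        return "mvg"
    return None


def extension_matches_content(filename, data):
    """True only when the claimed extension and the sniffed format agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = ALIASES.get(ext, ext)
    return sniff(data) == ext


def has_delegate_indicators(data):
    """Heuristic: any url(...) reference containing shell metacharacters."""
    return any(_SHELL_META.search(m.group(1)) for m in _URL_REF.finditer(data))


def accept_upload(filename, data):
    """Combined gate: reject mismatched formats and suspicious vector text."""
    if not extension_matches_content(filename, data):
        return False
    if sniff(data) in ("svg", "mvg") and has_delegate_indicators(data):
        return False
    return True


if __name__ == "__main__":
    for name, blob in [("a.png", PNG_SAMPLE), ("b.png", SVG_SAMPLE),
                       ("c.svg", SVG_INJECT), ("d.png", MVG_SAMPLE)]:
        print(name, sniff(blob), accept_upload(name, blob))
```

The extension check alone stops the ".png that is really an SVG" trick the module relies on; the metacharacter heuristic is a second layer for services that legitimately accept SVG, and is no substitute for patching or for restricting coders in ImageMagick's policy.xml.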

CVE-2019-13101 D-Link DIR-600M Incorrect Access Control

This module attempts to find D-Link DIR-600M routers vulnerable to Incorrect Access Control (CVE-2019-13101). The vulnerability exists in wan.htm, which is accessible without authentication and allows an unauthenticated attacker to manipulate WAN settings. This module has been tested successfully on firmware versions 3.01, 3.02, 3.03, 3.04, 3.05 and 3.06.