The Softbiz Ad Management plus Script version 1 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by injecting SQL code through the 'package' parameter in the 'ads.php' file. By using a specific SQL code, the attacker can retrieve sensitive information such as the admin username and password.
The GL-AR300M-Lite router is affected by multiple vulnerabilities, including command injection (CVE-2019-6272), arbitrary file download (CVE-2019-6273), and directory traversal (CVE-2019-6274). These vulnerabilities allow an authenticated attacker to execute arbitrary commands, download arbitrary files, and traverse directories on the affected router.
This exploit allows an authenticated user to perform an out-of-bounds write, leading to a denial-of-service condition.
This exploit allows an attacker to trigger a NULL pointer exception in ntpsec version 1.1.2, causing a denial-of-service condition. The vulnerability is authenticated, meaning that the attacker must provide valid credentials to exploit it. The exploit sends a specially crafted packet to the target server, triggering the NULL pointer exception.
This is a proof-of-concept exploit for ntpsec version 1.1.2 that triggers an out-of-bounds read. The exploit does not crash the target.
The Softbiz Auctions Script is vulnerable to SQL Injection. An attacker can inject malicious SQL code in the 'id' parameter of the product_desc.php file, allowing them to extract sensitive information from the database. The specific SQL code provided in the exploit description can be used to retrieve the admin_name and pwd (password) fields from the sbauctions_admin table.
The Browser Broker COM object doesn’t verify its caller correctly, allowing one user to execute arbitrary code in another logged-on user’s session. The majority of the calls are checked with functions such as BrokerAuthenticateAttachedCallerGetPIC, which ensures the caller is an Edge process (based on its package ID) and meets certain requirements based on the sandbox type etc. One thing this code doesn’t do is check that the caller is the same user as the running broker process.
The Data Sharing Service’s check for the user passing UNC paths can be circumvented, leading to a security feature bypass which can facilitate easier exploitation for privilege elevation. During DSSCreateSharedFileTokenEx, the path is passed to DSUtils::CanonicalAndValidateFilePath to canonicalize the path. This method also verifies that the passed path isn’t a UNC path (for reasons unknown). The UNC path check can be bypassed by using the `\??\UNC\` form. When this is passed to PathAllocCanonicalize, it returns it verbatim; however, this path format isn’t considered a UNC path by PathIsUNCEx. However, when passed to CreateFile, etc., it will be considered as if it was a `\\?\UNC\` path format. This could be useful for a few different attacks. For a start, you could redirect the call to `\\localhost\pipe\somepipe` and get a named pipe handle bound to the SYSTEM user. Although I’ve not worked out a way of getting the handle back (as GetFinalPathFromHandle fails). Another attack vector is when going to an SMB share: any directory junctions are resolved on the server, this would allow you to bypass any checks such as DSUtils::VerifyPathFromHandle as the returned path would be `\\?\UNC\localhost\c$\blah`.. Regardless of the final des
Performing an NTLM authentication to the same machine results in a network token which can be used to create arbitrary processes in session 0.
This exploit allows for privilege escalation in Dokany, a file system library for Windows. By exploiting a stack-based buffer overflow vulnerability, an attacker can gain elevated privileges on the system. The vulnerability exists in Dokany driver version 1.2.0.1000. The exploit code leverages offsets and memory manipulation to steal a token and gain elevated privileges.