
Explore Vulnerabilities


Explore all Exploits:

WordPress Plugin Popular Posts 5.3.2 – Remote Code Execution (RCE) (Authenticated)

This script will log in with the provided credentials, create a new post and add a custom field containing the link to a web shell, which the server will then download automatically. If you don't want to upload the file yourself, you need to provide a URL to a web shell served over SSL (https) and make sure the URL contains the file name. If the plugin is set to show a fixed number of popular posts (i.e. top 5), you just need to refresh the post page to make it go up ;)

OpenEMR 5.0.1.3 – ‘manage_site_files’ Remote Code Execution (Authenticated) (2)

This exploit allows an authenticated attacker to upload a shell file and execute remote commands on the target system. The vulnerability exists in the 'manage_site_files.php' script of OpenEMR version 5.0.1.3 and prior. By exploiting this vulnerability, an attacker can upload a malicious file and execute arbitrary code with the privileges of the web server. This can lead to a complete compromise of the affected system.

Wyomind Help Desk 1.3.6 – Remote Code Execution (RCE)

The Wyomind Help Desk extension up to and including version 1.3.6 is vulnerable to stored XSS, directory traversal, and unrestricted upload of a dangerous file type. These vulnerabilities combined could lead to code execution. An XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. The payload is triggered when an administrator views the ticket in the Magento 2 backend.

Pallets Werkzeug 0.15.4 – Path Traversal

Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. TL;DR: in Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames, leading to arbitrary file download.

WordPress Plugin Backup Guard 1.5.8 – Remote Code Execution (Authenticated)

The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

Additional info, and bypass of .htaccess protection found by WPScanTeam while confirming the issue: there is a protection in place against accessing the uploaded files, via a .htaccess in the wp-content/uploads/backup-guard/ folder, however:

- Some web servers do not support .htaccess, e.g. Nginx, making it useless in such cases.
- Arbitrary content can be appended to the existing .htaccess to make the "deny from all" invalid, bypassing the protection on web servers such as Apache.

Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present, but the file content is not verified, which could still allow chaining with an issue such as LFI or Arbitrary File Renaming to achieve RCE.

Church Management System 1.0 – ‘Multiple’ Stored Cross-Site Scripting (XSS)

The Church Management System 1.0 is vulnerable to multiple stored cross-site scripting (XSS) attacks. An attacker can inject malicious code into the 'amount' and 'trcode' parameters, which are not properly sanitized, leading to the execution of arbitrary JavaScript code in the context of the user's browser.

WordPress Plugin Modern Events Calendar 5.16.2 – Remote Code Execution (Authenticated)

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5: the import feature did not properly check the imported file, allowing PHP files to be uploaded by administrators by using the 'text/csv' content-type in the request.

AKCP sensorProbe SPX476 – ‘Multiple’ Cross-Site Scripting (XSS)

Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
