This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.
23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517
WordPress Essential Blocks plugin versions 4.2.0 and below and Essential Blocks Pro versions 1.1.0 and below suffer from multiple PHP object injection vulnerabilities.
3bc456da9e240b7476040544d3e4f0b5fa6f68d4e3ad65a015be529481ab73ad
PHP Shopping Cart version 4.2 suffers from a remote SQL injection vulnerability.
606411a83a93b9d6c705936cd642d323cf06f1e728faa5294bef0c1a617f8551
This Metasploit module exploits a vulnerability found in Online Pizza Ordering System version 1.0. By abusing the admin_class.php file, a malicious user can upload a file to the img/ directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on Ubuntu 22.04.
3002ce5e2a8a96ceb421dddfd1cd12fa3676d726242592bcbe8fb80e7b19715f
This Metasploit module exploits a command injection vulnerability on the SolarView Compact version 6.00 web application via the vulnerable endpoint downloader.php. After exploitation, an attacker will have full access with the same user privileges under which the webserver is running (typically as user contec).
d0437fdd852a45a2f8dcde9836a0c763b4e6b928a9997b6532fb7346909945a8
PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.
b9b98b4a795bf346b16b6fba859f15dc9f9da7740340375a350eddf3a8d1d69f
Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.
39b07aef1fa1c0862a22398b5f20aabeb8f16190e023159d1c613e4cc63eef60
Ubuntu Security Notice 6305-1 - It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information. It was discovered that PHP incorrectly handled certain PHAR files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.
1dc8c3dad3030fd034169b595c1d037465ec0558c0e070e9e64ad1aef797927d
This Metasploit module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions 1.11.18 and below. Due to a functionality called Chamilo Rapid to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at the OS level using a malicious SOAP request at the vulnerable endpoint /main/webservices/additional_webservices.php.
9eddd6c9a39fb97ca77aeebd1ec713969953ce2f89e609c528b4a46ca5ec152d
SugarCRM versions 12.2.0 and below suffer from a PHP object injection vulnerability.
32f7ef69ef5791e90290f62780a766a77c6238a01e2c71417b234a5b64db910c
RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7.
abc5a8577c76d38277377259204d36eaaa8e98293d1ed4d1030fb74de2c622f0
DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.
f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b
Discussion On Kontackt The Exclusive PHP Social Network Platform version 1.18 suffers from a cross site scripting vulnerability.
7d18de8acfc063f172113a27af33ebbcf209b0dcb3d43c8ec163f7ff1adefc84
DigaSell Digital Store PHP Script version 1.0.0 suffers from a remote blind SQL injection vulnerability.
8729994d50fb2282a91511c1471e529be3acfb58262a0d60949d1b29f6c5d7a6
Chatone Social Networking PHP Script version 1.6 suffers from an add administrator vulnerability.
aa549a9947a1342ad9aeff37c9e15f1e470ba8802ce29b603d258f911541cf20
This Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183.
0ce2f1497429d5e02113422d33a5d38d119e0b68b4af0aa04d5b4189b6ef07f8
Availability Booking Calendar PHP suffers from cross site scripting and arbitrary file upload vulnerabilities. This was tested in July of 2023 but it is unclear what versions are affected.
e67ac34384ab2be0d18a5bd94e4c7187126859aaf2b755a195aa0c55fd5cf914
WordPress File Manager Advanced Shortcode plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to remote code execution in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration. Versions 2.3.2 and below are affected. To install the Shortcode plugin File Manager Advanced version 5.0.5 or lower is required to keep the configuration vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system with the same privileges under which the Wordpress web services run.
70276f13c7da05f57a272fbb51cb03ce6c129189c7bb524b4612cc20be063403
Bazaar Social Listing Shopping Web PHP Template version 2.3.2 suffers from a cross site scripting vulnerability.
c6e4d11aa955cb2bed6d76defb35557734149c0312ced065d9b37014584f212f
Bazaar Social Listing Shopping Web PHP Template version 2.3.2 suffers from a privilege escalation vulnerability.
f5312fef20d54f675129250c93dbc79ad8b831731e0ba613b47a3771260a63cd
Super Store Finder PHP Script versions 3.6 and below suffer from a remote SQL injection vulnerability that allows for authentication bypass.
626e9249014429e44e6f78886ff283f9591b5337313b41d8bca85c6684a00018
Ubuntu Security Notice 6199-1 - It was discovered that PHP incorrectly handled certain Digest authentication for SOAP. An attacker could possibly use this issue to expose sensitive information.
f900e85ecda5d4b00c19b39d7bf754425099337a6a82556ace53811d967446d9
Advanced PHP URL Shortener version 1.0 suffers from a cross site scripting vulnerability.
4e1d8e53e5314398ff0dd35afa47391639eddbece2db8c996181a7b27a46577e
PHP Online School version 1.0 suffers from a cross site scripting vulnerability.
f03972c1e09a9186ceda63b51379c7322f797984280b34e747cead9ca8483d0d
PHP Mail version 5.0 suffers from a cross site scripting vulnerability.
ab9cccf88065d059ab46972fbfac65d69ffa30754d5ac7563f151812c102ac6b