what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 2 of 2

Files from Karthik UJ

Apache Commons Text 1.9 Remote Code Execution

Posted Jan 19, 2024

Authored by Alvaro Munoz, Karthik UJ, Gaurav Jain | Site metasploit.com

This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.

tags | exploit, remote, arbitrary, vulnerability, code execution

advisories | CVE-2022-42889

SHA-256 | 3303e5c941051cbc6b4f8ddaa2c9912a8740038a8cc31a244e760936ff9694d8

Download | Favorite | View

Prestashop Blockwishlist 2.1.0 SQL Injection

Posted Aug 9, 2022

Authored by Karthik UJ

Prestashop Blockwishlist module version 2.1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

advisories | CVE-2022-31101

SHA-256 | c4740ce3e754d2170870371886153ecc56be12fc11d2a658a526807b827fdd99

Download | Favorite | View