exploit the possibilities
Showing 1 - 25 of 5,004 RSS Feed

PHP Files

elFinder Archive Command Injection
Posted Sep 15, 2021
Authored by Shelby Pace, Thomas Chauchefoin | Site metasploit.com

elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the name parameter is sanitized with the escapeshellarg() php function and then passed to the zip utility. Despite the sanitization, supplying the -TmTT argument as part of the name parameter is still permitted and enables the execution of arbitrary commands as the www-data user.

tags | exploit, arbitrary, php
advisories | CVE-2021-32682
MD5 | 748ee7b37719159b8db8d6bf33aad64b
AHSS-PHP 1.0 Cross Site Scripting / SQL Injection
Posted Sep 15, 2021
Authored by nu11secur1ty

AHSS-PHP version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, php, vulnerability, xss, sql injection
MD5 | 00674176fa93d01b22d17bb2c4952741
POMS-PHP 1.0 SQL Injection
Posted Sep 9, 2021
Authored by nu11secur1ty

POMS-PHP version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, php, sql injection
MD5 | bd8eafbd3e81ab90a2981a83f111f34c
Firebase PHP-JWT Algorithm Confusion
Posted Aug 15, 2021
Site paragonie.com

Firebase's PHP-JWT suffers from an algorithm confusion issue. Proof of concept code included.

tags | exploit, php, proof of concept
MD5 | 4c84fb0fba2f42d4741760b2e2b2764c
COVID19 Testing Management System 1.0 SQL Injection
Posted Aug 12, 2021
Authored by Ashish Upsham

COVID19 Testing Management System version 1.0 suffers from a remote SQL injection vulnerability leveraging the searchdata parameter on the patient-search-report.php page. This is a variant of the original discovery of SQL injection in this version as discovered by Rohit Burke in May of 2021.

tags | exploit, remote, php, sql injection
MD5 | b36fd4281ed2835482616a0d0da9e478
Red Hat Security Advisory 2021-2992-01
Posted Aug 3, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-2992-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include bypass, null pointer, and server-side request forgery vulnerabilities.

tags | advisory, web, php, vulnerability
systems | linux, redhat
advisories | CVE-2020-7068, CVE-2020-7069, CVE-2020-7070, CVE-2020-7071, CVE-2021-21702, CVE-2021-21705
MD5 | 0321756619f042ba1c91635b25b8fce2
Hotel Management System 1.0 Cross Site Scripting / Shell Upload
Posted Aug 3, 2021
Authored by Merbin Russel

Hotel Management System version 1.0 exploit that leverages a blind cross site scripting attack against the admin to have a reverse PHP shell uploaded.

tags | exploit, shell, php, xss
MD5 | aa7d7b6de743aefd9eda1c19bbe45794
PHP 7.3.15-3 PHP_SESSION_UPLOAD_PROGRESS Session Data Injection
Posted Jul 27, 2021
Authored by Faisal Alhadlaq

PHP version 7.3.15-3 suffers from a PHP_SESSION_UPLOAD_PROGRESS session data injection vulnerability.

tags | exploit, php
MD5 | c88e9682c0140b88e53745d1f1516e69
WordPress SP Project And Document Remote Code Execution
Posted Jul 26, 2021
Authored by Ron Jost, Yann Castel | Site metasploit.com

This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress SP Project and Document plugin versions prior to 4.22. The security check only searches for lowercase file extensions such as .php, making it possible to upload .pHP files for instance. Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/sp-client-document-manager/<user_id>/<random_payload_name>.php.

tags | exploit, arbitrary, shell, php, file upload
advisories | CVE-2021-24347
MD5 | d73daa7ac6681410691920aff7640598
WordPress Modern Events Calendar Remote Code Execution
Posted Jul 26, 2021
Authored by Ron Jost, Yann Castel, Nguyen Van Khanh | Site metasploit.com

This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress Modern Events Calendar plugin versions prior to 5.16.5. This is due to an incorrect check of the uploaded file extension. Indeed, by using text/csv content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin. Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/<random_payload_name>.php.

tags | exploit, arbitrary, shell, php, file upload
advisories | CVE-2021-24145
MD5 | 75b29e689541f825031d9308d2c36b24
WordPress Backup Guard Authenticated Remote Code Execution
Posted Jul 21, 2021
Authored by Ron Jost, Nguyen Van Khanh | Site metasploit.com

This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin Backup Guard versions prior to 1.6.0. This is due to an incorrect check of the uploaded file extension which should be of SGBP type. Then, the uploaded payload can be triggered by a call to /wp-content/uploads/backup-guard/<random_payload_name>.php.

tags | exploit, arbitrary, shell, php, file upload
advisories | CVE-2021-24155
MD5 | a13b79ee96d9f6b0f86db446a8c091a9
KevinLAB BEMS 1.0 Authenticated File Path Traversal / Information Disclosure
Posted Jul 20, 2021
Authored by LiquidWorm | Site zeroscience.mk

KevinLAB BEMS version 1.0 suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the page GET parameter in index.php is not properly verified before being used to include files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

tags | exploit, arbitrary, php
MD5 | 4bc3f448faf6a5df2c5354ab9084063b
KevinLAB BEMS 1.0 Unauthenticated SQL Injection / Authentication Bypass
Posted Jul 20, 2021
Authored by LiquidWorm | Site zeroscience.mk

KevinLAB BEMS version 1.0 suffers from an unauthenticated SQL Injection vulnerability. Input passed through input_id POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code to bypass the authentication mechanism.

tags | exploit, web, arbitrary, php, sql injection
MD5 | 3498bc654a493cbf9b46522829eb067c
Concrete5 8.5.5 Phar Deserialization
Posted Jul 20, 2021
Authored by EgiX | Site karmainsecurity.com

Concrete5 versions 8.5.5 suffer from a logging settings phar deserialization vulnerability. User input passed through the logFile request parameter is not properly sanitized before being used in a call to the file_exists() function at line 91. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires an administrator account.

tags | advisory, arbitrary, php
advisories | CVE-2021-36766
MD5 | a1fb25a9ba4326669a0ede911fe27d02
Ubuntu Security Notice USN-5006-2
Posted Jul 14, 2021
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 5006-2 - USN-5006-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that PHP incorrectly handled certain PHAR files. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. Various other issues were also addressed.

tags | advisory, remote, denial of service, php, vulnerability
systems | linux, ubuntu
advisories | CVE-2020-7068, CVE-2020-7071, CVE-2021-21702, CVE-2021-21704, CVE-2021-21705
MD5 | 66293c19cf8113112211326af4be7f4c
Ubuntu Security Notice USN-5006-1
Posted Jul 7, 2021
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 5006-1 - It was discovered that PHP incorrectly handled certain PHAR files. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that PHP incorrectly handled parsing URLs with passwords. A remote attacker could possibly use this issue to cause PHP to mis-parse the URL and produce wrong data. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10. Various other issues were also addressed.

tags | advisory, remote, denial of service, php
systems | linux, ubuntu
advisories | CVE-2020-7068, CVE-2020-7071, CVE-2021-21702, CVE-2021-21704, CVE-2021-21705
MD5 | d2eaebcf41b9edfd36340798eb2ac873
WordPress wpDiscuz 7.0.4 Shell Upload
Posted Jun 28, 2021
Authored by Hoa Nguyen, Chloe Chamberland | Site metasploit.com

This Metasploit module exploits an arbitrary file upload in the WordPress wpDiscuz plugin versions from 7.0.0 through 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable server.

tags | exploit, remote, arbitrary, php, code execution, file upload
advisories | CVE-2020-24186
MD5 | fdf8135289f12d026401f86e91ab3f6d
Lightweight Facebook-Styled Blog Remote Code Execution
Posted Jun 25, 2021
Authored by Maide Ilkay Aydogdu

This Metasploit module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution.

tags | exploit, remote, php, code execution, file upload
MD5 | 574d24d96494d02754d265cd9346aa85
rConfig Shell Upload
Posted Jun 24, 2021
Authored by Murat Seker, Vishwaraj Bhattrai | Site metasploit.com

This Metasploit module allows an attacker with a privileged rConfig account to start a reverse shell due to an arbitrary file upload vulnerability in /lib/crud/vendors.crud.php.

tags | exploit, arbitrary, shell, php, file upload
MD5 | b0d94160c515ca53615beeeac06c2e14
SuiteCRM Log File Remote Code Execution
Posted Jun 4, 2021
Authored by M. Cory Billington | Site metasploit.com

This Metasploit module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included.

tags | exploit, web, php
advisories | CVE-2020-28328
MD5 | d7acd34cfa8d5f47a3eb69700fe86af1
PHP 8.1.0-dev User-Agentt Remote Code Execution
Posted Jun 3, 2021
Authored by flast101

PHP version 8.1.0-dev remote code execution exploit that leverages a backdoor under the User-Agentt header.

tags | exploit, remote, php, code execution
MD5 | 4a66165091ec5e614d9f7b2d045ffcb8
Cacti 1.2.12 SQL Injection / Remote Command Execution
Posted Jun 2, 2021
Authored by h00die, Leonardo Paiva, Mayfly277 | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in Cacti versions 1.2.12 and below. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload. After calling the payload, the value is reset.

tags | exploit, arbitrary, php, sql injection
advisories | CVE-2020-14295
MD5 | 96f2d2ce45330fd71491a45ad435fbe4
IPS Community Suite 4.5.4.2 PHP Code Injection
Posted May 31, 2021
Authored by EgiX | Site karmainsecurity.com

IPS Community Suite versions 4.5.4.2 and below suffer from a PHP code injection vulnerability. The vulnerability exists because the IPS\cms\modules\front\pages\_builder::previewBlock() method allows to pass arbitrary content to the IPS\_Theme::runProcessFunction() method, which will be used in a call to the eval() PHP function. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permission to manage the sidebar (such as a Moderator or Administrator) and the "cms" application to be enabled.

tags | exploit, arbitrary, php
advisories | CVE-2021-32924
MD5 | 1b4fb4e5987be3d21bd6ca2f13378d32
PHP 8.1.0-dev Backdoor Remote Command Execution
Posted May 31, 2021
Authored by Mayank Deshmukh

PHP version 8.1.0-dev unauthenticated remote command execution proof of concept exploit that leverages the backdoor.

tags | exploit, remote, php, proof of concept
MD5 | 68b81a413521d514b1b67f8bde5a5138
Trixbox 2.8.0.4 Remote Code Execution
Posted May 28, 2021
Authored by Ron Jost

Trixbox version 2.8.0.4 has an OS command injection vulnerability that can be leveraged via shell metacharacters in the lang parameter to /maint/modules/home/index.php.

tags | exploit, shell, php
advisories | CVE-2017-14535
MD5 | b20a34f5709b4607d3383fa6db1f537f
Page 1 of 201
Back12345Next

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close