
PHP Files

VICIdial Multiple Authenticated SQL Injection
Posted Sep 1, 2024
Authored by h00die | Site metasploit.com

This Metasploit module exploits several authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter. Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter. Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter. Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter. Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter. VICIdial does not encrypt passwords by default.

tags | exploit, php, vulnerability
advisories | CVE-2022-34876, CVE-2022-34877, CVE-2022-34878
SHA-256 | ee13ad5d4ae7546320169435916f3c9bac21c75f6a3c00a761a80c9d13b3d3b5
Icingaweb Directory Traversal In Static Library File Requests
Posted Sep 1, 2024
Authored by h00die, Thomas Chauchefoin, Jacob Ebben | Site metasploit.com

Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive, suffer from an unauthenticated directory traversal vulnerability. The vulnerability is triggered through the icinga-php-thirdparty library, which allows unauthenticated users to retrieve arbitrary files from the target's filesystem via a GET request to /lib/icinga/icinga-php-thirdparty/<absolute path to target file on disk> as the user running the Icingaweb server, which will typically be the www-data user. This can then be used to retrieve sensitive configuration information from the target such as the configuration of various services, which may reveal sensitive login or configuration information, the /etc/passwd file to get a list of valid usernames for password guessing attacks, or other sensitive files which may exist as part of additional functionality available on the target server. This Metasploit module was tested against Icingaweb 2.9.5 running on Docker.

tags | exploit, arbitrary, php
advisories | CVE-2022-24716
SHA-256 | cdc69a4bccff0e05ac6725d9eb18225432bfef742c18d90b549db0f05b86206e
Bitweaver Overlay_type Directory Traversal
Posted Sep 1, 2024
Authored by sinn3r, Jonathan Claudius, David Aaron | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability found in Bitweaver. When handling the overlay_type parameter, view_overlay.php fails to do any path checking/filtering, which can be abused to read any file outside the virtual directory.

tags | exploit, php
advisories | CVE-2012-5192
SHA-256 | 75260c8739219589832630db597ad076c6fa9dee26583aeb19f2537f54e959f0
WordPress WPS Hide Login Login Page Revealer
Posted Sep 1, 2024
Authored by h00die, thalakus | Site metasploit.com

This Metasploit module exploits a bypass issue with WPS Hide Login versions less than or equal to 1.9. WPS Hide Login is used to make a new secret path to the login page; however, a GET request to /wp-admin/options.php with a referer will reveal the hidden path.

tags | exploit, php
advisories | CVE-2021-24917
SHA-256 | cf0e23084f88d35da4dd2286627bbd0801ca437e1cdded439cd94d23e28d6ab9
Chinese Caidao Backdoor Bruteforce
Posted Sep 1, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module attempts to bruteforce the Chinese Caidao asp/php/aspx backdoor.

tags | exploit, php, asp
SHA-256 | 60088f8d003987fa40a7002f9f668383b9ab73531f528efc470f1246253bee90
WordPress ChopSlider3 Id SQL Injection Scanner
Posted Sep 1, 2024
Authored by h00die, SunCSR, Callum Murphy | Site metasploit.com

The iDangero.us Chop Slider 3 WordPress plugin version 3.4 and prior contains a blind SQL injection in the id parameter of the get_script/index.php page. The injection is passed through GET parameters, and thus must be encoded, and magic_quotes is applied at the server.

tags | exploit, php, sql injection
advisories | CVE-2020-11530
SHA-256 | c40d3f2150f043263d7f5b593f87cd6eb6ed9507f109b3c2713e5d016de691c2
WordPress LearnPress Current_items Authenticated SQL Injection
Posted Sep 1, 2024
Authored by h00die, nhattruong, Sagi Tzadik, Omri Herscovici | Site metasploit.com

LearnPress, a learning management plugin for WordPress, prior to 3.2.6.8 is affected by an authenticated SQL injection via the current_items parameter of the post-new.php page.

tags | exploit, php, sql injection
advisories | CVE-2020-6010
SHA-256 | 150d41dad29f88db33ed82424ed85cc194746e3e92127751db33050409ecec61
WebPageTest Directory Traversal
Posted Sep 1, 2024
Authored by dun, sinn3r | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability found in WebPageTest. Due to the way the gettext.php script handles the file parameter, it is possible to read a file outside the www directory.

tags | exploit, php
SHA-256 | c8fc5793bb9641b12b4d2106a06fb4d479a668d64206809ae721e664f0532142
WordPress Total Upkeep Unauthenticated Backup Downloader
Posted Sep 1, 2024
Authored by h00die, Wadeek | Site metasploit.com

This Metasploit module exploits an unauthenticated database backup vulnerability in WordPress plugin Boldgrid-Backup also known as Total Upkeep version < 1.14.10. First, env-info.php is read to get server information. Next, restore-info.json is read to retrieve the last backup file. That backup is then downloaded, and any SQL files will be parsed looking for the wp_users INSERT statement to grab user creds.

tags | exploit, php
SHA-256 | 8ab619abe5830fc334f96aa44ebe91bf5262fbdf2d37942eb3a12c5a678f4e61
TYPO3 News Module SQL Injection
Posted Aug 31, 2024
Authored by Charles FOL, Marco Rivoli | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in TYPO3 NewsController.php in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection can be used to obtain password hashes for application user accounts. This Metasploit module has been tested on TYPO3 3.16.0 running news extension 5.0.0. This Metasploit module tries to extract the username and password hash of the administrator user. It injects SQL and checks every letter of a pattern; to see whether the letter belongs to the username or password, it tries to alter the ordering of results. If the letter doesn't belong to the word being extracted, then all results are inverted (News #2 appears before News #1, so Pattern2 before Pattern1); if instead the letter belongs to the word being extracted, then the results are in proper order (News #1 appears before News #2, so Pattern1 before Pattern2).

tags | exploit, arbitrary, php, sql injection
advisories | CVE-2017-7581
SHA-256 | 472f7767d1d622fc181d7fa0a90d223e85f29ef884a67376c132a17b0cf4808e
WordPress WPLMS Theme Privilege Escalation
Posted Aug 31, 2024
Authored by Evex, rastating | Site metasploit.com

The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an authenticated user of any user level to set any system option due to a lack of validation in the import_data function of /includes/func.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register.

tags | exploit, php
SHA-256 | 3114c995b0c2306901d1283939e44b371d069e27d3e312a12481be6528b00537
WordPress Symposium Plugin SQL Injection
Posted Aug 31, 2024
Authored by Matteo Cantoni, PizzaHatHacker | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress, which allows remote attackers to extract credentials via the size parameter to get_album_item.php.

tags | exploit, remote, php, sql injection
advisories | CVE-2015-6522
SHA-256 | 2961b2a6386f280ff2a5c8a22286ae6b39869c94cfc164ff4f01d0e67ea4a838
VBulletin Administrator Account Creation
Posted Aug 31, 2024
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild in October 2013. This Metasploit module has been tested successfully on vBulletin 4.1.5 and 4.1.0.

tags | exploit, php
advisories | CVE-2013-6129
SHA-256 | c24deea47d1ee74b3fe339182867838b53b59f6e667d57d1dedb6d10ded9c962
D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This Metasploit module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. In order to get a remote shell the telnetd could be started without any authentication.

tags | exploit, remote, shell, php
SHA-256 | 2f5b594e622d424820044978baa8b49d0949391ea6ea0829281922f271fa3004
WordPress WP GDPR Compliance Plugin Privilege Escalation
Posted Aug 31, 2024
Authored by Mikey Veenstra, Thomas Labadie | Site metasploit.com

The WordPress GDPR Compliance plugin less than or equal to v1.4.2 allows unauthenticated users to set WordPress administration options by overwriting values within the database. The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized users to trigger handlers and make configuration changes because of a failure to do capability checks when executing the save_setting internal action. WARNING: The module sets WordPress configuration options without reading their current values and restoring them later.

tags | exploit, php
advisories | CVE-2018-19207
SHA-256 | 64cded384a3949ad5bd9c2b263dc7ba25d3c4c97c531268cfc49e7c119da1511
WordPress WP EasyCart Plugin Privilege Escalation
Posted Aug 31, 2024
Authored by rastating | Site metasploit.com

The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated users of any user level to set any system option via a lack of validation in the ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register.

tags | exploit, php
advisories | CVE-2015-2673
SHA-256 | 82a443a84115c1e1dd2260df74ac66dd23800ff63bb525cbf98d193ffcf673c2
Oracle Secure Backup Authentication Bypass / Command Injection
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This Metasploit module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).

tags | exploit, arbitrary, php, bypass
systems | windows
advisories | CVE-2010-0904
SHA-256 | 6863a81671e2c9181fc762b376462302051ea799490c07fe8f165bc20e6d3514
Oracle Secure Backup Authentication Bypass / Command Injection
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This Metasploit module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).

tags | exploit, arbitrary, php, bypass
systems | windows
advisories | CVE-2009-1977, CVE-2009-1978
SHA-256 | 16474ed0f873351c852148c57a073ca86fa3cdb0b63dfb8b35602ac09c210c32
AlienVault Authenticated SQL Injection Arbitrary File Read
Posted Aug 31, 2024
Authored by Brandon Perry | Site metasploit.com

AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This Metasploit module exploits this to read an arbitrary file from the file system. Any authenticated user is able to exploit it, as administrator privileges aren't required.

tags | exploit, arbitrary, php, sql injection
SHA-256 | 8ebaffc716eedd5e4b8b8c7e5043252a757d480ee4bddd7781480547382b3917
AlienVault Authenticated SQL Injection Arbitrary File Read
Posted Aug 31, 2024
Authored by Chris Hebert | Site metasploit.com

AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against newpolicyform.php, using the insertinto parameter. This Metasploit module exploits the vulnerability to read an arbitrary file from the file system. Any authenticated user is able to exploit this, as administrator privileges are not required.

tags | exploit, arbitrary, php, sql injection
advisories | CVE-2014-5383
SHA-256 | 47041a9a098122925ec54b3140188d51933adc560f06bb113f6adbbff41e40a1
Pimcore Gather Credentials via SQL Injection
Posted Aug 31, 2024
Authored by Shelby Pace, N. Rai-Ngoen, Thongchai Silpavarangkura | Site metasploit.com

This Metasploit module extracts the usernames and hashed passwords of all users of the Pimcore web service by exploiting a SQL injection vulnerability in Pimcore's REST API. Pimcore begins to create password hashes by concatenating a user's username, the name of the application, and the user's password in the format USERNAME:pimcore:PASSWORD. The resulting string is then used to generate an MD5 hash, and then that MD5 hash is used to create the final hash, which is generated using PHP's built-in password_hash function.

tags | exploit, web, php, sql injection
advisories | CVE-2018-14058
SHA-256 | a1fac0dca0eb708a1348babebd5e4be27016a27680c8d2967d94171f313a98ca
WordPress Ultimate CSV Importer User Table Extract
Posted Aug 31, 2024
Authored by rastating, James Hooker | Site metasploit.com

Due to lack of verification of a visitor's permissions, it is possible to execute the export.php script included in the default installation of the Ultimate CSV Importer plugin and retrieve the full contents of the user table in the WordPress installation. This results in full disclosure of usernames, hashed passwords and email addresses for all users.

tags | exploit, php
SHA-256 | 5379251c063efce854746f3e41f1141fcad4e8abbd7239dfc0c51bb84f2fb588
DoliWamp jqueryFileTree.php Traversal Gather Credentials
Posted Aug 31, 2024
Authored by Brendan Coles | Site metasploit.com

This Metasploit module will extract user credentials from DoliWamp - a WAMP packaged installer distribution for Dolibarr ERP on Windows - versions 3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session tokens in filenames in the tmp directory. A directory traversal vulnerability in jqueryFileTree.php allows unauthenticated users to retrieve session tokens by listing the contents of this directory. Note: All tokens expire after 30 minutes of inactivity by default.

tags | exploit, php
systems | windows
SHA-256 | 343f39a5e75827ba9aafe33c696a34ec5f95c6a3bec54cae7cab8ff77208bdb4
Hashtable Collisions
Posted Aug 31, 2024
Authored by Dan S. Wallach, Alexander Klink, Krzysztof Kotowicz, Christian Mehlmauer, Julian Waelde, Scott A. Crosby | Site metasploit.com

This Metasploit module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This Metasploit module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.

tags | exploit, java, web, php
advisories | CVE-2011-4858, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035
SHA-256 | b029e67e4fc45769ef0806adf780beee36692122a886f5bb14135c025f43efbc
WordPress Traversal Directory Denial of Service
Posted Aug 31, 2024
Authored by Yorick Koster, CryptisStudents | Site metasploit.com

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to

tags | exploit, remote, php, csrf
advisories | CVE-2016-6897
SHA-256 | dfbf6112b8043a07bd5dc3c5f12befea229766c77ef87e3562c17357bedf2f80
© 2024 Packet Storm. All rights reserved.