WordPress version 5.0.4 with FormCraft plugin version 2.0 suffers from a cross site request forgery vulnerability that can be leveraged to perform a shell upload.
34bba172e28c83ea38f0a59db712f769This Metasploit module exploits a command injection vulnerability in elFinder versions prior to 2.1.48. The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not validated, allowing shell metacharacters. When performing image operations on JPEG files, the filename is passed to the exiftran utility without appropriate sanitization, causing shell commands in the file name to be executed, resulting in remote command injection as the web server user. The PHP connector is not enabled by default. The system must have exiftran installed and in the PATH. This module has been tested successfully on elFinder versions 2.1.47, 2.1.20, and 2.1.16 on Ubuntu.
3664569f65ef2128717bd5e02f29d7b4This Metasploit module creates a virtual web server and uploads the php payload into it. Admin privileges cannot access any server files except File Station files. The user who is authorized to create Virtual Web Server can upload malicious php file by activating the server. Exploit creates a new directory into File Station to connect to the web server. However, only the "index.php" file is allowed to work in the virtual web server directory. No files can be executed except "index.php". Gives an access error. After the harmful "index.php" has been uploaded, the shell can be retrieved from the server. There is also the possibility of working in higher versions. Affects versions prior to 4.2.2.
a35108ec28d9740153245bbe67cbb79aWordPress WP-Image-News-Slider plugin version 3.3 suffers from cross site request forgery and remote shell upload vulnerabilities.
565786e871040f0759e592f8d15a7c02This Metasploit module exploits a file upload vulnerability Booked 2.7.5. In the "Look and Feel" section of the management panel, you can modify the Logo-Favico-CSS files. Upload sections has file extension control except favicon part. You can upload the file with the extension you want through the Favicon field. The file you upload is written to the main directory of the site under the name "custom-favicon". After you upload the php payload to the main directory, the exploit executes the payload and receives a shell.
d99806184924b3c9ff46a07a219526b9WordPress WP-DreamworkGallery plugin version 2.3 suffers from cross site request forgery and remote shell upload vulnerabilities.
ebb77b46f615eb3e479a22add194666dJoomla ModPPCSimpleSpotLight module versions 1.2 and 3.0 suffer from cross site request forgery and remote shell upload vulnerabilities.
deefd967b89d7090b674d60afaae3978This Metasploit module exploits an arbitrary file upload vulnerability in Feng Office version 3.7.0.5. The application allows unauthenticated users to upload arbitrary files. There is no control of any session. All files are sent under /tmp directory. The .htaccess file under the /tmp directory prevents files with the php, php2, and php3 extensions. This exploit creates the php payload and moves the payload to the main directory via shtml. After moving the php payload to the main directory, the exploit executes payload and receives a shell.
fd4c717a95e850f0b81235df10b31b52HanYazilim Paper Submission System .NET version 1.0 suffers from a remote shell upload vulnerability.
4aaca634076bf068eefce87d76d0b6f3Joomla JWallPapers component version 2.0.1 suffers from cross site request forgery and remote shell upload vulnerabilities.
9aab6fcc8810d60727be6c9cea7da1d0Joomla Attachments component version 3.2.6 suffers from a remote shell upload vulnerability.
1b32b2a5e7b7c598712e5dccee53aaf3Digi TransPort LR54 suffers from a restricted shell bypass vulnerability that gets a root shell.
896322aa0ccd273bc0ef57111661649e119 bytes small macOS reverse shell (::1:4444/TCP) shellcode.
6397c35a057a288f54f8ee4475724784103 bytes small macOS reverse (127.0.0.1:4444/TCP) shell (/bin/sh) with null-free shellcode.
7ea2751121ef3c6b1e135ae2a9db3a20Slims CMS Senayan Library Management System version 7.0 suffers from a remote shell upload vulnerability.
d5be7d73783868baa48653a63e6a6a0dThis exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time. dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands. As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments. This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax. Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. This is the second of two proof of concepts related to this issue. Versions below 2.37.1 are affected.
e9db49ddfa940a474a61af831e403fe3WordPress WP User Manager plugin version 2.0.8 suffers from a remote shell upload vulnerability.
3fca06ac6e8e03541e64f3fb8360717cWordPress Ultimate-Member plugin version 2.0.38 suffers from cross site request forgery and remote shell upload vulnerabilities.
f61b91a24dc98849236a6c36c3e9540eDebian Linux Security Advisory 4382-1 - Nick Cleaton discovered two vulnerabilities in rssh, a restricted shell that allows users to perform only scp, sftp, cvs, svnserve (Subversion), rdist and/or rsync operations. Missing validation in the rsync support could result in the bypass of this restriction, allowing the execution of arbitrary shell commands.
c712f853c846c1437ca257c7fcd7a563Joomla Remository component version 3.58 suffers from database disclosure, remote shell upload, and remote SQL injection vulnerabilities.
18465f7b60e2578f320cbef6b64376edDebian Linux Security Advisory 4377-1 - The ESnet security team discovered a vulnerability in rssh, a restricted shell that allows users to perform only scp, sftp, cvs, svnserve (Subversion), rdist and/or rsync operations. Missing validation in the scp support could result in the bypass of this restriction, allowing the execution of arbitrary shell commands.
0f3abdb1f9aef1a11fc5a00e69af7d1764 bytes small Linux/ARM reverse TCP (192.168.1.124:4321) shell (/bin/sh) shellcode.
e576a654739aa60859efbc5ba2d8bc76WordPress MM-Forms-Community plugin version 2.2.7 suffers from remote shell upload and remote SQL injection vulnerabilities.
982252fe3a971fdcf2bcfce4c7d269bbWordPress pitajte-strucnjaka plugin version 4.9.6 suffers from a remote shell upload vulnerability.
ea500206c71fd9e591418c2fcbaca0a0Splunk Enterprise version 7.2.3 authenticated remote reverse shell code execution exploit.
df373c09f1ec13bc91f5b1af385b3c67
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed