phpMyAdmin is prone to a regexp abuse via an eval modifier which can be found in old PHP versions. This vulnerability allows authenticated attackers to run arbitrary php code on the affected server. PHP versions 4.3.0-5.4.6 had a "feature" which allowed users to run a RegExp Pattern Modifier using PREG_REPLACE_EVAL and may lead to execute code. phpMyAdmin had an issue in their code that can be exploited from a table replace call. The general idea is to insert a crafted regexp eval record format, and then trigger it via a find and replace function with system commands For that purpose, the exploit will try to use any existing cookies of that host, or the username and password provided. Once logged in, if the user provided a database, it will be used. If not, we will search for existing databases. The attack will not leave any trace. This exploit installs an OS Agent.
The REST plugin in the Apache Struts 2 framework is prone to a remote code execution vulnerability when evaluating OGNL expressions when Dynamic Method Invocation is enabled. This vulnerability allows remote attackers to execute arbitrary Java code on the affected server. This module exploits the vulnerability in any web application built on top of vulnerable versions of Apache Struts 2 making use of the REST plugin with the Dynamic Method Invocation feature enabled. This exploit installs an OS Agent.
The default error page in Spring Boot (also know as "Whitelabel Error Page"), when a type error is detected in a parameter configured in a controller, will display the provided value. The page's rendering expands Spring Expression Language (SPEL) expressions found in the page, and it does so recursively. Because of this, a string containing an expression language provided as the value for an URL parameter may be evaluated server side while rendering the page if it's from a different type to the expected for said parameter. The "Whitelabel Error Page" is provided by default, but it can be customized. This attack has only been tested with the default error page. In particular, if SPEL is not used a the templating language for another page, or if the page doesn't print the exception due to type mismatch, the attack is not possible.
This module exploits a remote code execution vulnerability in Joomla. The session handling code is susceptible to PHP Object Injection attacks due to lack of sanitization in some HTTP headers that are saved to the database session backend.
This module exploits a SQL Injection vulnerability in Drupal.An attacker can send a specially crafted data and execute arbitrary SQL commands leading to remote code execution.
Subscribe to OS Command Injection