Usermin is vulnerable to arbitrary command execution in the email signature configuration, because the signature file parameter is not sanitized before use.
This module exploits an assertion failure vulnerability in BIND 9 servers to cause a denial of service.
Zimbra is vulnerable to a Local File Inclusion vulnerability that allows an attacker to obtain LDAP credentials, which can then be used to upload a JSP file and install an agent.
This exploit abuses a persistent cross-site scripting vulnerability in WordPress to install an OS agent on the server running the WordPress installation. To do this, it posts a comment containing the cross-site scripting code for every selected target. The injected code attempts to install a WordPress plugin every time the comment is rendered, and immediately removes itself from the DOM so that it is neither visible nor executed again until the page containing it is opened again. The attack succeeds when someone visits the page while logged in with administrator credentials. It should have no effect on visitors who are not logged in or who lack permission to install a plugin. If the comment is queued for moderation, the attack continues only if the comment is approved. Because the contents of the comment are quite clearly an XSS attack, it is better to avoid moderation of the comment. The following attack steps are therefore recommended.

Using 'Verification Mode':
1. Turn on 'Verification Mode' by means of the 'VERIFICATION MODE ON' parameter, and complete the 'Verification Mode' parameters.
2. Run the module.
3. Verify the post to attack (i.e., open it in a web browser). If the comment appears without the need for moderation, you can attack the page directly. Otherwise, wait until the comment is approved, and then conduct the attack with verification mode turned off.

Using 'Web Proxy':
1. Navigate to the WordPress post you mean to use as a target and add a comment. Do not use Impact's 'Web Proxy' module while doing this. If the comment is moderated, wait for it to be approved.
2. Configure the current scenario to use the same user agent as your browser.
3. Run the 'Web Proxy' module, and configure your web browser to use it.
4. Visit the same post with the proxy configured: the cookies captured by the 'Web Proxy' module will be used for the attack, as will the same author name and author email.
5. Run this module against the blog post URL discovered by the 'Web Proxy'.

The target web page must be a WordPress post. The module first makes a request to the post to read certain values from the comment posting form, and then makes a POST to a different URL (the action of that form) to create the comment with the attack code. Keep in mind that, for comments to be approved automatically, the request should be made from the same IP address, with the same user agent, the same author name, and the same author email. In all cases, you will need to wait for a logged-in administrator to visit the post. The attack is executed on an 'onmouseover' event on the page containing the comment. If you choose to post the attack without using the cookies and other request values that avoid moderation, you should provide an author name and author email in the Advanced parameters; if they are not provided, dummy values are used, reducing even further the chances of the comment being approved. On some systems, the owner of the WordPress plugins directory is by default different from the user running the HTTP server, so plugin installation works differently from what the current implementation of this module expects; in those cases the attack fails even though the vulnerability is present. If the plugin installation succeeds, an agent is installed, and both the comment and the plugin are removed from WordPress. This module keeps waiting for agent connections until it is stopped manually.
This module runs a DHCP server. When requests (DHCPDISCOVER or DHCPREQUEST) are received, it responds with an offer according to the given configuration, and includes in the DHCP 'default-url' option a string leveraging the GNU Bash environment variable injection vulnerability to register a crond script, which subsequently downloads and executes an Impact agent using the target system's wget. The injection is tried once per MAC address. Keep in mind that a successful attack requires the attacked hosts to have connectivity to Impact's web server after the attack (which may set new network settings on the target), so consider changing the source agent for the web server module if you are attacking from an agent other than /localagent. Also, if the source agent runs on a host with more than one network interface, select the appropriate one so that the module receives and responds on the network you are attacking. This module requires that the pcap plugin be installed.
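The following Python is an added example for the DHCP module described above; it is not Core Impact code. It parses the option area of a raw DHCP datagram and flags any option whose value begins a bash function definition (the `() {` marker of the Shellshock bugs, CVE-2014-6271 and its follow-ups), since a vulnerable dhclient-script exports option values such as default-url into bash's environment. The option number 114 for default-url follows ISC dhclient's option table (the RFC 3679 URL option); the packets are constructed in the block rather than captured, and the only payload used is the canonical `() { :; }; echo vulnerable` test string. Because the client reassembles repeated instances of one option code before use (RFC 3396), the parser concatenates them too, so a marker split across two TLVs of the same code is still caught, which a per-TLV scanner would miss.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_URL = 114  # "default-url" in ISC dhclient's option table (RFC 3679 URL option)
SHELLSHOCK_MARKER = b"() {"  # start of an exported bash function definition (CVE-2014-6271 family)


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value} for a raw BOOTP/DHCP datagram.

    Repeated instances of one option code are concatenated (RFC 3396), which is
    also how the client sees them, so a payload split across two TLVs of the
    same code is reassembled before inspection.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: bad length or magic cookie")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def find_shellshock_options(packet: bytes) -> list:
    """Option codes whose reassembled value carries a bash function-definition marker."""
    return sorted(code for code, value in parse_dhcp_options(packet).items()
                  if SHELLSHOCK_MARKER in value)


def build_dhcp_offer(options: list) -> bytes:
    """Build a minimal DHCPOFFER from [(code, value)] pairs. Constructed sample, not a capture."""
    # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0, xid, then zeroed secs/flags/addresses/sname/file
    header = bytes([2, 1, 6, 0]) + struct.pack("!I", 0x3903F326) + b"\x00" * 228
    body = b""
    for code, value in options:
        for pos in range(0, len(value), 255):  # RFC 3396: split values longer than 255 bytes
            chunk = value[pos:pos + 255]
            body += bytes([code, len(chunk)]) + chunk
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed samples (not captured traffic).
BENIGN_OFFER = build_dhcp_offer([
    (OPT_MESSAGE_TYPE, b"\x02"),
    (OPT_URL, b"http://intranet.example/provision"),
])
# The canonical CVE-2014-6271 test string in default-url: a vulnerable
# dhclient-script exports the option into bash's environment, where the
# command after the function body is executed.
SHELLSHOCK_OFFER = build_dhcp_offer([
    (OPT_MESSAGE_TYPE, b"\x02"),
    (OPT_URL, b"() { :; }; echo vulnerable"),
])
# Same marker, but the 279-byte value is split across two option-114 TLVs so
# that "()" ends the first chunk and " { ..." starts the second.
SPLIT_OFFER = build_dhcp_offer([
    (OPT_MESSAGE_TYPE, b"\x02"),
    (OPT_URL, b"A" * 253 + b"() { :; }; echo vulnerable"),
])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_OFFER), ("shellshock", SHELLSHOCK_OFFER), ("split", SPLIT_OFFER)):
        print(name, find_shellshock_options(pkt))
```

Fed a UDP payload captured on port 68, `find_shellshock_options` returns `[114]` for the offer described by the module and `[]` for an ordinary lease; the split sample is the case a signature that inspects each TLV in isolation gets wrong.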
This module exploits a vulnerability in Linux. The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces.
The fdctrl_handle_drive_specification_command() function in the code that emulates the Floppy Disk Controller in QEMU does not properly reset the index within a buffer when processing user-controlled data, leading to a heap-based buffer overflow in the QEMU process that runs on the Host system. An attacker running code within a Guest operating system can exploit this vulnerability in order to escape from the QEMU virtual machine and execute arbitrary code on the Host operating system. This vulnerability is also known as VENOM.
Zen Cart is prone to a vulnerability that attackers can leverage to execute arbitrary code. This issue occurs in the 'admin/record_company.php' script. Specifically, the application fails to sufficiently sanitize user-supplied input to the 'frmdt_content' parameter of the 'record_company_image' array.
A remote code execution issue has been found in Zabbix version 1.6.2; no authentication is required to exploit it. Magic quotes must be turned off in order to exploit this vulnerability. NOTE: the magic quotes feature was deprecated in PHP 5.3 and removed in PHP 5.4, so it is always off on later PHP versions.
Input passed to the mydirname parameter in xoops_lib/modules/protector/oninstall.php, xoops_lib/modules/protector/onupdate.php, xoops_lib/modules/protector/notification.php, and xoops_lib/modules/protector/onuninstall.php is not properly sanitised before being used in an eval() statement. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation requires that register_globals is enabled.