Posted in: Exploits, Web Application

FUDForum 3.0.9 – Stored XSS / Remote Code Execution (CVE-2019-18839, CVE-2019-18873)

Exploit Title: FUDForum 3.0.9 – Stored XSS / Remote Code Execution
Date: 10/26/19
Exploit Author: liquidsky (JMcPeters)
Vulnerable Software: FUDForum 3.0.9…

Posted in: Uncategorized

How spending our Saturday hacking earned us 20k

Note: I have personally archived this amazing article due to the fact that the original is no longer available. How spending our Saturday hacking earned…

Posted in: Exploits, Penetration Testing, Web Application

ATutor 2.2.4 ‘language_import’ Arbitrary File Upload / RCE (CVE-2019-12169)

This proof of concept demonstrates a vulnerability in ‘/mods/_core/languages/language_import.php’ that can be used to gain remote code execution. The code can be modified to…

Posted in: Exploits, Web Application

eLabFTW 1.8.5 ‘EntityController’ Arbitrary File Upload / RCE (CVE-2019-12185)

I was doing some research last night and I discovered a vulnerability in eLabFTW 1.8.5. So I went ahead and coded a proof of concept…

Posted in: Exploits, Web Application

ATutor 2.2.4 ‘Backup’ Remote Command Execution (CVE-2019-12170)

ATutor-Instructor-Backup-Exploit
Exploit Title: ATutor 2.2.4 ‘Backup’ Remote Command Execution
Google Dork: inurl:/ATutor/login.php
Date: 5/13/2019
Exploit Author: Joseph McPeters
Vendor Homepage: https://atutor.github.io/
Software Link: https://sourceforge.net/projects/atutor/files/latest/download
Version:…
