This Metasploit module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It! v8 to v11.X. The application exposes the FileStorageService .NET remoting service on port 9010 (9004 for version 8) which accepts unauthenticated uploads. This can be abused by a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary code execution as NETWORK SERVICE or SYSTEM. This Metasploit module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143, 9.0.30.248 and 8.0.2.51.

This Metasploit module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory leading to arbitrary code execution with IUSR privileges. This Metasploit module has been tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.

ASP Dynamika version 2.5 suffers from arbitrary file upload and remote SQL injection vulnerabilities.

MPC Sharj version 3.11.1 suffers from an arbitrary file download vulnerability.

Zen Load Balancer version 3.10.1 suffers from a directory traversal vulnerability. This finding was originally discovered by Cody Sixteen.

UPLoad version 7.0 suffers from an insecure cookie handling vulnerability.

Ac4p.com Gallery version 1.0 suffers from cross site scripting, phpinfo disclosure, shell upload, and insecure cookie handling vulnerabilities.

Denapars Shop Script suffers from administrative bypass, shell upload, and insecure cookie handling vulnerabilities.

[whem]-UPLoad version 7.0 suffers from an insecure cookie handling vulnerability.

ATutor version 2.2.4 suffers from a language_import arbitrary file upload that allows for command execution.

This Metasploit module exploits the file upload vulnerability of baldr malware panel in order to achieve arbitrary code execution.

An issue was discovered in osTicket versions before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions.

Integria IMS version 5.0.86 suffers from an arbitrary file upload vulnerability that allows for remote command execution.

Sentrifugo version 3.2 suffers from a file upload restriction bypass vulnerability.

FileThingie version 2.5.7 suffers from a remote shell upload vulnerability.

Dokeos versions 1.8.6.1 and 1.8.6.3 suffer from a remote file upload vulnerability via an fckeditor.

IBM Bigfix Platform version 9.5.9.62 suffers from an arbitrary file upload vulnerability as root that can achieve remote code execution.

Linear eMerge E3 versions 1.00-06 and below arbitrary file upload remote root code execution exploit.

Centraleyezer suffers from a remote shell upload vulnerability.

Online Book Store version 1.0 suffers from an arbitrary file upload vulnerability.

Joomla GMapFP component version 3.30 suffers from an arbitrary file upload vulnerability.

WordPress Event-Registration plugin version 5.43 suffers from an arbitrary file upload vulnerability.

Playable version 9.18 for iOS suffers from script insertion and arbitrary file upload vulnerabilities.

Air Sender version 1.0.2 for iOS suffers from an arbitrary file upload vulnerability.

Gigamon GigaVUE version 5.5.01.11 suffers from directory traversal and file upload with command execution vulnerabilities. Gigamon has chosen to sunset this product and not offer a patch.

HardDrive version 2.1 for iOS suffers from an arbitrary file upload vulnerability.

Online Clothing Store version 1.0 suffers from an arbitrary file upload vulnerability.

PHPKB Multi-Language 9 suffers from an image-upload.php remote authenticated code execution vulnerability.

PHP-Fusion version 9.03.50 suffers from an arbitrary file upload vulnerability.

NEC Univerge SV9100/SV8100 WebPro version 10.0 suffers from a remote configuration download vulnerability. The gzipped telephone system configuration file 'config.gz' or 'config.pcpx' that contains the unencrypted data file 'conf.pcpn', can be downloaded by an attacker from the root directory if previously generated by a privileged user.

This whitepaper is a quick tutorial on pentesting the Zen load balancer.

This Metasploit module exploits a vulnerability on the lrFileIOService ActiveX, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileString method, which allow the user to write arbitrary files. It's abused to drop a payload embedded in a dll, which is later loaded through the Init() method from the lrMdrvService control, by abusing an insecure LoadLibrary call. This Metasploit module has been tested successfully on IE8 on Windows XP. Virtualization based on the Low Integrity Process, on Windows Vista and 7, will stop this module because the DLL will be dropped to a virtualized folder, which isn't used by LoadLibrary.

Air Transfer Iphone version 1.3.9 suffers from remote denial of service and unauthenticated file access vulnerabilities.

WordPress Windows Desktop and iPhone Photo Uploader plugin suffers from a remote shell upload vulnerability.

This Metasploit module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ versions 5.x before 5.11.2 for Windows. The module tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\admin\ using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials provided by the user). It then issues an HTTP GET request to /admin/.jsp on the target in order to trigger the payload and obtain a shell.

The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config download and file disclosure vulnerability when calling the ExportConfig REST API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access.

An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a unverified device configuration change, resulting in an unverified change of the user password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability.

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.

An exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability.

This Metasploit module exploits an authenticated directory traversal vulnerability in Zen Load Balancer version 3.10.1. The flaw exists in index.cgi not properly handling the filelog= parameter which allows a malicious actor to load arbitrary file path.