Search the Community
Showing results for tags '1.17'.
Exploits Apache Tika 1.17 Header Command Injection
1337day-Exploits posted a topic in Updated Exploits
This Metasploit module exploits a command injection vulnerability in Apache Tika versions 1.15 through 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic byte checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 through 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only versions greater than 1.14 were exploitable due to jp2 support being added.
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, a user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands.

The distinctive power of Havij that differentiates it from similar tools lies in its unique methods of injection. The success rate of attack on vulnerable targets using Havij is above 95%. The user-friendly GUI (Graphical User Interface) of Havij and its automated configuration and heuristic detections make it easy to use for everyone, even amateurs.

Key Features

Supported Databases with injection methods:
- MsSQL 2000/2005 with error
- MsSQL 2000/2005 no error union based
- MsSQL Blind
- MySQL time based
- MySQL union based
- MySQL Blind
- MySQL error based
- MySQL time based
- Oracle union based
- Oracle error based
- PostgreSQL union based
- MsAccess union based
- MsAccess Blind
- Sybase (ASE)
- Sybase (ASE) Blind

Other features:
- HTTPS support
- Multi-threading
- Proxy support
- Automatic database server detection
- Automatic type detection (string or integer)
- Automatic keyword detection (finding difference between the positive and negative response)
- Automatic scan of all parameters.
- Trying different injection syntaxes
- Options for replacing space by /**/,+,… against IDS or filters
- Avoids using strings (bypassing magic_quotes and similar filters)

Installation Guide

1. Download files from the links provided below
2. Extract them using WinRAR, WinZip or any other tool
3. Run Havij 1.17 PRO.exe
4. Copy and paste loader.exe in the folder where Havij is installed (probably it is C:\Program Files (x86)\ITSecTeam\Havij Pro)
5. Run loader.exe as an administrator
6. Direct hit Register button

BoOm!!!! Now you are using Havij PRO 😮

Download: FILE BINDED & BACKDOORED!