exploit the possibilities
Showing 1 - 10 of 10 RSS Feed

Files from Erik Wynter

First Active2020-03-03
Last Active2020-12-08
FlexDotnetCMS 1.5.8 Arbitrary ASP File Upload
Posted Dec 8, 2020
Authored by Erik Wynter | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in FlexDotnetCMS versions 1.5.8 and prior in order to execute arbitrary commands with elevated privileges.

tags | exploit, arbitrary, file upload
advisories | CVE-2020-27386
MD5 | 49d8406c21ab8ebe76041ae803166693
HorizontCMS 1.0.0-beta Shell Upload
Posted Nov 13, 2020
Authored by Erik Wynter | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in HorizontCMS 1.0.0-beta in order to execute arbitrary commands. The module first attempts to authenticate to HorizontCMS. It then tries to upload a malicious PHP file via an HTTP POST request to /admin/file-manager/fileupload. The server will rename this file to a random string. The module will therefore attempt to change the filename back to the original name via an HTTP POST request to /admin/file-manager/rename. For the php target, the payload is embedded in the uploaded file and the module attempts to execute the payload via an HTTP GET request to /storage/file_name.

tags | exploit, web, arbitrary, php, file upload
advisories | CVE-2020-27387
MD5 | b1586e133ec28d35e83ec172e95fe1d0
MaraCMS 7.5 Remote Code Execution
Posted Sep 28, 2020
Authored by Erik Wynter, Michele Cisternino | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability in MaraCMS versions 7.5 and below in order to execute arbitrary commands. The module first attempts to authenticate to MaraCMS. It then tries to upload a malicious PHP file to the web root via an HTTP POST request to codebase/handler.php. If the php target is selected, the payload is embedded in the uploaded file and the module attempts to execute the payload via an HTTP GET request to this file. For the linux and windows targets, the module uploads a simple PHP web shell. Subsequently, it leverages the CmdStager mixin to deliver the final payload via a series of HTTP GET requests to the PHP web shell. Valid credentials for a MaraCMS admin or manager account are required. This module has been successfully tested against MaraCMS 7.5 running on Windows Server 2012 (XAMPP server).

tags | exploit, web, arbitrary, shell, root, php, file upload
systems | linux, windows
advisories | CVE-2020-25042
MD5 | f3fcdcf0924156e882b29740d16480f8
ZenTao Pro 8.8.2 Remote Code Execution
Posted Jul 22, 2020
Authored by Daniel Monzon, Erik Wynter, Melvin Boers | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in ZenTao Pro 8.8.2 and earlier versions in order to execute arbitrary commands with SYSTEM privileges. Valid credentials for a ZenTao admin account are required. This module has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on Windows 10 (XAMPP server).

tags | exploit, arbitrary
systems | windows
advisories | CVE-2020-7361
MD5 | 0c709d672ec84543f14645bf7ef4cccb
Pandora FMS 7.0 NG 7XX Remote Command Execution
Posted Jul 11, 2020
Authored by Fernando Catoira, Erik Wynter, Julio Sanchez | Site metasploit.com

This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in th e Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).

tags | exploit, web, arbitrary, shell, local, php
systems | linux, centos
advisories | CVE-2020-13851
MD5 | f5291266eaebb8b290e3a0b7e6659455
ATutor 2.2.4 Directory Traversal / Remote Code Execution
Posted Jun 30, 2020
Authored by liquidsky, Erik Wynter | Site metasploit.com

This Metasploit module exploits an arbitrary file upload vulnerability together with a directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in order to execute arbitrary commands.

tags | exploit, arbitrary, file upload
advisories | CVE-2019-12169
MD5 | 09ec42ff94266d8b91d8385b7c530d7b
Bolt CMS 3.7.0 Authenticated Remote Code Execution
Posted Jun 29, 2020
Authored by r3m0t3nu11, Erik Wynter, Sivanesh Ashok | Site metasploit.com

This Metasploit module exploits multiple vulnerabilities in Bolt CMS version 3.7.0 and 3.6.x in order to execute arbitrary commands as the user running Bolt. Valid credentials for a Bolt CMS user are required. This module has been successfully tested against Bolt CMS 3.7.0 running on CentOS 7.

tags | exploit, arbitrary, vulnerability
systems | linux, centos
MD5 | 0e1891b316c1ddb10007d34437171dba
Nagios XI Authenticated Remote Command Execution
Posted Mar 10, 2020
Authored by Erik Wynter, Jak Gibb | Site metasploit.com

This Metasploit module exploits a vulnerability in Nagios XI versions before 5.6.6 in order to execute arbitrary commands as root. The module uploads a malicious plugin to the Nagios XI server and then executes this plugin by issuing an HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. This may not work if Nagios XI is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). The module then writes the payload to the malicious plugin while avoiding commands that may not be supported. Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. The module may behave differently against older versions of Nagios XI.

tags | exploit, web, arbitrary, root
systems | linux, unix, osx, centos
advisories | CVE-2019-15949
MD5 | 27aeb9dcadc656869ca4d5c1b08a9963
Apache ActiveMQ 5.11.1 Directory Traversal / Shell Upload
Posted Mar 5, 2020
Authored by David Jorm, Erik Wynter | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ versions 5.x before 5.11.2 for Windows. The module tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials provided by the user). It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell.

tags | exploit, web, shell
systems | windows
advisories | CVE-2015-1830
MD5 | d70509a7229f04053ab2e6c54f80f4a5
EyesOfNetwork AutoDiscovery Target Command Execution
Posted Mar 3, 2020
Authored by Brendan Coles, Clement Billac, Erik Wynter | Site metasploit.com

This Metasploit module exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the target parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the apache user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via two methods, i.e. by generating an API access token based on a hard-coded key, and via SQL injection. This module has been successfully tested on EyesOfNetwork 5.3 with API version 2.4.2.

tags | exploit, web, arbitrary, root, vulnerability, sql injection
advisories | CVE-2020-8654, CVE-2020-8655, CVE-2020-8656, CVE-2020-8657
MD5 | 3a699f2aa100664503fd2a6553c99d29
Page 1 of 1
Back1Next

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close