Exploit the possiblities
Showing 1 - 25 of 27 RSS Feed

Files from Mehmet Ince

Email addressmehmet at mehmetince.net
First Active2012-04-26
Last Active2017-10-12
Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution
Posted Oct 12, 2017
Authored by mr_me, Mehmet Ince | Site metasploit.com

This Metasploit module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user. The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

tags | exploit, web, php, tcp, vulnerability
MD5 | c596a4696eab69db88b173ffa1c4b5fb
Trend Micro OfficeScan Remote Code Execution
Posted Oct 10, 2017
Authored by mr_me, Mehmet Ince | Site metasploit.com

This Metasploit module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user. The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro Officescan product has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

tags | exploit, web, php, tcp, vulnerability
MD5 | 02f022c47acfeb55ae34578721c1b3be
Lansweeper 6.0.100.29 XXE Injection
Posted Oct 6, 2017
Authored by Mehmet Ince, Barkin Kilic

Lansweeper version 6.0.100.29 suffers from an XML external entity injection vulnerability.

tags | exploit
advisories | CVE-2017-13706
MD5 | ac359c8576cebe46e9bfc2fd930fc500
DenyAll Web Application Firewall Remote Code Execution
Posted Sep 23, 2017
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.

tags | exploit, web
MD5 | aa61f54d09236aa9b2ce2c30c247b100
osTicket 1.10 SQL Injection
Posted Sep 12, 2017
Authored by Mehmet Ince

osTicket version 1.10 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | edb823aec7badd3b6f3d1fed3d989044
Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution
Posted Aug 18, 2017
Authored by Mehmet Ince, Cody Sixteen | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the Trend Micro IMSVA product. An authenticated user can execute a terminal command under the context of the web server user which is root. Besides, default installation of IMSVA comes with a default administrator credentials. WizardSetting_sys.imss endpoint takes several user inputs and performs LAN settings. After that it use them as argument of predefined operating system command without proper sanitation. It's possible to inject arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.

tags | exploit, web, arbitrary, root
MD5 | 7eadfd94788e579c42212511e87507fe
Symantec Messaging Gateway Remote Code Execution
Posted Jun 24, 2017
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits the command injection vulnerability of Symantec Messaging Gateway product. An authenticated user can execute a terminal command under the context of the web server user which is root. backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing operating system command. One of the user input is being passed to the service without proper validation. That cause an command injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal command. Thus, you need to configure your own SSH service and set the required parameter during module usage. This Metasploit module was tested against Symantec Messaging Gateway 10.6.2-7.

tags | exploit, web, root
advisories | CVE-2017-6326
MD5 | ec43893d466be8d6bcf23e16f2e3a697
Crypttech CryptoLog Remote Code Execution
Posted May 6, 2017
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits the sql injection and command injection vulnerability of CryptoLog. An un-authenticated user can execute a terminal command under the context of the web user. login.php endpoint is responsible for login process. One of the user supplied parameter is used by the application without input validation and parameter binding. Which cause a sql injection vulnerability. Successfully exploitation of this vulnerability gives us the valid session. logshares_ajax.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. One user parameter is used by the application while executing operating system command which cause a command injection issue. Combining these vulnerabilities gives us opportunity execute operation system command under the context of the web user.

tags | exploit, web, php, vulnerability, sql injection
MD5 | def1cf31ae496fb40d65c478545ef605
SolarWind LEM Default SSH Password Remote Code Execution
Posted Apr 4, 2017
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell. This Metasploit module was tested against SolarWinds LEM v6.3.1.

tags | exploit, shell
MD5 | b551077e34268bd111ec9232032426a6
Logsign Remote Command Injection
Posted Mar 23, 2017
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits an command injection vulnerability in Logsign. By exploiting this vulnerability, unauthenticated users can execute arbitrary code under the root user. Logsign has a publicly accessible endpoint. That endpoint takes a user input and then use it during operating system command execution without proper validation. This Metasploit module was tested against 4.4.2 and 4.4.137 versions.

tags | exploit, arbitrary, root
MD5 | 30dabe9a85146a69decc9f4f053c65b4
AlienVault OSSIM/USM Remote Code Execution
Posted Feb 25, 2017
Authored by Mehmet Ince, Peter Lapp | Site metasploit.com

This Metasploit module exploits object injection, authentication bypass and ip spoofing vulnerabilities all together. Unauthenticated users can execute arbitrary commands under the context of the root user. By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue action and policy that enables to execute operating system commands by using captured session token. As a final step, SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes operating system command with root user privileges. This Metasploit module was tested against following product and versions: AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0 AlienVault OSSIM 5.0.0, 4.6.1

tags | exploit, arbitrary, root, spoof, php, vulnerability, sql injection
MD5 | c403c0d00272c2fb94d0906435878b17
Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution
Posted Feb 25, 2017
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in the Trend Micro IMSVA product. An authenticated user can execute a terminal command under the context of the web server user which is root. Besides, default installation of IMSVA comes with a default administrator credentials. saveCert.imss endpoint takes several user inputs and performs blacklisting. After that it use them as argument of predefined operating system command without proper sanitation. However,due to improper blacklisting rule it's possible to inject arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue. This Metasploit module was tested against IMSVA 9.1-1600.

tags | exploit, web, arbitrary, root
MD5 | e30a5f7b0efb1a22f93c027e3330d052
ManageEngine ADManager Plus 6.5.40 Cross Site Scripting / SQL Injection
Posted Jan 15, 2017
Authored by Mehmet Ince

ManageEngine ADManager Plus versions 6.5.40 and below suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | 95091da6de9488e305350dc7991db01c
Tuleap 8.18 SQL Injection / XSS / Insecure Direct Object Reference
Posted Oct 17, 2016
Authored by Mehmet Ince

Analysis of Tuleap versions 8.18 and below remote SQL injection, cross site scripting, and insecure direct object reference vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | 81925c9f3348b620bac0bc40758f9dad
Kaltura Remote PHP Code Execution
Posted Sep 22, 2016
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits an Object Injection vulnerability in Kaltura. By exploiting this vulnerability, unauthenticated users can execute arbitrary code under the context of the web server user. Kaltura has a module named keditorservices that takes user input and then uses it as an unserialized function parameter. The constructed object is based on the SektionEins Zend code execution POP chain PoC, with a minor modification to ensure Kaltura processes it and the Zend_Log function's __destruct() method is called. Kaltura versions prior to 11.1.0-2 are affected by this issue. This Metasploit module was tested against Kaltura 11.1.0 installed on CentOS 6.8.

tags | exploit, web, arbitrary, code execution
systems | linux, centos
MD5 | 88b5feb4d8804371bd527a59fffd03f5
Drupal CODER Module Remote Command Execution
Posted Jul 26, 2016
Authored by Mehmet Ince, Nicky Bloor | Site metasploit.com

This Metasploit module exploits a Remote Command Execution vulnerability in Drupal CODER Module. Unauthenticated users can execute arbitrary command under the context of the web server user. CODER module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary command. The module does not need to be enabled for this to be exploited This Metasploit module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server.

tags | exploit, remote, web, arbitrary, php
systems | linux, ubuntu
MD5 | fdf3b92a1c985d41e2402896ff66cf9a
Drupal RESTWS Module Remote PHP Code Execution
Posted Jul 21, 2016
Authored by Mehmet Ince, Devin Zuczek | Site metasploit.com

This Metasploit module exploits a Remote PHP Code Execution vulnerability in Drupal RESTWS Module. Unauthenticated users can execute arbitrary code under the context of the web server user. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an unauthenticated attacker to send specially crafted requests resulting in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to 1.7 versions are affected by issue. This Metasploit module was tested against RESTWS 2.5 with Drupal 7.5 installation on Ubuntu server.

tags | exploit, remote, web, arbitrary, php, code execution
systems | linux, ubuntu
MD5 | a07fff541bb884e4701ff7f27d49ae76
Tiki Wiki 15.1 Unauthenticated File Upload
Posted Jul 12, 2016
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in Tiki Wiki versions 15.1 and below which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user. The issue comes with one of the 3rd party components. Name of that components is ELFinder -version 2.0-. This components comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload PHP file. The exploit has been tested on Debian 8.x 64-bit and Tiki Wiki 15.1.

tags | exploit, web, arbitrary, php, file upload
systems | linux, debian
MD5 | 75ff5f78056283806bf48c4b08b4edfc
BigTree CMS 4.2.11 SQL Injection
Posted Jun 28, 2016
Authored by Mehmet Ince

BigTree CMS version 4.2.11 and below suffer from a remote authenticated SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 97512bfee561640281a0ecd4acf8a516
BookingWizz LFI / XSS / CSRF / SQL Injection
Posted Jun 15, 2016
Authored by Mehmet Ince

BookingWizz versions prior to 5.5 suffer from having default administrative credentials, local file inclusion, cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, local, vulnerability, xss, sql injection, file inclusion, csrf
MD5 | 1c319583f82f231e10fa8953319eb536
AfterLogic WebMail Pro ASP.NET Account Takeover / XXE Injection
Posted May 24, 2016
Authored by Mehmet Ince, Halit Alptekin

AfterLogic WebMail Pro ASP.NET versions prior to 6.2.7 suffer from an administrator account takeover via an XXE injection vulnerability.

tags | exploit, asp
MD5 | 41cc07503156fc99994ba41aa68c9031
Bonefire 0.7.1 Reinstall Admin Account
Posted Apr 24, 2014
Authored by Mehmet Ince

Bonefire version 0.7.1 suffers from a flaw where it allows the reinstall of the default administrative account.

tags | exploit
MD5 | e34588f0e03e0ed0cf42517b7ccfa1df
No-CMS 0.6.6 Rev 1 Account Hijack / Remote Command Execution
Posted Apr 22, 2014
Authored by Mehmet Ince

No-CMS version 0.6.6 revision 1 administrative account hijacking and remote command execution exploit that leverages a static encryption key.

tags | exploit, remote
MD5 | 76a4c0e266510950631096383416e84a
Source Code Analysis With Web Applications II
Posted Jun 19, 2013
Authored by Mehmet Ince

This is a whitepaper discussing source code analysis of web applications. Part II. Written in Turkish.

tags | paper, web
MD5 | e93efab9b391fd7cc98c5f9136560ff6
Web Application Security 101
Posted Jun 14, 2012
Authored by Mehmet Ince

This is a brief whitepaper that discusses various types of vulnerabilities found in web applications. It is written in Turkish.

tags | paper, web, vulnerability
MD5 | 6b7b68e34f9ea5f6554d01143c311d43
Page 1 of 2
Back12Next

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close