This Metasploit module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API (and likely other F5 devices).
This Metasploit module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable cffile line in thumbnail.cfm allows an attacker to download an arbitrary PNG file. By appending a .cfm extension and taking advantage of a directory traversal, an attacker can append ColdFusion markup to the PNG file and have it interpreted by the server. This is used to stage and execute a fully-fledged payload.
This Metasploit module will exploit an unauthenticated SQL injection in order to gain a shell on the remote victim. This was tested against PowerIQ version 4.1.0. The 'check' command will attempt to pull the banner of the DBMS (PGSQL) in order to verify exploitability via boolean injections. In order to gain remote command execution, multiple vulnerabilities are used.
Dell Sonicwall Scrutinizer version 11.01 is vulnerable to an authenticated SQL injection that allows an attacker to write arbitrary files to the file system. This vulnerability can be used to write a PHP script to the file system to gain remote command execution. Metasploit module included. Dell contacted Packet Storm on 07/14/2014 to let us know that release 11.5.2 has been made available to address this issue.
InvGate Service Desk version 4.2.36 suffers from multiple remote SQL injection vulnerabilities.
This Metasploit module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of a specially crafted file name when trying to blame it.
HP Enterprise Maps version 1.00 suffers from an authenticated XXE injection vulnerability.
This is a Metasploit module that leverages an authenticated arbitrary file upload vulnerability in Dotclear versions 2.6.2 and below.
This Metasploit module takes advantage of three separate vulnerabilities in order to read an arbitrary text file from the file system with the privileges of the web server. You must be authenticated, but can be unprivileged since a privilege escalation vulnerability is used. Tested against HP Release Control 9.20.0000, Build 395 installed with demo data. The first vulnerability allows an unprivileged authenticated user to list the current users, their IDs, and even their password hashes. You can't log in with the hashes, but the ID is useful in the second vulnerability. When a user changes their password, they post the ID of the user whose password is going to be changed. Just replace it with the admin ID and you change the admin password. You are now admin. The third vulnerability is an XXE in the dashboard XML import mechanism. This is what allows you to read the file from the file system. This Metasploit module is super ghetto, half because it was an AMF application and half because I worked on it longer than I wanted to.
metafang2 interfaces with a Metasploit RPC instance to generate .NET executables that run x86/x64 shellcode in a platform-agnostic way. One binary to rule them all. Also provides an encryption mechanism that will bruteforce the payload's key at runtime.
F5 iControl systems suffer from a remote command execution vulnerability.
F5 BIG-IQ version 4.1.0.2013.0 is vulnerable to a privilege escalation attack which allows an attacker to change the root user's password. This Metasploit module does just this, then SSHes in.
WebTitan version 4.01 suffers from remote command execution and directory traversal vulnerabilities.
This Metasploit module exploits a remote command execution vulnerability in Unitrends Enterprise Backup version 7.3.0.
Xerox DocuShare suffers from a remote SQL injection vulnerability.
This Metasploit module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the module updates the password to login as the admin to reach the second vulnerability. No server-side sanitization is done on values passed when configuring a static network interface. This allows an administrator user to run arbitrary commands in the context of the web application, which is root when configuring the network interface. This Metasploit module will inadvertently delete any other users that may have been present as a side effect of changing the admin's password.
EMC Cloud Tiering appliance version 10.0 suffers from an unauthenticated XXE injection vulnerability. Metasploit module proof of concept is included.
AlienVault version 4.5.0 suffers from an authenticated remote SQL injection vulnerability. Metasploit module proof of concept is included.
When authenticated as an administrator on LifeSize UVC 1.2.6, an attacker can abuse the ping diagnostic functionality to achieve remote command execution as the www-data user (or equivalent).
McAfee Cloud SSO is vulnerable to cross site scripting. McAfee Asset Manager version 6.6 is susceptible to a traversal that allows for arbitrary file read and remote SQL injection.
Metasploit module for MantisBT versions 1.2.16 and below that leverages a remote SQL injection vulnerability to perform an arbitrary file read. Administrative credentials are required.
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation.
McAfee Email Gateway version 7.6 suffers from remote command execution and remote SQL injection vulnerabilities.
vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP script and execute arbitrary PHP code remotely. This Metasploit module was tested against vTiger CRM v5.4.0 and v5.3.0.
NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have the code executed remotely. This Metasploit module was successfully tested against NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.