This Metasploit module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API (and likely other F5 devices).
776e3aeff0083df2861f8e072af91181406b096d9fca90ce04c40954c904255dThis Metasploit module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable cffile line in thumbnail.cfm allows an attacker to download an arbitrary PNG file. By appending a .cfm, and taking advantage of a directory traversal, an attacker can append cold fusion markup to the PNG file, and have it interpreted by the server. This is used to stage and execute a fully-fledged payload.
0bbe174102c9e26fadfffb5af3c7e341a378b56297c9ad11a3b67c73f86ebcd0This Metasploit module will exploit an unauthenticated SQL injection in order to gain a shell on the remote victim. This was tested against PowerIQ version 4.1.0. The 'check' command will attempt to pull the banner of the DBMS (PGSQL) in order to verify exploitability via boolean injections. In order to gain remote command execution, multiple vulnerabilities are used.
82be59d3b7e4fb6726460b589da8c608cb66c0ecd7ab47efe0c8055b4159d2f7Dell Sonicwall Scrutinizer version 11.01 is vulnerable to an authenticated SQL injection that allows an attacker to write arbitrary files to the file system. This vulnerability can be used to write a PHP script to the file system to gain remote command execution. Metasploit module included. Dell contacted Packet Storm on 07/14/2014 to let us know that release 11.5.2 has been made available to address this issue.
e6844166557a62dfe434032eb24092085e6956f068dc06377704ee9ecd4283d7InvGate Service Desk version 4.2.36 suffers from multiple remote SQL injection vulnerabilities.
294e286dd4ab6ecdb1b5049d5d2988629872d53ef390926a21c84a0185be41d0This Metasploit module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of an specially crafted file name when trying to blame it.
2d10e7f5052c363ec8a9a489e9f7c7fd6b0f2a333365ccb4fc9fa7413a6b823cHP Enterprise Maps version 1.00 suffers from an authenticated XXE injection vulnerability.
49cac9392e67761747314562b60d157df35c9cc117dcad5865d91f95214595b0This is a Metasploit modules that leverages an authenticated arbitrary file upload vulnerability in Dotclear versions 2.6.2 and below.
fa7134cec4517d630b5ea12c4242fbfc9bfb06e0df1b252b0e24e5fa245675a6This Metasploit module takes advantage of three separate vulnerabilities in order to read an arbitrary text file from the file system with the privileges of the web server. You must be authenticated, but can be unprivileged since a privilege escalation vulnerability is used. Tested against HP Release Control 9.20.0000, Build 395 installed with demo data. The first vulnerability allows an unprivileged authenticated user to list the current users, their IDs, and even their password hashes. Can't login with hashes, but the ID is useful in the second vulnerability. When a user changes their password, they post the ID of the user who is going to have their password changed. Just replace it with the admin ID and you change the admin password. You are now admin. The third vulnerability is an XXE in the dashboard XML import mechanism. This is what allows you to read the file from the file system. This Metasploit module is super ghetto half because it was an AMF application, half because I worked on it longer than I wanted to.
32678ccb2a4454a4f3176a572bfd08436712de26dce1cdfb8b2986d281d3c14emetafang2 interfaces with a Metasploit RPC instance to generate .NET executables that run x86/x64 shell code in a platform-agnostic way. One binary to rule them all. Also provides an encryption mechanism that will bruteforce the payload's key at run time.
20c10c631c9a70070002d5cea6ff36b38cb38808dc41c913cab9d88308c1ebbbF5 iControl systems suffer from a remote command execution vulnerability.
3bb67baccdc0e397583692f37c40518c602a130776335c7f7b2de6042944cd0dF5 BIG-IQ version 4.1.0.2013.0 is vulnerable to a privilege escalation attack which allows an attacker to change the root users password. This Metasploit module does just this, then SSH's in.
e88c2fdbf6780b151994d9da095dd2c28aa8321d1b27ae806082f64775e233a7WebTitan version 4.01 suffers from remote command execution and directory traversal vulnerabilities.
31bb563ba45d9f1705203ffe533103b28d9455039d7f5594f6e0b5ff6584664bThis Metasploit module exploits a remote command execution vulnerability in Unitrends Enterprise Backup version 7.3.0.
990dbbca3608cabc6a86f28a9fb4e995a70d4fd9ca01cb2876fd6e886b835ca0Xerox DocuShare suffers from a remote SQL injection vulnerability.
359f347609e558ed6a4327b3bbf7312d0184b8b8950c198fc1929251921926e2This Metasploit module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the module updates the password to login as the admin to reach the second vulnerability. No server-side sanitization is done on values passed when configuring a static network interface. This allows an administrator user to run arbitrary commands in the context of the web application, which is root when configuring the network interface. This Metasploit module will inadvertently delete any other users that may have been present as a side effect of changing the admin's password.
dec69c75e7fc0e768a05e89693c7430eec2119658aa589cd230964ae4332340fEMC Cloud Tiering appliance version 10.0 suffers from an unauthenticated XXE injection vulnerability. Metasploit module proof of concept is included.
8191ae1d7b8520f1907f9a4102488831c9cce91d284f870d73ce4c7105f6ce7cAlienVault version 4.5.0 suffers from an authenticated remote SQL injection vulnerability. Metasploit module proof of concept is included.
40ee4d126c36742998c3f763beb792fa2eaff2e289df522b3fa9296d803a35a6When authenticated as an administrator on LifeSize UVC 1.2.6, an attacker can abuse the ping diagnostic functionality to achieve remote command execution as the www-data user (or equivalent).
efca4edbd5362527ab761c155c785c794bfe447ad8520c997f75d88b0393b019McAfee Cloud SSO is vulnerable to cross site scripting. McAfee Asset Manager version 6.6 is susceptible to a traversal that allows for arbitrary file read and remote SQL injection.
235fa0a455346bf78fc185e183a6d715c8696783a2e2e500e8bac0e9db5f3156MantisBT versions 1.2.16 and below Metasploit module that leverages a remote SQL injection vulnerability to perform an arbitrary file read. Administrative credentials required.
aa47d71bf88217768761036b4fe39e67d36b8a53ac37514259ca02cca0186d98MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation.
853d2b2d7b1ab2575d40f73544cf31c3010f47bbfc35b70e1a2faa0dfdf9204dMcAfee Email Gateway version 7.6 suffers from remote command execution and remote SQL injection vulnerabilities.
7172a81dff8369131711642e7e104a07c0f78271d32b91deced3c5b456750eb2vTiger CRM allows an authenticated user to upload files to embed within documents. Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP script and execute arbitrary PHP code remotely. This Metasploit module was tested against vTiger CRM v5.4.0 and v5.3.0.
bbcd3689cbd9914d5739cb0af4a9dcca7c841307f2ee05af37a9fcc839aed4a2NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have the code executed remotely. This Metasploit module was successfully tested against NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
fbb827ba13b127c83e13d52ae23cb93628f4e71810cd8f99c67c4c5a187bb5f0
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed