Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access protected files in the WEB-INF folder. Versions effected are: 9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5. Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely to have information of value.
8dfcee78eebf17abc7fd9c39192937639d93c646932d8c726dffcbafbedbf39b
MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password field (mms.saml.ssl.PEMKeyFilePassword) within app settings. Archives do not include the PEM files themselves. This Metasploit module extracts that unredacted password and stores the diagnostic archive for additional manual review. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12. API credentials with the role of GLOBAL_MONITORING_ADMIN or GLOBAL_OWNER are required. Successfully tested against MongoDB Ops Manager v6.0.11.
45ba51538092c0786c6bd4937a07e6072266e95af860b5e64b878f5a7813787a
This Metasploit module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials. Although authentication is required, any level of user permission can exploit this vulnerability. Note that 8.2 is not suitable for this.
3443ef0bbc137d2d4553bf62cf7c34597cef839151197a57af51313d2174333e
An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Ranchers service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like Clusters, for example cluster.management.cattle.io. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of those sensitive data.
aa21f2eed1c6bd78e0f86cdb240955cb11c3d968ea60860ae6abc633af2fc72b
This Metasploit module exploits a SQL injection vulnerability in BillQUick Web Suite prior to version 22.0.9.1. The application is .net based, and the database is required to be MSSQL. Luckily the website gives error based SQLi messages, so it is trivial to pull data from the database. However the webapp uses an unknown password security algorithm. This vulnerability does not seem to support stacked queries. This Metasploit module pulls the database name, banner, user, hostname, and the SecurityTable (user table).
d8cefad10acdca162e64259d0c38c3ba88805f7a520f39ce7f23d5c73f4b4074
GitLab version 16.0 contains a directory traversal for arbitrary file read as the gitlab-www user. This Metasploit module requires authentication for exploitation. In order to use this module, a user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlation between the traversal depth, and the depth of groups the vulnerable project is in. The minimum for this seems to be 5, but up to 11 have also been observed. An example of this, is if the directory traversal needs a depth of 11, a group and 10 nested child groups, each a sub of the previous, will be created (adding up to 11). Visually this looks like: Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10. If the depth was 5, a group and 4 nested child groups would be created. With all these requirements satisfied a dummy file is uploaded, and the full traversal is then executed. Cleanup is performed by deleting the first group which cascades to deleting all other objects created.
69b07b1cbc660e9b657d46058136f20875b62aea95d13f5799d7b0fd27caa958
Apache Superset versions less than or equal to 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user and retrieve database credentials saved in Apache Superset.
d2f3f49f545f08316164ead81d35121c2e2d9bcf18db08e5892b4b09ada13936
The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability within the download functionality. As of April 15, 2024 this was still unpatched, so all versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
1a47a9f079fd98ddb8e82daba4cc80d59e8ba4c54e1587cfbd504193442e68fb
This Metasploit module extracts usernames and password hashes from the Cerberus Helpdesk through an unauthenticated access to a workers file. Verified on Version 4.2.3 Stable (Build 925) and 5.4.4.
4b0b190e224da3f10ae6c1e26c651553c801115a0efd5b142981876936e97d88
C2S DVR allows an unauthenticated user to disclose the username and password by requesting the javascript page read.cgi?page=2. This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
f14eb376c1dcefd1b99e4b5370da22899ba91385ab2b1509b470c463d912db0f
Splunk 6.2.3 through 7.0.1 allows information disclosure by appending /__raw/services/server/info/server-info?output_mode=json to a query. Versions 6.6.0 through 7.0.1 require authentication.
07708dd7f74b24739aca258afc9f5d706912acb38f18c511a0b86e93637db740
This Metasploit module utilizes the Jenkins cli protocol to run the help command. The cli is accessible with read-only permissions by default, which are all thats required. Jenkins cli utilizes args4js parseArgument, which calls expandAtFiles to replace any @<filename> with the contents of a file. We are then able to retrieve the error message to read up to the first two lines of a file. Exploitation by hand can be done with the cli, see markdown documents for additional instructions. There are a few exploitation oddities: 1. The injection point for the help command requires 2 input arguments. When the expandAtFiles is called, each line of the FILE_PATH becomes an input argument. If a file only contains one line, it will throw an error: ERROR: You must authenticate to access this Jenkins. However, we can pad out the content by supplying a first argument. 2. There is a strange timing requirement where the download (or first) request must get to the server first, but the upload (or second) request must be very close behind it. From testing against the docker image, it was found values between .01 and 1.9 were viable. Due to the round trip time of the first request and response happening before request 2 would be received, it is necessary to use threading to ensure the requests happen within rapid succession. Files of value: * /var/jenkins_home/secret.key * /var/jenkins_home/secrets/master.key * /var/jenkins_home/secrets/initialAdminPassword * /etc/passwd * /etc/shadow * Project secrets and credentials * Source code, build artifacts.
8799f2e8f0af3fd5eaa3690edb0e303a727a1d5ed7c421cade67b080436d71e9
SIEMENS IP-Camera (CVMS2025-IR + CCMS2025), JVC IP-Camera (VN-T216VPRU), and Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) allow an unauthenticated user to disclose the username and password by requesting the javascript page readfile.cgi?query=ADMINID. Siemens firmwares affected: x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235.
75f290c73dd9cc43a56aaf952cb417b04741e27f28826be5a9ebfc52ebd9c6c9
Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app graph installed contain a test file which prints phpinfo() to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter. Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.
c842a41fbb657cad7419181e3093fbff8fdbb245a42bb73c77e84f9cbda710ff
The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial of Service (DoS) condition via a crafted HTTP request. The printer will be unresponsive from HTTP and printing requests for ~300 seconds. After which, the printer will start responding again.
6abe9352b9d34ef6573032676ef3ee7e89c293b7374e09ebf3b03793ae527283
VSCode when opening a Jupyter notebook (.ipynb) file bypasses the trust model. On versions v1.4.0 through v1.71.1, its possible for the Jupyter notebook to embed HTML and javascript, which can then open new terminal windows within VSCode. Each of these new windows can then execute arbitrary code at startup. During testing, the first open of the Jupyter notebook resulted in pop-ups displaying errors of unable to find the payload exe file. The second attempt at opening the Jupyter notebook would result in successful execution. Successfully tested against VSCode 1.70.2 on Windows 10.
dfacdfad1b8092f162656aa7bc4778fc74536b788b7075dfea96dafa5efb29f3
NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is vulnerable to a stored cross site scripting issue. An unauthenticated user can simulate an agent registration to cause the cross site scripting attack and take over a users session. With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts (agents), and kill the original agent. Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on Ubuntu 22.04. The agent was running on Windows 10 19045.
e5fdc1eb511aee9e0ced55911325ab4ed7c9efe59d20347fc192d3a17a7fa844
CHAOS version 5.0.8 is a free and open-source Remote Administration Tool that allows generated binaries to control remote operating systems. The web application contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The web application also contains a cross site scripting vulnerability within the view of a returned command being executed on an agent.
f57ebc1eae72783c36ac9e3df7805d9879e3d1ced0b8232ea872b32518252dce
GitKraken GitLens versions prior to 14.0.0 allow an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code. Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10.
b8273beeca3962657f6a9b1d3bfeafcc468090839b20a36ae8bb674024aa42ce
This Metasploit module creates a vsix file which can be installed in Visual Studio Code as an extension. At activation/install, the extension will execute a shell or two. Tested against VSCode 1.87.2 on Ubuntu 22.04.
e6880eb05602e6f92b535b42014f6031b0323eada13388a7f9aab0f3804a2789
runc versions 1.1.11 and below, as used by containerization technologies such as Docker engine and Kubernetes, are vulnerable to an arbitrary file write vulnerability. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc (typically root). Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.
c42842f57bc20a342f98ba3468fd922f4034a579676faa1da23d0d71f03b5e91
This Metasploit exploit module uses saltstack salt to deploy a payload and run it on all targets which have been selected (default all). Currently only works against nix targets.
089952eb6cbf532bc25c3176998f1732aa55627e24f74d1317773bc48528a206
This exploit module creates an ansible module for deployment to nodes in the network. It creates a new yaml playbook which copies our payload, chmods it, then runs it on all targets which have been selected (default all).
a5fbba3600698942b6e9fdfb81bf552aec7d2529c1415dbf0234d6081449a4c1
This Metasploit module exploits a remote code execution vulnerability in Splunk Enterprise. The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requires valid credentials, typically admin:changeme by default. The exploit involves uploading a malicious XSLT file to the target system. This file, when processed by the vulnerable Splunk server, leads to the execution of arbitrary code. The module then utilizes the runshellscript capability in Splunk to execute the payload, which can be tailored to establish a reverse shell. This provides the attacker with remote control over the compromised Splunk instance. The module is designed to work seamlessly, ensuring successful exploitation under the right conditions.
ea31fbcf387f710ebb5a4b9243ec8009edb093af5bce5d17f8b759e679c83bdf
This Metasploit exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
f89ca645e9a7ab68a61d054b319e54c6af9a4e97faf0cab7987d8a5f919f6c11