exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed


Apache 2.4.x Buffer Overflow
Posted Apr 3, 2023
Authored by Sunil Iyengar

Apache versions 2.4.x before 2.4.51 suffer from a buffer overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2021-44790
SHA-256 | 6a6c99d5716acf1681cb083650a22a4be9cc12142ce87b080fb71192a5a3b67e

Related Files

Apache OFBiz Forgot Password Directory Traversal
Posted Jun 18, 2024
Authored by jheysel-r7, Mr-xn | Site metasploit.com

Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in turn allows for remote code execution in the context of the user running the application.

tags | exploit, remote, code execution
advisories | CVE-2024-32113
SHA-256 | 95a799d52023de4e870b8e6e3293276e9dc9c6116e4ec377371d107ab468f276
Apache Solr Backup/Restore API Remote Code Execution
Posted Apr 24, 2024
Authored by jheysel-r7, l3yx | Site metasploit.com

Apache Solr versions 6.0.0 through 8.11.2 and versions 9.0.0 up to 9.4.1 are affected by an unrestricted file upload vulnerability which can result in remote code execution in the context of the user running Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load some classes from it. The backup function of the Collection can export malicious class files uploaded by attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.

tags | exploit, java, remote, arbitrary, code execution, file upload
advisories | CVE-2023-50386
SHA-256 | 982c87ed2032bff9e2a889f42db78ed065aa2707c068813f76b1c3875193d49d
Apache Commons Text 1.9 Remote Code Execution
Posted Jan 19, 2024
Authored by Alvaro Munoz, Karthik UJ, Gaurav Jain | Site metasploit.com

This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.

tags | exploit, remote, arbitrary, vulnerability, code execution
advisories | CVE-2022-42889
SHA-256 | 3303e5c941051cbc6b4f8ddaa2c9912a8740038a8cc31a244e760936ff9694d8
Apache ActiveMQ Unauthenticated Remote Code Execution
Posted Nov 14, 2023
Authored by sfewer-r7, X1r0z | Site metasploit.com

This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.

tags | exploit
advisories | CVE-2023-46604
SHA-256 | d62b07b49999cf639cee2c97c21a92b797b2c59f3353f6f4b3a0a040950ac02e
Apache Superset 2.0.0 Remote Code Execution
Posted Oct 13, 2023
Authored by h00die, Spencer McIntyre, Naveen Sunkavally, paradoxis | Site metasploit.com

Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be set for that dashboard within Superset's database which will trigger the remote code execution. An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.

tags | exploit, remote, web, code execution, python
advisories | CVE-2023-27524, CVE-2023-37941, CVE-2023-39265
SHA-256 | 0cf3211c0a88b94f22c56bd68535a69b15419a4e9c97ce50b1d180e75e44b6be
Apache Airflow 1.10.10 Remote Code Execution
Posted Sep 19, 2023
Authored by Pepe Berba, Ismail E. Dawoodjee, xuxiang | Site metasploit.com

This Metasploit module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow version 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "example_trigger_target_dag", which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API to perform malicious actions such as creating the vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation and command injection, leading to unauthenticated remote code execution.

tags | exploit, remote, arbitrary, vulnerability, code execution
advisories | CVE-2020-11978, CVE-2020-13927
SHA-256 | bb3e8db54407d69676a1eba8103ab6fd9b1a3d72a85765a5ca4067e046a3ef88
Apache NiFi H2 Connection String Remote Code Execution
Posted Aug 30, 2023
Authored by h00die, Matei Mal Badanoiu | Site metasploit.com

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells (5-7). Successfully tested against Apache nifi 1.17.0 through 1.21.0.

tags | exploit, shell, code execution
advisories | CVE-2023-34468
SHA-256 | 0160a2622a4649020abd8fb0d476ca59d2c4968c668499c8167e44d6c9276020
Apache RocketMQ 5.1.0 Arbitrary Code Injection
Posted Jul 7, 2023
Authored by h00die, jheysel-r7, Malayke | Site metasploit.com

RocketMQ versions 5.1.0 and below are vulnerable to arbitrary code injection. Broker component of RocketMQ is leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

tags | exploit, arbitrary, protocol
advisories | CVE-2023-33246
SHA-256 | b33a501b649fb4900d4cb03d01bea674dda00bc78e807afce60061fd47ecfcea
Apache Druid JNDI Injection Remote Code Execution
Posted Jun 27, 2023
Authored by RedWay Security, Jari Jaaskela | Site metasploit.com

This Metasploit module is designed to exploit the JNDI injection vulnerability in Druid. The vulnerability specifically affects the indexer/v1/sampler interface of Druid, enabling an attacker to execute arbitrary commands on the targeted server. The vulnerability is found in Apache Kafka clients versions ranging from 2.3.0 to 3.3.2. If an attacker can manipulate the sasl.jaas.config property of any of the connector's Kafka clients to com.sun.security.auth.module.JndiLoginModule, it allows the server to establish a connection with the attacker's LDAP server and deserialize the LDAP response. This provides the attacker with the capability to execute java deserialization gadget chains on the Kafka connect server, potentially leading to unrestricted deserialization of untrusted data or even remote code execution (RCE) if there are relevant gadgets in the classpath. To facilitate the exploitation process, this module will initiate an LDAP server that the target server needs to connect to in order to carry out the attack.

tags | exploit, java, remote, arbitrary, code execution
advisories | CVE-2023-25194
SHA-256 | f66b350948de8d0c6e468d03fb8436dd9af78149309b8e72facbdb3d5300a0ea
Apache CouchDB Erlang Remote Code Execution
Posted Nov 2, 2022
Authored by 1F98D, jheysel-r7, Konstantin Burov, _sadshade, Milton Valencia | Site metasploit.com

In Apache CouchDB versions prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.

tags | exploit
advisories | CVE-2022-24706
SHA-256 | adaa831a27cc8a7dbc13e63bb293d887542dcd7e9b4a0d6eb85acf4fc9076b08
Apache Spark Unauthenticated Command Injection
Posted Sep 8, 2022
Authored by Kostya Kortchinsky, h00die-gr3y | Site metasploit.com

This Metasploit module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs parameter by using a raw Linux command. It is triggered by a non-default setting called spark.acls.enable. This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack. Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.

tags | exploit, remote, code execution
systems | linux
advisories | CVE-2022-33891
SHA-256 | 2872827635148239363023f1f407242ab1de4a64b6832222c392d7a683334b7b
Apache APISIX Remote Code Execution
Posted Mar 7, 2022
Authored by Heyder Andrade, YuanSheng Wang | Site metasploit.com

Apache APISIX has a default, built-in API token that can be used to obtain full access of the admin API. Access to this API allows for remote LUA code execution through the script parameter added in the 2.x version. This module also leverages another vulnerability to bypass th e IP restriction plugin.

tags | exploit, remote, code execution
advisories | CVE-2020-13945, CVE-2022-24112
SHA-256 | 75f7fd4db82a985948b400b9686ffc05f654d453b228621992abd5bb2505add2
Apache 2.4.49 / 2.4.50 Traversal / Remote Code Execution
Posted Oct 25, 2021
Authored by Dhiraj Mishra, Ramella Sebastien, Ash Daulton | Site metasploit.com

This Metasploit module exploits an unauthenticated remote code execution vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by ‘require all denied’ and CGI has been explicitly enabled, it can be used to execute arbitrary commands. This vulnerability has been reintroduced in the Apache 2.4.50 fix (CVE-2021-42013).

tags | exploit, remote, arbitrary, cgi, root, code execution
advisories | CVE-2021-41773, CVE-2021-42013
SHA-256 | a75779abdd3a9f2a319a34c0efbba4f95b420f39624081c3a13752641b7c8d6d
Apache Druid 0.20.0 Remote Command Execution
Posted Apr 27, 2021
Authored by Litch1, je5442804, Alibaba Cloud Security Team | Site metasploit.com

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to 0.20.1, an authenticated user can send a specially-crafted request that both enables the JavaScript code-execution feature and executes the supplied code all at once, allowing for code execution on the server with the privileges of the Druid Server process. More critically, authentication is not enabled in Apache Druid by default.

tags | exploit, javascript, code execution
advisories | CVE-2021-25646
SHA-256 | b298c899e38be69b54163c4da54bb4be979f3abb34cca3c04ac527f6a5c92905
Apache OFBiz SOAP Java Deserialization
Posted Apr 6, 2021
Authored by Spencer McIntyre, wvu, yumusb | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated SOAP endpoint /webtools/control/SOAPService for versions prior to 17.12.06.

tags | exploit, java
advisories | CVE-2021-26295
SHA-256 | 1a3d79d4b32857119cfd6ad9c273dd5c7dfc3e857b95b83ad391b6001cc0de14
Apache Ghostcat Exploitation
Posted Mar 22, 2021
Authored by Team SafeSecurity

This whitepaper focuses on explaining the Apache Ghostcat vulnerability and how it can be used to read file contents of all web applications deployed on Tomcat.

tags | paper, web
advisories | CVE-2020-1938
SHA-256 | dc2b8740104317c36ad79dcb929d334c237272637cf804d3dfc086cec7bb44d1
Apache OFBiz XML-RPC Java Deserialization
Posted Mar 12, 2021
Authored by Alvaro Munoz, wvu | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.04.

tags | exploit, java
advisories | CVE-2020-9496
SHA-256 | 92c0cbc161c309a9ee69f4716d1ce3b791ab490da8ad91b396463bbefc0310d2
Apache Flink JAR Upload Java Code Execution
Posted Feb 23, 2021
Authored by Brendan Coles, bigger.wing, Henry Chen | Site metasploit.com

This Metasploit module uses job functionality in the Apache Flink dashboard web interface to upload and execute a JAR file, leading to remote execution of arbitrary Java code as the web server user. This module has been tested successfully on Apache Flink versions: 1.9.3 on Ubuntu 18.04.4; 1.11.2 on Ubuntu 18.04.4; 1.9.3 on Windows 10; and 1.11.2 on Windows 10.

tags | exploit, java, remote, web, arbitrary
systems | linux, windows, ubuntu
SHA-256 | c4af5d4222df2b897758547790bace5a4fc29668737046e86bcb9bdee4ee6038
Apache NiFi API Remote Code Execution
Posted Nov 28, 2020
Authored by Graeme Robinson | Site metasploit.com

This Metasploit module uses the NiFi API to create an ExecuteProcess processor that will execute OS commands. The API must be unsecured (or credentials provided) and the ExecuteProcess processor must be available. An ExecuteProcessor processor is created then is configured with the payload and started. The processor is then stopped and deleted.

tags | exploit
SHA-256 | b437b66f2c8618f8c04df9a7df92d09d11a6da720c7f0e0b83b4d0ced50bc1b8
Apache OFBiz XML-RPC Java Deserialization
Posted Aug 17, 2020
Authored by Alvaro Munoz, wvu | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for versions prior to 17.12.04.

tags | exploit, java
advisories | CVE-2020-9496
SHA-256 | 60488cf10d0bb2c687a49e401984865b951905374c0cf0ff883035fc4a5200b0
Apache ActiveMQ 5.11.1 Directory Traversal / Shell Upload
Posted Mar 5, 2020
Authored by David Jorm, Erik Wynter | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ versions 5.x before 5.11.2 for Windows. The module tries to upload a JSP payload to the /admin directory via the traversal path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials provided by the user). It then issues an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the payload and obtain a shell.

tags | exploit, web, shell
systems | windows
advisories | CVE-2015-1830
SHA-256 | 962139239272b0ab745f8a302505e5c8a4403aa9a95316d97e92c5946f3bd92f
Apache James Server 2.3.2 Insecure User Creation / Arbitrary File Write
Posted Feb 20, 2020
Authored by Matthew Aberegg, Michael Burkey, Palaczynski Jakub | Site metasploit.com

This Metasploit module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.

tags | exploit, code execution, bash
systems | linux, ubuntu
advisories | CVE-2015-7611
SHA-256 | 38aec6cad30d28bc144df66f4ad6d698b59a52c8a529a3cc66391e571ee852c6
Apache Tika 1.17 Header Command Injection
Posted Aug 2, 2019
Authored by h00die, David Yesland, Tim Allison | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Apache Tika versions 1.15 through 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic byte checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 through 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only versions greater than 1.14 were exploitable due to jp2 support being added.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-1335
SHA-256 | 1d10dcd077954ec22984a947fb2e56ca4e13c135682dadd44362021acac47063
Apache Camel Exploitation
Posted Jul 4, 2019
Authored by Nick Aliferopoulos

Whitepaper called Apache Camel Exploitation. It discusses how unvalidated input in Apache Camel endpoints can result in information exposure.

tags | paper
SHA-256 | 7ed20d8d1893d6d7876e248a8838efd2c8bd000ecac1c0bbcd721d515d9128bd
CARPE (DIEM) Apache 2.4.x Local Privilege Escalation
Posted Apr 8, 2019
Authored by Charles FOL | Site cfreal.github.io

Apache versions 2.4.17 up to 2.4.38 apache2ctl graceful logrotate local privilege escalation exploit.

tags | exploit, local
advisories | CVE-2019-0211
SHA-256 | 3319265a25f9489c7617752a0f4a299d38530c30caf7932b9bb2b32075e9f1b7
Page 1 of 4

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By