This Metasploit module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 2020.3.915).
2f6a8f760339d2c83d483651740d009b85c87d1a8e03ca388c1ef83409e65051Red Hat Security Advisory 2020-3699-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core SDK 3.1.108 and .NET Core Runtime 3.1.8. Security Fixes: .NET Core: ASP.NET cookie prefix spoofing vulnerability. Issues addressed include a spoofing vulnerability.
7eeb6e7fa92674b30184bea1625342bc83c0ce98fc29e396e3ea53dc07658cc2Red Hat Security Advisory 2020-3422-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core SDK 3.1.107 and .NET Core Runtime 3.1.7. Security Fixes: .NET Core: ASP.NET Core Resource Consumption Denial of Service. Issues addressed include a denial of service vulnerability.
63ff17b1af981e5982dd10ff67547e6ebfc5151221f3bd6a33f8e48ae1b0ba3eThis Metasploit module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded machineKey parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup. Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account". Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
4124c84ac15efa5a91216b271b351c4f85f28724a0347ca062414a3d04b8a3b5The Telerik UI for ASP.NET AJAX insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software's underlying host.
4aab62684a4cdf73f2ac375b58ade0ea344753c8d22b1fdf5f8a4e944c3eee54The ZyXEL P-660HN-T1 V2 rpWLANRedirect.asp page is missing authentication and discloses an administrator password.
cd8bb7af8822a1c75ff1134d8c9adce8d94144c9aa905f9b2571d26b3cd740eeLW-N605R devices allow remote code execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.
405a54b7328103d274033ba1718a79ec36e34a387798e6c349e7e6c74465d240ASP.NET jVideo Kit version 1.0 suffers from a remote SQL injection vulnerability.
eb792f18f1f53dbfb6b5c50d9878dc053d894293efeeb4b0f55522c1f6d55849ASP.NET Core version 5.-RC1 suffers from an HTTP header injection vulnerability.
1d6c349a4c1cbeebdb441bb9d71d28155836dfc3262d25c0f5027232b302026bASP Gateway 1.0.0 suffers from a database disclosure vulnerability.
7117d0ed47e50d0cd2ca5bc4a1b4c5a29c59a1035262d55ef463a436105f5798CodeWarrior is a manual code and static analysis tool. It has many modules, one for each common language like PHP, ASP, Ruby, C/C++, Java and Javascript. Each module has rules in raw text with parameters like description, type, reference, relevance and match (regex to detect pattern). You can also create your own rules.
82753c89cb961457842b407e2a28042ca4dfbd896b15eb1555371fa0f3628dceAfterLogic WebMail Pro ASP.NET versions prior to 6.2.7 suffer from an administrator account takeover via an XXE injection vulnerability.
285a356df0342917c10949047f0e7a8de20316652b88f7502badf4e23df2d5c3ASP webshell backdoor designed specifically for IIS 8.
a44d9c6790e87fa2491d5b551491b6c414d55452959ef3a48cf31d639af39609ASP Forums version 2.1 suffers from a database disclosure vulnerability.
2a82cea0a7e0fc3cdf08bd773189c08f0aff6348e891a9283f84cac52de4e6d2ASP Dynamika version 2.5 suffers from a cross site scripting vulnerability.
03ca5035c8a555789ffc39c66287fa1aa9631adb55c10abcd347b9d848a316c2ASP Dynamika version 2.5 suffers from arbitrary file upload and remote SQL injection vulnerabilities.
2e960dfa2b379ae040834e8b3cb8d71edacd24f9b079f13a5a901b91e0617293This Metasploit module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory leading to arbitrary code execution with IUSR privileges. This Metasploit module has been tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
a3160e35b949105dc779c6f1769beb11f955240e314addc241694dc44304af7dThis Metasploit module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It! v8 to v11.X. The application exposes the FileStorageService .NET remoting service on port 9010 (9004 for version 8) which accepts unauthenticated uploads. This can be abused by a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary code execution as NETWORK SERVICE or SYSTEM. This Metasploit module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143, 9.0.30.248 and 8.0.2.51.
95061f597110575d12518dbaad93354d7acf1c2eabf6a59fdfcc9c6bc66fdd45Telerik ASP.NET AJAX RadEditor Control versions 2014.1.403.35 and 2009.3.1208.20 suffer from a persistent cross site scripting vulnerability.
c00ca1a36468d8069de3d09b942cd140f1aa6d4e521b6cead6b21e7289d8edeaThis is a whitepaper that goes into detail on hacking ASP/ASPX websites manually.
e01e929f0159f35636b57ccb14d23133cee0871e331625923ed2e065e0033b49This Metasploit module exploits an injection vulnerability in Cogent DataHub prior to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which makes insecure use of the datahub_command function with user controlled data, allowing execution of arbitrary datahub commands and scripts. This Metasploit module has been tested successfully with Cogent DataHub 7.3.4 on Windows 7 SP1.
ea90ec1ce02362764c088f9a23d4e3e49eb058ef8047c0f1c9b916a1d71d04e3DevExpress ASP.NET File Manager versions 10.2 through 13.2.8 suffer from a directory traversal vulnerability.
394a34f5bb9c0db271438b8c89cbdc148df7951f648d6063157e850611f77962ASP-Nuke version 2.0.7 suffers from an open redirect vulnerability.
902da011bf746423d5b241e17da52bd86559dbc0d84acce478a7761e2d717453This Metasploit module exploits an arbitrary file upload vulnerability found in Kaseya versions below 6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous authentication, leading to arbitrary code execution with IUSR privileges.
3e11070aa3e56e32d0904d26cac7cacb888f2199f24e9d97a3ad562caf0a7096FCKEditor version 2.6.8 ASP version suffers from a file upload protection bypass.
139ccad597b02f049b3b2b0129bd2dd23c86df34ebff98c04ada72b76409a1d8
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed