This Metasploit module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 2020.3.915).
1681e42767479128abf9e29c90cc76efRed Hat Security Advisory 2020-3699-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core SDK 3.1.108 and .NET Core Runtime 3.1.8. Security Fixes: .NET Core: ASP.NET cookie prefix spoofing vulnerability. Issues addressed include a spoofing vulnerability.
3fa3742d20b581bf1ce4a1edfffb538cRed Hat Security Advisory 2020-3422-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core SDK 3.1.107 and .NET Core Runtime 3.1.7. Security Fixes: .NET Core: ASP.NET Core Resource Consumption Denial of Service. Issues addressed include a denial of service vulnerability.
bfc2f4036f8d918be1ab666309a7b00bThis Metasploit module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded machineKey parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup. Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account". Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
863f2f71f0ddb8aeb000570885bf0d3fThe Telerik UI for ASP.NET AJAX insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software's underlying host.
725661dfbd6f55841367cc547d0ba030The ZyXEL P-660HN-T1 V2 rpWLANRedirect.asp page is missing authentication and discloses an administrator password.
cf5fae94f3ebd7bddbf170217d338656LW-N605R devices allow remote code execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.
381dfb828206901640b7a36fed462414ASP.NET jVideo Kit version 1.0 suffers from a remote SQL injection vulnerability.
446e636ca5035f35b4ff0efa533d29fcASP.NET Core version 5.-RC1 suffers from an HTTP header injection vulnerability.
28fbb855c6805f6d739cc89ce38fed04ASP Gateway 1.0.0 suffers from a database disclosure vulnerability.
77c6b85e907011a63bde9b54324dac6eCodeWarrior is a manual code and static analysis tool. It has many modules, one for each common language like PHP, ASP, Ruby, C/C++, Java and Javascript. Each module has rules in raw text with parameters like description, type, reference, relevance and match (regex to detect pattern). You can also create your own rules.
125797229a978f1c58e1d352c00eb34eAfterLogic WebMail Pro ASP.NET versions prior to 6.2.7 suffer from an administrator account takeover via an XXE injection vulnerability.
41cc07503156fc99994ba41aa68c9031ASP webshell backdoor designed specifically for IIS 8.
5b19b3cbecf0cf539f8e5a3954f4af53ASP Forums version 2.1 suffers from a database disclosure vulnerability.
9bda0cee7848574a11e6fc4425560437ASP Dynamika version 2.5 suffers from a cross site scripting vulnerability.
c9b04b24328d128f04a3a0978d658dc4ASP Dynamika version 2.5 suffers from arbitrary file upload and remote SQL injection vulnerabilities.
76dfcd46a38b6fa6cef2b01bf008adffThis Metasploit module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory leading to arbitrary code execution with IUSR privileges. This Metasploit module has been tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
1ed310adae7ef7d86de486f92950fe9dThis Metasploit module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It! v8 to v11.X. The application exposes the FileStorageService .NET remoting service on port 9010 (9004 for version 8) which accepts unauthenticated uploads. This can be abused by a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary code execution as NETWORK SERVICE or SYSTEM. This Metasploit module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143, 9.0.30.248 and 8.0.2.51.
406dc97f0e83abf8ccd024baffb6b4d8Telerik ASP.NET AJAX RadEditor Control versions 2014.1.403.35 and 2009.3.1208.20 suffer from a persistent cross site scripting vulnerability.
beb89cba885a1201044ca7c377436e7fThis is a whitepaper that goes into detail on hacking ASP/ASPX websites manually.
d56d34728763832f62fc8b57670829beThis Metasploit module exploits an injection vulnerability in Cogent DataHub prior to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which makes insecure use of the datahub_command function with user controlled data, allowing execution of arbitrary datahub commands and scripts. This Metasploit module has been tested successfully with Cogent DataHub 7.3.4 on Windows 7 SP1.
d10aca0d44b8abb4b65c009880426183DevExpress ASP.NET File Manager versions 10.2 through 13.2.8 suffer from a directory traversal vulnerability.
e93318bb004858c2424fa43a693ab368ASP-Nuke version 2.0.7 suffers from an open redirect vulnerability.
320246de1354caff29a2016cda4dd56dThis Metasploit module exploits an arbitrary file upload vulnerability found in Kaseya versions below 6.3.0.2. A malicious user can upload an ASP file to an arbitrary directory without previous authentication, leading to arbitrary code execution with IUSR privileges.
593b4d4095655301ec4bee6ac4bd2eb9FCKEditor version 2.6.8 ASP version suffers from a file upload protection bypass.
220d912d0f1646c9e97383f3e3f657e3
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed