This Metasploit module checks for known vulnerabilities in the CGI applications of Supermicro Onboard IPMI controllers. These issues currently include several unauthenticated buffer overflows in the login.cgi and close_window.cgi components.
25146ab0a527b2c20a4d174368a8756c57f0f973644733c599eb8239270f30b0This Metasploit module exploits a authenticated directory traversal vulnerability in Zen Load Balancer v3.10.1. The flaw exists in index.cgi not properly handling filelog= parameter which allows a malicious actor to load arbitrary file path.
011af6df07f2ee11564536666bb82966d29715170c3c7d030a6d4aaa8987376bThis Metasploit module exploits a directory traversal vulnerability found in dnaLIMS. Due to the way the viewAppletFsa.cgi script handles the secID parameter, it is possible to read a file outside the www directory.
51e9c7257950972cb9c2f3eadb03402eb6967e9df8461564e00e53de1edcfebaThis Metasploit module scans for an unauthenticated RCE vulnerability which exists in Apache version 2.4.49 (CVE-2021-41773). If files outside of the document root are not protected by ‘require all denied’ and CGI has been explicitly enabled, it can be used to execute arbitrary commands (Remote Command Execution). This vulnerability has been reintroduced in Apache 2.4.50 fix (CVE-2021-42013).
8661970ef7fbc7bc8a93b978a820b094101fa41f1545520eb469ee134ef69aa9This Metasploit module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This Metasploit module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.
87c833264ee49ea156b8462740c64928a943a3c37c5f3d9c388659dfaa1d03a0This Metasploit module abuses a directory traversal vulnerability in the url_redirect.cgi application accessible through the web interface of Supermicro Onboard IPMI controllers. The vulnerability is present due to a lack of sanitization of the url_name parameter. This allows an attacker with a valid, but not necessarily administrator-level account, to access the contents of any file on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for all configured accounts. This Metasploit module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and /wsman/simple_auth.passwd.
2a895b9a6c562c00a389ca6061ee3c5d3935d00911eac01555699f44b7a15397This Metasploit module exploits a vulnerability in ZyXEL GS1510-16 routers to extract the admin password. Due to a lack of authentication on the webctrl.cgi script, unauthenticated attackers can recover the administrator password for these devices. The vulnerable device has reached end of life for support from the manufacturer, so it is unlikely this problem will be addressed.
f64ee1ebff3c90a08beadeb514409a3b5bbf36e3c99ab50125bfcad7485c04c5This Metasploit module abuses a directory traversal in Sophos Web Protection Appliance, specifically on the /cgi-bin/patience.cgi component. This Metasploit module has been tested successfully on the Sophos Web Virtual Appliance v3.7.0.
3d4fc09d9f6482421e030cede564961a2b390c83045857868d24748e125478ecThis Metasploit module exploits a heap buffer overflow in the genie.cgi?backup.cgi page of Netgear R7000 routers running firmware version 1.0.11.116. Successful exploitation results in unauthenticated attackers gaining code execution as the root user. The exploit utilizes these privileges to enable the telnet server which allows attackers to connect to the target and execute commands as the admin user from within a BusyBox shell. Users can connect to this telnet server by running the command "telnet *target IP*".
042eaa7026a5227a1b186fee630ffdae53cf707f495f6cf7879c9d6f44e1ac01This Metasploit module exploits a directory traversal in Webmin 1.580. The vulnerability exists in the edit_html.cgi component and allows an authenticated user with access to the File Manager Module to access arbitrary files with root privileges. The module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.
6c0a9a2b80ec4a4d227511510ff034d0be1d1387d4299cbb7189ca3bd983eb19C2S DVR allows an unauthenticated user to disclose the username and password by requesting the javascript page read.cgi?page=2. This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
f14eb376c1dcefd1b99e4b5370da22899ba91385ab2b1509b470c463d912db0fThis Metasploit module will collect the password for the admin user. The exploit will not complete if password recovery is set on the router. The password is received by passing the token generated from unauth.cgi to passwordrecovered.cgi. This exploit works on many different NETGEAR products. The full list of affected products is available in the References section.
aa53592f4c2de5f7742c7914a0b26fa42e6e62f00e84c3a8ce2e442d825edf56SIEMENS IP-Camera (CVMS2025-IR + CCMS2025), JVC IP-Camera (VN-T216VPRU), and Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) allow an unauthenticated user to disclose the username and password by requesting the javascript page readfile.cgi?query=ADMINID. Siemens firmwares affected: x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235.
75f290c73dd9cc43a56aaf952cb417b04741e27f28826be5a9ebfc52ebd9c6c9Akuvox Smart Intercom/Doorphone suffers from an unauthenticated live stream disclosure when requesting video.cgi endpoint on port 8080. Many versions are affected.
b9109fbd6b81561f43a64e422162fa5e99ed650e66b857057e94fc3b868986d0This Metasploit module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D) character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch), and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches. XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.
c2545000b9fdd9d40a19e238932d2917bdfb1a41c680df6e0ffb2128341c38efThere exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices. The vulnerable endpoint is the quick.cgi component, exposed by the device's web based administration feature. The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully initialized, the quick.cgi component is disabled on the system. An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command injection, allowing the attacker to execute arbitrary commands on the device.
512c538bc485b9095fb0fb14daba0e91a985496262d3017dc3aaf05f8005e9adNikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.
fb0dc4b2bc92cb31f8069f64ea4d47295bcd11067a7184da955743de7d97709dR Radio Network FM Transmitter version 1.07 suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access.
957fbcd8e2322bfb4df06832e6de97007a8bedfc7567ee79382899cdc5a7a54dElectrolink FM/DAB/TV Transmitter from a denial of service scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi gateway.
b9b0622841f3107d917cdcd1705a85c49fc9e8558ff56a20647b6b895f6e0b05An unauthenticated remote code execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If no Admin user is created, the endpoint /cgi-bin/fax_change_faxtrace_settings is accessible without authentication. The endpoint allows the user to configure a number of different fax settings. A number of the configurable parameters on the page fail to be sanitized properly before being used in a bash eval statement, allowing for an unauthenticated user to run arbitrary commands.
55b25ea44278a5136992f906756ff24cc7e2991ab7847a6388c6522fffc7a70aTinycontrol LAN Controller version 3 suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device.
9b6ba51344fefe8dd52543c161ab1ed42968403a056b495c0371ffad0323a48cThis Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183.
0ce2f1497429d5e02113422d33a5d38d119e0b68b4af0aa04d5b4189b6ef07f8Ubuntu Security Notice 6181-1 - Hiroshi Tokumaru discovered that Ruby did not properly handle certain user input for applications the generate HTTP responses using cgi gem. An attacker could possibly use this issue to maliciously modify the response a user would receive from a vulnerable application. This issue only affected Ubuntu 22.10. It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service.
f634308d9f8170226b080952b6f1730c28beb18e02e1b9af7f1902121a0a253cSecurePoint UTM versions 12.x suffers from a memory leak vulnerability via the spcgi.cgi endpoint.
15ddc40a5043fe4407a10fa673fb39fdb12a08b717f9167e70ad626fbe024350SecurePoint UTM versions 12.x suffers from a session identifier leak vulnerability via the spcgi.cgi endpoint.
1d4cd9e39a6938ba5bad5e9bd158f7895198cb30170e4a59be88883cdba0cd69
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed