This Metasploit module exploits a arbitrary file upload vulnerability within the Baldr stealer malware control panel. Attackers can turn this vulnerability into remote code execution by adding malicious PHP code inside the victim logs ZIP file and registering a new bot to the panel by uploading the ZIP file under the logs directory. On versions 3.0 and 3.1 victim logs are ciphered by a random 4 byte XOR key. This exploit module retrieves the IP specific XOR key from panel gate and registers a new victim to the panel with adding the selected payload inside the victim logs.
3aee05fb3bfa3e3eb0452ce7bbf7bdfbThis Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in th e Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).
f5291266eaebb8b290e3a0b7e6659455Impress CMS version 1.4.0 has an issue where an authenticated user can make use of the AutoTask feature to execute php code, allowing for remote SQL injection and remote code execution.
b5f8c806b5bde139ab34a7e35d46ad18PHP version 7.4 FFI disable_functions bypass proof of concept exploit.
837034ab8198c13f97935215b65ad576Red Hat Security Advisory 2020-2835-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include an underflow vulnerability.
7d3efa23b778cb571c090b3a2406b404This Metasploit module exploits multiple vulnerabilities in openSIS 7.4 and prior versions which could be abused by unauthenticated attackers to execute arbitrary PHP code with the permissions of the webserver. The exploit chain abuses an incorrect access control issue which allows access to scripts which should require the user to be authenticated, and a local file inclusion to reach a SQL injection vulnerability which results in execution of arbitrary PHP code due to an unsafe use of the eval() function.
07a638401a07dae3fe0cc15b5a196965Nagios XI version 5.6.12 remote code execution exploit that leverages export-rrd.php.
31691ce3c81c37946e036a7240a1b83fe-learning PHP Script version 0.1.0 suffers from a remote SQL injection vulnerability.
d3535b2b5828fb6373c1ce7b70ade504PHP-Fusion version 9.03.60 suffers from a PHP object injection vulnerability.
17b561a217b4cfbeba912004f8ef1c98This Metasploit module exploits a command injection vulnerability within the Agent Tesla control panel, in combination with an SQL injection vulnerability and a PHP object injection vulnerability, to gain remote code execution on affected hosts. Panel versions released prior to September 12, 2018 can be exploited by unauthenticated attackers to gain remote code execution as user running the web server. Agent Tesla panels released on or after this date can still be exploited however, provided that attackers have valid credentials for the Agent Tesla control panel. Note that this module presently only fully supports Windows hosts running Agent Tesla on the WAMP stack. Support for Linux may be added in a future update, but could not be confirmed during testing.
d4d981962d4baab56ec1e03af0dd4132College-Management-System-Php version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
fedd77cb039b3c893f4bfd8b2086e2caPHP-Fusion version 9.03.60 PHP object injection to SQL injection pre-authentication exploit.
cb7df3cd8016da3a40d81715186ff656This Metasploit module exploits a vulnerability in LinuxKI Toolset versions 6.01 and below which allows remote code execution. The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in the security vulnerability.
cd78cc0c010d3ea09c0e4662335d84a3This Metasploit module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.
8741d1320b67d5240a0da5c63f0f5065NeonLMS Learning Management System PHP Laravel Script version 4.6 suffers from a persistent cross site scripting vulnerability.
2e508022471e1a49271d4745b0b3e811NeonLMS Learning Management System PHP Laravel Script version 4.6 suffers from an arbitrary file download vulnerability.
e762859b96e7391cb7c4d0f1d5bc1371Sabberworm PHP CSS parser suffers from a code injection vulnerability. Many versions are affected.
3a39459dcc05923af09d4a4ccd02d788Ubuntu Security Notice 4375-1 - It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
ac90635f0db37791117aaebd12e9e72cKuicms PHP EE version 2.0 suffers from a persistent cross site scripting vulnerability.
1ce0e2a58f4c205e0f768a130497d76cPHP-Fusion version 9.03.50 has been found susceptible to additional methods of persistent cross site scripting. Initial findings in this version were discovered by SunCSR.
1ddd5d7ad012d226ccc8051352c24f77PHP-Fusion version 9.03.50 suffers from a remote SQL injection vulnerability.
0a1a9de287822195e0373a79ec7c6409This Metasploit module exploits a command execution in Pi-Hole versions 4.4 and below. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a privilege escalation. Phase 2 writes our payload to teleporter.php, overwriting the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges.
45a7854959d2d37b594d4f7a3b3c052eThis Metasploit module exploits a Python code injection in the Netsweeper WebAdmin component's unixlogin.php script, for versions 6.4.4 and prior, to execute code as the root user. Authentication is bypassed by sending a random whitelisted Referer header in each request. Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs. Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has been confirmed exploitable.
f3a7e388a69ddecf6195fe24bcc68477Ubuntu Security Notice 4330-2 - USN-4330-1 fixed vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 20.04 LTS. It was discovered that PHP incorrectly handled certain EXIF files. An attacker could possibly use this issue to access sensitive information or cause a crash. Various other issues were also addressed.
fa624b67647513f5623dee65a7767548This Metasploit module exploits an authenticated OS command injection vulnerability found in Trixbox CE versions 1.2.0 through 2.8.0.4 inclusive in the network POST parameter of the /maint/modules/endpointcfg/endpoint_devicemap.php page. Successful exploitation allows for arbitrary command execution on the underlying operating system as the asterisk user. Users can easily elevate their privileges to the root user however by executing sudo nmap --interactive followed by !sh from within nmap.
fd5084cbbf34c562fd7812f4604bd3eb
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed