This Metasploit module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter. Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter. Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter. Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter. Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter. VICIdial does not encrypt passwords by default.
ee13ad5d4ae7546320169435916f3c9bac21c75f6a3c00a761a80c9d13b3d3b5
Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive suffer from an unauthenticated directory traversal vulnerability. The vulnerability is triggered through the icinga-php-thirdparty library, which allows unauthenticated users to retrieve arbitrary files from the targets filesystem via a GET request to /lib/icinga/icinga-php-thirdparty/<absolute path to target file on disk> as the user running the Icingaweb server, which will typically be the www-data user. This can then be used to retrieve sensitive configuration information from the target such as the configuration of various services, which may reveal sensitive login or configuration information, the /etc/passwd file to get a list of valid usernames for password guessing attacks, or other sensitive files which may exist as part of additional functionality available on the target server. This Metasploit module was tested against Icingaweb 2.9.5 running on Docker.
cdc69a4bccff0e05ac6725d9eb18225432bfef742c18d90b549db0f05b86206e
This Metasploit module exploits a directory traversal vulnerability found in Bitweaver. When handling the overlay_type parameter, view_overlay.php fails to do any path checking/filtering, which can be abused to read any file outside the virtual directory.
75260c8739219589832630db597ad076c6fa9dee26583aeb19f2537f54e959f0
This Metasploit module exploits a bypass issue with WPS Hide Login versions less than or equal to 1.9. WPS Hide Login is used to make a new secret path to the login page, however a GET request to /wp-admin/options.php with a referer will reveal the hidden path.
cf0e23084f88d35da4dd2286627bbd0801ca437e1cdded439cd94d23e28d6ab9
This Metasploit module attempts to bruteforce the chinese caidao asp/php/aspx backdoor.
60088f8d003987fa40a7002f9f668383b9ab73531f528efc470f1246253bee90
The iDangero.us Chop Slider 3 WordPress plugin version 3.4 and prior contains a blind SQL injection in the id parameter of the get_script/index.php page. The injection is passed through GET parameters, and thus must be encoded, and magic_quotes is applied at the server.
c40d3f2150f043263d7f5b593f87cd6eb6ed9507f109b3c2713e5d016de691c2
LearnPress, a learning management plugin for WordPress, prior to 3.2.6.8 is affected by an authenticated SQL injection via the current_items parameter of the post-new.php page.
150d41dad29f88db33ed82424ed85cc194746e3e92127751db33050409ecec61
This Metasploit module exploits a directory traversal vulnerability found in WebPageTest. Due to the way the gettext.php script handles the file parameter, it is possible to read a file outside the www directory.
c8fc5793bb9641b12b4d2106a06fb4d479a668d64206809ae721e664f0532142
This Metasploit module exploits an unauthenticated database backup vulnerability in WordPress plugin Boldgrid-Backup also known as Total Upkeep version < 1.14.10. First, env-info.php is read to get server information. Next, restore-info.json is read to retrieve the last backup file. That backup is then downloaded, and any sql files will be parsed looking for the wp_users INSERT statement to grab user creds.
8ab619abe5830fc334f96aa44ebe91bf5262fbdf2d37942eb3a12c5a678f4e61
This Metasploit module exploits a SQL Injection vulnerability In TYPO3 NewsController.php in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection can be used to obtain password hashes for application user accounts. This Metasploit module has been tested on TYPO3 3.16.0 running news extension 5.0.0. This Metasploit module tries to extract username and password hash of the administrator user. It tries to inject sql and check every letter of a pattern, to see if it belongs to the username or password it tries to alter the ordering of results. If the letter doesnt belong to the word being extracted then all results are inverted (News #2 appears before News #1, so Pattern2 before Pattern1), instead if the letter belongs to the word being extracted then the results are in proper order (News #1 appears before News #2, so Pattern1 before Pattern2).
472f7767d1d622fc181d7fa0a90d223e85f29ef884a67376c132a17b0cf4808e
The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an authenticated user of any user level to set any system option due to a lack of validation in the import_data function of /includes/func.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register.
3114c995b0c2306901d1283939e44b371d069e27d3e312a12481be6528b00537
This Metasploit module exploits a SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress, which allows remote attackers to extract credentials via the size parameter to get_album_item.php.
2961b2a6386f280ff2a5c8a22286ae6b39869c94cfc164ff4f01d0e67ea4a838
This Metasploit module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild on October 2013. This Metasploit module has been tested successfully on vBulletin 4.1.5 and 4.1.0.
c24deea47d1ee74b3fe339182867838b53b59f6e667d57d1dedb6d10ded9c962
This Metasploit module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This Metasploit module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. In order to get a remote shell the telnetd could be started without any authentication.
2f5b594e622d424820044978baa8b49d0949391ea6ea0829281922f271fa3004
The Wordpress GDPR Compliance plugin less than or equal to v1.4.2 allows unauthenticated users to set wordpress administration options by overwriting values within the database. The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized users to trigger handlers and make configuration changes because of a failure to do capability checks when executing the save_setting internal action. WARNING: The module sets Wordpress configuration options without reading their current values and restoring them later.
64cded384a3949ad5bd9c2b263dc7ba25d3c4c97c531268cfc49e7c119da1511
The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated users of any user level to set any system option via a lack of validation in the ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register.
82a443a84115c1e1dd2260df74ac66dd23800ff63bb525cbf98d193ffcf673c2
This Metasploit module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This Metasploit module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).
6863a81671e2c9181fc762b376462302051ea799490c07fe8f165bc20e6d3514
This Metasploit module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This Metasploit module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).
16474ed0f873351c852148c57a073ca86fa3cdb0b63dfb8b35602ac09c210c32
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This Metasploit module exploits this to read an arbitrary file from the file system. Any authenticated user is able to exploit it, as administrator privileges aren't required.
8ebaffc716eedd5e4b8b8c7e5043252a757d480ee4bddd7781480547382b3917
AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against newpolicyform.php, using the insertinto parameter. This Metasploit module exploits the vulnerability to read an arbitrary file from the file system. Any authenticated user is able to exploit this, as administrator privileges are not required.
47041a9a098122925ec54b3140188d51933adc560f06bb113f6adbbff41e40a1
This Metasploit module extracts the usernames and hashed passwords of all users of the Pimcore web service by exploiting a SQL injection vulnerability in Pimcores REST API. Pimcore begins to create password hashes by concatenating a users username, the name of the application, and the users password in the format USERNAME:pimcore:PASSWORD. The resulting string is then used to generate an MD5 hash, and then that MD5 hash is used to create the final hash, which is generated using PHPs built-in password_hash function.
a1fac0dca0eb708a1348babebd5e4be27016a27680c8d2967d94171f313a98ca
Due to lack of verification of a visitors permissions, it is possible to execute the export.php script included in the default installation of the Ultimate CSV Importer plugin and retrieve the full contents of the user table in the WordPress installation. This results in full disclosure of usernames, hashed passwords and email addresses for all users.
5379251c063efce854746f3e41f1141fcad4e8abbd7239dfc0c51bb84f2fb588
This Metasploit module will extract user credentials from DoliWamp - a WAMP packaged installer distribution for Dolibarr ERP on Windows - versions 3.3.0 to 3.4.2 by hijacking a users session. DoliWamp stores session tokens in filenames in the tmp directory. A directory traversal vulnerability in jqueryFileTree.php allows unauthenticated users to retrieve session tokens by listing the contents of this directory. Note: All tokens expire after 30 minutes of inactivity by default.
343f39a5e75827ba9aafe33c696a34ec5f95c6a3bec54cae7cab8ff77208bdb4
This Metasploit module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This Metasploit module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.
b029e67e4fc45769ef0806adf780beee36692122a886f5bb14135c025f43efbc
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to
dfbf6112b8043a07bd5dc3c5f12befea229766c77ef87e3562c17357bedf2f80