This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in th e Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).
f5291266eaebb8b290e3a0b7e6659455This Metasploit module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the root user.
bc9ef269b0fbd9bf35cb0c0f8d89b446Various CDATA OLTs suffer from backdoor access with telnet, credential leaks, shell escape with root privileges, denial of service, and weak encryption algorithm vulnerabilities.
2e33e528404f107efc0dd79c6d3284e7Bolt CMS versions 3.7.0 and below suffer from cross site request forgery, cross site scripting, and remote shell upload vulnerabilities that when combined can achieve remote code execution in one click.
e1905dcd1353235ff99a9faf7ed545efOnline Shopping Portal version 3.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass as well as a shell upload.
a413dd610290694b938f4df3d35a392dThis Metasploit module exploits a cross site request forgery vulnerability in Online Student Enrollment System version 1.0 to perform a shell upload.
5b27f66c5ed24e68abd5443719b457a4This Metasploit module takes advantage of a poorly configured TACACS+ config, Arista's bash shell, and a TACACS+ read-only account to achieve privilege escalation.
c89e5030f0dbb92c9b9a0aaee9be5226This Metasploit module exploits a shell upload vulnerability in Neon LMS versions prior to 4.9.1.
26aa3aff8f77bd3458a0a09ac6e239c5NeonLMS version 3.6 suffers from an authenticated remote shell upload vulnerability.
2c01c097ed4377f370cef2cfdd6872fbThis Metasploit module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.
8741d1320b67d5240a0da5c63f0f5065CAYIN CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the NTP_Server_IP HTTP POST parameter in system.cgi page.
2b40a82dbae2a46bd38664601734d373CAYIN SMP-xxxx suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the NTP_Server_IP HTTP GET parameter in system.cgi and wizard_system.cgi pages.
9a04cbad2c7bcc1e00789b91f73a0061Clinic Management System version 1.0 suffers from a remote shell upload vulnerability.
aef32468a77bdfeb84c28f99eb758777Various PanaceaSoft products appear to suffer from a shell upload vulnerability.
dbac78cf550b5cda3c73303bea5d98e1WordPress Drag and Drop File Upload Contact Form plugin version 1.3.3.2 suffers from a remote shell upload vulnerability.
415c8b9b89531c519f109fc5a2a6d49fRed Hat Security Advisory 2020-2210-01 - KornShell is a Unix shell which is backward-compatible with the Bourne shell and includes many features of the C shell. The most recent version is KSH-93. KornShell complies with the POSIX.2 standard. A code injection vulnerability has been addressed.
fd8c80347cd4ed97e92d1050f4903cafVictor CMS version 1.0 suffers from an authenticated remote shell upload vulnerability.
7f5c0f7f129fcb1e7e08e68329e0210bCuteNews version 2.1.2 suffers from a remote shell upload vulnerability.
854221f3da517dea5c1d414090b7e5dfIBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
3146f36e720ad41b90d484a8f93fd1deTP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a command injection vulnerability. The issue is located in the swSystemSetProductAliasCheck method of the ipcamera binary (Called when setting a new alias for the device via /setsysname.fcgi), where despite a check on the name length, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root.
55083492881e98ef2dd06b513cdf658dRed Hat Security Advisory 2020-1933-01 - The targetcli package contains an administration shell for configuring Internet Small Computer System Interface, Fibre Channel over Ethernet, and other SCSI targets, using the Target Core Mod/Linux-IO kernel target subsystem. FCoE users also need to install and use the fcoe-utils package. A command execution vulnerability was addressed.
88341a0345f7668c4411745c48d226ed80 bytes small Linux/x86 reverse shell generator shellcode with customizable TCP port and IP address.
937201f1ff92ab4fabd623cad7224a07This Metasploit module exploits a shell command injection vulnerability in the libnotify plugin. This vulnerability affects Metasploit versions 5.0.79 and earlier.
885145668200c03fca22ddeebb838fd3Red Hat Security Advisory 2020-1333-01 - KornShell is a Unix shell developed by AT+T Bell Laboratories, which is backward-compatible with the Bourne shell and includes many features of the C shell. The most recent version is KSH-93. KornShell complies with the POSIX.2 standard. A code injection vulnerability has been addressed.
129fab33e89337166620907e653bddf2Red Hat Security Advisory 2020-1332-01 - KornShell is a Unix shell developed by AT+T Bell Laboratories, which is backward-compatible with the Bourne shell and includes many features of the C shell. The most recent version is KSH-93. KornShell complies with the POSIX.2 standard. A code injection vulnerability has been addressed.
4326e13a6cfed935ccfe0b0a3331ba4c
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed