This Metasploit module scans for the Juniper SSH backdoor (also valid on Telnet). Any username works, and the password is <<< %s(un=%s) = %u.
9063c59689446fe07bb9610922c2bca3f2bd26ac97f441441018bc99fbe63a81
This Metasploit module exploits several authenticated SQL injection vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20, is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter. Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter. Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter. Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter. Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter. VICIdial does not encrypt passwords by default.
ee13ad5d4ae7546320169435916f3c9bac21c75f6a3c00a761a80c9d13b3d3b5
Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive, suffer from an unauthenticated directory traversal vulnerability. The vulnerability is triggered through the icinga-php-thirdparty library, which allows unauthenticated users to retrieve arbitrary files from the target's filesystem via a GET request to /lib/icinga/icinga-php-thirdparty/<absolute path to target file on disk> as the user running the Icingaweb server, which will typically be the www-data user. This can then be used to retrieve sensitive configuration information from the target, such as the configuration of various services (which may reveal sensitive login or configuration information), the /etc/passwd file to get a list of valid usernames for password guessing attacks, or other sensitive files which may exist as part of additional functionality available on the target server. This Metasploit module was tested against Icingaweb 2.9.5 running on Docker.
cdc69a4bccff0e05ac6725d9eb18225432bfef742c18d90b549db0f05b86206e
The Email Subscribers and Newsletters plugin contains an unauthenticated time-based SQL injection in versions before 4.3.1. The hash parameter is vulnerable to injection.
883d0eaca9891a011a583d7cbea23b1c7f956800de4a058033366b43cb374379
This Metasploit module attempts to enumerate users on the Synology NAS by sending GET requests for the forgot password URL. The Synology NAS responds differently depending on whether a user is present or not. These count as login attempts, and the default policy is 10 logins in 5 min to trigger a permanent block. Set the delay accordingly to avoid this, as the default block is permanent. Vulnerable DSMs are: DSM 6.1 < 6.1.3-15152, DSM 6.0 < 6.0.3-8754-4, DSM 5.2 < 5.2-5967-04.
c622438aa3e4a490bc624fb626fb236ea403a3b449e8c9b443cda4f4befb21eb
This Metasploit module exploits a bypass issue with WPS Hide Login versions less than or equal to 1.9. WPS Hide Login is used to make a new secret path to the login page; however, a GET request to /wp-admin/options.php with a Referer header will reveal the hidden path.
cf0e23084f88d35da4dd2286627bbd0801ca437e1cdded439cd94d23e28d6ab9
Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability. This vulnerability allows unauthenticated users access to web service endpoints which contain sensitive information. Specifically, this module exploits the users and config/application endpoints. This Metasploit module was tested against Joomla 4.2.7 running on Docker.
fa67ae7e6f213f19e195eecd75ea212d3daefe54df94381a906f0a5269cb2249
Paid Membership Pro, a WordPress plugin, prior to 2.9.8 is affected by an unauthenticated SQL injection via the code parameter. Remote attackers can exploit this vulnerability to dump usernames and password hashes from the wp_users table of the affected WordPress installation. These password hashes can then be cracked offline using tools such as Hashcat to obtain valid login credentials for the affected WordPress installation.
d01aa9df62ceaa2afa8e7303c8aaf9059424791f857f1b227c5c890811cf5457
RegistrationMagic, a WordPress plugin, prior to 5.0.1.5 is affected by an authenticated SQL injection via the task_ids parameter.
1a580e447f3469ec25a634735f3ea21fb9756b92a3c75631271cbb832da6c3fd
This Metasploit module exploits an authenticated arbitrary file read in the log module's filter engine. SteelHead VCX (VCX255U) version 9.6.0a was confirmed as vulnerable.
82200956bfcf313b96ff93db76c110d1947a97a9884d89e92f426e7c7e7da5ea
This Metasploit module connects to ES File Explorer's HTTP server to run certain commands. The HTTP server is started on app launch and is available as long as the app is open. Version 4.1.9.7.4 and below are reported vulnerable. This Metasploit module has been tested against 4.1.9.5.1.
a73c6b524b907dbe590605fec39555ee25f87f4dfb5e202dfc167e9995d06c69
The iDangero.us Chop Slider 3 WordPress plugin version 3.4 and prior contains a blind SQL injection in the id parameter of the get_script/index.php page. The injection is passed through GET parameters, and thus must be URL-encoded, and magic_quotes is applied at the server.
c40d3f2150f043263d7f5b593f87cd6eb6ed9507f109b3c2713e5d016de691c2
Secure Copy Content Protection and Content Locking, a WordPress plugin, prior to 2.8.2 is affected by an unauthenticated SQL injection via the sccp_id[] parameter. Remote attackers can exploit this vulnerability to dump usernames and password hashes from the wp_users table of the affected WordPress installation. These password hashes can then be cracked offline using tools such as Hashcat to obtain valid login credentials for the affected WordPress installation.
a16f33882a4042dbb5483766850b39941b6501b9b0173d5fdf5fb279b10a5e47
This Metasploit module exploits a directory traversal vulnerability found in dnaLIMS. Due to the way the viewAppletFsa.cgi script handles the secID parameter, it is possible to read a file outside the www directory.
51e9c7257950972cb9c2f3eadb03402eb6967e9df8461564e00e53de1edcfeba
Abandoned Cart, a plugin for WordPress which extends the WooCommerce plugin, prior to 5.8.2 is affected by an unauthenticated SQL injection via the billing_first_name parameter of the save_data AJAX call. A valid wp_woocommerce_session cookie with at least one item in the cart is required.
80a396b232c09010cbae409cc90533d399a952a66a286c4d10fe3644a0ecc608
This Metasploit module exploits an unauthenticated directory traversal vulnerability in the Dicoogle PACS Web Server v2.5.0 and possibly earlier, allowing an attacker to read arbitrary files with the web server's privileges. While the application is Java-based, the directory traversal was only successful against Windows targets.
8f2ecf1201b59abdcaedb189bb29a75443dfe162b8acf3116d81747473b35059
The WordPress plugin BulletProof Security, versions less than or equal to 5.1, suffers from an information disclosure vulnerability, in that db_backup_log.txt is publicly accessible. If the backup functionality is being used, this file discloses where the backup files can be downloaded. After downloading the backup file, it is parsed to grab all user credentials.
67c4807293a251cc053fbb1a5fb7a2329f603f6abac1003faf1823ea7751fe74
The WordPress plugin Easy WP SMTP, versions less than or equal to 1.4.2, was found to not include an index.html within its plugin folder. This potentially allows directory listings. If debug mode is also enabled for the plugin, all SMTP commands are stored in a debug file. An email must have been sent from the system as well to create the debug file. If an email hasn't been sent (the Test Email function is not included), the Aggressive option can bypass the last check. Combining these items, it's possible to request a password reset for an account, then view the debug file to determine the link that was emailed out, and reset the user's password.
8559f369219946f2ef710f6c5fb744b1424d53fa6245cf079bdb8020ffd203c8
LearnPress, a learning management plugin for WordPress, prior to 3.2.6.8 is affected by an authenticated SQL injection via the current_items parameter of the post-new.php page.
150d41dad29f88db33ed82424ed85cc194746e3e92127751db33050409ecec61
The Modern Events Calendar plugin contains an unauthenticated time-based SQL injection in versions before 6.1.5. The time parameter is vulnerable to injection.
982d4d258c486cd930bfa6a8ab9aa9156ad56e14deb8a20ab4d8c1bd29c21177
The Loginizer WordPress plugin contains an unauthenticated time-based SQL injection in versions before 1.6.4. The log parameter is vulnerable to injection. WordPress has forced updates of the plugin to all servers.
19a3dea18cc17107d42a30ec2c31df71bf5f3d9812f33d059c921e228a7efb3e
This Metasploit module exploits an authenticated path traversal vulnerability found in LimeSurvey versions 4.0 through 4.1.11 inclusive (CVE-2020-11455) and versions less than or equal to 3.15.9 (CVE-2019-9960). In CVE-2020-11455 the getZipFile function within the filemanager functionality allows for arbitrary file download. The file retrieved may be deleted after viewing, which was confirmed in testing. In CVE-2019-9960 the szip function within the downloadZip functionality allows for arbitrary file download. Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328, 3.0.0-171222, and 2.70.0-170921.
9f74526757273c5edcea64339d62718ea0a109843590d25d98a39b5da99e5413
The WooCommerce-Payments plugin for WordPress, versions 4.8, 4.8.2, 4.9, 4.9.1, 5.0, 5.0.4, 5.1, 5.1.3, 5.2, 5.2.2, 5.3, 5.3.1, 5.4, 5.4.1, 5.5, 5.5.2, 5.6, and 5.6.2, contains an authentication bypass by specifying a valid user ID number within the X-WCPAY-PLATFORM-CHECKOUT-USER header. With this authentication bypass, a user can then use the API to create a new user with administrative privileges on the target WordPress site if the user ID selected corresponds to an administrator account.
6f6df2d58639769e982d2ed7af034862e1b5fef526f5ddae0309cdf72c8e05ac
Grafana versions 8.0.0-beta1 through 8.3.0, prior to 8.0.7, 8.1.8, 8.2.7, or 8.3.1, are vulnerable to directory traversal through the plugin URL. A valid plugin ID is required, but many are installed by default.
9a1339320c6be6654d8bea7386ff041fd2641e68f9a4fbeae07e898d1d0b2068
This Metasploit module scans for the Apache Optionsbleed vulnerability, where the Allow response header returned from an OPTIONS request may leak memory if the server has a .htaccess file with an invalid Limit method defined.
ac77af0b3c6e749b827f71ab13339140afc6a894fad192ca238076187f0cb5e7