exploit-db-mirror/exploits/multiple/webapps/39288.txt
Offensive Security cf96346519 DB: 2018-01-25
124 changes to exploits/shellcodes

Airsensor M520 - HTTPD Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)
Airsensor M520 - HTTPd Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)

Samsung DVR SHR2040 - HTTPD Remote Denial of Service Denial of Service (PoC)
Samsung DVR SHR2040 - HTTPd Remote Denial of Service Denial of Service (PoC)

Novell ZenWorks 10/11 - TFTPD Remote Code Execution
Novell ZENworks 10/11 - TFTPD Remote Code Execution

Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi
Apache 1.1 / NCSA HTTPd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi

WhitSoft SlimServe HTTPd 1.1 - Get Denial of Service
WhitSoft SlimServe HTTPd 1.1 - 'GET_ Denial of Service

GoAhead Software GoAhead WebServer (Windows) 2.1 - Denial of Service
GoAhead Web Server 2.1 (Windows) - Denial of Service

Anti-Web HTTPD 2.2 Script - Engine File Opening Denial of Service
Anti-Web HTTPd 2.2 Script - Engine File Opening Denial of Service

Rosiello Security Sphiro HTTPD 0.1B - Remote Heap Buffer Overflow
Rosiello Security Sphiro HTTPd 0.1B - Remote Heap Buffer Overflow

D-Link DWL-G700AP 2.00/2.01 - HTTPD Denial of Service
D-Link DWL-G700AP 2.00/2.01 - HTTPd Denial of Service

Lorex LH300 Series - ActiveX Buffer Overflow (PoC)

Debut Embedded httpd 1.20 - Denial of Service
Debut Embedded HTTPd 1.20 - Denial of Service

Xorg 1.4 < 1.11.2 - File Permission Change
X.Org xorg 1.4 < 1.11.2 - File Permission Change

Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)
Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit)

ICU library 52 < 54 - Multiple Vulnerabilities

rooter VDSL Device - Goahead WebServer Disclosure
FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure

Ruby 1.8.6/1.9 (WEBick Httpd 1.3.1) - Directory Traversal
Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal

Simple HTTPd 1.42 - PUT Request Remote Buffer Overflow
Simple HTTPd 1.42 - 'PUT' Remote Buffer Overflow

Debian 2.1 - httpd
Debian 2.1 - HTTPd

Apache 0.8.x/1.0.x / NCSA httpd 1.x - test-cgi Directory Listing
Apache 0.8.x/1.0.x / NCSA HTTPd 1.x - 'test-cgi' Directory Listing

Inso DynaWeb httpd 3.1/4.0.2/4.1 - Format String
Inso DynaWeb HTTPd 3.1/4.0.2/4.1 - Format String

W3C CERN httpd 3.0 Proxy - Cross-Site Scripting
W3C CERN HTTPd 3.0 Proxy - Cross-Site Scripting

ATP httpd 0.4 - Single Byte Buffer Overflow
ATP HTTPd 0.4 - Single Byte Buffer Overflow

AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow
AN HTTPD 1.38/1.39/1.40/1.41 - 'SOCKS4' Buffer Overflow
Light HTTPd 0.1 - GET Buffer Overflow (1)
Light HTTPd 0.1 - GET Buffer Overflow (2)
Light HTTPd 0.1 - 'GET' Buffer Overflow (1)
Light HTTPd 0.1 - 'GET' Buffer Overflow (2)

Light HTTPD 0.1 (Windows) - Remote Buffer Overflow
Light HTTPd 0.1 (Windows) - Remote Buffer Overflow

Ultra Mini HTTPD 1.21 - Remote Stack Buffer Overflow
Ultra Mini HTTPd 1.21 - Remote Stack Buffer Overflow

Ultra Mini HTTPD - Remote Stack Buffer Overflow (Metasploit)
Ultra Mini HTTPd - Remote Stack Buffer Overflow (Metasploit)

BusyBox 1.01 - HTTPD Directory Traversal
BusyBox 1.01 - HTTPd Directory Traversal

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)
Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (1)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)
Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (2)
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock'  Remote Command Injection
Apache mod_cgi - 'Shellshock'  Remote Command Injection
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection
Apache mod_cgi - 'Shellshock' Remote Command Injection

IPFire - 'Shellshock'  Bash Environment Variable Command Injection (Metasploit)
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)

AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution

GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)

GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution

NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit)

Getsimple 2.01 - Local File Inclusion
Getsimple CMS 2.01 - Local File Inclusion

Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)
Novell ZENworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)

ManageEngine DesktopCentral 8.0.0 build < 80293 - Arbitrary File Upload
ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload
ManageEngine DesktopCentral - Arbitrary File Upload / Remote Code Execution
ManageEngine EventLog Analyzer - Multiple Vulnerabilities
ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1)

Bash CGI - 'Shellshock' Remote Command Injection  (Metasploit)
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)

Getsimple 3.0 - 'set' Local File Inclusion
Getsimple CMS 3.0 - 'set' Local File Inclusion

ZENworks Configuration Management 11.3.1 - Remote Code Execution
Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution

Kaseya Virtual System Administrator - Multiple Vulnerabilities (1)
Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)

Getsimple - 'path' Local File Inclusion
Getsimple CMS 3.1.2 - 'path' Local File Inclusion

Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection (Metasploit)
SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit)

ManageEngine Password Manager Pro and ManageEngine IT360 - SQL Injection
ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection
BMC Track-It! 11.4 - Multiple Vulnerabilities
Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities
SysAid Help Desk 14.4 - Multiple Vulnerabilities
Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities
GetSimple CMS 3.3.1 - Cross-Site Scripting
CMS Made Simple 1.11.9 - Multiple Vulnerabilities
ManageEngine Desktop Central - Create Administrator
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)
ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities
ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities

Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - Authenticated Arbitrary File Upload

Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)
FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes)
FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes)
FreeBSD/x64 - exec /bin/sh Shellcode (31 bytes)
FreeBSD/x64 - execve(/bin/sh) Shellcode (34 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)
Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)
Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)
Linux/x64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)

Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)
Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)

Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (33 bytes)

NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes)

Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)

Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)
Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)
Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)
UnixWare - execve(/bin/sh) Shellcode (95 bytes)
Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)
Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)
UnixWare - execve(/bin/sh) Shellcode (95 bytes)

Windows/x86 - Reverse TCP + Download A File + Save + Execute Shellcode
Windows/x86 - Reverse TCP + Download File + Save + Execute Shellcode

Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)
Windows/x64 - URLDownloadToFileA(http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)

Windows/x86 (XP SP3) - ShellExecuteA Shellcode
Windows/x86 (XP SP3) - ShellExecuteA() Shellcode

Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)
Windows  (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)
Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)
Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)
Linux/x86 - ip6tables -F Shellcode (47 bytes)
Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)
Linux/i686 - pacman -R <package> Shellcode (59 bytes)
Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)
Linux/x86 - ip6tables -F Shellcode (47 bytes)
Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)
Linux/i686 - pacman -R <package> Shellcode (59 bytes)

Windows/x86 - JITed Stage-0 Shellcode

Windows/x86 (XP SP2) - WinExec (write.exe) + ExitProcess Shellcode (16 bytes)
Windows/x86 (XP SP2) - WinExec(write.exe) + ExitProcess Shellcode (16 bytes)
Windows/x86 - MessageBox Shellcode (Metasploit)
Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode
Windows/x86 - MessageBox Shellcode (Generator) (Metasploit)
Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode
Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)
Linux/x64 - reboot(POWER_OFF) Shellcode (19 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (30 bytes)

Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)

Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)
Windows/x64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)
Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)

Windows/x86-64 (7) - cmd.exe Shellcode (61 bytes)
Windows/x64 (7) - cmd.exe Shellcode (61 bytes)

Windows - MessageBoxA Shellcode (238 bytes)
Windows - MessageBoxA() Shellcode (238 bytes)

Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)
Linux/x64 - Disable ASLR Security Shellcode (143 bytes)
Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)
Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)
Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)
Windows - WinExec (cmd.exe) + ExitProcess Shellcode (195 bytes)
Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)
Windows (XP SP3) (Spanish) - URLDownloadToFileA() + CreateProcessA() + ExitProcess() Shellcode (176+ bytes) (Generator)
Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)
Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)

Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)

Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)
Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)

Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)
Windows (XP SP3) (English) - MessageBoxA() Shellcode (87 bytes)
OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)
ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)
OSX/x64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)
ARM - Add Root User Shellcode (66+ bytes) (Generator) (Metasploit)

Windows/x86 - Eggsearch Shellcode (33 bytes)
Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)
OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)
OSX/x64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)

Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)

OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode
OSX/x64 - Universal ROP + Reverse TCP Shell Shellcode

Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (52 bytes)

Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)
Linux/x64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)

Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)
Windows/x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)

Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode
Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode

Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)

Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)
Linux/x64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)
Linux/x86 - rmdir() Shellcode (37 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)
Linux/x86 - rmdir() Shellcode (37 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)

Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)
Windows/x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)

Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)
Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)

Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)
Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)

Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes)
Linux/x64 - execve(/bin/sh) Via Push Shellcode (23 bytes)

Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)
Linux/x64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)
Linux/x86-64 - execve() Encoded Shellcode (57 bytes)
Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode
Linux/x64 - execve() Encoded Shellcode (57 bytes)
Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode (Generator)
Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode
Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)
Windows/x86 - user32!MessageBox(Hello World!) + Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode (Generator)
Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)
OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)
OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes)
OSX/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (34 bytes)
Linux/x86-64 - execve() Shellcode (22 bytes)
Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)
Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)
Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes)
Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)
Linux/x64 - execve() Shellcode (22 bytes)
Linux/x64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)
Linux/x64 - Egghunter (0x6b634068) Shellcode (24 bytes)
Linux/x64 - execve() + Polymorphic Shellcode (31 bytes)
Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)
Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)
Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)
Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux x86/x64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)
Linux x86/x64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)
Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)

Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes)
Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1)
Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)
Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Linux/x64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (26 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (25 bytes) (1)
Linux/x64 - execve(/bin/bash) Shellcode (33 bytes)
Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)
Linux/x64 - Read /etc/passwd Shellcode (65 bytes)
Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)
Windows/x86 - URLDownloadToFileA(http://192.168.86.130/sample.exe) + SetFileAttributesA(pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)

Linux/x86-64 - Bind TCP Shell Shellcode (Generator)
Linux/x64 - Bind TCP Shell Shellcode (Generator)
Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)
Linux/x64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)
Linux/x64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)

Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)
Linux/x64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)
Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)
BSD / Linux / Windows/x86-64/x86 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
Linux/x64 - execve() + XOR Encoded Shellcode (84 bytes)
BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)
Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)
Linux/x64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)
Linux/x64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)

Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)

Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
Linux/x64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)

Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)
Linux/x64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)

Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)
Linux/x64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)

Windows/x86 - MessageBoxA Shellcode (242 bytes)
Windows/x86 - MessageBoxA() Shellcode (242 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)
Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)
Linux/x64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)
Linux/x64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)
Linux/x64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)
Linux/x64 - Read /etc/passwd Shellcode (82 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)
Linux/x64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)
Linux/x64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)
Linux/x64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)
Linux/x64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)
Linux/x64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x64 - sethostname(Rooted !) + killall Shellcode (33 bytes)

Windows/x86-64 - WinExec(cmd.exe) Shellcode (93 bytes)
Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes)
Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes)
Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)
Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Windows/x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)
Windows/x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir() Shellcode (25 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes)
Windows/x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows/x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x64 - mkdir() Shellcode (25 bytes)
Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (22 bytes)

Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)

Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)
Linux/x64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)
Linux/x64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)
Linux/x64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)
Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)
Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)
Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)
Linux/x64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)
Linux/x64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)
FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes)
FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)
FreeBSD/x64 - execve(/bin/sh) Shellcode (28 bytes)
FreeBSD/x64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)
Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)
Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)
Linux/x86-64 - shutdown -h now Shellcode (65 bytes)
Linux/x86-64 - shutdown -h now Shellcode (64 bytes)
Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)
Linux/x64 - Execute /bin/sh Shellcode (27 bytes)
Linux/x64 - Execute /bin/sh Shellcode (24 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)
Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)
Linux/x64 - shutdown -h now Shellcode (65 bytes)
Linux/x64 - shutdown -h now Shellcode (64 bytes)
Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
Linux/x64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)

Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)
Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2)
Windows/x64 (10) - Egghunter Shellcode (45 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (2)
Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)
Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1)
Linux/x64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)
Windows - cmd.exe Shellcode (718 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (1)

Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (24 bytes)

Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)
Linux/x64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)
Linux/x86-64 - Kill All Processes Shellcode (19 bytes)
Linux/x86-64 - Fork Bomb Shellcode (11 bytes)
Linux/x64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)
Linux/x64 - Kill All Processes Shellcode (19 bytes)
Linux/x64 - Fork Bomb Shellcode (11 bytes)

Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)
Linux/x64 - mkdir(evil) Shellcode (30 bytes)

Windows/x86-64 - API Hooking Shellcode (117 bytes)
Windows/x64 - API Hooking Shellcode (117 bytes)
2018-01-25 18:22:06 +00:00

92 lines
No EOL
4.8 KiB
Text

source: http://www.securityfocus.com/bid/69303/info
ManageEngine Password Manager Pro and ManageEngine IT360 are prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following products are affected:
ManageEngine Password Manager Pro 5 through 7 build 7003
ManageEngine IT360 8 through 10.1.1 build 10110
www.example.com/MetadataServlet.dat?sv=[SQLi]
www.example.com/console/MetadataServlet.dat?sv=[SQLi]
>> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions)
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 19/08/2014 / Last updated: 05/02/2015
>> Background on the affected products:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."
"Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital identities of enterprises."
"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."
These products have managed service providers (MSP) versions which are used to control the desktops and smartphones of several clients.
Quoting the author of the Internet Census 2012: "As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did."
These vulnerabilities can be abused to achieve remote code execution as SYSTEM in Windows or as the user in Linux. Needless to say, owning a Desktop Central / IT360 box will give you control of all the computers and smartphones it manages, while owning Password Manager Pro will give you a treasure trove of passwords.
>> Technical details:
The two blind SQL injections described below have been present in Desktop Central, Password Manager Pro and IT360 in all releases since 2006. They can only be triggered via a GET request, which means you can only inject around 8000 characters at a time.
#1
Vulnerability:
Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP / authenticated on IT360)
CVE-2014-3996
Affected products / versions:
- ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to v9 build 90033
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 19-Apr-2006. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330
Constraints:
- DC: no authentication or any other information needed
- PMP: no authentication or any other information needed
- IT360: valid user account needed
Proof of concept:
DC / PMP:
GET /LinkViewFetchServlet.dat?sv=[SQLi]
IT360:
GET /console/LinkViewFetchServlet.dat?sv=[SQLi]
#2
Vulnerability:
Blind SQL injection in MetadataServlet (unauthenticated on PMP / authenticated on IT360)
CVE-2014-3997
Affected products / versions:
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 03-Apr-2008. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330
Constraints:
- PMP: no authentication or any other information needed
- IT360: valid user account needed
Proof of concept:
PMP:
GET /MetadataServlet.dat?sv=[SQLi]
IT360:
GET /console/MetadataServlet.dat?sv=[SQLi]
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>