An unmarshal reflection vulnerability in GlobalProtect feature of Palo Alto Networks PAN-OS software allows unauthenticated remote attackers to create empty arbitrary directories and files in the operating system. If device telemetry is enabled, then remote OS command injection is possible via the dt_curl python module. This module performs the vulnerability verification in three steps. The first step, does a control check using a random filename against the /images directory. Since this file shouldn't exist in the target webapp, the webserver will return a 404 HTTP code. The second step consists in using the vulnerability to try to create the file in the given location. The final step performs the first step again. If the file exists, then a 403 HTTP code is returned, proving that the file was created with the vulnerability. Any other HTTP code will be taken as the target system being not vulnerable.
This module connects to a MySQL server in order to determine if its vulnerable to memcmp authentication bypass
This module connects to the remote domain controller host and attempts to determine by requesting a specially crafted packet, if the target is vulnerable to CVE-2020-1472 based on the inspection of the target's response.
This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable to CVE-2021-44228 based on the inspection of the target's response.
This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable or not to CVE-2024-0204 based on the inspection of the target's response. If the target is vulnerable, the module will create a new admin user in the target system using the provided credentials. If no credentials are provided, it will generate a random one. Also, the new admin credentials will be added as an identity.
This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable to CVE-2023-27997. The detection of the vulnerability is probabilistic. The module does ~400 requests trigguering the heap overflow in a special way that it doesn't corrupt anything used in memory and another ~400 requests without doing the overflow. Then it calculates the mean of each group and does a Welch's T-Test. It could be the case that the result of the test is not reliable. In that case, the module is going to repeat the process. Therefore the module could need several minutes 10min, in order to have a good result.
This module connects to a remote target via any exposed DCE RPC endpoints and fingerprints them to determine if the machine appears to be compromised by the Conficker worm. The module is able to detect B, C and D variants of the worm.
This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable to CVE-2023-20198 based on the inspection of the target's response. If the target is vulnerable, the module will create a new local administrator user in the target system using the provided credentials. Also, the new credentials will be added as an identity.
An insufficient input validation leading to memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the /p/u/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine if the target system is vulnerable.
This vulnerability enables unauthenticated attackers to bypass authentication in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability stems from how the CrushAuth cookie and AWS4-style Authorization header are processed, allowing attackers to impersonate an administrator by crafting specific values using a valid username. A valid username is required for the attack to succeed, but no password is needed. By default, CrushFTP includes a built-in administrative user named crushadmin. This user is automatically suggested during the initial setup, but administrators may choose a different name. The exploit will only succeed if the username provided exists on the system. Successful exploitation provides full administrative access to the CrushFTP WebInterface. This exploit performs the following steps: 1. Authentication Bypass - Sends a request to the 'getUserList' endpoint (typically at /WebInterface/function/) using a crafted 'CrushAuth' cookie and 'Authorization' header. - If the server returns the list of users, the target is confirmed vulnerable. 2. User Enumeration - Parses the XML response to extract usernames and displays them in the module output. 3. Optional User Creation - If parameters new_username and new_userpass are provided, a new user is created via the setUserItem endpoint.
Pagination
- Previous page
- Page 3
- Next page