This module exploits an issue in GitLab CE/EE that allows sending reset emails to an unverified email address. In order to takeover the account, the module will exploit the vulnerability adding the attacker's email to the JSON from /users/password endpoint, then it will connect via IMAP to the attacker's email, parse the reset email and change the password.

This module chains together three vulnerabilities to deploy an agent. First, a vulnerability is used to obtain the exact version of Ivanti Connect Secure installed on the system. Next, the module exploits a second vulnerability that allows the attacker to access certain restricted resources without authentication, leveraging a flaw in the SAML component. Finally, the module uses a third vulnerability that enables remote code execution with elevated privileges in the management component, facilitating the injection and execution of the agent. This module uses the first vulnerability to take advantage of the lack of authentication at '/api/v1/totp/user-backup-code,' allowing unauthenticated access and route traversal. With this, the application version can be obtained by accessing '/system/system-information.' Next, it leverages an SSRF vulnerability in the xmltooling library. The '/dana-ws/saml20.ws' endpoint, which handles SOAP-based SAML requests, does not require authentication. This allows anyone to send requests to this endpoint without authentication, exploiting the SSRF vulnerability to send HTTP requests from the compromised server to internal resources. Finally, by sending a request to the SSRF-exploited endpoint, the third vulnerability is used to access the system and execute remote commands. The deployed agent will run with ROOT privileges.

This module chains 2 vulnerabilities to deploy an agent in Magento eCommerce Web Sites that will run with the webserver user privileges. The first vulnerability is an XML External Entity Reference that leverages nested deserialization in Magento's handling of JSON data. This vulnerability allows attackers to manipulate XML input to access arbitrary files on the server. The second vulnerability is a heap buffer overflow in the iconv() function of the GNU C Library. This module will use first vulnerability to download the /proc/self/maps and the libc library. These files will allow the calculation of all the memory offsets required to exploit the second vulnerability and deploy an agent.

This module chains 2 vulnerabilities to deploy an agent in Magento eCommerce Web Sites that will run with the webserver user privileges. The first vulnerability is an XML External Entity Reference that leverages nested deserialization in Magento's handling of JSON data. This vulnerability allows attackers to manipulate XML input to access arbitrary files on the server. The second vulnerability is a heap buffer overflow in the iconv() function of the GNU C Library. This module will use first vulnerability to download the /proc/self/maps and the libc library. These files will allow the calculation of all the memory offsets required to exploit the second vulnerability and deploy an agent.

This vulnerability allows local attackers to execute arbitrary code on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the n_gsm driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

A directory traversal vulnerability in SolarWinds Serv-U FTP Server allows unauthenticated remote attackers to download system files. To take advantage of this vulnerability, we need to make a request using the InternalDir and InternalFile parameters, this will allow us to trigger a directory traversal and thus be able to read an arbitrary file. This module exploits the directory traversal to download the file specified and to save it locally in the location specified in the "OUTPUT PATH" parameter.

A SQL injection vulnerability in Fortra FileCatalyst Workflow versions 5.1.6 build 135 and earlier allows remote attackers, including anonymous ones, to exploit a SQL injection via the JOBID parameter. This could lead to unauthorized SQL commands execution such as table deletion or admin user creation. This module without authentication creates an administrative user, proceeds to authenticate with this newly created user to assess if the system is vulnerable. This module does not install an agent but instead creates an administrator user for FileCatalyst.s

An authenticated user can exploit a command injection vulnerability in the web components of Ivanti Connect Secure (9.x and 22.x) to execute arbitrary commands. This module exploits two vulnerabilities. First, it leverages the lack of authentication in "/api/v1/totp/user-backup-code", allowing unauthenticated access and path traversal. Then, it uses this vulnerability to access the system and execute remote commands in "/api/v1/license/key-status/path:node_name". The deployed agent will run with ROOT privileges.

A java unsafe reflection vulnerability present in Gremlin scripting feature of Apache HugeGraph allows remote attackers to execute system commands in the context of the affected application. This module exploits the vulnerability by sending scripts to the vulnerable endpoint (/gremlin) that bypasses the checks made by the callFromWorkerWithClass function. The bypass consist in changing the current thread name to something else than doesn't contain "gremlin-server-exec" nor "task-worker".

A java unsafe reflection vulnerability present in Gremlin scripting feature of Apache HugeGraph allows remote attackers to execute system commands in the context of the affected application. This module exploits the vulnerability by sending scripts to the vulnerable endpoint (/gremlin) that bypasses the checks made by the callFromWorkerWithClass function. The bypass consist in changing the current thread name to something else than doesn't contain "gremlin-server-exec" nor "task-worker".