Packet Storm

This exploits a command execution in Pi-Hole Web Interface less than or equal to 5.5. The Settings > API/Web inetrace page contains the field Top Domains/Top Advertisers which is validated by a regex which does not properly filter system commands, which can then be executed by calling the gravity functionality. However, the regex only allows a-z, 0-9, _.

The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery. This vulnerability can be exploited by an unauthenticated attacker who is able to guess the value of a certain timestamp which is in the configuration of the router. Brute forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be bruteforced. This Metasploit module works very reliably and it has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this has not been tested.

ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use his privileges to dump the whole password database in CSV format. PMP can use both MySQL and PostgreSQL databases but this module only exploits the latter as MySQL does not support stacked queries with Java. PostgreSQL is the default database in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, so a higher version does not guarantee exploitability. This Metasploit module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in v7.1 build 7105 and above.

This Metasploit module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This Metasploit module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. In order to get a remote shell the telnetd could be started without any authentication.

The Wordpress GDPR Compliance plugin less than or equal to v1.4.2 allows unauthenticated users to set wordpress administration options by overwriting values within the database. The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized users to trigger handlers and make configuration changes because of a failure to do capability checks when executing the save_setting internal action. WARNING: The module sets Wordpress configuration options without reading their current values and restoring them later.

This Metasploit module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to create an administrator account. Note that this exploit will only work once. Any subsequent attempts will fail. On the other hand, the credentials must be verified manually. This Metasploit module has been tested on SysAid 14.4 in Windows and Linux.

This Metasploit module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router to reset the password of the management interface temporarily to an empty value. This Metasploit module has been tested successfully on a WRT120N device with firmware version 1.0.07.

The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated users of any user level to set any system option via a lack of validation in the ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address to prevent any notifications being sent to the actual administrator during the attack, re-enables user registration in case it has been disabled and sets the default role to be administrator. This will allow for the user to create a new account with admin privileges via the default registration page found at /wp-login.php?action=register.

Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number of vectors. This vulnerability can allow an attacker to a craft special XML that could read arbitrary files from the filesystem. This Metasploit module exploits the vulnerability via the XML API.

Google Chrome versions prior to 125.0.6422.112 V8 type confusion proof of concept exploit.