Categoria: command

QNAP Transcode Server Command Execution
29 08
Pubblicato in command Nessun commento

QNAP Transcode Server Command Execution

This Metasploit module exploits an unauthenticated remote command injection vulnerability in QNAP NAS devices. The transcoding server listens on port 9251 by default and is vulnerable to command injection using the ‘rmfile’ command. This Metasploit module was tested successfully on a QNAP TS-431 with firmware version 4.3.3.0262 (20170727). Source: QNAP Transcode Server Command Execution

The post QNAP Transcode Server Command Execution appeared first on MondoUnix.

VICIdial user_authorization Unauthenticated Command Execution
22 07
Pubblicato in AUTHORIZATION Nessun commento

VICIdial user_authorization Unauthenticated Command Execution

This Metasploit module exploits a vulnerability in VICIdial versions 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default). When password encryption is enabled the user’s password supplied using HTTP basic authentication is used in a […]

The post VICIdial user_authorization Unauthenticated Command Execution appeared first on MondoUnix.

Metasploit RPC Console Command Execution
22 07
Pubblicato in command Nessun commento

Metasploit RPC Console Command Execution

This Metasploit module connects to a specified Metasploit RPC server and uses the ‘console.write’ procedure to execute operating system commands. Valid credentials are required to access the RPC interface. This Metasploit module has been tested successfully on Metasploit 4.15 on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit 4.14 on Windows 7 SP1. Source: […]

The post Metasploit RPC Console Command Execution appeared first on MondoUnix.

GoAutoDial 3.3 Authentication Bypass / Command Injection
5 07
Pubblicato in authentication Nessun commento

GoAutoDial 3.3 Authentication Bypass / Command Injection

This Metasploit module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. The default pre-packaged ISO builds […]

The post GoAutoDial 3.3 Authentication Bypass / Command Injection appeared first on MondoUnix.