Personal BlogTwitterGitHubContact

Low-Hanging Fruit

Easy ways to get a shell

Services

Adobe ColdFusion BlazeDS

Ports: 8080 Exploit:

LogoAdobe ColdFusion BlazeDS Java Object Deserialization RCE
LogoAdobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code ExecutionExploit Database

Apache Flink

Ports: 5000 Exploit:

LogoApache Flink JAR Upload Java Code ExecutionRapid7
LogoApache Flink JobManager TraversalRapid7
LogoApache Flink 1.9.x - File Upload RCE (Unauthenticated)Exploit Database

Apache Hadoop

Ports: 8088 Exploit:

LogoHadoop YARN ResourceManager Unauthenticated Command ExecutionRapid7
Logovulhub/exploit.py at master · vulhub/vulhubGitHub

Apache Solr

Ports: 8983 Exploit:

LogoGitHub - jas502n/solr_rce: Apache Solr RCE via Velocity templateGitHub
LogoGitHub - Imanfeng/Apache-Solr-RCE: Apache Solr Exploits 🌟GitHub

Apache Spark

Ports: 6066 Exploit:

LogoGitHub - ivanitlearning/CVE-2018-11770: Python RCE exploit for Apache Spark rewritten from Metasploit moduleGitHub
LogoApache Spark Unauthenticated Command ExecutionRapid7

Atlassian Crowd

Ports: 4990 Exploit:

curl -k -H "Content-Type: multipart/mixed" \ --form "[email protected]" http://[HOST]:4990/crowd/admin/uploadplugin.action
LogoAtlassian Crowd pdkinstall Remote Code Execution ≈ Packet Storm

Cisco Smart Install

Ports: 4786 Exploit:

LogoIdentify Cisco Smart Install endpointsRapid7
LogoGitHub - frostbits-security/SIET: Smart Install Exploitation ToolGitHub

Cisco Unified Communications Manager

Ports: 6970 Exploit:

curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt
LogoGitHub - trustedsec/SeeYouCM-ThiefGitHub

Dameware

Ports: 6129 Exploit:

LogoSolarWinds Dameware Mini Remote Control Unauthenticated RCETenable®
Logopoc/dwrcs_dwDrvInst_rce.py at master · tenable/pocGitHub

Dell iDrac

Ports: 443

Exploit:

LogoDell iDRAC Default LoginRapid7

Docker API

Ports: 2375 Exploit:

docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

  • File Access: cat /mnt/etc/shadow

  • Remote Code Execution: chroot /mnt

GlassFish

Ports: 4848 Exploit:

LogoPath Traversal in Oracle GlassFish Server Open Source EditionRapid7

Hashicorp Consul

Ports: 8500 Exploit:

LogoHashicorp Consul Remote Command Execution via Services APIRapid7

HP Data Protector

Ports: 5555, 5556 Exploit:

LogoHP Data Protector EXEC_INTEGUTIL Remote Code ExecutionRapid7
LogoHP Data Protector 8.10 Remote Command ExecutionRapid7

HP iLO

Ports: 80, 443

Exploit:

LogoCVE-2017-12542/exploit_1.py at master · skelsec/CVE-2017-12542GitHub

IBM Websphere

Ports: 8880 Exploit:

LogoIBM WebSphere RCE Java Deserialization VulnerabilityRapid7

IPMI

Ports: 623 Exploit:

LogoIPMI Information DiscoveryRapid7
LogoIPMI 2.0 RAKP Remote SHA1 Password Hash RetrievalRapid7
LogoIPMI 2.0 Cipher Zero Authentication Bypass ScannerRapid7

Java RMI

Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999 Exploit:

LogoJava RMI Server Insecure Default Configuration Java Code ExecutionRapid7
LogoJava RMI for pentesters: structure, recon and communication (non-JMX Registries).Medium
LogoJava RMI for pentesters part two — reconnaissance & attack against non-JMX registriesMedium

JBoss

Ports: 4444, 4445, 11111 Exploit:

LogoJBoss Vulnerability ScannerRapid7
LogoGitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation ToolGitHub

JDWP

Ports: 5005 - 5009, 45000, 45001 Exploit:

LogoJava Debug Wire Protocol Remote Code ExecutionRapid7
LogoGitHub - IOActive/jdwp-shellifierGitHub

JMX

Ports: 8686, 9012, 50500 Exploit:

LogoJava JMX Server Insecure Configuration Java Code ExecutionRapid7

MS17-010: Eternal Blue

Ports 139, 445

Exploit:

nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip
LogoMS17-010 EternalBlue SMB Remote Windows Kernel Pool CorruptionRapid7

Portainer

Ports: 9000 Exploit:

LogoGitHub - MauroEldritch/PAZUZU: PAZUZU (Portainer Authentication Zap Using Zero Utilities) is a ruby exploit for vulnerable Portainer instances (--no-auth). Featured @ DevFest Siberia 2018.GitHub
LogoGitHub - MauroEldritch/lempo: LEMPO (Ldap Exposure on POrtainer) is an exploit for CVE-2018-19466 (LDAP Credentials Disclosure on Portainer). Featured @ DevFest Siberia 2018GitHub

PrintNightmare

crackmapexec smb $host_file -u $username -p $password -M spooler
LogoGitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527GitHub

Redis

Ports: 6379 Exploit:

LogoRedis Replication Code ExecutionRapid7
LogoRedis Unauthenticated Code ExecutionRapid7

SAP

Ports: 3300 Exploit:

LogoGitHub - chipik/SAP_GW_RCE_exploit: SAP Gateway RCE exploitsGitHub

WebLogic

Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503 Exploit:

LogoOffensive Security’s Exploit Database Archive

Zoho Manageengine Desktop

Ports: 8383 Exploit:

https://srcincite.io/pocs/src-2020-0011.py.txt

References

LogoGitHub - trustedsec/spoonmapGitHub
PreviousTimestompingNextNetworks

Last updated