25% of all web services hits.
Remote code execution vulnerability in NoneCMS ThinkPHP framework.
ThinkPHP is a web application development framework based on PHP. It focuses on development of web applications, mainly used in enterprise projects. The framework is very popular in China. The vulnerability was discovered in December 2018 by Github user twosmi1e and affected NoneCMS ThinkPHP 5.x with maintenance releases before v5.0.23 and v5.1.31.
The vulnerability, CVE-2018-20062 allows a remote attacker to execute arbitrary code on an affected NoneCMS ThinkPHP 5 server. A remote unauthenticated attacker is able to craft a malicious request to run code on the victim’s machine leading to complete takeover of NoneCMS ThinkPHP 5 server.
14% of all web services hits.
Sensitive Data Exposure vulnerability of WordPress configuration files.
WordPress is the most popular content management system (CMS) in the world. WordPress is an open source CMS. According to w3techs, it has a market share of 36% of all the websites globally and 62.8% of all CMS based websites, making it a highly targeted system by malicious actors.
‘wp-config.php’ is an important WordPress configuration file. The file contains the base configuration details for the website, such as database connection information and certificates. An attacker with access to ‘wp-config.php’ file can retrieve sensitive information about the server and use it to gain control of the WordPress instance and its associated database.
11% of all web services hits.
Huawei HG532 routers Remote Code Execution vulnerability – port 37215.
Huawei HG532 is a high-speed wireless router designed for household and small offices (SOHO). In November 2017, Huawei published a security advisory regarding a remote code execution (RCE) vulnerability, CVE-2017-17215. By sending malicious requests to port 37215, an attacker could remotely execute arbitrary code without authentication.
9% of all web services hits.
Unescaped URI: /nice ports,/Trinity.txt.bak
The URI above indicates a network scan in attempt to find vulnerable web server. The request was originally crafted for Nmap scanner, but attacks can use it with other tools or scripts.
Nmap is a network scanner which used to discover hosts and services on a computer network by sending packets and analyzing the responses. In this request the attacker uses ASCII escaped characters in attempt to generate HTTP 404 error message to probe a web server. A successful scan can reveal important information about the web server code and possibly even vulnerabilities through response headers and error messages.
9% of all web services hits.
phpMyAdmin Remote Code Execution vulnerability.
phpMyAdmin is a free and open source administration tool written in PHP for MySQL and MariaDB. phpMyAdmin frequently used as databases and permissions managing tool and therefore highly targeted by attackers. In March 2009, phpMyAdmin project released security advisory PMASA-2009-3 for phpMyAdmin 2 versions before 188.8.131.52 and phpMyAdmin 3 versions before 184.108.40.206.
The vulnerability, CVE-2009-1151 is a PHP Remote Code Execution vulnerability. One of phpMyAdmin components – setup.php allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. A remote unauthenticated attacker can craft a malicious POST request to inject code on the victim’s machine which can result in execution of an arbitrary malicious PHP code in the context of the webserver process.
7% of all web services hits.
Oracle WebLogic server Remote Code Execution vulnerability.
Oracle WebLogic Server is an application server for building and deploying Java Enterprise Edition applications. In October 2017 Oracle have published Critical Patch Update Advisory which covered CVE-2017-10271, affected versions are 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0.
The vulnerability, CVE-2017-10271 is a Remote Code Execution vulnerability. WLS Security component of WebLogic fails to properly deserialize unsafe XML. A remote unauthenticated attacker can craft a malicious XML request which will run his code on the victim’s machine which can result in complete takeover of Oracle WebLogic server.
5% of all web services hits.
NVMS-9000 Digital Video Recorder hardcoded admin credentials and Remote Code Execution vulnerabilities.
NVMS-9000 Digital Video Recorder is a popular DVR appliance from Shenzhen TVT Digital Technology Co. Ltd (TVT). In April 2018, TVT have published Critical advisory and a firmware update which covers the 3 vulnerabilities.
The observed vulnerability is a Remote Code Execution vulnerability NVMS-9000 Digital Video Recorder. NVMS-9000 had a hardcoded authentication admin credentials. A remote unauthenticated attacker can use the hardcoded admin credentials to run his code on the victim’s machine.
2% of all web services hits.
HNAP protocol Authentication Bypass vulnerabilities.
Scanning attempt in order to find routers with open HNAP interface.
Network Administration Protocol (HNAP) is a proprietary network device management protocol developed by Pure Networks and later acquired by Cisco. It allows advanced programmatic configuration and management by remote entities. Starting at 2010, many vulnerabilities were discovered in devices that implemented HNAP such as D-Link and Linksys routers for example CVE-2014-8244 vulnerability.
1% of all web services hits.
Oracle WebLogic server Deserialization Remote Code Execution vulnerability.
Oracle WebLogic Server is an application server for building and deploying enterprise Java EE applications. The vulnerability was found in WebLogic versions 10.3.6.0.0 and 126.96.36.199.0 and discovered and published by China National Vulnerability Database on April 17, 2019.
The vulnerability, CVE-2019-2725 is a Remote Code Execution vulnerability. One of Oracle WebLogic components fails to properly deserialize the input data. A remote unauthenticated attacker can craft a malicious XML request to run code on the victim’s machine which can result in complete takeover of Oracle WebLogic server.
1% of all web services hits.
GPON home routers vulnerable to authentication bypass and remote command execution vulnerability.
GPON routers is a high-speed wireless router designed for household and small office customers. GPON is a type of passive optical network that uses fiber-optics. Most of GPON routers are provided by ISPs which made the router is very popular as home router. The estimation is millions of GPON routers are in use in the global.
The vulnerabilities CVE-2018-10561 and CVE-2018-10562 are authentication bypass and remote command execution respectively. The vulnerabilities allow remote attacker to execute arbitrary command in affected version of Gpon routers.