Redis service unauthenticated write access to OS file system

Redis is an in-memory key-value database. Due to the nature of the database design, typical use cases include session caching, full page cache, message queue applications, leaderboards and counting, among others. By default, the service runs on port 6379. In my case, Redis was running on a range of ports, 7081-7090. So an nmap […]

CVE-2018-3004 – Oracle Database Privilege Escalation via XML Deserialization

Since this is a privilege escalation, let's assume you have access to an Oracle database with at least the following roles: CONNECT and RESOURCE. In this example the user tom has been granted the CONNECT and RESOURCE roles. XML Deserialization: the java.beans library has two classes, XMLEncoder to serialize a Java object […]

CVE-2018-17246 – Kibana Local File Inclusion

Logstash is an open source tool for collecting, parsing, and storing logs for future use. Kibana is a web interface that can be used to search and view the logs that Logstash has indexed. Both of these tools are based on Elasticsearch. When used together, Elasticsearch, Logstash, and Kibana are known as the ELK stack. Vulnerability: Affected URL: http://<IP>:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../<js file> Affected Parameter: apis The […]