Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Add module Crypttech CryptoLog Remote Code Execution #8331
This module exploits the sql injection and command injection vulnerability of CryptoLog. An un-authenticated user can execute a terminal command under the context of the web user.
List the steps needed to make sure this thing works
It's not possible to download free trial of this product. Where can I send pcap file that I've recorded during exploitation ?
Please expand the tile as well, it may also be possible to create a CVE reference for this if you have not already gone that route.
We can assist with reporting to MITRE and potential CVE assignment, if you need to send more details they can go to firstname.lastname@example.org. Public key is here: https://www.rapid7.com/disclosure/ if you would like to send anything securely.
+1 to @jmartin-r7 -- @mmetince, if you could provide a contact at the vendor that you already talked to so we can make sure they're on that same page, if they have an issue number to track this, that'd be swell.
We can deal with the vendor, CERT/CC, MITRE, and all the other foo around disclosure so you can keep on hackin'. :) Since all the details are public now, I don't see a ton of upside to PGP, but it's there if you'd like it.
May 5, 2017
1 check passed
The exploits/linux/http/crypttech_cryptolog_login_exec exploit has been added to the framework. The module exploits an SQL injection vulnerability to perform command injection on Crypttech CryptoLOG. An un-authenticated user can execute any terminal command under the context of the web user.