farid hashmi farid007

farid007 / NeDI 1.9C Bypass XSS
Last active Jun 28, 2020
NeDI 1.9C Bypass function
CVE-2020-14413
NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.
Steps to reproduce:
> Note: every parameter that is displayed and stored is exploitable.
> Log in to the application.
> Go to "https://ip/Devices-Config.php?sta="><img src=x onerror=alert(1)>"
> The JS code will be executed.
farid007 / NeDi 1.9C RCE
Created Jun 28, 2020
NeDi 1.9C Authenticated RCE (CVE-2020-14414)
CVE-2020-14414
NeDi 1.9C is vulnerable to remote command execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system command) containing shell metacharacters and sending it in the pw parameter of a POST request. (This can also be exploited via CSRF.)
Steps to reproduce:
> Log in with the credentials.
> Go to https://ip/pwsec.php.
> Insert any data in the first field, then intercept the request.
farid007 / NeDI 1.9C RCE
Last active Jun 28, 2020
NeDi 1.9C Authenticated RCE (CVE-2020-14412)
CVE-2020-14412
NeDi 1.9C is vulnerable to remote command execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system command) containing shell metacharacters and sending it in the psw parameter of a POST request. (This can also be exploited via CSRF.)
Steps to reproduce:
> Log in with the credentials.
> Go to https://ip/System-Snapshot.php.
farid007 / Rconfig File Upload RCE Exploit
Last active May 23, 2020
Rconfig 3.9.4 File Upload RCE
Remote Code Execution via File Upload (CVE-2020-12255)
rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality.
vendor.crud.php accepts an uploaded file based only on its Content-Type; it does not restrict uploads by checking the file extension or the file header.
Due to this flaw, an attacker can exploit the vulnerability by uploading a PHP file containing arbitrary code (a shell) and setting the Content-Type to `image/gif` in the request to vendor.crud.php.
Since validation is performed only on the Content-Type, the server accepts the uploaded PHP file, resulting in code execution when the file is invoked.
Steps to reproduce:
farid007 / Rconfig CSRF Exploit
Last active May 19, 2020
Rconfig 3.9.4 CSRF
Cross-Site Request Forgery (CSRF) (CVE-2020-12257)
rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because it implements no CSRF protection such as a CSRF token.
An attacker can leverage this vulnerability by creating a form (to add, delete or edit a user), hosting that form on a server under their control, and delivering it to victims through social engineering.
Once a victim who is already authenticated to rConfig submits the form, the unintended action is performed on the victim's behalf.
Steps to reproduce:
farid007 / Rconfig Multiple Vulnerabilities
Last active May 18, 2020
Rconfig 3.9.4 Session Fixation and XSS
1. Cross-Site Scripting (XSS) (CVE-2020-12256)
rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates user input. Due to this flaw, an attacker can exploit the vulnerability by injecting arbitrary JavaScript (`"><script>alert(document.cookie)</script>`) into the `deviceId` GET parameter of devicemgmnt.php, resulting in execution of the JavaScript.
Steps to reproduce:
1. Log in with the credentials.
2. Go to https://ip-rconfig/devicemgmt.php?deviceId="><script>alert(document.cookie)</script>