"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting"

Author: Luca.Chiou

Platform: cgi

Release date: 2020-02-11

# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary device: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839

# 1. Description:
# In the CHIYU BF430 web interface,
# a user can modify the system configuration by accessing /if.cgi.
# Attackers can inject malicious XSS code in the "TF_submask" field.
# The XSS code is stored in the database, which causes a stored XSS vulnerability.

# 2. Proof of Concept:
# Access the /if.cgi of CHIYU BF430 232/485 TCP/IP Converter.
# Inject the XSS code in the "TF_submask" parameter:
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
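
The fix side of the issue described above, as an added example (not the vendor's firmware code and not part of the original advisory): strict validation of the "TF_submask" value before it is stored, plus HTML attribute encoding when it is rendered. It assumes, from the leading `">` in the PoC value, that the stored field is echoed inside a double-quoted HTML attribute; `is_valid_submask` and `html_attr_escape` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Accept only a dotted-quad mask whose bits are contiguous 1s then 0s.
   TF_submask is the field named in the advisory; this function is hypothetical. */
int is_valid_submask(const char *s)
{
    unsigned a, b, c, d; char extra;
    /* Digits and dots only: quotes, angle brackets and spaces fail here. */
    if (s == NULL || strspn(s, "0123456789.") != strlen(s)) return 0;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    uint32_t m = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    uint32_t inv = ~m;            /* valid mask: inverse is 2^k - 1 */
    return m != 0 && (inv & (inv + 1)) == 0;
}

/* Encode src for a double-quoted HTML attribute (hypothetical helper).
   Returns bytes written, or -1 if dst (capacity cap) is too small. */
int html_attr_escape(const char *src, char *dst, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        if (*src == '&') rep = "&amp;";
        else if (*src == '<') rep = "&lt;";
        else if (*src == '>') rep = "&gt;";
        else if (*src == '"') rep = "&quot;";
        else if (*src == '\'') rep = "&#39;";
        size_t len = strlen(rep);
        if (used + len + 1 > cap) return -1;   /* keep room for the NUL */
        memcpy(dst + used, rep, len);
        used += len;
    }
    dst[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Decoded TF_submask value from the advisory's PoC URL. */
    const char *poc = "\"><script>alert(123)</script>";
    char out[128];
    printf("255.255.255.0 -> %d, PoC value -> %d\n", is_valid_submask("255.255.255.0"), is_valid_submask(poc));
    if (html_attr_escape(poc, out, sizeof out) >= 0) printf("escaped: %s\n", out);
    return 0;
}
```

Validation on write keeps the payload out of storage; encoding on output covers values already stored by an unpatched version.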
