POC详情: 9ae8f727fcb736b5881f833732f718124eae3f48

来源
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-37292.yaml
关联漏洞
标题: KevinLAB Building Energy Management System 安全漏洞 (CVE-2021-37292)
描述:KevinLAB Building Energy Management System(KevinLAB BEMS)是韩国KevinLAB公司的一个建筑能源管理系统。 KevinLAB Building Energy Management System 1.0.0 中存在安全漏洞,攻击者可以使用具有管理员最高权限的后台帐户登录并获得系统控制权。
描述
KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
文件快照

 id: CVE-2021-37292

info:
  name: KevinLAB BEMS (Building Energy Management System) - Backdoor Accou

...
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。